Documentation

Overview

Getting Started

Guides

Release Notes

FAQ

SanerNow Architecture

Platforms Supported

SanerNow Feature Map

Security Content & Intelligence

Security Content and Intelligence

The security intelligence hosted at our content repository feeding the SanerNow platform. INDEX

SCAP Content Statistics

Content	Coverage
Loading Data

OVAL Definitions Platform Coverage

Platform	OVAL Definitions
Loading Data

OVAL Definitions Class-wise Distribution

OVAL Class	OVAL Definitions
Loading Data

OVAL Definitions Family-wise Distribution

OVAL Family	OVAL Definitions
Loading Data

Application and OS Remediation Coverage

Sl.No.	OVAL Definitions
Loading Data

Compliance Benchmark Coverage

Benchmark for OS	General Compliance	SecPod Compliance	NIST 800-171	NIST 800-53	PCI 3.2	HIPAA 45 CFR 164
Loading Data

List of Vulnerability to Exploit/Malware Mapping covered in SanerNow

Sl. No.	MVE (Malware Vulnerability Enumeration)
Loading Data

List of IoA (Indicators of Attack) covered in SanerNow

Sl. No.	IoA (Indicators Of Attack)
Loading Data

SanerNow Probes

Windows Probes

Access token

An access token used to check the properties of Windows access token as well as in idual privileges and rights associated with it.

Child Elements	Description
Assign primary token privilege	If Assign primary token privilege is enabled, it allows a parent process to replace an access token that is associated with a child process.
Audit privilege	If Audit privilege is enabled, it allows a process to generate audit records in the security log. The security log can be used to trace unauthorized system access.
Backup privilege	If Backup privilege is enabled, it allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access by using the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply.
Batch logon right	If an account is assigned the Batch logon right right, it can log on using the batch logon type.
Change notify privilege	If Change notify privilege is enabled, it allows the user to pass through folders to which the user otherwise has no access while navigating an object path in the NTFS file system or in the registry. This privilege does not allow the user to list the content of a folder; it allows the user only to traverse its directories.
Create global privilege	If Create global privilege is enabled, it allows the user to create named file mapping objects in the global namespace during Terminal Services sessions.
Create page file privilege	If Create page file privilege is enabled, it allows the user to create and change the size of a pagefile.
Create permanent privilege	If Create permanent privilege is enabled, it allows a process to create a directory object in the object manager. It is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode have this privilege inherently.
Create symbolic link privilege	If Create symbolic link privilege is enabled, it allows users to create symbolic links.
Create token privilege	If Create token privilege is enabled, it allows a process to create an access token by calling NtCreateToken() or other token-creating APIs.
Security principle	The Security principle element identifies an access token to test for. Security principles include users or groups with either local or domain accounts, and computer accounts created when a computer joins a domain. In Windows, security principles are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. User rights and permissions to access objects such as Active Directory objects, files, and registry settings are assigned to security principles. In a domain environment, security principles should be identified in the form: “domain\trustee name”. For local security principles use: “computer name\trustee name”. For built-in accounts on the system, use the trustee name without a domain.
Debug privilege	If Debug privilege is enabled, it allows the user to attach a debugger to any process. It provides access to sensitive and critical operating system components.
Deny batch logon right	If an account is assigned the Deny batch logon right right, it is explicitly denied the ability to log on using the batch logon type.
Deny interactive logon right	If an account is assigned the Deny interactive logon right right, it is explicitly denied the ability to log on using the interactive logon type.
Deny network logon right	If an account is assigned the Deny network logon right right, it is explicitly denied the ability to log on using the network logon type.
Deny Remote interactive logon right	If an account is assigned the Deny Remote interactive logon right right, it is explicitly denied the ability to log on through Terminal Services.
Deny service logon right	If an account is assigned the Deny service logon right right, it is explicitly denied the ability to log on using the service logon type.
Enable delegation privilege	If Enable delegation privilege is enabled, it allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object.
Impersonate privilege	If Impersonate privilege is enabled, it allows the user to impersonate a client after authentication.
Increase base priority privilege	If Increase base priority privilege is enabled, it allows a user to increase the base priority class of a process.
Increase quota privilege	If Increase quota privilege is enabled, it allows a process that has access to a second process to increase the processor quota assigned to the second process.
Increase working set privilege	If Increase working set privilege is enabled, it allows a user to increase a process working set.
Interactive logon right	If an account is assigned the Interactive logon right right, it can log on using the interactive logon type.
Load driver privilege	If Load driver privilege is enabled, it allows a user to install and remove drivers for Plug and Play devices.
Lock memory privilege	If Lock memory privilege is enabled, it allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk.
Machine account privilege	If Machine account privilege is enabled, it allows the user to add a computer to a specific domain.
Manage volume privilege	If Manage volume privilege is enabled, it allows a non-administrative or remote user to manage volumes or disks.
Network logon right	If an account is assigned the Network logon right right, it can log on using the network logon type.
Profile single process privilege	If Profile single process privilege is enabled, it allows a user to sample the performance of an application process.
Re-label privilege	If Re-label privilege is enabled, it allows a user to modify an object label.
Remote interactive logon right	If an account is assigned the Remote interactive logon right right, it can log on to the computer by using a Remote Desktop connection.
Remote shutdown privilege	If Remote shutdown privilege is enabled, it allows a user to shut down a computer from a remote location on the network.
Restore privilege	If Restore privilege is enabled, it allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principle as the owner of an object.
Security privilege	If Security privilege is enabled, it allows a user to specify object access auditing options for in idual resources such as files, Active Directory objects, and registry keys. A user who has this privilege can also view and clear the security log from Event Viewer.
Service logon right	If an account is assigned the Service logon right right, it can log on using the service logon type.
Shutdown privilege	If Shutdown privilege is enabled, it allows a user to shut down the local computer.
Sync agent privilege	If Sync agent privilege is enabled, it allows a process to read all objects and properties in the directory, regardless of the protection on the objects and properties. It is required in order to use Lightweight Directory Access Protocol (LDAP) directory synchronization (Dirsync) services.
System environment privilege	If System environment privilege is enabled, it allows modification of system environment variables either by a process through an API or by a user through System Properties.
System profile privilege	If System profile privilege is enabled, it allows a user to sample the performance of system processes.
System time privilege	If System time privilege is enabled, it allows the user to adjust the time on the computer’s internal clock. It is not required to change the time zone or other display characteristics of the system time.
Take ownership	If Take ownership privilege is enabled, it allows a user to take ownership of any securable object in the system, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.
TCB privilege	If TCB privilege is enabled, it allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access.
Timezone privilege	If Timezone privilege is enabled, it allows the user to change the time zone.
Trusted credentials management access right	If an account is assigned this right, it can access the Credential Manager as a trusted caller.
Undock privilege	If Undock privilege is enabled, it allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu.
Unsolicited input privilege	If Unsolicited input privilege is enabled, it allows the user to read unsolicited data from a terminal device.

Active directory

This is used to check information about specific entries in active directory.

Child Elements	Description
ADS type	The type of information that the specified attribute represents.
Attribute	Specifies a named value contained by the object.
Naming context	Each object in active directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema.
Object class	The name of the class of which the object is an instance.
Relative distinguished name	This is used to uniquely identify an object inside the specified naming context. It contains all the parts of the object’s distinguished name except those outlined by the naming context.
Value	The actual value of the specified Active Directory attribute. Note that while an Active Directory attribute can contain structured data where it is necessary to collect multiple related fields that can be described by the ‘record’ datatype, it is not always the case. It also is possible that an Active Directory attribute can contain only a single value or an array of values. In these cases, there is not a name to uniquely identify the corresponding field which is a requirement for fields in the ‘record’ datatype. As a result, the name of the Active Directory attribute will be used to uniquely identify the field and satisfy this requirement.

Anti-virus information

This is used to collect information about an installed Antivirus applications.

Child Elements	Description
Antivirus name	This element specifies a display name of a installed antivirus product.
Instance GUID	This entity holds a string that represents the GUID of a particular group.
Path to signed product executable	This element specifies the absolute path to antivirus product exe file on the machine.
Path to signed reporting executable	This element specifies the absolute path to antivirus reporting exe file on the machine.
Product enabled	This element specifies whether product is enabled/disabled.
Product state	This element specifies a state value. When this value is converted to HEX, the bits specify if product is enabled/disabled and whether definitions are up-to-date or outdated.
Product up-to-date	This element specifies whether product is up-to-date.

ARP Cache

This is used to collect various information about address resolution protocol cache table.

Child Elements	Description
Host IP	This element specifies host IP address.
Interface Index	Applicable to only Windows. This element specifies value for the network interface associated with this IP address. This index value may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent.
Interface locally unique ID index	Applicable to only Windows. This element specifies unique identifier (LUID) for the network interface associated with this IP address.
Reachability time	Applicable to only Windows. The Reachability time specifies time, in milliseconds, that a node assumes a neighbor is reachable after having received a reachability confirmation.
MAC address	This element specifies physical hardware address of the adapter for the network interface associated with this IP address.
Interface Type	Applicable to only Windows. This element specifies interface type as defined by the Internet Assigned Names Authority (IANA)
Neighbour state	Applicable to only Windows. The state of a network neighbour IP address as defined in RFC 2461. This member can be one of the values from the NL_NEIGHBOR_STATE enumeration type that is defined in the Nldef.h header file. https://msdn.microsoft.com/en-us/library/gg159207.aspx

Audit Event Policy

This is used to check different types of events the system should audit.

Child Elements	Description
Account logon	Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.
Account management	Audit attempts to create, delete, or change user or group accounts. Also, audit password changes.
Detailed tracking	Audit specific events, such as program activation, some forms of handle duplication, indirect access to an object, and process exit. Note that this activity is also known as process tracking.
Directory service access	Audit attempts to access the directory service.
Logon	Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.
Object access	Audit attempts to access securable objects, such as files.
Policy change	Audit attempts to change Policy object rules.
Privilege use	Audit attempts to use privileges.
System	Audit attempts to shut down or restart the computer. Also, audit events that affect system security or the security log.

Audit Event Policy Subcategories

This is used to check the audit event policy settings on a Windows system. These settings are used to specify which system and network events are monitored. For example, If Credential validation element has a value of AUDIT_FAILURE, it means that the system is configured to log all unsuccessful attempts to validate a user account on a system. It is important to note that these audit event policy settings are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information on each setting.

Child Elements	Description
Account lockout	Audit the events produced by a failed attempt to log onto a locked out account.
Application generated	Audit the events produced by applications that use the Windows Auditing API.
Application group management	Audit the events produced by changes to application groups.
Audit policy changes	Audit the events produced by changes in security audit policy settings.
Authentication policy change	Audit the events produced by changes to the authentication policy.
Authorization policy change	Audit the events produced by changes to the authorization policy.
Certificate services	Audit the events produced by operations on Active Directory Certificate Services.
Computer account management	Audit the events produced by changes to computer accounts.
Credential validation	Audit the events produced during the validation of a user’s logon credentials.
Detailed directory service	Audit the events produced by detailed Active Directory Domain Services replication between domain controllers.
Detailed file share	Audit the events produced by attempts to access files and folders on a shared folder.
Directory service access	Audit the events produced when a Active Directory Domain Services object is accessed.
Directory service changes	Audit the events produced when changes are made to Active Directory Domain Services objects.
Directory service replication	Audit the events produced when two Active Directory Domain Services domain controllers are replicated.
Distribution group management	Audit the events produced by changes to distribution groups.
Audit DPAPI(data protection) activity	Audit the events produced when requests are made to the Data Protection application interface.
File share	Audit the events produced by attempts to access a shared folder.
File system	Audit the events produced user attempts to access file system objects.
Filtering platform connection	Audit the events produced by connections that are allowed or blocked by Windows Filtering Platform.
Filtering platform packet drop	Audit the events produced by packets that are dropped by Windows Filtering Platform.
Filtering platform policy change	Audit the events produced by changes to the Windows Filtering Platform.
Handle manipulation	Audit the events produced when a handle is opened or closed.
IPSec driver	Audit the events produced by the IPsec filter driver.
IPSec extended mode	Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Extended Mode negotiations.
IPSec main mode	Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Main Mode negotiations.
IPSec quick mode	Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Quick Mode negotiations.
Kerberos authentication service	Audit the events produced by Kerberos authentication ticket-granting requests.
Kerberos service ticket operations	Audit the events produced by Kerberos service ticket requests.
Kerberos ticket events (Deprecated)	Audit the events produced during the validation of Kerberos tickets provided for a user account logon request.
Kernel object	Audit the events produced by attempts to access the system kernel.
Log off	Audit the events produced by closing a logon session.
Logon	Audit the events produced by attempts to log onto a user account.
MPSSVC rule level policy change	Audit the events produced by changes to policy rules used by the Windows Firewall.
Network policy server	Audit the events produced by RADIUS and Network Access Protection user access requests.
Non-sensitive privilege	Audit the events produced by the use of non-sensitive privileges.
Other account logon events	Audit the events produced by changes to user accounts that are not covered by other events in the Account Logon category.
Other account management events	Audit the events produced by other user account changes that are not covered by other events in the Account Management category.
Other logon logoff events	Audit the events produced by other logon/logoff based events that are not covered in the Logon/Logoff category.
Other object access events	Audit the events produced by the management of Task Scheduler jobs or COM+ objects.
Other polict change events	Audit the events produced by other security policy changes that are not covered other events in the Policy Change category.
Other privilege use events	This is currently not used and has been reserved by Microsoft for use in the future.
Other system events	Audit the events produced by the startup and shutdown, security policy processing, and cryptography key file and migration operations of the Windows Firewall.
Security state change	Audit the events produced by changes in the security state.
Process creation	Audit the events produced when a process is created or starts.
Process termination	Audit the events produced when a process ends.
Registry	Audit the events produced by attempts to access registry objects.
RPC events	Audit the events produced by inbound remote procedure call connections.
Security Account Manager(SAM)	Audit the events produced by attempts to access Security Accounts Manager objects.
Security group management	Audit the events produced by changes to security groups.
Security system extension	Audit the events produced by the security system extensions or services.
Sensitive privilege use	Audit the events produced by the use of sensitive privileges.
Special logon	Audit the events produced by special logons.
System integrity	Audit the events that indicate that the integrity security subsystem has been violated.
User account management	Audit the events produced by changes to user accounts.

Auto Logon Last Logon Last Reboot

This is used to collect auto login is enabled or not, last user logon time and last system restart time.

Child Elements	Description
Last boot up time	This element specifies date and time the operating system was last restarted. It is in datetime format such as 20180226090624.652230+330
Last logon	This element specifies last log on timestamp. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC).
User name	This element specifies the name of a particular user.
Auto admin logon	This element specifies automatic logon feature is enabled or not. Automatic logon uses the domain, user name, and password stored in the registry to log users on to the computer when the system starts.�
Auto logon enabled user name	This element specifies the last user name entered in the Log On to Windows dialog box. This entry is required if you have configured Windows to log on automatically by setting the value of Auto admin logon to 1.

BIOS Information

This is used to collect various information about BIOS.

Child Elements	Description
BIOS Manufacture	This element specifies manufacturer of this software element. This value comes from the Vendor member of the BIOS Information structure in the SMBIOS information.
BIOS Name	The BIOS Name element used to identify the software element.
BIOS Serial Number	This element specifies serial number of the software element
System Management BIOS Version	This element specifies BIOS version as reported by SMBIOS. This value comes from the BIOS Version member of the BIOS Information structure in the SMBIOS information.
BIOS Status	This element specifies current status of BIOS. Various operational and nonoperational status can be defined.
BIOS Version	This element specifies version of the BIOS. This string is created by the BIOS manufacturer
BIOS Language	This element specifies name of the current BIOS language.

Bit Locker Information

This is used to collect bit-locker enabled device information.

Child Elements	Description
Device ID	This element specifies an unique identifier for the volume on this system.
Drive letter	This element specifies the drive letter of the volume.
Status	This element specifies the status of the volume, whether or not Bit-Locker is protecting the volume.
Volume ID	This element specifies a persistent identifier for the volume on this system.

Computer Information

This is used to collect various information about computer system.

Child Elements	Description
Base board serial number	This element represents the base board serial number.
Boot device	This element specifies the name of the disk drive from which the Windows operating system starts.
BIOS serial number	This element represents the BIOS serial number.
Cache Size	This element specifies the size of the total processor cache. A cache is an external memory area that has a faster access time than the main RAM memory.
CPU	This element specifies name of the processor.
CPU cores	This element specifies the number of CPU cores.
CPU Architecture	This element specifies processor architecture used by the platform.
CPU usage	This element specified CPU usage in percentage.
Disk description	This element specifies description of the disk drive.
Disk name	This element specifies the short description of the disk drive – a one-line string.
Disk drive serial number	This element specifies serial number of the disk drive.
Disk size	This element specifies size of the disk drive (in bytes).
Disk type	This element specifies a numeric value that corresponds to the type of disk drive this logical disk represents.
Network total bytes received	This element represents the number of bytes received.
Network total bytes transmitted	This element represents the number of bytes transmitted.
Network total bytes(received/transmitted)	This element represents the total number of bytes received and transmitted.
Operating system architecture	This element specifies the architecture of the operating system.
Operating system name	This element specifies the name of the operating system.
Operating system serial number	This element represents the operating system serial number.
Free RAM	This element specifies free system memory size in bytes.
RAM usage	This element specifies used system memory size in percentage.
RAM used	This element specifies used system memory size in bytes.
System name	This element specifies system name.
System time synchronization status	This element specifies if system time is synchronised with server using Network Time Protocol(NTP). Value is either true or false
System product name	This element specifies the system hardware name.
System product version	This element specifies the system hardware version.
System uptime	This element specifies the number of milliseconds that have elapsed since the system was started.
Total RAM	This element specifies system total memory size in bytes.
Timezone name	This element specifies the timezone such as Indian Standard Time.
Timezone difference	This element specifies the difference in timezone in hours.
Volume name	This element specifies volume name of the logical disk. Constraints: Maximum 32 characters.

Device information

This is used to collect information about plug and play devices.

Child Elements	Description
Device description	This element specifies description of the device.
Device driver	This element specifies the path of the service that supports the device.
Device GUID	This element specifies the globally unique identifier (GUID) of the device.
Device hardware ID	This element specifies the hardware ID of the device.
Device instance ID	This element specifies the instance ID of the device.
Device manufacture	This element specifies manufacturer of the device.
Device name	This element specifies label given to the device.
Device status	This element specifies the current status of the device. Various operational and nonoperational statuses can be defined.
Device type	This element specifies the type of the device.

DNS cache

DNS cache is used to check the time to live and IP addresses associated with a domain name. The time to live and IP addresses for a particular domain name are retrieved from the DNS cache on the local system. The entries in the DNS cache can be collected using Microsoft’s DnsGetCacheDataTable() and DnsQuery() API calls.

Child Elements	Description
Domain name	The Domain name element contains a string that represents a domain name that was collected from the DNS cache on the local system.
IP address	The IP address element contains a string that represents an IP address associated with the specified domain name that was collected from the DNS cache on the local system. Note that the IP address can be IPv4 or IPv6.
TTL	The ttl element contains an integer that represents the time to live in seconds of the DNS cache entry.

Environment Variables

This is used to check an environment variable for the specified process, which is identified by its process ID, on the system .

Child Elements	Description
Name	This element describes the name of an environment variable.
Process ID(PID)	The process ID of the process from which the environment variable was retrieved.
Value	The actual value of the specified environment variable.

Events

This is used to collect information about Security events, System events and Application events.

Child Elements	Description
channel	This element specifies one of the following channels Security, System or Application
Computer	This element specifies the time at which this entry was submitted.
Data	This element specifies fields of an event
Event ID	This element specifies a number identifying the particular event type. The value is specific to the event source for the event, and is used with source name to locate a description string in the message file for the event source.
Level	The level element is numeric value which specifies a classification of the event severity.
String:Channel	This element specifies one of the following channels Security, System or Application
String:Keyword	This element specifies a set of categories or tags that can be used to filter or search for events.
String:Level	The level element is a string value which specifies a classification of the event severity.
String:Message	This element specifies description of the event.
String:Opcode	This element specifies what activity the application or component was doing when the event was triggered.
String:Provider	This element specifies provider of the event
System time	This element specifies the time of the computer at which the event occurred.

Family of Operating System

This is used to check the family a certain system belongs to. This test basically allows the high level system types (window, unix, ios, etc.) to be tested.

Child Elements	Description
Family of Operating System	This element describes the high-level system OS type to test against. Please refer to the definition of the EntityFamilyType for more information about the possible values.

File

This is used to check metadata associated with files. File path is mandatory for this query while submitting to agents.

Child Elements	Description
Access time	Time of last access of file. Valid on NTFS but not on FAT formatted disk drives. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
Creation time	Time of creation of file. Valid on NTFS but not on FAT formatted disk drives. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
Company	This entity defines a company name to be found within the version-information structure.
Development class	The Development class element allows the distinction to be made between the GDR development environment and the QFE development environment. This field holds the text found in front of the mmmmmm-nnnn version, for example srv03_gdr.
File name	This element specifies name of the file on the machine.
File path*	This element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
Internal name	This entity defines an internal name to be found within the version-information structure.
Language	This entity defines a language to be found within the version-information structure.
Modified time	Time of last modification of file. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
Microsoft checksum	The checksum of the file as supplied by Microsoft’s MapFileAndCheckSum function.
Original filename	This entity defines an original filename to be found within the version-information structure.
Owner	The owner element is a string that contains the name of the owner. The name should be specified in the DOMAIN\username format.
Product name	This entity defines a product name to be found within the version-information structure.
Product version	This entity defines a product version to be found within the version-information structure.
Size	The size element is the size of the file in bytes.
Type	The type element marks whether the file is a directory, named pipe, standard file, etc. These types are the return values for GetFileType, with the exception of FILE_ATTRIBUTE_DIRECTORY which is obtained by looking at GetFileAttributesEx. NOTE: Should this entity be split into two in future versions of the language as there are other values associated with GetFileAttributesEx that are not represented here?
Version	The version element is the delimited version string of the file.
Windows view	The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.

File Audit Permissions

This is used to check the audit permissions associated with Windows files. Note that the trustee’s audited permissions are the audit permissions that the SACL grants to the trustee or to any groups of which the trustee is a member. File path is mandatory for this query while submitting to agents.

Child Elements	Description
Access system security	Indicates access to a system access control list (SACL).
File append data	Grants the right to append data to the file.
File delete child	Right to delete a directory and all the files it contains (its children), even If files are read-only.
File execute	Grants the right to execute a file.
File read attributes	Grants the right to read file attributes.
File read data	Grants the right to read data from the file.
File read ea	Grants the right to read extended attributes.
File write attributes	Grants the right to change file attributes.
File write data	Grants the right to write data to the file.
File write ea	Grants the right to write extended attributes.
File path*	This element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
Generic all	Read, write, and execute access.
Generic execute	Execute access.
Generic read	Read access.
Generic write	Write access.
Standard delete	The right to delete the object.
Standard read control	The right to read the information in the object’s Security Descriptor, not including the information in the SACL.
Standard synchronize	The right to use the object for synchronization. This enables a thread to wait until the object is in the signalled state. Some object types do not support this access right.
Standard write DAC	The right to modify the DACL in the object’s Security Descriptor.
Standard write owner	The right to change the owner in the object’s Security Descriptor.
Trustee SID	The Trustee SID element is the unique SID that associated a user, group, system, or program (such as a Windows service).
Windows view	The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.

File Effective Rights

This will collect directories and all Windows file types (FILE_TYPE_CHAR, FILE_TYPE_DISK, FILE_TYPE_PIPE, FILE_TYPE_REMOTE, and FILE_TYPE_UNKNOWN). File path is mandatory for this query while submitting to agents.

Child Elements	Description
Access system security	Indicates access to a system access control list (SACL).
File append data	Grants the right to append data to the file, or if a directory, grants the right to add a sub-directory to the directory.
File delete child	Right to delete a directory and all the files it contains (its children), even If files are read-only.
File execute	Grants the right to execute a file, or if a directory, the right to traverse the directory.
File read attributes	Grants the right to read file, or directory, attributes.
File read data	Grants the right to read data from the file, or if a directory, grants the right to list the content of the directory.
File read ea	Grants the right to read extended attributes.
File write attributes	Grants the right to change file, or directory, attributes.
File write data	Grants the right to write data to the file, or if a directory, grants the right to add a file to the directory.
File write ea	Grants the right to write extended attributes.
File path*	This element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
Generic all	Read, write, and execute access.
Generic execute	Execute access.
Generic read	Read access.
Generic write	Write access.
Standard delete	The right to delete the object.
Standard read control	The right to read the information in the object’s Security Descriptor, not including the information in the SACL.
Standard synchronize	The right to use the object for synchronization. This enables a thread to wait until the object is in the signalled state. Some object types do not support this access right.
Standard write DAC	The right to modify the DACL in the object’s Security Descriptor.
Standard write owner	The right to change the owner in the object’s Security Descriptor.
Trustee SID	The Trustee SID element is the unique SID that associated a user, group, system, or program (such as a Windows service).
Windows view	The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.

filehash58

This is used for a file hash of specific file(s). This only implies on regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. File path is mandatory for this query while submitting to agents.

Child Elements	Description
File path*	This entity specifies the directory component of the absolute path to a file on the machine.
Hash	This entity specifies the result of applying the hash algorithm to the file.
Hash type	This entity specifies the hash algorithm to use when collecting the hash for each of the specified files.
Windows view	The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems.

Firewall

This is used to collect firewall status on private, public and domain profiles and inbound/outbound traffic information.

Child Elements	Description
Allow inbound traffic	This element specifies the value for the default action for inbound traffic. It can be either allowed or blocked.
Allow outbound traffic	This element specifies the value for the default action for outbound traffic. It can be either allowed or blocked.
Block inbound traffic	This element specifies the value of the BlockAllInboundTraffic property. This property indicates whether inbound traffic is blocked for a specified profile.
Display notifications	This element specifies the value of the NotificationsDisabled property. This property indicates whether notifications are enabled or disabled for a specified profile.
Profile	This element specifies name of the profile i.e Public, Private or Domain
Status	This element specifies the value of the FirewallEnabled property. This property indicates whether the firewall is enabled or disabled for a specified profile.
Unicast response to multicasr broadcast	This element specifies the value of the UnicastResponseToMulticastBroadcastDisabled property. This property indicates whether the firewall should allow unicast incoming responses to outgoing multicast and broadcast traffic.

Group

This collects different users and subgroups that directly belong to specific groups (identified by name). When this collects the groups on the system, it only includes the local and built-in group accounts and not domain group accounts. However, it is important to note that domain group accounts can still be looked up. Also, note that the subgroups of the group will not be resolved to find indirect user and group members. If subgroups need to be resolved, it should be done using the SID query.

Child Elements	Description
Group	This element holds a string that represents the name of a particular group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, groups should be identified in the form: “domain\group name”. For local groups use: “computer name\group name”. For built-in accounts on the system, use the group name without a domain.
Sub-group	Applicable only for Windows systems. A string that represents the name of a particular subgroup in the specified group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, the subgroups should be identified in the form: “domain\group name”. In a local environment, the subgroups should be identified in the form: “computer name\group name”. If subgroups are built-in groups, the subgroups should be identified in the form: “group name” without a domain component.
User	Applicable only for Windows systems. This element holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: “domain\user name”. For local users use: “computer name\user name”. For built-in accounts on the system, use the user name without a domain.

Group SID

This defines the specific group(s) identified by SID.

Child Elements	Description
Group SID	This entity holds a string that represents the SID of a particular group.
Sub-group SID	This entity holds a string that represents the SID of particular subgroup in the specified group. This entity can be included multiple times in a system characteristic item in order to record that a group contains a number of different subgroups.
User SID	This entity holds a string that represents the SID of particular user in the specified group.

Installed Applications

This is used to collect information about installed application on the system.

Child Elements	Description
Application date	This element specifies installed application date.
Application name	This element specifies installed application name.
Application last use	This element specifies the last use date of an application.
Application path	This element specifies installed application path on the machine.
Application publisher	This element specifies the application publisher information.
Application version	This element specifies installed application version
Install location	This element specifies installed location on the machine.

Installed Patches

This is used to collect information about installed application on the system.

Child Elements	Description
Description	This element specifies the description of the patch.
Patch ID	The Patch ID element is unique identifier associated with a particular update.
Patch installed by	This element specifies the person who installed the update. If this value is unknown, the property is empty.
Patch installed on	This element specifies the date that the update was installed. If this value is unknown, the property is empty.
Patch rollback available	This element specifies if rollback is possible for this patch. Possible values are TRUE or FALSE. An empty value appears if it cannot be determined.
Patch severity	This element specifies severity of a patch. Possible values: Important, Critical, etc. An empty value appears if it cannot be determined.
Patch size	This element specifies size of a patch. Values are specified in bytes. A value UNKNOWN appears if patch size cannot be determined.

Network Interfaces

The interface test enumerate various attributes about the interfaces on a system.

Child Elements	Description
Active type	This element specifies the active interfaces.
Address type	This element specifies the address type or state of a specific interface. Each interface can be associated with more than one value meaning the Address type element can occur multiple times in a system characteristic item.
Broadcast address	This element specifies the broadcast address. A broadcast address is typically the IP address with the host portion set to either all zeros or all ones. Note that the IP address can be IPv4 or IPv6.
Hardware Address	The Hardware Address entity is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
Index	This element specifies index that identifies the interface.
IP address of an interface	This element specifies the IP address. Note that the IP address can be IPv4 or IPv6. If IP address is an IPv6 address, this entity will be expressed as an IPv6 address prefix using CIDR notation and the netmask entity will not be collected.
Name	This element specifies the name of an interface.
Netmask	This element specifies the subnet mask for the IP address. Note that If IP address of an interface entity contains an IPv6 address prefix, this entity will not be collected.
Type	This element specifies the type of interface which is limited to certain set of values.

Account Lockout Policy

The lockout policy test enumerates various attributes associated with lockout information for users and global groups in the security database.

Child Elements	Description
Force log-off	Specifies, in seconds, the amount of time between the end of the valid logon time and the time when the user is forced to log off the network. A value of TIMEQ_FOREVER (-1) indicates that the user is never forced to log off. A value of zero indicates that the user will be forced to log off immediately when the valid logon time expires. See the USER_MODALS_INFO_0 structure returned by a call to NetUserModalsGet().
Lockout duration	Specifies, in seconds, how long a locked account remains locked before it is automatically unlocked. See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
Lockout observation window	Specifies the maximum time, in seconds, that can elapse between any two failed logon attempts before lockout occurs. See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
Lockout threshold	Specifies the number of invalid password authentications that can occur before an account is marked “locked out.” See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().

Operating System Information

This is used to collect various information about installed operating system.

Child Elements	Description
Build version	This element specifies the build number of an operating system. It can be used for more precise version information than product release version numbers.
OS Architecture	This element specifies the Architecture of the operating system, as opposed to the processor.
OS Country code	This element specifies the code for the country/region that an operating system uses. Values are based on international phone dialling prefixes-also referred to as IBM country/region codes.
OS Locale	This element specifies the language identifier used by the operating system. A language identifier is a standard international numeric abbreviation for a country/region.
Operating system name	This element specifies the operating system instance within a computer system.
Operating system version	This element specifies the operating system instance within a computer system.
Service pack major	This element specifies the major version number of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero).
Service pack minor	This element specifies the minor version number of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero).

Password Policy

Specific policy items associated with passwords. It is important to note that these policies are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information. Information is stored in the SAM or Active Directory but is encrypted or hidden so the registry and activedirectory are of no use. If this can be figured out, then the password policy is not needed.

Child Elements	Description
Maximum password age	Specifies, in seconds, the maximum allowable password age. A value of TIMEQ_FOREVER (-1) indicates that the password never expires. The minimum valid value for this element is ONE_DAY (86400).
Minimum password age	Specifies the minimum number of seconds that can elapse between the time a password changes and when it can be changed again. A value of zero indicates that no delay is required between password updates.
Minimum password length	Specifies the minimum allowable password length. Valid values for this element are zero through PWLEN.
Password hint length	Specifies the length of password history maintained. A new password cannot match any of the previous usrmod0_password_hist_len passwords. Valid values for this element are zero through DEF_MAX_PWHIST.
Password complexity	A boolean value that signifies whether passwords must meet the complexity requirements put forth by the operating system.
Reversible encryption	Determines whether or not passwords are stored using reversible encryption.

Port/Network Connection

Information about open ports and network connections.

Child Elements	Description
Local address	This element specifies the local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6.
Local port	This element specifies the number assigned to the local listening port.
Protocol	This element specifies the type of listening port. It is restricted to either TCP or UDP.
Process ID(PID)	The id given to the process that is associated with the specified listening port.
Foreign address	This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
Foreign port	This is the TCP or UDP port to which the program communicates.

Printer Effective Rights

This item stores the effective rights of a printer that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee’s effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.

Child Elements	Description
Printer name	This entity specifies the name of the printer.
Trustee SID	This entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
Standard delete	The right to delete the object.
Standard read control	The right to read the information in the object’s security descriptor, not including the information in the SACL.
Standard write DAC	The right to modify the DACL in the object’s security descriptor.
Standard write owner	The right to change the owner in the object’s security descriptor.
Standard synchronize	The right to use the object for synchronization. This enables a thread to wait until the object is in the signaller state. Some object types do not support this access right.
Access system security	Indicates access to a system access control list (SACL).
Generic read	Read access.
Generic write	Write access.
Generic execute	Execute access.
Generic all	Read, write, and execute access.
Printer access administer	Printer access administer
Printer access use	Printer access use
Job access administer	Job access administer
Job access read	Job access read

Process

Information about running processes.

Child Elements	Description
Creation time	The Creation time entity represents the creation time of the process. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). See the GetProcessTimes function lpCreationTime.
Current directory	The Current directory entity represents the current path to the executable file for the process.
DEP enabled	The DEP enabled entity represents whether or not data execution prevention (DEP) is enabled. See the GetProcessDEPPolicy function lpFlags.
Image path	The Image path entity represents the name of the executable file for the process.
Name	This element indicates name of the process.
Parent process ID	The id given to the parent of the process that is created for the specified command line.
Priority	The base priority of the process.
Primary windows text	This represents the title of the primary window of the process. See the GetWindowText function.
Process ID(PID)	The id given to the process that is created for a specified command line.
Process memory	Virtual memory is an approach to make use of the secondary storage devices as an extension of the primary storage of the computer.
Swap size	This element specified the swap size in bytes.

Registry

The windows registry item specifies information that can be collected about a particular registry key. Hive, Key and Name are mandatory fields while submitting to agents.

Child Elements	Description
Hive*	The hive that the registry key belongs to.
Key*	This element describes a registry key to be gathered. Note that the hive portion of the string should not be included, as this data can be found under the hive element. If xsi:nil attribute is set to true, then the item being represented is the higher level hive. Using xsi:nil here will result in a status of ‘does not exist’ for the type, and value entities since these entities are not associated with a hive by itself. Note that when xsi:nil is used for the key element, the name element should also be nilled.
Name*	This element describes the name of a registry key. If xsi:nil attribute is set to true, then the item being represented is the higher level key. Using xsi:nil here will result in a status of ‘does not exist’ for the type, and value entities since these entities are not associated with a key by itself.
Last write time	The last time that the key or any of its value entries was modified. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). Last write time can be queried on a hive, key, or name. When collecting only information about a registry hive the last write time will be the time the hive or any of its entries was written to. When collecting only information about a registry hive and key the last write time will be the time the key or any of its entries was written to. When collecting only information about a registry name the last write time will be the time the name was written to. See the RegQueryInfoKey function lpftLastWriteTime.
Type	Specifies the type of data stored by the registry key. For example: REG_BINARY, REG_DWORD, REG_QWORD etc.
Value	This entity holds the actual value of the specified registry key. The representation of the value as well as the associated datatype attribute depends on type of data stored in the registry key. If specified registry key is of type REG_BINARY, then the datatype attribute should be set to ‘binary’ and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If registry key is of type REG_DWORD or REG_QWORD, then the datatype attribute should be set to ‘int’ and the value entity should represent the data as an integer. If specified registry key is of type REG_EXPAND_SZ, then the datatype attribute should be set to ‘string’ and the pre-expanded string should be represented by the value entity. If specified registry key is of type REG_MULTI_SZ, then multiple value entities should exist to describe the array of strings, with each value element holds a single string. In the end, there should be the same number of value entities as there are strings in the reg_multi_sz array. If specified registry key is of type REG_SZ, then the datatype should be ‘string’ and the value entity should be a copy of the string.
Windows view	The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64-bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.

Registry Key Audit Permissions

The windows registry item specifies information that can be collected about a particular registry key. Hive and Key are mandatory fields while submitting to agents.

Child Elements	Description
Hive*	This element specifies the hive of a registry key on the machine from which the SACL was retrieved.
Key*	This element specifies a registry key on the machine from which the SACL was retrieved. Note that the hive portion of the string should not be included, as this data should be found under the hive element.
Access system security	Indicates access to a system access control list (SACL).
Create link	Create link
Create sub-key	Create sub-key
Enumerate sub-keys	Enumerate sub-keys
Generic read	Read access.
Generic write	Write access.
Generic execute	Execute access.
Generic all	Read, write, and execute access.
Notify	Notify
Query value	Query value
Set value	Set value
Standard delete	The right to delete the object.
Standard read control	The right to read the information in the object’s security descriptor, not including the information in the SACL.
Standard write DAC	The right to modify the DACL in the object’s security descriptor.
Standard write owner	The right to change the owner in the object’s security descriptor.
Trustee SID	The security identifier (SID) of the specified trustee name.
Windows view	The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64-bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
Wow64 64bit key	Wow64 64bit key
Wow64 32 bit key	Wow64 32 bit key
Wow64 result	Wow64 result

Registry Key Effective Rights

This item stores the effective rights of a registry key that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee’s effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api. Hive and Key are mandatory fields while submitting to agents.

Child Elements	Description
Hive*	The hive that the registry key belongs to.
Key*	This element describes a registry key to be gathered. Note that the hive portion of the string should not be included, as this data can be found under the hive element. If xsi:nil attribute is set to true, then the item being represented is the higher level hive.
Trustee SID	This entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
Standard delete	The right to delete the object.
Standard read control	The right to read the information in the object’s security descriptor, not including the information in the SACL.
Standard write DAC	The right to modify the DACL in the object’s security descriptor.
Standard write owner	The right to change the owner in the object’s security descriptor.
Access system security	Indicates access to a system access control list (SACL).
Generic read	Read access.
Generic write	Write access.
Generic execute	Execute access.
Generic all	Read, write, and execute access.
Query value	Query value
Set value	Set value
Create sub-key	Create sub-key
Enumerate sub-keys	Enumerate sub-keys
Notify	Notify
Create link	Create link
Wow64 64bit key	Wow64 64bit key
Wow64 32 bit key	Wow64 32 bit key
Wow64 result	Wow64 result
Windows view	The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64-bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.

Run command history

This is used to collect history of run command.

Child Elements	Description
History	This element specifies the history of run command.

Scheduled Programs

This is used to collect various information about scheduled task.

Child Elements	Description
Task name	This element specifies the scheduled task name.
Task enabled	The Task enabled element is a boolean value that indicates If registered task is enabled.
Task state	This element specifies the operational state task.
Task path	This element specifies the the path to where the registered task is stored on the machine.
Last run time	This element specifies the time the registered task was last run. Data appears in timestamp format such as 1519706807.
Next run time	This element specifies the time when the registered task is next scheduled to run. Data appears in timestamp format such as 1520409600.

Service Effective Rights

This item stores the effective rights of a service that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee’s effective rights are determined by checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.

Child Elements	Description
Service name	This element specifies a service on the machine from which to retrieve the DACL. Note that the Service name element should contain the actual name of the service and not its display name that is found in Control Panel->Administrative Tools->Services. For example, if you wanted to check the effective rights of the Automatic Updates service you would specify ‘wuauserv’ for the Service name element not ‘Automatic Updates’.
Trustee SID	This element specifies the SID that is associated with a user, group, system, or program (such as a Windows service).
Standard delete	This permission is required to call the DeleteService function to delete the service.
Standard read control	This permission is required to call the QueryServiceObjectSecurity function to query the security descriptor of the service object.
Standard write DAC	This permission is required to call the SetServiceObjectSecurity function to modify the Dacl member of the service object’s security descriptor.
Standard write owner	This permission is required to call the SetServiceObjectSecurity function to modify the Owner and Group members of the service object’s security descriptor.
Generic read	Read access (STANDARD_RIGHTS_READ, SERVICE_QUERY_CONFIG, SERVICE_QUERY_STATUS, SERVICE_INTERROGATE, SERVICE_ENUMERATE_DEPENDENTS).
Generic write	Write access (STANDARD_RIGHTS_WRITE, SERVICE_CHANGE_CONFIG).
Generic execute	Execute access (STANDARD_RIGHTS_EXECUTE, SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE, SERVICE_USER_DEFINED_CONTROL).
Service query configuration	This permission is required to call the QueryServiceConfig and QueryServiceConfig2 functions to query the service configuration.
Service change configuration	This permission is required to call the ChangeServiceConfig or ChangeServiceConfig2 function to change the service configuration.
Service query statistics	This permission is required to call the QueryServiceStatusEx function to ask the service control manager about the status of the service.
Service enumeration dependents	This permission is required to call the EnumDependentServices function to enumerate all the services dependent on the service.
Service start	This permission is required to call the StartService function to start the service.
Service stop	This permission is required to call the ControlService function to stop the service.
Service pause	This permission is required to call the ControlService function to pause or continue the service.
Service interrogate	This permission is required to call the ControlService function to ask the service to report its status immediately.
Service user-defined	This permission is required to call the ControlService function to specify a user-defined control code.

Services

This is used to collect different metadata associated with a windows service.

Child Elements	Description
Service name	This element specifies the name of a service in the service control manager database.
Service display name	This element specifies the service’s display name. The display name is same as it appears in the Windows Services control panel utility.
Service status	This element specifies the current status of the service.
Service start type	This element specifies a value that indicates how the service starts.
Service dependency	This element specifies the dependent services names.
Service description	This element specifies the service description.

Shared Resources

This is used to collect different metadata associated with a windows service.

Child Elements	Description
Netname	The share name of the resource.
Shared type	The type of the shared resource.
Maximum uses	The maximum number of concurrent connections that the shared resource can accommodate.
Current uses	The number of current connections to the shared resource.
Local path	The local path for the shared resource.
Access read permission	Permission to read data from a resource and, by default, to execute the resource.
Access write permission	Permission to write data to the resource.
Access create permission	Permission to create an instance of the resource (such as a file); data can be written to the resource as the resource is created.
Access execute Permission	Permission to execute the resource.
Access delete permission	Permission to delete the resource.
Access attribute permission	Permission to modify the resource’s attributes (such as the date and time when a file was last modified).
Access permanent permission	Permission to modify the permissions (read, write, create, execute, and delete) assigned to a resource for a user or application.
Access all permissions	Permission to read, write, create, execute, and delete resources, and to modify their attributes and permissions.

sharedresourceauditedpermissions

This is used to collect different metadata associated with a windows service.

Child Elements	Description
Netname	This entity specifies the name associated with a particular shared resource.
Trustee SID	This entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
Standard delete	The right to delete the object.
Standard read control	The right to read the information in the object’s security descriptor, not including the information in the SACL.
Standard write DAC	The right to modify the DACL in the object’s security descriptor.
Standard write owner	The right to change the owner in the object’s security descriptor.
Standard synchronize	The right to use the object for synchronization. This enables a thread to wait until the object is in the signalled state. Some object types do not support this access right.
Access system security	Indicates access to a system access control list (SACL).
Generic read	Read access.
Generic write	Write access.
Generic execute	Execute access.
Generic all	Read, write, and execute access.

Shared resource effective rights

This is used to collect different metadata associated with a windows service.

Child Elements	Description
Netname	This entity specifies the name associated with a particular shared resource.
Trustee SID	This entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
Standard delete	The right to delete the object.
Standard read control	The right to read the information in the object’s security descriptor, not including the information in the SACL.
Standard write DAC	The right to modify the DACL in the object’s security descriptor.
Standard write owner	The right to change the owner in the object’s security descriptor.
Standard synchronize	The right to use the object for synchronization. This enables a thread to wait until the object is in the signalled state. Some object types do not support this access right.
Access system security	Indicates access to a system access control list (SACL).
Generic read	Read access.
Generic write	Write access.
Generic execute	Execute access.
Generic all	Read, write, and execute access.

SID

This is used to check properties associated with any shared resource on the system.

Child Elements	Description
Trustee name	This element specifies the trustee name associated with a particular SID. In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: “domain\trustee name”. For local trustee names use: “computer name\trustee name”. For built-in accounts on the system, use the trustee name without a domain.
Trustee SID	The security identifier (SID) of the specified trustee name.
Trustee domain	The domain of the specified trustee name.

SID SID

This is used to check properties associated with any shared resource on the system.

Child Elements	Description
Trustee domain	The domain of the specified trustee name.
Trustee name	This element specifies the trustee name associated with a particular SID. In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: “domain\trustee name”. For local trustee names use: “computer name\trustee name”. For built-in accounts on the system, use the trustee name without a domain.
Trustee SID	The security identifier (SID) of the specified trustee name.

System Autorun

This is used to collect information about startup applications.

Child Elements	Description
Application name	This element specifies the file name of the startup command.
Caption	This element specifies the short description of the startup command.
Command	This element specifies the command run by the startup command.
Description	This element specifies description of the startup command.
Location	This element specifies the path where the startup command resides on the disk file system.
User	This element specifies the user name for whom this startup command will run.

System DEP Policy

This is used to collect information about system Data Execution Prevention (DEP) status.

Child Elements	Description
DEP Policy	This element specifies the DEP policy status on the system.

System DHCP Information

This is used to collect system Dynamic Host Configuration Protocol (DHCP) information.

Child Elements	Description
DHCP enabled	This element specifies the value that specifies whether the dynamic host configuration protocol (DHCP) is enabled for this adapter.
DHCP Server IP	This element specifies the address of the DHCP server for this adapter.
Lease obtained time	This element specifies the time when the current DHCP lease was obtained.
Lease expire time	This element specifies the time when the current DHCP lease expires.
IP mask	This element specifies the list of ip addresses associated with this adapter.
Gateway IP	This element specifies the ip address of the gateway for this adapter.
Description	This element specifies an ANSI character string that contains the description of the adapter.
MAC Address	This element specifies the hardware address for the adapter.
Type	This element specifies the adapter type.

System DNS Information

This is used to collect domain name and domain name system ip information.

Child Elements	Description
Domain name	This element specifies the domain in which the local computer is registered.
DNS server IP	This element specifies the list of dns server ip address used by the local computer.

System UAC Policy

This is used to collect information about system User Account Control (UAC) status.

Child Elements	Description
System UAC Policy	This element specifies the UAC policy status on the system.

Text File Content

This element looks at the content of a text file (aka a configuration file) by looking at in idual lines. File path, pattern and instance are mandatory for this query while submitting to agents.

Child Elements	Description
File path*	This element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
Pattern/Text*	This entity represents a block of text or regular expression that is used to define a block of text. Subexpression notation (parenthesis) is used to call out a value(s) to test against. For example, the pattern abc(.*)xyz would look for a block of text in the file that starts with abc and ends with xyz, with the subexpression being all the characters that exist in between. Note that If pattern can match more than one block of text starting at the same point, then it matches the longest. Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later.
Instance*	The instance entity calls out which match of the pattern is being represented by this item. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. The main purpose of this entity is too provide uniqueness for different items that results from multiple matches of a given pattern against the same file.
Sub-expression	The subexpression entity represents the value of a subexpression in the specified pattern. If multiple subexpressions are specified in the pattern, then multiple entities are presented. Note that this in OVAL definition schema only allows a single subexpression entity. This means that this will check that all (or at least one, none, etc.) the subexpressions pass the same check. This means that the order of multiple subexpression entities in the item does not matter.
Windows view	The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64-bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems.

User SID

This allows collection of different groups (identified by SID) that a user belongs to.

Child Elements	Description
User SID	A string the represents the SID of a particular user.
Enabled	A boolean that represents whether the particular user is enabled or not.
Group SID	A string that represents the SID of a particular group. If specified user belongs to more than one group, then multiple Group SID elements should exist. If specified user is not a member of a single group, then a single Group SID element should exist with a status of ‘does not exist’. Ifre is an error determining the groups that the user belongs to, then a single Group SID element should be included with a status of ‘error’.

WMI

The wmi57 outlines information to be checked through Microsoft’s WMI interface. Namespace and Windows Query Language(WQL) are mandatory fields while submitting to agents.

Child Elements	Description
Namespace*	The WMI namespaces of the specific object.
Windows Query Language(WQL)*	A WQL query used to identify the object(s) specified. Any valid WQL query is allowed with one exception, all fields must be named. For example SELECT name, age FROM … is valid, but SELECT * FROM … is not valid. This is because the record entity supports only named fields.
Result	This entity holds the results of the specified WQL statement.

WSUS SCCM Information

This is used to collect configuration details about Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM).

Child Elements	Description
User Windows update server	The UseWUServer element if set to 1 specifies to use wsus server settings.
No auto update	This element specifies enable/disable automatic updates.
Auto update options	This element specifies how to download and notify updates.
Windows update server	This element specifies URL of the WSUS server used by Automatic Updates.
Windows update status server	This element specifies HTTP(S) URL of the server to which reporting information will be sent for client computers that use the WSUS server configured by the WUServer key

WUA Update Searcher

This outlines information defined through the Search method of the IUpdateSearcher interface as part of Microsoft’s WUA (Windows Update Agent) API. This information is related to the current patch level in a Windows environment. Search criteria is a mandatory field while submitting query to agents.

Child Elements	Description
Search criteria*	This entity specifies a search criteria to use when generating a search result. The string used for the search criteria entity must match the custom search language for Search method of the IUpdateSearcher interface. The string consists of criteria that are evaluated to determine which updates to return. The Search method performs a synchronous search for updates by using the current configured search options. For more information about possible search criteria, please see the Search method of the IUpdateSearcher interface.
Update ID	This entity specifies a string that represents a revision-independent identifier of an update. This information is part of the IUpdateIdentity interface that is part of the result of the IUpdateSearcher interface’s Search method. Note that multiple update identifiers can be associated with a give search criteria and thus multiple entities can exist for this item.

Volume

The volume item enumerates various attributes about a particular volume mounted to a machine. This includes the various system flags returned by GetVolumeInformation(). It is important to note that these system flags are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information.

Child Elements	Description
Root path	A string that contains the root directory of the volume to be described. A trailing backslash is required. For example, you would specify \\MyServer\MyShare as “\\MyServer\MyShare\”, or the C drive as “C:\”.
File system	The type of filesystem. For example FAT or NTFS.
Name	The name of the volume.
Drive type	The drive type of the volume.
Volume Maximum Compoment Length	This element specifies the maximum length, in TCHARs, of a file name component that a specified file system supports. A file name component is the portion of a file name between backslashes. The value that is stored in the variable that *lpMaximumComponentLength points to is used to indicate that a specified file system supports long names. For example, for a FAT file system that supports long names, the function stores the value 255, rather than the previous 8.3 indicator. Long names can also be supported on systems that use the NTFS file system.
Serial number	The volume serial number.
Case sensitive search	The file system supports case-sensitive file names.
Case preserved names	The file system preserves the case of file names when it places a name on disk.
Unicode on disk	The file system supports Unicode in file names as they appear on disk.
Persistent ACLs	The file system preserves and enforces ACLs. For example, NTFS preserves and enforces ACLs, and FAT does not.
File compression	The file system supports file-based compression.
Volume quota	The file system supports disk quotas.
Supports sparse files	The file system supports sparse files.
Supports reparse points	The file system supports reparse points.
Supports remote storage	The specified volume is a compressed volume; for example, a DoubleSpace volume.
Is volume compressed?	The specified volume is a compressed volume; for example, a DoubleSpace volume.
Supports object IDs	The file system supports object identifiers.
Supports encryption	The file system supports the Encrypted File System (EFS).
Named streams	The file system supports named streams.
File read-only volumes	The specified volume is read-only.
File sequential write once	The file system supports one time writes in sequential order.
File supports transactions	The file system supports transaction processing.
File supports hard links	The file system supports direct links to other devices and partitions.
File supports extended attributes	The file system supports extended attributes.
File supports open by file ID	The file system supports fileID.
File supports usn journal	The file system supports update sequence number journals.

Wireless Information

This is used to collect various information about wireless connection (WLAN).

Child Elements	Description
WLAN Interface GUID	This element holds a string that represents the GUID of an wireless interface.
WLAN Interface description	This element specifies the wireless interface description.
WLAN Interface state	This element specifies the state of the wireless interface
WLAN Connection Mode	This element specifies the mode of connection.
WLAN Profile name	This element specifies the profile name associated with the network. If network does not have a profile, this member will be empty. If multiple profiles are associated with the network, there will be multiple entries with the same SSID in the visible network list.
WLAN SSID	This element specifies the contains the SSID of the association.
WLAN BSS Network type	This element specifies whether the network is infrastructure or ad hoc.
WLAN MAC address	This element specifies physical hardware address wireless interface.
WLAN Physical network type	The WLAN Physical network type element indicates the physical type of the association.
WLAN Physical index	This element specifies the list of PHY types.
WLAN Signal quality	This element specifies a percentage value that represents the signal quality of the network.
WLAN Receiving rate	This element specifies the receiving rate of the association.
WLAN Transmission rate	This element specifies the transmission rate of the association.
WLAN Security enabled	This element specifies whether security is enabled on the network. A value of TRUE indicates that security is enabled, otherwise it is not.
WLAN 802.11 enabled	This element specifies whether 802.1X is enabled for this connection.
WLAN Authentication algorithm	This element specifies currently used authentication algorithm.
WLAN Cipher algorithm	This element specifies currently used cipher algorithm.

User

This is used to check information about Windows users. When this collects the users on the system, it only includes the local and built-in user accounts and not domain user accounts. However, it is important to note that domain user accounts can still be looked up. Also, note that the collection of groups, for which a user is a member, is not recursive. The groups that will be collected are those for which the user is a direct member. For example, if a user is a member of group A, and group A is a member of group B, the only group that will be collected is group A.

Child Elements	Description
Enabled	This element holds a boolean value that specifies whether the particular user account is enabled or not.
Group	A string that represents the name of a particular group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, groups should be identified in the form: “domain\group name”. For local groups use: “computer name\group name”. For built-in accounts on the system, use the group name without a domain.The group element can be included multiple times in a system characteristic item in order to record that a user can be a member of a number of different groups.
Last logon	The date and time when the last logon occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, GMT.
User	This entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: “domain\user name”. For local users use: “computer name\user name”. For built-in accounts on the system, use the user name without a domain.
Domain logon	The Domain logon holds a string that represents the name of a particular domain user.
Is elevated?	The iselevated holds a string that represents the user name should have admin rights.

User SID

This is used to check information about Windows users. When this check collects the user SIDs on the system, it should only include the local and built-in user SIDs and not domain user SIDs. However, it is important to note that domain user SIDs can still be looked up. Also, note that the collection of groups, for which a user is a member, is not recursive. The only groups that will be collected are those for which the user is a direct member. For example, if a user is a member of group A, and group A is a member of group B, the only group that will be collected is group A.

Child Elements	Description
Enabled	This element holds a boolean value that specifies whether the particular user account is enabled or not.
Group SID	A string the represents the SID of a particular group. The Group SID element can be included multiple times in a system characteristic item in order to record that a user can be a member of a number of different groups.
Last Logon	The date and time when the last logon occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, GMT.
Name	This entity indicates the name of the user.
User SID	This entity holds a string that represents the SID of a particular user.

License

The entity is used to check the content of a particular entry in the Windows registry HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions key, ProductPolicy value. Access to this data is exposed by the functions NtQueryLicenseValue (and also, in version 6.0 and higher, ZwQueryLicenseValue) in NTDLL.DLL. Name is a mandatory field while submitting to agents.

Child Elements	Description
name*	The name of the license.
type	This entity provides the type of data that is expected: REG_SZ (0x01) for a string; REG_BINARY (0x03) for binary data; REG_DWORD (0x04) for a DWORD.
value	attribute should be set to ‘binary’ and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If the value being checked is of type REG_DWORD, then the datatype attribute should be set to ‘int’ and the value entity should represent the data as an integer. If the specified registry key is of type REG_SZ, then the datatype should be ‘string’ and the value entity should be a copy of the string.

NTUser

This element defines the different metadata associated with a ntuser.dat file. This includes the key, name, type, and value. Key and name are mandatory fields while submitting to agents.

Child Elements	Description
Account type	The account_type element describes if the user account is a local account or domain account.
date_modified	Time of last modification of file. The integer should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
Days since modified	The number of days since the ntuser.dat file was last modified. The value should be rounded up to the next whole integer.
Enabled	The enabled element describes if the user account is enabled or disabled.
File path	This element describes the file path of the ntuser.dat file.
Key*	This element describes a registry key normally found in the HKCU hive to be tested.
Last write time	The last time that the key or any of its value entries was modified. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). Last write time can be queried on a key or name. When collecting only information about a registry key the last write time will be the time the key or any of its entities was written to. When collecting only information about a registry name the last write time will be the time the name was written to. See the RegQueryInfoKey function lpftLastWriteTime. Data appears in timestamp format such as 1520409600.
Logged on	The logged_on element describes if the user account is currently logged on to the computer.
Name*	This element describes the name of a value of a registry key.
SID	This element holds a string that represents the SID of a particular user.
Username	This entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. In a domain environment, users should be identified in the form: “domain\user name”. For local users use: “computer name\user name”.
Type	This entity allows a test to be written against the registry type associated with the specified registry key(s).
Value	The entity specifies value of the registry key.

System Metric

This is used to check the value of a particular Windows system metric. Access to this information is exposed by the GetSystemMetrics function in User32.dll.

Child Elements	Description
Index	This entity corresponds to the index entity.
Value	This entity provides the value of the system metric.

User right

This entity is used to enumerate all of the trustees/SIDs that have been granted a specific user right/privilege.

Child Elements	Description
Trustee name	This entity is the unique name associated with the SID that has been granted the specified user right/privilege. A trustee can be associated with a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. In a domain environment, trustee names should be identified in the form: “domain\trustee name”. For local trustee names use: “computer name\trustee name”. For built-in accounts on the system, use the trustee name without a domain.
Trustee SID	This entity identifies the SID that has been granted the specified user right/privilege.
User right	This entity holds a string that represents the name of a particular user right/privilege.

Junction

This used to obtain canonical path information for junctions (reparse points) on Windows filesystems. Path is a mandatory filed while submitting to agents.

Child Elements	Description
Path*	This specifies the path.
Canonical path	This specifies the canonical path for the target of a Windows junction specified by the path.
Windows view	This is used to indicate which view (32-bit or 64-bit), the associated path applies to.

PE Header

This defines the different metadata associated with the header of a PE file. For more information, please see the documentation for the IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER structures. File path is a mandatory field while submitting to agents.

Child Elements	Description
Address of entry point	This entity is an unsigned 32-bit integer (DWORD) that specifies the address where the loader will begin execution.
Base of code	This entity is an unsigned 32-bit integer (DWORD) that specifies the relative virtual address where the file’s code section begins.
Base of data	This entity is an unsigned 32-bit integer (DWORD) that specifies the relative virtual address where the file’s data section begins.
Checksum	This entity is an unsigned 32-bit integer (DWORD) that specifies the checksum of the image file.
DLL characteristics	This entity is an unsigned 32-bit integer (DWORD) that specifies the set of flags indicating the circumstances under which a DLL’s initialization function will be called.
File path*	This element specifies the absolute path for a PE file on the machine. A directory cannot be specified as a file path.
Header signature	This entity is the signature of the header.
Number of sections	This entity is an unsigned 16-bit integer (WORD) that specifies the number of sections in the file.
Number of symbols	This entity is an unsigned 32-bit integer (DWORD) that specifies the number of symbols in the COFF symbol table.
Pointer to symbol table	This entity is an unsigned 32-bit integer (DWORD) that specifies the file offset of the COFF symbol table.
Target machine type	This entity is an unsigned 16-bit integer (WORD) that specifies the target architecture that the file is intended for.
Time date stamp	This entity is an unsigned 32-bit integer (DWORD) that specifies the time that the linker produced the file. The value is represented as the number of seconds since January 1, 1970, 00:00:00.
Size of optional header	This entity is an unsigned 32-bit integer (DWORD) that specifies the size of an optional header in bytes.
Image file aggressive working set trim	This entity is a boolean value that specifies that the working set should be aggressively trimmed.
Image file debug stripped	This entity is a boolean value that specifies that the debugging information is stored separately in a .dbg file.
Image file executable image	This entity is a boolean value that specifies if the file is executable.
Image file large address aware	This entity is a boolean value that specifies that the application can handle addresses larger than 2GB.
Image file local symbols stripped	This entity is a boolean value that specifies if the local symbols are stripped from the file.
Image file line numbers stripped	This entity is a boolean value that specifies if the line numbers are stripped from the file.
Image file 16bit machine	This entity is a boolean value that specifies that the computer supports 16-bit words.
Image file 32bit machine	This entity is a boolean value that specifies that the computer supports 32-bit words.
Image file bytes reversed low	This entity is a boolean value that specifies that the bytes of the word are reversed.
Image file dll	This entity is a boolean value that specifies that the image is a DLL.
Image file relocs stripped	This entity is a boolean value that specifies if the relocation information is stripped from the file.
Image file removable run from swap	This entity is a boolean value that specifies that the image is on removable media, copy and run from the swap file.
Image file system	This entity is a boolean value that specifies that the image is a system file.
Image file up system only	This entity is a boolean value that specifies that the file should only be run on a uniprocessor computer.
Image file dll	This entity is a boolean value that specifies that the image is a DLL.
Image file up system only	This entity is a boolean value that specifies that the file should only be run on a uniprocessor computer.
Image file bytes reversed high	This entity is a boolean value that specifies that the bytes of the word are reversed.
Magic number	This entity is an unsigned 16-bit integer (WORD) that specifies the state of the image file.
Major linker version	This entity is a BYTE that specifies the major version of the linker that produced the file.
Minor linker version	This entity is a BYTE that specifies the minor version of the linker that produced the file.
Image base address	This entity is an unsigned 32-bit integer (DWORD) that specifies the preferred address of the first byte of the image when it is loaded into memory.
Section alignment	This entity is an unsigned 32-bit integer (DWORD) that specifies the alignment of the sections loaded into memory.
File alignment	This entity is an unsigned 32-bit integer (DWORD) that specifies the alignment of the raw data of sections in the image file.
Loader flags	This entity is an unsigned 32-bit integer (DWORD) that specifies the loader flags of the header.
Major operating system version	This entity is an unsigned 16-bit integer (WORD) that specifies the major version of the operating system required to use this executable.
Minor operating system version	This entity is an unsigned 16-bit integer (WORD) that specifies the minor version of the operating system required to use this executable.
Major image version	This entity is an unsigned 16-bit integer (WORD) that specifies the major version number of the image.
Minor image version	This entity is an unsigned 32-bit integer (DWORD) that specifies the minor version number of the image.
Major subsystem version	This entity is an unsigned 16-bit integer (WORD) that specifies the major version of the subsystem required to run the executable.
Minor subsystem version	This entity is an unsigned 16-bit integer (WORD) that specifies the minor version of the subsystem required to run the executable.
Number of RVA and sizes	This entity is an unsigned 32-bit integer (DWORD) that specifies the number of directory entries in the remainder of the optional header.
Real number of directory entries	This entity is the real number of data directory entries in the remainder of the optional header calculated by enumerating the directory entries.
Size of code	This entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the code sections (in bytes).
Size of headers	This entity is an unsigned 32-bit integer (DWORD) that specifies the total combined size of the MS-DOS stub, PE header, and the section headers (in bytes).
Size of heap reserve	This entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to reserve for the local heap.
Size of heap commit	This entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to commit for the local heap.
Size of image	This entity is an unsigned 32-bit integer (DWORD) that specifies the total size of the image including all of the headers (in bytes).
Size of initialized data	This entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the sections that are composed of initialized data (in bytes).
Size of stack commit	This entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to commit for the stack.
Size of stack reserve	This entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to reserve for the stack.
Size of uninitialized data	This entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the sections that are composed of uninitialized data (in bytes).
Subsystem	This entity is an unsigned 32-bit integer (DWORD) that specifies the type of subsystem that the executable uses for its user interface.
Windows view	The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.

User Access Control(UAC)

This element specifies the different settings that are available under User Access Control. A user access control test will reference a specific instance of this state that defines the exact settings that need to be evaluated.

Child Elements	Description
Admin approval mode	Admin Approval Mode for the Built-in Administrator account.
Detect installations	Detect application installations and prompt for elevation.
Elevation prompt admin	Behavior of the elevation prompt for administrators in Admin Approval Mode.
Elevation prompt standard	Behavior of the elevation prompt for standard users.
Elevate signed executables	Only elevate executables that are signed and validated.
Elevate UI access	Only elevate UIAccess applications that are installed in secure locations.
Run admins AAM	Run all administrators in Admin Approval Mode.
Secure desktop	Switch to the secure desktop when prompting for elevation.
Virtualize write failures	Virtualize file and registry write failures to per-user locations.

XML File Content

This element is used by a xml file content test to define the specific piece of an xml file(s) to be evaluated. This will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. The set of files to be evaluated will be identified with a complete File path. File path and XPath are mandatory fields while submitting to agents.

Child Elements	Description
File path*	This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path.
XPath*	Specifies an XPath 1.0 expression to evaluate against the XML file specified by the filename entity. This XPath 1.0 expression must evaluate to a list of zero or more text values which will be accessible in OVAL via instances of the value_of entity. Any results from evaluating the XPath 1.0 expression other than a list of text strings (e.g., a nodes set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute. However, an OVAL interpreter is not required to verify this, so the author should define the XPath expression carefully. Note that “equals” is the only valid operator for the xpath entity.
Value of	This element checks the value(s) of the text node(s) or attribute(s) found.
Windows view	The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems.

Software Licenses

This is used to collect information of Software Licenses. It includes software name and license information.

Child Elements	Description
Software family	This element specifies the family of the software application.
Software name	This element specifies the name of the software application.
Software license	This element specifies the license serial number of the software application.
Software version	This element specifies the version of the software application.

Partition

This is used to check the information associated with partitions on the local system.

Child Elements	Description
Disk name	This element represents the drive letter or disk name.
Disk description	This element specifies the description associated with the disk.
Disk type	This element specified the type of disk. For example, Local Disk.
Volume name	This element specifies the name associated with the volume.
Space left	This element contains an integer that represents the number of blocks left on a partition (in bytes).
Space used	This element contains an integer that represents the number of blocks used on a partition (in bytes).
Total space	This element contains an integer that represents the total number of blocks on a partition (in bytes).

Missing Patches

This is used to investigate missing patches and security fixes in a computer system.

Child Elements	Description
Patch description	This element describes a patch.
Patch ID	A unique identification number associated with a patch.
Patch name	This element specifies the patch name.
Patch rollback available	This element specifies if rollback is possible for this patch. Possible values are TRUE or FALSE. An empty value appears if it cannot be determined.
Patch severity	This element specifies severity of a patch. Possible values: Important, Critical, etc. An empty value appears if it cannot be determined.
Patch size	This element specifies size of a patch. Values are specified in bytes. A value UNKNOWN appears if patch size cannot be determined.
Reboot required	This element specifies if reboot is required after patch installation. Passible values are TRUE or FALSE.
Platform CPE	This element specifies platform CPE ID associated with the patch.
Product CPE	This element specifies product CPE ID associated with the patch. Note: This value is empty when a patch is associated with an operating system.

Linux Probes

Child Elements	Description
Child Elements	Description

ARP Cache

This is used to collect various information about address resolution protocol(ARP) cache table. It includes host IP address, mac address, interface name from ARP cache table.

Child Elements	Description
Host IP	This element specifies host IP address.
Network Interfaces	This element specifies device interface.
MAC address	This element specifies physical hardware address of the adapter for the network interface associated with this IP address.
Permanent	This element specifies if an ARP entry is permanent or not.

BIOS Information

This is used to collect various information about BIOS (basic input/output system). It includes bios name, version, manufacture, serial number, smbios version, and bios status.

Child Elements	Description
BIOS Manufacture	This element specifies manufacturer of this software element. This value comes from the vendor of the BIOS Information structure in the SMBIOS information.
BIOS Name	This element used to identify the software element.
BIOS Serial Number	This element specifies serial number of the software element.
System Management BIOS Version	This element specifies BIOS version as reported by SMBIOS. This value comes from the version of the BIOS information structure in the SMBIOS information.
BIOS Status	This element specifies current status of BIOS. Various operational and non-operational status can be defined.
BIOS Version	This element specifies version of the BIOS. This string is created by the BIOS manufacturer.

Anti-virus information

This is used to collect information about an installed Antivirus applications.

Child Elements	Description
Antivirus name	This element specifies a display name of a installed antivirus product.
Antivirus evr	This represents the epoch, version, and release fields as a single version string. It has the form “EPOCH:VERSION-RELEASE”.
Antivirus epoch	Restriction of oval-def:EntityStateAnySimpleType. See schema for details.
Antivirus release	Restriction of oval-def:EntityStateAnySimpleType. See schema for details.
Antivirus version	This element specifies version of a installed antivirus product.

Computer Information

This is used to collect various information about computer system. It includes CPU, RAM, ROM, swap memory, virtual memory, disk, operating system, cache size, host name, model name, serial name etc.

Child Elements	Description
Address Sizes	This element specifies the CPU address size info.
Buffers	This element specifies the amount of RAM, in kilobytes, used for file buffers.
Cache size	This element specifies the size of the total processor cache (in bytes). A cache is an external memory area that has a faster access time than the main RAM memory.
CPU	This element specifies name of the processor.
CPU Speed	This element specifies speed of the processor in megahertz.
CPU Architecture	This element specifies processor architecture used by the platform.
CPU cores	This element specifies number of cores.
CPU family	This element specifies authoritatively identifies the type of processor in the system.
CPU usage	This element specified CPU usage in percentage.
Disk model	This element specifies the disk model name – a one-line string.
Disk name	This element specifies the short description of the disk drive – a one-line string.
Disk removable device	This element specifies the disk is removable or not.
Disk size	This element specifies the total size of the disk drive (in bytes).
Free RAM	This element specifies system free memory size in bytes.
Host name	This element specifies the label that is assigned to a computer.
Model name	This element specifies the CPU model info.
Network total bytes received	This element represents the number of bytes received.
Network total bytes transmitted	This element represents the number of bytes transmitted.
Network total bytes(received/transmitted)	This element represents the total number of bytes received and transmitted.
Operating system architecture	This element specifies the architecture of the operating system.
Operating system name	This element specifies the name of the operating system.
Operating system release	This element specifies the release version of the operating system.
Operating system version	This element specifies the version of the operating system.
RAM used	This element specifies used system memory size in bytes.
Total RAM	This element specifies system total memory size in bytes.
ROM model	This element specifies the rom model name – a one-line string.
ROM name	This element specifies the short description of the rom – a one-line string.
ROM removable device	This element specifies the rom is removable or not.
ROM size	This element specifies the size of the rom.
Serial number	This element specifies the BIOS serial number.
Shared memory	This element specifies system shared memory size in bytes.
Free swap size	This element specifies system free swap size in bytes.
Total swap size	This element specifies system total swap size in bytes.
System name	This element specifies system name.
System product name	This element specifies the system hardware name.
System time synchronization status	This element specified if system time is synchronised with server using Network Time Protocol(NTP). Value is either true or false
System uptime	This element specifies the time elapsed since the system was started.
Timezone name	This element specifies the timezone such as Asia/Kolkata.
Total virtual memory allocated	This element specifies system total virtual memory size in bytes.

Cron

This is used to collect various information about cron jobs. It includes user name, scheduled job and command.

Child Elements	Description
Scheduled	This element specifies the scheduled time for a particular cron job.
Scheduled command	This element indicates command to be executed at scheduled time.
User name	This element specifies the username for which cron job is scheduled.

Device information

This is used to collect information about installed devices on the system. It includes device name, driver, subsystem, device path, class and subclass.

Child Elements	Description
Device class	This element describes a type of device
Device driver	This element specifies driver used by the device.
Device manufacture	This element specifies manufacturer of the device.
Device name	This element specifies the device name.
Device path	This element specifies the logical path within the device node
Device subclass	This element specifies the support of the class
Device subsystem	This element retrieves the subsystem of the device.

DPKG Information

This is used to check information of a DPKG package.

Child Elements	Description
Architecture	This is the architecture for which the package was built, like : i386, ppc, sparc, noarch.
Epoch	Restriction of oval-def:EntityStateAnySimpleType. See schema for details.
EVR	This represents the epoch, version, and release fields as a single version string. It has the form “EPOCH:VERSION-RELEASE”.
Name	This is the DPKG package name to check.
Release	Restriction of oval-def:EntityStateAnySimpleType. See schema for details.
Version	Restriction of oval-def:EntityStateAnySimpleType. See schema for details.

Environment Variables

This is used to collect system environment variable information. It includes environment variable name, value and process id.

Child Elements	Description
Name	This element specifies name of the environment variable
Process ID(PID)	This element specifies pid of a process
Value	This element specifies value of the environment variable

Hosts File(/etc/hosts)

This used to collect various information about hosts from /etc/hosts. It includes host IP address and host name.

Child Elements	Description
Host IP	This element specifies host IP address.
Host name	This element specifies the label that is assigned to a computer.

Protocols File(/etc/protocols)

This is used to collect various information about protocol from /etc/protocols. It includes protocol name, protocol number and protocol aliases.

Child Elements	Description
Protocol aliases	This element specifies the aliases for the protocol.
Protocol name	This element specifies the native name for the protocol.
Protocol number	This element specifies the official number for the protocol.

Services File(/etc/services)

This is used to collect various information about service from /etc/services. It includes service name, service port, service protocol and service aliases.

Child Elements	Description
Service aliases	This element specifies alternative names for the same service.
Service name	This element specifies the service name.
Service port	This element specifies port the service is offered on.
Service protocol	This element specifies, which transport protocol is used.

Family of Operating System

This is used to collect operating system family standard values being windows, unix or macos(Mac OS).

Child Elements	Description
family of operating system	This element specifies operating system family.

File

This is used to check metadata associated with files. File path is mandatory for this query while submitting to agents.

Child Elements	Description
Access time	This element specifies access time of a file.
Creation time	This element specifies creation time of a file (in timestamp format).
File md5 sum	This element specifies md5 sum of a file.
File name	This element specifies name of the file on the machine.
File path*	This element specifies the location of the file.
Group execute	This element specifies the group execution permission of a file.
Group read	This element specifies the group read permission of a file.
Group ID	This element specifies the group ID for a file.
Group write	This element specifies the group write permission of a file.
Has extended ACL	This element specifies the access control list existences for a file.
Modified time	This element specifies the modified time of a file.
Others execute	This element specifies the execute permission of a file for other users.
Others read	This element specifies the read permission of a file for other users.
Others write	This element specifies the write permission of a file for other users.
Set group User ID	This element specifies the group user id.
Size	This element specifies the size of a file (in bytes).
Sticky bit	This element specifies the sticky bit of a file.
Owner User ID	This element specifies the owners user id.
Type	This element specifies the type of the file.
User execute	This element specifies the user execute permission.
User read	This element specifies the user read permission.
User ID	This element specifies the user id of a file.
User write	This element specifies the user write permission of a file.

Group

This is used to collect various information about the groups. It includes group name and group id.

Child Elements	Description
Group	This element specifies the group name.
Group ID	This element specifies the group id.

Interface Listeners

This is used to check what applications such as packet sniffers that are bound to an interface on the system. This is limited to applications that are listening on AF_PACKET sockets. Furthermore, only applications bound to an ethernet interface should be collected.

Child Elements	Description
Hardware address	This is the hardware address associated with the interface.
Interface name	This is the name of the interface (eth0, eth1, fw0, etc.).
Process ID (PID)	The pid is the process ID of a specific process
Program name	This is the name of the communicating program.
Protocol	This is the physical layer protocol used by the AF_PACKET socket.
User ID	The numeric user id, or UID, is the third column of each user’s entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.

Inet-Listening Servers (Deprecated)

This is used to collect various information about listening ports. It includes protocol name, local ip address, local port, program name, foreign address, foreign port, process id and user id.

Child Elements	Description
Foreign address	This element specifies foreign ip address, which is connected to listening server.
Foreign full address	This element specifies foreign ip address including port, which is connected to listening server.
Foreign port	This element specifies foreign port, which is connected to listening server
Local address	This element specifies local ip address on which server is listening
Local full address	This element specifies full ip address including port on which server is listening.
Local port	This element specifies local port on which server is listening.
Process ID (PID)	This element specifies the pid of a listening server program.
Program name	This element specifies the name of a listening server program.
Protocol	This element specifies the name for the protocol used by listening server.
User ID	This element specifies the name of a listening server program.

Installed Applications

This is used to collect information about installed applications on the system. It includes application name, version, release, architecture, epoch value.

Child Elements	Description
Application architecture	This element specifies the architecture for which the package was built, like : i386, ppc, sparc, noarch.
Application name	This element specifies the installed package name.
Application release	This element specifies the release number of the build, changed by the vendor/builder.
Application version	This element specifies the version number of the build.
Application epoch	This element specifies the epoch value. Example: 0, 1, (none)
Application EVR	This element specifies the EVR(Epoch-Version-Release string). Example:0:3.13.0-73.116
Application last use	This element specifies the last use date of an application.
Application publisher	This element specifies the application publisher information.

Network Interfaces

The interface test enumerate various attributes about the interfaces on a system.

Child Elements	Description
Broadcast address	This element specifies the broadcast address. A broadcast address is typically the IP address with the host portion set to either all zeros or all ones. Note that the IP address can be IPv4 or IPv6.
Flag	The flag entity represents the interface flag line, which generally contains flags like “UP” to denote an active interface, “PROMISC” to note that the interface is listening for Ethernet frames not specifically addressed to it, and others. This element can be included multiple times in a system characteristic item in order to record a multitude of flags. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like this that refer to items that can occur an unbounded number of times.
Hardware Address	The Hardware Address entity is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
IP address of an interface	This element specifies the IP address. Note that the IP address can be IPv4 or IPv6. If IP address is an IPv6 address, this entity will be expressed as an IPv6 address prefix using CIDR notation and the netmask entity will not be collected.
Name	This element specifies the name of an interface.
Netmask	This element specifies the subnet mask for the IP address. Note that If IP address of an interface entity contains an IPv6 address prefix, this entity will not be collected.
Type	This element specifies the type of interface which is limited to certain set of values.

IP forwarding status

This is used to collect information about the IP forward settings. It includes IP forwarding status which can be either enabled or disabled.

Child Elements	Description
IP forwarding status	This element specifies ip forwarding is enabled or disabled.

IP tables rules

This is used to collect various information about IP table rules. It includes chain type, number packets matched to rule, packets size, action to be taken when rule matches (ACCEPT, DROP), pack flow direction, source ip address, destination ip address, rule desc etc.

Child Elements	Description
Bytes	This element specifies aggregate size of the packets in bytes, that matched particular rule.
Chain type	This element specifies IP tables chain name.
Destination	This element specifies the destination IP address or subnet of the traffic.
In	This element specifies interface name from which the packet flows in.
Option	This element indicates IP options (Rarely used).
Out	This element specifies interface name from which the packet flows out.
Packets	This element specifies the number of packets, that matched particular rule.
Protocol	This element specifies protocol name for a particular rule.
Rule description	This element specifies the short description of the particular rule.
Source	This element specifies the source IP address or subnet of the traffic.
Target	This element specifies what should be done when packet matches the rule eg: ACCEPT. DROP etc.

Kernel Information

This is used to collect various information about loaded kernel. It includes kernel version, kernel image path, kernel on which device/volume and kernel arguments.

Child Elements	Description
Arguments	This element indicates loaded kernel kernel arguments.
Device	This element indicates location of the kernel on which device or volume.
Kernel image path	This element specified the kernel image path.
Kernel version	This element indicates loaded kernel kernel version.

Kernel Modules

This is used to collect various information about modules loaded into the kernel. It includes kernel module name, kernel module depending on which module and module status.

Child Elements	Description
Kernel module name	This element specifies the module name.
Kernel module status	This element specifies the what load state the module is in eg: Live, Loading etc.
Kernel module used-by	This element specifies the module name which are depending another module in order to function.

Logged-in Users

This is used to collect various information about logged-in users. It includes user name, device tty, remote logged in host name, time when entry made, process id and record type.

Child Elements	Description
Host	This element indicates hostname for remote login or kernel version for run-level messages
Process ID(PID)	This element indicates the PID of login process.
Time	This element indicates the time when entry was made.
tty	This element indicates device name of tty.
Type	This element indicates the type of record.
User name	This element indicates logged-in user name.

Mount points

This is used to collect various information about mounted partitions. It includes disk filesystem name, file system type, disk size, disk space used, available disk space, disk use in terms of percentage and disk mounted path.

Child Elements	Description
Disk file-system name	This element indicates filesystem name.
Disk mounted on	This element indicates disk mounted path.
Disk size	This element indicates total disk partition size (in bytes).
Disk space available	This element indicates available disk space (in bytes).
Disk space used	This element indicates used disk space (in bytes).
Disk use percentage	This element indicates used disk space in percentage.

Partitions

This is used to check the information associated with partitions on the local system.

Child Elements	Description
Device	This element contains a string that represents the name of the device.
FS type	This element contains a string that represents the type of filesystem on a partition.
Mount options	This element contains a string that represents the mount options associated with a partition.
Mount point	This element contains a string that represents the mount point of a partition on the local system.
Space left	This element contains an integer that represents the number of blocks left on a partition.
Space used	This element contains an integer that represents the number of blocks used on a partition.
Total space	This element contains an integer that represents the total number of blocks on a partition.
UUID	This element contains a string that represents the universally unique identifier associated with a partition.

Password/User Information

This is used to collect various information about system users. It includes user name, password, user id, group id, user information, user home directory path and login shell.

Child Elements	Description
GCOS(comment field)	This element indicates user information. Usually, it contains the full username. Some programs (for example, finger(1)) display information from this field. GECOS stands for “General Electric Comprehensive Operating System”,which was renamed to GCOS when GE’s large systems ision was sold to Honeywell. Dennis Ritchie has reported: “Sometimes we sent printer output or batch jobs to the GCOS machine. The gcos field in the password file was a place to stash the information for the $IDENTcard. Not elegant.”
Group ID	This element indicates group id of a particular group.
Home directory	This element specifies path to home directory of a particular user.
Login shell	This element specifies login shell of a particular user.
Password	This element indicates local user password
User ID	This element indicates user id of a particular user.
User name	This element indicates local user name.

Port/Network Connection

Information about open ports and network connections.

Child Elements	Description
Local address	This element specifies the local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6.
Local port	This element specifies the number assigned to the local listening port.
Protocol	This element specifies the type of listening port. It is restricted to either TCP or UDP.
Process ID(PID)	The id given to the process that is associated with the specified listening port.
Foreign address	This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
Foreign port	This is the TCP or UDP port to which the program communicates.
Process name	This element specifies the name of a listening server program.
Port state	This element indicates the port state.

Process

Information about running processes.

Child Elements	Description
Command line	This is the string used to start the process. It includes any parameters that are part of the command line.
Exec shield	This element specifies execute shield status.
Execution time	This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more.
Login UID	The loginuid shows which account a user gained access to the system with. The /proc/XXXX/loginuid shows this value.
Process ID(PID)	This is the process ID of the process.
Posix capability	An effective capability associated with the process. See linux/include/linux/capability.h for more information.
Parent process ID	This is the process ID of the process’s parent process.
Priority	This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call.
Process name	This is the name of the processes.td>
Real UID	This element specifies the real UID.
SE Linux domain label	An SE Linux domain label associated with the process.
Session ID	The session ID of the process.
Start time	This is the time of day the process started formatted in HH:MM:SS if the same day the process started or formatted as MMM_DD (Ex.: Feb_5) if process started the previous day or further in the past.
tty	This is the TTY on which the process was started, if applicable.
User ID	This is the effective user id which represents the actual privileges of the process.

RPC Map Information

This is used to collect various information about rpm program from /etc/rpc. It includes remote procedure call(RPC) program name, program number and program aliases.

Child Elements	Description
RPC aliases	This element specifies the aliases for the RPC program.
RPC program name	This element specifies the native name for the RPC program.
RPC program number	This element specifies the official number for the RPC program.

RPC Network Connections

This is used to collect various information about RPC connection using rpcinfo. It includes remote procedure call(RPC) program name, program id, program version, transport protocol used, ip address and program owner.

Child Elements	Description
Address	This element specifies the IP address of the RPC program.
Network ID	This element specifies, which transport protocol is used.
Owner	This element specifies an owner for the RPC program.
RPC program ID	This element specifies the RPC program id.
RPC program name	This element specifies the RPC program name.
RPC program version	This element specifies the RPC program version.

RPM Information

This is used to check the RPM header information for a given RPM package.

Child Elements	Description
Architecture	This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
Epoch	This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or ‘(none)’ as returned by rpm) the string ‘(none)’ should be used.. This number is not revealed by a normal query of the RPM’s information — you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q –qf ‘%{EPOCH}\n’ installed_rpm For an RPM file that has not been installed: rpm -qp –qf ‘%{EPOCH}\n’ rpm_file
EVR	This represents the epoch, version, and release fields as a single version string. It has the form “EPOCH:VERSION-RELEASE”. Note that a null epoch (or ‘(none)’ as returned by rpm) is equivalent to ‘0’ and would hence have the form 0:VERSION-RELEASE. Comparisons involving this datatype should follow the algorithm of librpm’s rpmvercmp() function
Extended name	This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form “NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE”. Note that a null epoch (or ‘(none)’ as returned by rpm) is equivalent to ‘0’ and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE.
Name	This is the package name to check.
Release	This is the release number of the build, changed by the vendor/builder.
Signature key ID	This field contains the 64-bit PGP key ID that the RPM issuer (generally the original operating system vendor) uses to sign the key. Note that the value should NOT contain a hyphen to separate the higher 32-bits from the lower 32-bits. It should simply be a 16 character hex string. PGP is used to verify the authenticity and integrity of the RPM being considered. Software packages and patches are signed cryptographically to allow administrators to allay concerns that the distribution mechanism has been compromised, whether that mechanism is web site, FTP server, or even a mirror controlled by a hostile party. OVAL uses this field most of all to confirm that the package installed on the system is that shipped by the vendor, since comparing package version numbers against patch announcements is only programmatically valid if the installed package is known to contain the patched code.
Version	This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4.

RPM file verify

This is used to verify the integrity of the in idual files in installed RPMs. File path is mandatory for this query while submitting to agents.

Child Elements	Description
File path*	This element specifies the absolute path for a file or directory in the specified package.
Architecture	This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
Capabilities differ	The size_differs entity aligns with the ninth character (‘P’ flag) in the character string in the output generated by running rpm -V on a specific file.
Configuration file	The configuration_file entity represents the configuration file attribute marker that may be present on a file.
Device differs	The device_differs entity aligns with the fourth character (‘D’ flag) in the character string in the output generated by running rpm -V on a specific file.
Documentation file	The documentation_file entity represents the documentation file attribute marker that may be present on a file.
Epoch	This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or ‘(none)’ as returned by rpm) the string ‘(none)’ should be used.. This number is not revealed by a normal query of the RPM’s information — you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q –qf ‘%{EPOCH}\n’ installed_rpm For an RPM file that has not been installed: rpm -qp –qf ‘%{EPOCH}\n’ rpm_file
Extended name	This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form “NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE”. Note that a null epoch (or ‘(none)’ as returned by rpm) is equivalent to ‘0’ and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE.
Ghost file	The ghost_file entity represents the ghost file attribute marker that may be present on a file.
Group differs	The group_differs entity aligns with the seventh character (‘U’ flag) in the character string in the output generated by running rpm -V on a specific file.
License file	The license_file entity represents the license file attribute marker that may be present on a file.
Link mismatch	The link_mismatch entity aligns with the fifth character (‘L’ flag) in the character string in the output generated by running rpm -V on a specific file.
MD5 differs	This entity aligns with the third character (‘5’ flag) in the character string in the output generated by running rpm -V on a specific file.
Mode differs	This entity aligns with the second character (‘M’ flag) in the character string in the output generated by running rpm -V on a specific file.
Modified time differs	This entity aligns with the eighth character (‘T’ flag) in the character string in the output generated by running rpm -V on a specific file.
Name	This is the package name to check.
Ownership differs	The ownership_differs entity aligns with the sixth character (‘U’ flag) in the character string in the output generated by running rpm -V on a specific file.
ReadMe file	The readme_file entity represents the readme file attribute marker that may be present on a file.
Release	This is the release number of the build, changed by the vendor/builder.
Size differs	The size_differs entity aligns with the first character (‘S’ flag) in the character string in the output generated by running rpm -V on a specific file.
Version	This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4.

RPM verify package

This is used to verify the integrity of installed RPMs.

Child Elements	Description
Architecture	This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
Dependency check passed	The dependency_check_passed entity indicates whether or not the dependency check passed. If the dependency check is not performed, due to the ‘nodeps’ behavior, this entity must not be collected.
Epoch	This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or ‘(none)’ as returned by rpm) the string ‘(none)’ should be used.. This number is not revealed by a normal query of the RPM’s information — you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q –qf ‘%{EPOCH}\n’ installed_rpm For an RPM file that has not been installed: rpm -qp –qf ‘%{EPOCH}\n’ rpm_file
Extended name	This element specifies the extended name.
Name	This is the package name to check.
Release	This is the release number of the build, changed by the vendor/builder.
Verification script successful	The verification_script_successful entity indicates whether or not the verification script executed successfully. If the verification script is not executed, due to the ‘noscripts’ behavior, this entity must not be collected.
Version	This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4.

Run level

This is used to check information about which run-level specified services are scheduled to exist at. For more information see the output generated by a chkconfig –list.

Child Elements	Description
Kill	This entity determines if the process is supposed to be killed at the specified run-level.
Run level	This entity refers to the system run-level associated with a service. A run-level is defined as a software configuration of the system that allows only a selected group of processes to exist.
Service name	This entity refers the name associated with a service. This name is usually the filename of the script file located in the /etc/init.d directory.
Start	This entity determines if the process is scheduled to be spawned at the specified run-level.

SE Linux Boolean

This is used to check the current and pending status of a SELinux boolean.

Child Elements	Description
Current Status	The current_status entity represents the current state of the specified SELinux boolean.
Name	The name of the SELinux boolean.
Pending Status	The pending_status entity represents the pending state of the specified SELinux boolean.

Services

This is used to collect information about services. It includes service name and status.

Child Elements	Description
Service name	This specifies the service name.
Service status	This specifies the status of the service.

Shadow file(/etc/shadow)

This is used to check information from the /etc/shadow file for a specific user. This file contains user’s password, password ageing and lockout information.

Child Elements	Description
Change allowed	This specifies how often in days a user may change their password. It can also be thought of as the minimum age of a password.
Change list	This is the date of the last password change in days since 1/1/1970.
Change required	This describes how long a user can keep a password before the system forces her to change it.
Encryption method	The encrypt_method entity describes method that is used for hashing passwords.
Expiry date	This specifies when will the account’s password expire, in days since 1/1/1970.
Days before account inactive	This entity describes the number days of account inactivity for which the system will wait after a password expires before locking the account. Unix systems are generally configured to only allow a given password to last for a fixed period of time.
Days warning for expiration	This describes how long before password expiration the system begins warning the user. The system will warn the user at each login.
Flag	This is a reserved field that the shadow file may use in the future.
Password	This is the encrypted version of the user’s password.
User name	This is the name of the user being checked.

Shell History

This is used to collect various information about shell history. It includes user name, used-id, history file path and command from history file.

Child Elements	Description
Command	This element specifies history of executed commands.
History file	This element specifies history file path.
UID	This element specifies history belongs to which user id.
User name	This element specifies history belongs to which user.

Sudo Users

This is used to collect sudo users. It includes user name which has sudo access.

Child Elements	Description
Sudo user name	This element specifies sudo username.

System Control

This is used to check the values associated with the kernel parameters that are used by the local system.

Child Elements	Description
Name	This element contains a string that represents the name of a kernel parameter that was collected from the local system.
Value	This element contains a string that represents the value(s) associated with the specified kernel parameter.

System DHCP Information

This is used to collect system Dynamic Host Configuration Protocol (DHCP) information. It includes DHCP enabled, DHCP server ip address, netmask, gateway ip address, interface type, lease time, lease renew/rebind time and interface description.

Child Elements	Description
DHCP enabled	This element specifies the value that specifies whether the dynamic host configuration protocol (DHCP) is enabled for this adapter.
DHCP interface	This element specifies DHCP interface
Gateway IP	This element specifies the ip address of the gateway for this adapter.
MAC Address	This element specifies the hardware address for the adapter.
Interface description	This element specifies an ANSI character string that contains the description of the adapter.
Interface type	This element specifies the adapter type.
IP mask	This element specifies the list of ip addresses associated with this adapter.
Lease expire time	This element specifies the time when the current DHCP lease expires.
Lease rebind time	This element specifies DHCP lease rebind time.
Lease renew time	This element specifies DHCP lease renew time.
Lease time	This element specifies DHCP lease time.
DHCP server IP	This element specifies the address of the DHCP server for this adapter.

System DNS Information

This is used to collect domain name and domain name system ip information. It includes domain name and dns server ip address

Child Elements	Description
DNS server IP	This element specifies the list of dns server ip address used by the local computer.
Domain name	This element specifies the domain in which the local computer is registered.

System Executable shield status

Executable shield status gives information if data memory is executable/non-executable or/and program memory is writable/non-writable.

Child Elements	Description
Executable shield status	This element specifies the executable shield No eXecute (NX) and eXecute Disable (XD) status. For Example: NX (Execute Disable) protection active

System Route Information

This is used to collect system route information. It includes destination, ip address, gateway, netmask, flags, metric and interface name.

Child Elements	Description
Destination	This element specifies the destination IP address or subnet of the traffic for a specific route entry.
Flags	This element specifies the flag for a specific route entry.
Gateway	This element specifies the gateway for a specific route entry.
Network Interfaces	This element specifies the interface for a specific route entry.
Metric	This element specifies the metric for a specific route entry.
Netmask	This element specifies the netmask for a specific route entry.

System ASLR Status

This is used to collect address space layout randomization(ASLR) status. This technique give some protection against buffer overflow attacks by randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.

Child Elements	Description
ASLR status	This element specifies the system ASLR status. 0- The process address space randomization is off. 1 – The addresses of mmap base, stack and VDSO page are randomized. 2 – Additionally heap randomization enabled.

Text File Content

This looks at the content of a text file (aka a configuration file) by looking at in idual lines. File path, pattern and instance are mandatory for this query while submitting to agents.

Child Elements	Description
File path*	This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path.
Pattern/Text*	This entity represents a block of text or regular expression that is used to define a block of text. Subexpression notation (parenthesis) is used to call out a value(s) to test against. For example, the pattern abc(.*)xyz would look for a block of text in the file that starts with abc and ends with xyz, with the subexpression being all the characters that exist in between. Note that If pattern can match more than one block of text starting at the same point, then it matches the longest. Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later.
Instance*	The instance entity calls out which match of the pattern is being represented by this item. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. The main purpose of this entity is too provide uniqueness for different items that results from multiple matches of a given pattern against the same file.
Sub-expression	The sub-expression entity represents the value of a subexpression in the specified pattern. If multiple subexpressions are specified in the pattern, then multiple entities are presented.
Windows view	Not applicable for Unix based systems. The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64-bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems.

Unix name(uname)

This is used to collect various information about operating system. It includes hardware id, operating system name, version, release, processor type, time zone and locale.

Child Elements	Description
Locale	This element specifies the locale
Machine class	This element specifies the hardware identifier
Node name	This element indicates name of the present machine in some undefined network
Operating system name	This element specifies the name of the operating system.
Operating system release	This element specifies the release version of the operating system.
Operating system version	This element specifies the version of the operating system.
Processor type	This element specifies the hardware identifier
Time zone	This element specifies the time zone

Wireless Information

This is used to collect various information about wireless connection. It includes wireless name, state, mac address, SSID, interface description, network is infrastructure or ad hoc, frequency, receiving rate, transmission rate, signal quality and security enabled or disabled.

Child Elements	Description
WLAN BSS Network type	This element specifies whether the network is infrastructure or ad hoc.
WLAN frequency	This element specifies wireless frequency.
WLAN Interface description	This element specifies the wireless interface description.
WLAN Interface name	This element specifies the wireless interface name.
WLAN Interface state	This element specifies the state of the wireless interface
WLAN MAC address	This element specifies physical hardware address wireless interface.
WLAN Receiving rate	This element specifies the receiving rate of the association.
WLAN Security enabled	This element specifies whether security is enabled on the network. A value of TRUE indicates that security is enabled, otherwise it is not.
WLAN Signal quality	This element specifies a percentage value that represents the signal quality of the network.
WLAN SSID	This element specifies the contains the SSID of the association.
WLAN Transmission rate	This element specifies the transmission rate of the association.

System unit dependency

This element is used to check the dependencies of the specific units.

Child Elements	Description
Dependency	This entity refers to the name of a unit that was confirmed to be a dependency of the given unit.
Unit	This entity refers to the full systemd unit name, which has a form of “$name.$type”. For example “cupsd.service”. This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories.

Systemd unit property

This element is used to retrieve information about systemd units in form of properties. For more information see the output generated by systemctl show $unit.

Child Elements	Description
Property	The name of the property associated with a systemd unit.
Unit	The unit entity refers to the full systemd unit name, which has a form of “$name.$type”. For example “cupsd.service”. This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories.
Value	The value of the property associated with a systemd unit.

App armor status

This is used to check properties representing the counts of profiles and processes as per the results of the “apparmor_status” or “aa-status” command.

Child Elements	Description
Complain mode processes count	Displays the number of processes in complain mode
Complain mode profiles count	Displays the number of profiles in complain mode
Enforce mode processes count	Displays the number of processes in enforce mode
Enforce mode profiles count	Displays the number of profiles in enforce mode
Loaded profiles count	Displays the number of loaded profiles
Processes with profiles count	Displays the number of processes which have profiles defined
Unconfined processes with profiles count	Displays the number of processes which are unconfined but have a profile defined

Symlink

This is used to obtain canonical path information for symbolic links. File path is a mandatory field while submitting to agents.

Child Elements	Description
Filepath*	Specifies the filepath used to create the object.
Canonical path	Specifies the canonical path for the target of a symbolic link file specified by the filepath.

Routing table

This is used to check information about the IPv4 and IPv6 routing table entries found in a system’s primary routing table. It is important to note that only numerical addresses will be collected and that their symbolic representations will not be resolved. This equivalent to using the ‘-n’ option with route(8) or netstat(8). Destination is a mandatory field while submitting to agents.

Child Elements	Description
Destination*	The destination IP address prefix of the routing table entry. This is the destination IP address and netmask/prefix-length expressed using CIDR notation.
Flags	The flags associated with the specified routing table entry.
Gateway	The gateway of the specified routing table entry.
Interface name	The name of the interface associated with the routing table entry.

File extended attribute

This is used to check extended attribute values associated with UNIX files, of the sort returned by the getfattr command or getxattr() system call. This will collect all UNIX file types (directory, regular file, character device, block device, fifo, symbolic link, and socket). File path and attribute name are mandatory fields while submitting to agents.

Child Elements	Description
Attribute name*	This is the extended attribute’s name, identifier or key.
File path*	The filepath element specifies the absolute path for a file on the machine. A directory can be specified as a filepath.
Value	The value entity represents the extended attribute’s value or contents. To check for an attribute with no value assigned to it, this entity would be used with an empty value.

GConf

This is used to check the attributes and value(s) associated with GConf preference keys. This can be used to define the preference keys to collect and the sources from which to collect the preference keys. Key and source are mandatory fields while submitting to agents

Child Elements	Description
Is default?	Is the preference key value the default value. If true, the preference key value is the default value. If false, the preference key value is not the default value.
Is writable?	Is the preference key writable? If true, the preference key is writable. If false, the preference key is not writable.
Key*	The preference key to check.
Source*	The source used to look up the preference key. This element specifies the source from which to collect the preference key. The source is represented by the absolute path to a GConf XML file as XML is the current backend for GConf. Note that other backends may become available in the future.
Time modified	The time the preference key was last modified in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
Type	The type of the preference key.
User modified	The user who last modified the preference key.
Value	The value of the preference key.

Virtual Memory Statistics (vmstat)

Virtual Memory Statistics (vmstat) reports information about processes, memory, paging, block IO, traps, and cpu activity.

Child Elements	Description
Blocks received	Blocks received from a block device.
Blocks sent	Blocks sent to a block device.
Buffer memory	The amount of memory used as buffers.
Cache memory	The amount of memory used as cache.
Context switches	The number of context switches per second.
CPU time idle	Time spent idle. Prior to Linux 2.5.41, this includes IO-wait time.
CPU time IO	Time spent waiting for IO. Prior to Linux 2.5.41, included in idle.
CPU time kernel code	Time spent running kernel code (system time).
CPU time non-kernel code	Time spent running non-kernel code (user time, including nice time).
CPU time virtual machine	Time stolen from a virtual machine. Prior to Linux 2.6.11, unknown.
Idle memory	The amount of idle memory.
Interrupts	The number of interrupts per second, including the clock.
Memory swapped in	The amount of memory swapped in from disk.
Memory swapped out	The amount of memory swapped to disk.
Runnable processes	The number of runnable processes (running or waiting for run time).
Uninterruptible sleep processes	The number of processes in uninterruptible sleep.
Virtual memory used	The amount of virtual memory used.

System time

This is used to track the current date and time in the system.

Child Elements	Description
Date	Current day in the system.
Day	Current weekday in the system.
Epoch time	Current local UNIX time in the system.
Hour	Current hour in the system.
Local timezone	Current local timezone in the system.
Minutes	Current minutes in the system.
Month	Current month in the system.
Year	Current year in the system.
Seconds	Current seconds in the system.
Timestamp	Current timestamp (log format) in the system.

SUID bin binary

Retrieves all the files from /bin, /sbin, /usr/bin, /usr/sbin,/usr/local/bin, /usr/local/sbin, /tmp in the target system that are setuid enabled.

Child Elements	Description
Path	This entity specifies the path in the system.
Permission	This entity specifies the permission associated with the user namd and path.
User	This entity specifies the user name.

SUID bin file

Retrieves all the files from /bin, /sbin, /usr/bin, /usr/sbin,/usr/local/bin, /usr/local/sbin, /tmp in the target system that are setuid enabled.

Child Elements	Description
Path	This entity specifies the path in the system.
Permission	This entity specifies the permission associated with the user namd and path.
User	This entity specifies the user name.

Grand Unified Bootloader (grub)

GRUB(Grand Unified Boot loader) is the default boot loader for many Linux distributions. Boot loader plays a major role in bring up the system into running state. Infact boot loader is the first program that runs when a computer is switched on. This helps in transferring control to an operating system kernel.

Child Elements	Description
Command line default	The default command line.
Default	The default operating system to boot if you do not hit any key.
Initrd	The initrd image to boot the kernel with.
Kernel	The linux kernel image to load along with all the options for it.
Menu entry	The partition where /boot directory is. All paths will be relative to this partition.
Root	The partition where /boot directory is. All paths will be relative to this partition.
Timeout	The time in seconds to wait before the default operating system is booted.

Boot priority policy

This defines the operating system boot priority policy. The Linux boot loader though (called Grub), usually defaults to booting Linux.

Child Elements	Description
Menu entry	This element defines the title entry and it starts an operating system section by default unless any other title line is found.

SUID bin binary

Retrieves all the files from /bin, /sbin, /usr/bin, /usr/sbin,/usr/local/bin, /usr/local/sbin, /tmp in the target system that are setuid enabled.

Child Elements	Description
User	This entity specifies the user name.
Path	This entity specifies the path in the system.
Permission	This entity specifies the permission associated with the user namd and path.

XML File Content

Child Elements	Description
File path*	This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path.
XPath*	Specifies an XPath 1.0 expression to evaluate against the XML file specified by the filename entity. This XPath 1.0 expression must evaluate to a list of zero or more text values which will be accessible in OVAL via instances of the value_of entity. Any results from evaluating the XPath 1.0 expression other than a list of text strings (e.g., a nodes set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute. However, an OVAL interpreter is not required to verify this, so the author should define the XPath expression carefully. Note that “equals” is the only valid operator for the xpath entity.
Value of	This element checks the value(s) of the text node(s) or attribute(s) found.
Windows view	The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems.

Missing Patches

This is used to investigate missing patches and security fixes in a computer system.

Child Elements	Description
Patch description	This element describes a patch.
Patch ID	A unique identification number associated with a patch.
Patch name	This element specifies the patch name.
Patch rollback available	This element specifies if rollback is possible for this patch. Possible values are TRUE or FALSE. An empty value appears if it cannot be determined.
Patch severity	This element specifies severity of a patch. Possible values: Important, Critical, etc. An empty value appears if it cannot be determined.
Patch size	This element specifies size of a patch. Values are specified in bytes. A value UNKNOWN appears if patch size cannot be determined.
Reboot required	This element specifies if reboot is required after patch installation. Passible values are TRUE or FALSE.
Platform CPE	This element specifies platform CPE ID associated with the patch.
Product CPE	This element specifies product CPE ID associated with the patch. Note: This value is empty when a patch is associated with an operating system.

Mac Probes

Account Information

This is used to collect all users’ information. It includes user name, user ID, group ID, real name, home directory and login shell information.

Child Elements	Description
Group ID	This element represents the group ID of this account.
Home directory	This element specifies the home directory for this user account.
Login shell	This element specifies the login shell for this user account.
Password	This element specifies obfuscated (*****) or encrypted password for this user.
Real name	This element specifies user’s real name, aka gecos field of /etc/passwd.
User ID	The numeric user id, or uid, is the third column of each user’s entry in /etc/passwd. This element represents the owner of the file.
User name	This element specifies the user of the account to gather information from.

ARP Cache

This is used to collect various information about address resolution protocol(ARP) cache table. It includes host IP address, mac address, interface name from ARP cache table.

Child Elements	Description
Host IP	This element specifies host IP address.
MAC address	This element specifies physical hardware address of the adapter for the network interface associated with this IP address.
Network Interfaces	This element specifies device interface.
Permanent	This element specifies if an ARP entry is permanent or not.

Authorization Database

This is used to check the properties of the plist-style XML output from the security authorizationdb read right-name command, for reading information about rights authorizations on MacOSX. Right name and XPath are mandatory to query the database.

Child Elements	Description
Right name*	This element specifies the right name to be queried (read) from the authorization database.
Value of	This element checks the value(s) of the text node(s) or attribute(s) found.
XPath*	This element specifies an Xpath expression describing the text node(s) or attribute(s) to look at. Any valid Xpath 1.0 statement is usable with one exception, at most one field may be identified in the Xpath.

Anti-virus information

This is used to collect information about an installed Antivirus applications.

Child Elements	Description
Antivirus name	This element specifies a display name of a installed antivirus product.
Antivirus path	This element specifies installed path of a installed antivirus product.
Antivirus version	This element specifies version of a installed antivirus product.

BIOS Information

This is used to collect various information about BIOS (basic input/output system). It includes bios name, version, manufacture, serial number, smbios version, and bios status.

Child Elements	Description
BIOS Name	This element used to identify the software element.
BIOS Serial Number	This element specifies serial number of the software element.
BIOS SMC Version	This element specifies version of the BIOS SMC(Standard Microsystems)
BIOS Status	This element specifies current status of BIOS. Various operational and non-operational status can be defined.
BIOS Version	This element specifies version of the BIOS. This string is created by the BIOS manufacturer.

Computer Information

This is used to collect various information about computer system. It includes CPU, RAM, ROM, swap memory, virtual memory, disk, operating system, cache size, host name, model name, serial name etc.

Child Elements	Description
Address Sizes	This element specifies the CPU address size info.
Cache size	This element specifies the size of the total processor cache (in bytes). A cache is an external memory area that has a faster access time than the main RAM memory.
CPU	This element specifies name of the processor.
CPU Architecture	This element specifies processor architecture used by the platform.
CPU cores	This element specifies number of cores.
CPU family	This element specifies authoritatively identifies the type of processor in the system.
CPU Speed	This element specifies speed of the processor in megahertz.
CPU usage	This element specified CPU usage in percentage.
Disk model	This element specifies the disk model name – a one-line string.
Disk name	This element specifies the short description of the disk drive – a one-line string.
Disk removable device	This element specifies the disk is removable or not.
Disk size	This element specifies the total size of the disk drive in bytes.
Free RAM	This element specifies system free memory size in bytes.
Free swap size	This element specifies system free swap size in bytes.
Host name	This element specifies the label that is assigned to a computer.
Model name	This element specifies the CPU model info.
Network total bytes received	This element represents the number of bytes received.
Network total bytes transmitted	This element represents the number of bytes transmitted.
Network total bytes(received/transmitted)	This element represents the total number of bytes received and transmitted.
Operating system architecture	This element specifies the architecture of the operating system.
Operating system name	This element specifies the name of the operating system.
Operating system release	This element specifies the release version of the operating system.
Operating system version	This element specifies the version of the operating system.
RAM usage	This element specifies used system memory size in percentage.
RAM used	This element specifies used system memory size in bytes.
Serial number	This element specifies the BIOS serial number.
System name	This element specifies system name.
System product name	This element specifies the system hardware name.
System time synchronization status	This element specified if system time is synchronised with server using Network Time Protocol(NTP). Value is either true or false
System uptime	This element specifies the time elapsed since the system was started.
Timezone name	This element specifies the timezone such as Asia/Kolkata.
Total RAM	This element specifies system total memory size in bytes.
Total swap size	This element specifies system total swap size in bytes.
Total virtual memory allocated	This element specifies system total virtual memory size in bytes.

Core Storage

This is used to check the properties of the plist-style XML output from the “diskutil cs list -plist” command, for reading information about the CoreStorage setup on MacOSX. UUID and XPath are mandatory to query the database.

Child Elements	Description
UUID*	This element specifies the UUID of the volume about which the plist information was retrieved.
Value of	This element checks the value(s) of the text node(s) or attribute(s) found.
XPath*	This element specifies an Xpath expression describing the text node(s) or attribute(s) to look at. Any valid Xpath 1.0 statement is usable with one exception, at most one field may be identified in the Xpath.

Cron

This is used to collect various information about cron jobs. It includes user name, scheduled job and command.

Child Elements	Description
Scheduled	This element specifies the scheduled time for a particular cron job.
Scheduled command	This element indicates command to be executed at scheduled time.
User name	This element specifies the username for which cron job is scheduled.

Device information

This is used to collect information about installed devices on the system. It includes device name, driver, subsystem, device path, class and subclass.

Child Elements	Description
Device driver	This element specifies driver used by the device.
Device name	This element specifies the installed devices name.
Device manufacture	This element specifies manufacturer of the device.
Device model	This element identifies the device model
Device path	This element specifies the logical path within the device node
Device serial	This element specifies the serial number the device
Device size	This element specifies the total size of the device in bytes (Applicable for USB and Media)
Device type	This element specifies the type of the device.

Disk Utility

This is used to collect various information to verify disks on a Mac OS system. File path and Device are mandatory for this query.

Child Elements	Description
Device*	This element specifies represents the disk on a Mac OS system to verify. Please see diskutil(8) for instructions on how to specify the device.
File path*	This element specifies the absolute path for a file or directory on the specified device.
Group execute	This element specifies the group execution permission of a file.
Group read	This element specifies the group read permission of a file.
Group write	This element specifies the group write permission of a file.
Others execute	This element specifies the execute permission of a file for other users.
Others read	This element specifies the read permission of a file for other users.
Others write	This element specifies the write permission of a file for other users.
User execute	This element specifies the user execute permission.
User read	This element specifies the user read permission.
User write	This element specifies the user write permission of a file.

Gatekeeper

This is used to collect information to check the status of Gatekeeper and any unsigned applications that have been granted execute permission.

Child Elements	Description
Enabled	This element specifies the status of Gatekeeper assessments.
Unlabeled	This element specifies the path to an unsigned application folder to which Gatekeeper has granted execute permission.

Hosts File(/etc/hosts)

This used to collect various information about hosts from /etc/hosts. It includes host IP address and host name.

Child Elements	Description
Host IP	This element specifies host IP address.
Host name	This element specifies the label that is assigned to a computer.

Operating System Information

This is used to collect various information about installed operating system.

Child Elements	Description
Build version	This element specifies the build number of an operating system. It can be used for more precise version information than product release version numbers.
Copyright	This element specifies the copyrights of the operating system.
Operating system name	This element specifies the operating system instance within a computer system.
Service pack major	This element specifies the major version number of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero).
Service pack minor	This element specifies the minor version number of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero).
Service pack patch	This element specifies the patch version of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero).

Protocols File(/etc/protocols)

This is used to collect various information about protocol from /etc/protocols. It includes protocol name, protocol number and protocol aliases.

Child Elements	Description
Protocol aliases	This element specifies the aliases for the protocol.
Protocol name	This element specifies the native name for the protocol.
Protocol number	This element specifies the official number for the protocol.

Services File(/etc/services)

This is used to collect various information about service from /etc/services. It includes service name, service port, service protocol and service aliases.

Child Elements	Description
Service aliases	This element specifies alternative names for the same service.
Service name	This element specifies the service name.
Service port	This element specifies port the service is offered on.
Service protocol	This element specifies, which transport protocol is used.

Family of Operating System

This is used to collect operating system family standard values being windows, unix or macos(Mac OS).

Child Elements	Description
family of operating system	This element specifies operating system family.

File

This is used to check metadata associated with files. File path is mandatory for this query while submitting to agents.

Child Elements	Description
File path*	This element specifies the location of the file.
Access time	This element specifies access time of a file.
Creation time	This element specifies creation time of a file (in timestamp format).
File md5 sum	This element specifies md5 sum of a file.
File name	This element specifies the name of the file.
Group execute	This element specifies the group execution permission of a file.
Group read	This element specifies the group read permission of a file.
Group ID	This element specifies the group ID for a file.
Group write	This element specifies the group write permission of a file.
Has extended ACL	This element specifies the access control list existences for a file.
Modified time	This element specifies the modified time of a file.
Others execute	This element specifies the execute permission of a file for other users.
Others read	This element specifies the read permission of a file for other users.
Others write	This element specifies the write permission of a file for other users.
Set group User ID	This element specifies the group user id.
Size	This element specifies the size of a file (in bytes).
Sticky bit	This element specifies the sticky bit of a file.
Owner User ID	This element specifies the owners user id.
Type	This element specifies the type of the file.
User execute	This element specifies the user execute permission.
User read	This element specifies the user read permission.
User ID	This element specifies the user id of a file.
User write	This element specifies the user write permission of a file.

Group

This is used to collect various information about the groups. It includes group name and group id.

Child Elements	Description
Group	This element specifies the group name.
Group ID	This element specifies the group id.

Inet-Listening Servers

This is used to collect various information about listening ports. It includes protocol name, local ip address, local port, program name, foreign address, foreign port, process id and user id.

Child Elements	Description
Foreign address	This element specifies foreign ip address, which is connected to listening server.
Foreign full address	This element specifies foreign ip address including port, which is connected to listening server.
Foreign port	This element specifies foreign port, which is connected to listening server
Local address	This element specifies local ip address on which server is listening
Local full address	This element specifies full ip address including port on which server is listening.
Local port	This element specifies local port on which server is listening.
Process ID (PID)	This element specifies the pid of a listening server program.
Program name	This element specifies the name of a listening server program.
Protocol	This element specifies the name for the protocol used by listening server.
User ID	This element specifies the name of a listening server program.

Installed Applications

This is used to collect information about installed applications on the system. It includes application name, version, architecture, path, developer and last used.

Child Elements	Description
Application architecture	This element specifies the architecture for which the package was built, like : i386, ppc, sparc, noarch.
Application developer	This element specifies the developer of the installed application
Application last use	This element specifies the last use date of an application.
Application name	This element specifies the installed package name.
Application path	This element specifies the path in which the application is installed.
Application publisher	This element specifies the application publisher information.
Application version	This element specifies the version number of the build.

launchd (unified service-management)

This is used to collect information and status of daemons/agents, applications, processes and scripts running in a system.

Child Elements	Description
Label	This element specifies the daemon to be queried.
Process ID(pid)	This element specifies the process ID of the daemon (if any).
Status	This element specifies the last exit code of the daemon (if any), or if < 0, indicates the negative of the signal that interrupted processing. For example, a value of -15 would indicate that the job was terminated via a SIGTERM.

Network Interfaces

The interface test enumerate various attributes about the interfaces on a system.

Child Elements	Description
Broadcast address	This element specifies the broadcast address. A broadcast address is typically the IP address with the host portion set to either all zeros or all ones. Note that the IP address can be IPv4 or IPv6.
Flag	The flag entity represents the interface flag line, which generally contains flags like “UP” to denote an active interface, “PROMISC” to note that the interface is listening for Ethernet frames not specifically addressed to it, and others. This element can be included multiple times in a system characteristic item in order to record a multitude of flags. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like this that refer to items that can occur an unbounded number of times.
Hardware Address	The Hardware Address entity is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
IP address of an interface	This element specifies the IP address. Note that the IP address can be IPv4 or IPv6. If IP address is an IPv6 address, this entity will be expressed as an IPv6 address prefix using CIDR notation and the netmask entity will not be collected.
Name	This element specifies the name of an interface.
Netmask	This element specifies the subnet mask for the IP address. Note that If IP address of an interface entity contains an IPv6 address prefix, this entity will not be collected.
Type	This element specifies the type of interface which is limited to certain set of values.

IP forwarding status

This is used to collect information about the IP forward settings. It includes IP forwarding status which can be either enabled or disabled.

Child Elements	Description
IP forwarding status	This element specifies ip forwarding is enabled or disabled.

Packet filter control(pfctl)

This is used to collect various information about packet filter control. It includes action, direction, interface, protocol source, destination, flags and state information.

Child Elements	Description
Action	This element specifies action to be taken when a specified rule matches. For example: PASS or BLOCK.
Direction	This element specifies the packet flow direction.
Destination	This element specifies the destination IP address or subnet of the traffic.
Flags	This element specifies different flags associated with the rule.
Interface	This element specifies network interface for a specific rule.
Protocol	This element specifies the protocol associated with the rule.
Source	This element specifies the source IP address or subnet of the traffic.
State	This element specifies different states associated with the rule. For example: no state, keep state, modulate state, synproxy state.

Kernel Information

This is used to collect various information about loaded kernel. It includes kernel version, kernel image path, kernel on which device/volume and kernel arguments.

Child Elements	Description
Arguments	This element indicates loaded kernel kernel arguments.
Device	This element indicates location of the kernel on which device or volume.
Kernel image path	This element specified the kernel image path.
Kernel version	This element indicates loaded kernel kernel version.

Key chain

This is used to collect various information to check the properties of the plist-style XML output from the ‘security show-keychain-info keychain’ command. File path is mandatory for this query.

Child Elements	Description
File path*	This element specifies the filepath of the keychain.
Lock on sleep	This element specifies whether the keychain is configured to lock when the computer sleeps.
Time out	This element specifies the inactivity timeout (in seconds) for the keychain, or 0 if there is no timeout.

Logged-in Users

This is used to collect various information about logged-in users. It includes user name, device tty, remote logged in host name, time when entry made, process id and record type.

Child Elements	Description
Host	This element indicates hostname for remote login or kernel version for run-level messages
Process ID(PID)	This element indicates the PID of login process.
Time	This element indicates the time when entry was made (in seconds).
tty	This element indicates device name of tty.
Type	This element indicates the type of record.
User name	This element indicates logged-in user name.

Mount points

Child Elements	Description
Disk file-system name	This element indicates filesystem name.
Disk mounted on	This element indicates disk mounted path.
Disk size	This element indicates total disk partition size (in bytes).
Disk space available	This element indicates available disk space (in bytes).
Disk space used	This element indicates used disk space (in bytes).
Disk use percentage	This element indicates used disk space in percentage.

Non-volatile random-access memory (NVRAM)

This is used to collect information about Non-volatile random-access memory (NVRAM). It pulls data from the ‘nvram -p’ output. It includes variable and value associated with it.

Child Elements	Description
NVRAM variable	This element indicates variable name.
NVRAM value	This element indicates value associated with the variable.

Partitions

The partition_test is used to check the information associated with partitions on the local system.

Child Elements	Description
Device	This element contains a string that represents the name of the device.
FS type	This element contains a string that represents the type of filesystem on a partition.
Mount point	This element contains a string that represents the mount point of a partition on the local system.
Space left	This element contains an integer that represents the number of blocks left on a partition.
Space used	This element contains an integer that represents the number of blocks used on a partition.
Total space	This element contains an integer that represents the total number of blocks on a partition.
UUID	This element contains a string that represents the universally unique identifier associated with a partition.

Password/User Information

This is used to collect various information about system users. It includes user name, password, user id, group id, user information, user home directory path and login shell.

Child Elements	Description
GCOS(comment field)	This element indicates user information. Usually, it contains the full username. Some programs (for example, finger(1)) display information from this field. GECOS stands for “General Electric Comprehensive Operating System”,which was renamed to GCOS when GE’s large systems ision was sold to Honeywell. Dennis Ritchie has reported: “Sometimes we sent printer output or batch jobs to the GCOS machine. The gcos field in the password file was a place to stash the information for the $IDENTcard. Not elegant.”
Group ID	This element indicates group id of a particular group.
Home directory	This element specifies path to home directory of a particular user.
Login shell	This element specifies login shell of a particular user.
Password	This element indicates local user password
User ID	This element indicates user id of a particular user.
User name	This element indicates local user name.

Property List(plist)

Information associated with property list preference keys. File path, App ID and Key entities are mandatory for this query.

Child Elements	Description
App ID*	The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari).
File path*	The absolute path to a plist file (e.g. ~/Library/Preferences/com.apple.Safari.plist). A directory cannot be specified as a filepath.
Instance	The instance of the preference key found in the plist. The first instance of a matching preference key is given the instance value of 1, the second instance of a matching preference key is given the instance value of 2, and so on. Instance values must be assigned using a depth-first approach. Note that the main purpose of this entity is to provide uniqueness for the different plist items that result from multiple instances of a given preference key in the same plist file.
Key*	The preference key to be checked.
Type	The type of the preference key to be checked.
Value	The value of the preference key to be checked.

Port/Network Connection

Information about open ports and network connections.

Child Elements	Description
Local address	This element specifies the local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6.
Local full address	This element specifies the full local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6.
Local port	This element specifies the number assigned to the local listening port.
Protocol	This element specifies the type of listening port. It is restricted to either TCP or UDP.
Process ID(PID)	The id given to the process that is associated with the specified listening port.
Foreign address	This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
Foreign full address	This is the full IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
Foreign port	This is the TCP or UDP port to which the program communicates.
Process name	This element specifies the name of a listening server program.
Port state	This element indicates the port state.
User ID	This element specifies the user id using this port.

Process

Information about running processes.

Child Elements	Description
Command line	This is the string used to start the process. It includes any parameters that are part of the command line.
Exec shield	This element specifies execute shield status.
Execution time	This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more.
Login UID	The loginuid shows which account a user gained access to the system with. The /proc/XXXX/loginuid shows this value.
Process ID(PID)	This is the process ID of the process.
Posix capability	An effective capability associated with the process. See linux/include/linux/capability.h for more information.
Parent process ID	This is the process ID of the process’s parent process.
Priority	This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call.
Process name	This is the name of the processes.td>
Real UID	This element specifies the real UID.
SE Linux domain label	An SE Linux domain label associated with the process.
Session ID	The session ID of the process.
Start time	This is the time of day the process started formatted in HH:MM:SS if the same day the process started or formatted as MMM_DD (Ex.: Feb_5) if process started the previous day or further in the past.
tty	This is the TTY on which the process was started, if applicable.
User ID	This is the effective user id which represents the actual privileges of the process.

Resource Limit

This is used to collect information to check system resource limits for launchd.

Child Elements	Description
Core current	This element specifies the argest size (in bytes) core file that may be created.
Core limit	This element specifies core hard limit (in bytes).
CPU current	This element specifies the maximum amount of CPU time (in seconds) to be used by each process.
CPU limit	This element specifies CPU hard limit.
Data current	This element specifies the maximum size (in bytes) of the data segment for a process; this defines how far a program may extend its break with the sbrk(2) system call.
Data limit	This element specifies data hard limit (in bytes).
Filesize current	This element specifies the largest size (in bytes) file that may be created.
Filesize limit	This element specifies filesize hard limit.
Maxfiles current	This element specifies the maximum number of open files for this process.
Maxfiles limit	This element specifies maxfiles hard limit (in bytes).
Maxproc current	This element specifies the maximum number of simultaneous processes for this user id.
Maxproc limit	This element specifies maxproc hard limit.
Memlock current	This element specifies the maximum size (in bytes) which a process may lock into memory using the mlock(2) function.
Memlock limit	This element specifies memlock hard limit (in bytes).
RSS current	This element specifies the maximum size (in bytes) to which a process’s resident set size may grow. This imposes a limit on the amount of physical memory to be given to a process; if memory is tight, the system will prefer to take memory from processes that are exceeding their declared resident set size.
RSS limit	This element specifies rss hard limit (in bytes).
Stack current	This element specifies the maximum size (in bytes) of the stack segment for a process; this defines how far a program’s stack segment may be extended. Stack extension is performed automatically by the system.
Stack limit	This element specifies stack hard limit (in bytes).

RPC Map Information

This is used to collect various information about rpm program from /etc/rpc. It includes remote procedure call(RPC) program name, program number and program aliases.

Child Elements	Description
RPC aliases	This element specifies the aliases for the RPC program.
RPC program name	This element specifies the native name for the RPC program.
RPC program number	This element specifies the official number for the RPC program.

RPC Network Connections

Child Elements	Description
Address	This element specifies the IP address of the RPC program.
Network ID	This element specifies, which transport protocol is used.
Owner	This element specifies an owner for the RPC program.
RPC program ID	This element specifies the RPC program id.
RPC program name	This element specifies the RPC program name.
RPC program version	This element specifies the RPC program version.

Services

This is used to collect information about services. It includes service name and status.

Child Elements	Description
Service name	This specifies the service name.
Service status	This specifies the status of the service.

Shell History

This is used to collect various information about shell history. It includes user name, used-id, history file path and command from history file.

Child Elements	Description
Command	This element specifies history of executed commands.
History file	This element specifies history file path.
UID	This element specifies history belongs to which user id.
User name	This element specifies history belongs to which user.

Software Updates

This is used to used to access automatic software update information.

Child Elements	Description
Schedule	This element specifies whether automatic checking is enabled (true).
Software title	This element specifies the title string for an available (not installed) software update.

Sudo Users

This is used to collect sudo users. It includes user name which has sudo access.

Child Elements	Description
Sudo user name	This element specifies sudo username.

System Control

This is used to check the values associated with the kernel parameters that are used by the local system.

Child Elements	Description
Name	This element contains a string that represents the name of a kernel parameter that was collected from the local system.
Value	This element contains a string that represents the value(s) associated with the specified kernel parameter.

System DHCP Information

Child Elements	Description
DHCP enabled	This element specifies the value that specifies whether the dynamic host configuration protocol (DHCP) is enabled for this adapter.
DHCP interface	This element specifies DHCP interface
Gateway IP	This element specifies the ip address of the gateway for this adapter.
MAC Address	This element specifies the hardware address for the adapter.
Interface type	This element specifies the adapter type.
IP mask	This element specifies the list of ip addresses associated with this adapter.
Lease rebind time	This element specifies DHCP lease rebind time.
Lease renew time	This element specifies DHCP lease renew time.
Lease time	This element specifies DHCP lease time.
DHCP server IP	This element specifies the address of the DHCP server for this adapter.

System DNS Information

This is used to collect domain name and domain name system ip information. It includes domain name and dns server ip address

Child Elements	Description
DNS server IP	This element specifies the list of dns server ip address used by the local computer.
Domain name	This element specifies the domain in which the local computer is registered.

System Profiler

This is used to check the properties of the plist-style XML output from the system_profiler -xml datatype command, for reading information about system inventory data on MacOSX. Data type and XPath are mandatory to query the database.

Child Elements	Description
Data type*	This element specifies data type of the value desired.
Value of	This element checks the value(s) of the text node(s) or attribute(s) found.
XPath*	This element specifies an Xpath expression describing the text node(s) or attribute(s) to look at. Any valid Xpath 1.0 statement is usable with one exception, at most one field may be identified in the Xpath.

System Route Information

This is used to collect system route information. It includes destination, ip address, gateway, netmask, flags, metric, MTU, type and interface name.

Child Elements	Description
Destination	This element specifies the destination IP address or subnet of the traffic for a specific route entry.
Flags	This element specifies the flag for a specific route entry.
Gateway	This element specifies the gateway for a specific route entry.
Network Interfaces	This element specifies the interface for a specific route entry.
Metric	This element specifies the metric for a specific route entry.
Maximum transmission unit(MTU)	This element specifies maximum transmission unit.
Netmask	This element specifies the netmask for a specific route entry.
Type	This element specifies the type of route. Example: local, static, router, gateway

System Setup

This is used to collect system setup properties.

Child Elements	Description
Allow power button to sleep computer	This element specifies the value that specifies whether the dynamic host configuration protocol (DHCP) is enabled for this adapter.
Computer name	This element specifies the computer’s name.
Computer sleep	This element specifies the computer sleep inactivity timer, or 0 for never.
Disable keyboard when enclosure lock is engaged	This element specifies whether the keyboard is locked when the closure lock is engaged.
Display sleep	This element specifies the display sleep inactivity timer, or 0 for never.
Harddisk sleep	This element specifies the hard disk sleep inactivity timer, or 0 for never.
Kernel boot architecture setting	This element specifies the kernel boot architecture setting.
Network time server	This element specifies the network time server.
Remote Apple events	This element specifies whether remote Apple events are enabled.
Remote login	This element specifies whether remote logins are allowed.
Restart freeze	This element specifies whether the computer will restart after freezing.
Startup disk	This element specifies the startup disk.
Using network time	This element specifies whether the machine is using network time.
Wait for startup after power failure	This element specifies the number of seconds the computer waits to start up after a power failure.
Wake on modem	This element specifies whether the computer will wake up if the modem is accessed.
Wake on network access	This element specifies whether the computer will wake up if the network is accessed.

Text File Content

This looks at the content of a text file (aka a configuration file) by looking at in idual lines. File path, pattern and instance are mandatory for this query while submitting to agents.

Child Elements	Description
File path*	This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path.
Pattern*	The pattern entity represents a regular expression that is used to define a block of text. Subexpression notation (parenthesis) is used to call out a value(s) to test against. For example, the pattern abc(.*)xyz would look for a block of text in the file that starts with abc and ends with xyz, with the subexpression being all the characters that exist in between. Note that If pattern can match more than one block of text starting at the same point, then it matches the longest. Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later.
Instance*	The instance entity calls out which match of the pattern is being represented by this item. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. The main purpose of this entity is too provide uniqueness for different items that results from multiple matches of a given pattern against the same file.
Text	The text entity represents the block of text that matched the specified pattern.
Sub-expression	The sub-expression entity represents the value of a subexpression in the specified pattern. If multiple subexpressions are specified in the pattern, then multiple entities are presented.
Windows view	Not applicable for Unix based systems. The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64-bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems.

Unix name(uname)

This is used to collect various information about operating system. It includes hardware id, operating system name, version, release, processor type, time zone and locale.

Child Elements	Description
Locale	This element specifies the locale
Machine class	This element specifies the hardware identifier
Node name	This element indicates name of the present machine in some undefined network
Operating system name	This element specifies the name of the operating system.
Operating system release	This element specifies the release version of the operating system.
Operating system version	This element specifies the version of the operating system.
Processor type	This element specifies the hardware identifier
Time zone	This element specifies the time zone

Wireless Information

Child Elements	Description
WLAN BSS Network type	This element specifies whether the network is infrastructure or ad hoc.
WLAN Physical mode	This element represents the bandwidth of wireless frequency, example: 802.11 a,b,g,n.
WLAN Interface name	This element specifies the wireless interface name.
WLAN MAC address	This element specifies physical hardware address wireless interface.
WLAN Receiving rate	This element specifies the receiving rate of the association (in decibel-milliwatt/dBm).
WLAN Security	This element specifies security used to prevent unauthorized access to the network. Example: WPA, WEP
WLAN SSID	This element specifies the contains the SSID of the association.
WLAN Transmission rate	This element specifies the transmission rate of the association.

Symlink

This is used to obtain canonical path information for symbolic links. File path is a mandatory field while submitting to agents.

Child Elements	Description
Canonical path	Specifies the canonical path for the target of a symbolic link file specified by the filepath.
Filepath*	Specifies the filepath used to create the object.

Routing table

Child Elements	Description
Destination*	The destination IP address prefix of the routing table entry. This is the destination IP address and netmask/prefix-length expressed using CIDR notation.
Flags	The flags associated with the specified routing table entry.
Gateway	The gateway of the specified routing table entry.
Interface name	The name of the interface associated with the routing table entry.

File extended attribute

Child Elements	Description
Attribute name*	This is the extended attribute’s name, identifier or key.
File path*	The filepath element specifies the absolute path for a file on the machine. A directory can be specified as a filepath.
Value	The value entity represents the extended attribute’s value or contents. To check for an attribute with no value assigned to it, this entity would be used with an empty value.

GConf

Child Elements	Description
Is default?	Is the preference key value the default value. If true, the preference key value is the default value. If false, the preference key value is not the default value.
Is writable?	Is the preference key writable? If true, the preference key is writable. If false, the preference key is not writable.
Key*	The preference key to check.
Source*	The source used to look up the preference key. This element specifies the source from which to collect the preference key. The source is represented by the absolute path to a GConf XML file as XML is the current backend for GConf. Note that other backends may become available in the future.
Time modified	The time the preference key was last modified in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
Type	The type of the preference key.
User modified	The user who last modified the preference key.
Value	The value of the preference key.

Property list ‘plist’ (With App ID)

Note: Do not combine Property list ‘plist’ (With File path) with this query.
This is used to check the value(s) associated with property list preference keys. It can be used to represent any plist file in XML form (whether its native format is ASCII text, binary, or XML), permitting the use of the XPATH query language to explore its contents. App ID and XPath are mandatory fields while submitting to agents.

Child Elements	Description
App id*	The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari).
Value of	The value of the preference key.
XPath*	Specifies an XPath 1.0 expression to evaluate against the XML representation of the plist file specified by the filename or app_id entity. Note that “equals” is the only valid operator for the xpath entity.

Property list ‘plist’ (With File path)

Note: Do not combine Property list ‘plist’ (With App ID) with this query.
This is used to check the value(s) associated with property list preference keys. It can be used to represent any plist file in XML form (whether its native format is ASCII text, binary, or XML), permitting the use of the XPATH query language to explore its contents. File path command XPath are mandatory fields while submitting to agents.

Child Elements	Description
File path*	The absolute path to a plist file (e.g. /Library/Preferences/com.apple.TimeMachine.plist). A directory cannot be specified as a filepath.
Value of	The value of the preference key.
XPath*	Specifies an XPath 1.0 expression to evaluate against the XML representation of the plist file specified by the filename or app_id entity. Note that “equals” is the only valid operator for the xpath entity.

</ >
< id=”Macxmlfilecontent” class=”col-md-12″>

XML File Content

Child Elements	Description
File path*	This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path.
XPath*	Specifies an XPath 1.0 expression to evaluate against the XML file specified by the filename entity. This XPath 1.0 expression must evaluate to a list of zero or more text values which will be accessible in OVAL via instances of the value_of entity. Any results from evaluating the XPath 1.0 expression other than a list of text strings (e.g., a nodes set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute. However, an OVAL interpreter is not required to verify this, so the author should define the XPath expression carefully. Note that “equals” is the only valid operator for the xpath entity.
Value of	This element checks the value(s) of the text node(s) or attribute(s) found.
Windows view	The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems.

Software Licenses

This is used to collect information of Software Licenses. It includes software name and license information.

Child Elements	Description
Software family	This element specifies the family of the software application.
Software name	This element specifies the name of the software application.
Software license	This element specifies the license serial number of the software application.
Software version	This element specifies the version of the software application.

Missing Patches

This is used to investigate missing patches and security fixes in a computer system.

Child Elements	Description
Patch description	This element describes a patch.
Patch ID	A unique identification number associated with a patch.
Patch name	This element specifies the patch name.
Patch rollback available	This element specifies if rollback is possible for this patch. Possible values are TRUE or FALSE. An empty value appears if it cannot be determined.
Patch severity	This element specifies severity of a patch. Possible values: Important, Critical, etc. An empty value appears if it cannot be determined.
Patch size	This element specifies size of a patch. Values are specified in bytes. A value UNKNOWN appears if patch size cannot be determined.
Reboot required	This element specifies if reboot is required after patch installation. Passible values are TRUE or FALSE.
Platform CPE	This element specifies platform CPE ID associated with the patch.
Product CPE	This element specifies product CPE ID associated with the patch. Note: This value is empty when a patch is associated with an operating system.

Common Probes

Environment Variables

This is used to collect system environment variable information. It includes environment variable name, value and process id.

Child Elements	Description
Name	This element specifies name of the environment variable
Process ID(PID)	This element specifies PID of a process
Value	This element specifies value of the environment variable

Family of Operating System

This is used to collect operating system(OS) family, standard values being windows, unix or macos(Mac OS).

Child Elements	Description
family of operating system	This element specifies operating system family.

Text File Content

This looks at the content of a text file (aka a configuration file) by looking at in idual lines. File path, pattern and instance are mandatory while submitting to agents.

Child Elements	Description
File path*	This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path.
Pattern/Text*	This entity represents a block of text or regular expression that is used to define a block of text. Subexpression notation (parenthesis) is used to call out a value(s) to test against. For example, the pattern abc(.*)xyz would look for a block of text in the file that starts with abc and ends with xyz, with the subexpression being all the characters that exist in between. Note that If pattern can match more than one block of text starting at the same point, then it matches the longest. Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later.
Instance*	The instance entity calls out which match of the pattern is being represented by this item. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. The main purpose of this entity is too provide uniqueness for different items that results from multiple matches of a given pattern against the same file.
Sub-expression	The sub-expression entity represents the value of a subexpression in the specified pattern. If multiple subexpressions are specified in the pattern, then multiple entities are presented.
Windows view	Not applicable for Unix based systems. The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64-bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems.

XML File Content

Child Elements	Description
File path*	This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path.
Value of	This element checks the value(s) of the text node(s) or attribute(s) found.
Windows view	The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems.
XPath*	Specifies an XPath 1.0 expression to evaluate against the XML file specified by the filename entity. This XPath 1.0 expression must evaluate to a list of zero or more text values which will be accessible in OVAL via instances of the value_of entity. Any results from evaluating the XPath 1.0 expression other than a list of text strings (e.g., a nodes set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute. However, an OVAL interpreter is not required to verify this, so the author should define the XPath expression carefully. Note that “equals” is the only valid operator for the xpath entity.

SanerNow Responses

Actions that can be performed on endpoints

Enable device

Enables specified device names from the list. Select the devices to be enabled.

Parameter	Description
Not applicable	Not applicable

Disable device

Disables specified device names from the list. Select the devices to be disabled.

Parameter	Description
Not applicable	Not applicable

Add ARP entry

Adds a specified ARP(Address Resolution Protocol) entry into the ARP cache.

Parameter	Description
Network Interface Index	The local index value for the network interface associated with this IP address. This index value may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent.
Network Interface Locally Unique ID	The locally unique identifier (LUID) for the network interface associated with this IP address. Value must be always 0.
IP Address	The IP address of the system. This member can be an IPv6 address or an IPv4 address.
MAC Address	The physical hardware address of the adapter for the network interface associated with this IP address.

Delete ARP entry

Deletes a specified ARP entry from the ARP cache.

Parameter	Description
Network Interface Index	The local index value for the network interface associated with this IP address. This index value may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent.
Network Interface Locally Unique ID	The locally unique identifier (LUID) for the network interface associated with this IP address. Value must be always 0.
IP Address	The IP address of the system. This member can be an IPv6 address or an IPv4 address.
MAC Address	The physical hardware address of the adapter for the network interface associated with this IP address.

Modify ARP entry

Modifies a specified ARP entry from the ARP cache.

Parameter	Description
Network Interface Index	The local index value for the network interface associated with this IP address. This index value may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent.
Network Interface Locally Unique ID	The locally unique identifier (LUID) for the network interface associated with this IP address. Value must be always 0.
IP Address	The IP address of the system. This member can be an IPv6 address or an IPv4 address.
MAC Address	The physical hardware address of the adapter for the network interface associated with this IP address.

Flush all ARP entries

Flush all arp entries from the ARP cache.

Parameter	Description

Enable device

Enables specified device names from the list. Select the devices to be enabled.

Parameter	Description
Not applicable	Not applicable

Disable device

Disables specified device names from the list. Select the devices to be disabled.

Parameter	Description
Not applicable	Not applicable

Add ARP entry

Adds a specified ARP(Address Resolution Protocol) entry into the ARP cache.

Parameter	Description
Network Interface Index	The local index value for the network interface associated with this IP address. This index value may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent.
Network Interface Locally Unique ID	The locally unique identifier (LUID) for the network interface associated with this IP address. Value must be always 0.
IP Address	The IP address of the system. This member can be an IPv6 address or an IPv4 address.
MAC Address	The physical hardware address of the adapter for the network interface associated with this IP address.

Delete ARP entry

Deletes a specified ARP entry from the ARP cache.

Parameter	Description
Network Interface Index	The local index value for the network interface associated with this IP address. This index value may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent.
Network Interface Locally Unique ID	The locally unique identifier (LUID) for the network interface associated with this IP address. Value must be always 0.
IP Address	The IP address of the system. This member can be an IPv6 address or an IPv4 address.
MAC Address	The physical hardware address of the adapter for the network interface associated with this IP address.

Modify ARP entry

Modifies a specified ARP entry from the ARP cache.

Parameter	Description
Network Interface Index	The local index value for the network interface associated with this IP address. This index value may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent.
Network Interface Locally Unique ID	The locally unique identifier (LUID) for the network interface associated with this IP address. Value must be always 0.
IP Address	The IP address of the system. This member can be an IPv6 address or an IPv4 address.
MAC Address	The physical hardware address of the adapter for the network interface associated with this IP address.

Flush all ARP entries

Flush all arp entries from the ARP cache.

Parameter	Description

Flush ARP IPV4 entries

Flush all IPv4 ARP entries from the ARP cache.

Parameter	Description
Not applicable	Not applicable

Flush ARP IPV6 entries

Flush all IPv6 ARP entries from the ARP cache.

Parameter	Description
Not applicable	Not applicable

Block Domain

Block a specified domain name.

Parameter	Description
Domain Name	A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.

Add entry into host file

Adds an entry into the hosts file.

Parameter	Description
Domain Name	A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.
IP Address	The IP address of the system. This member can be an IPv6 address or an IPv4 address.

Delete entry from host file

Deletes an entry from the hosts file.

Parameter	Description
Domain Name	A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.
IP Address	The IP address of the system. This member can be an IPv6 address or an IPv4 address.

Modify entry from host file

Updates an existing hosts entry to new entry.

Parameter	Description
Domain Name	A old domain name present in the hosts file on the system. Domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.
IP Address	An old IP address present in hosts file on the system. This member can be an IPv6 address or an IPv4 address.
New Domain Name	A new domain name. Domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.
New IP Address	The new IP address present in hosts file on the system. This member can be an IPv6 address or an IPv4 address.

Flush all entries from host file

Flush all entries from hosts file.

Parameter	Description
Not applicable	Not applicable

Modify NTP Server

Updates NTP server URL. The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.

Parameter	Description
NTP Server URL	URL of an NTP server for clock synchronization.

Network connection kill

Kills a specified network connection.

Parameter	Description
Local IP Address	The local IPv4 address for the TCP connection on the local computer. A value of zero indicates the listener can accept a connection on any interface.
Local Port	The local port number in network byte order for the TCP connection on the local computer.
Remote IP Address	The IPv4 address for the TCP connection on the remote computer.
Remote Port	The remote port number in network byte order for the TCP connection on the remote computer.

Start process

Start specified processes using a list of process names. Select process names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Stop process by process ID

Stop specified processes using a list of process IDs. Select process IDs from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Stop process by name

Stop specified processes using a list of process names. Select process names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Process block

Block specified processes from execution using a list of process names. Select process names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Process unblock

Unblock specified processes from execution using a list of process names. Select process names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Quarantine

Isolate a specific file to prevent it from any read/write or execution operations. Enter the absolute path of file to be quarantined.

Parameter	Description
Not applicable	Not applicable

Clean DLL

Cleanup all unwanted shared DLL registry entries from the system.

Parameter	Description
Not applicable	Not applicable

Clean font

Cleanup all unwanted fonts registry entries from the system.

Parameter	Description
Not applicable	Not applicable

Clean help

Cleanup all unwanted system help registry entries from the system.

Parameter	Description
Not applicable	Not applicable

Clean installer

Cleanup all unwanted installer registry entries from the system.

Parameter	Description
Not applicable	Not applicable

Clean MRU(Most Recently Used)

Cleanup recent items, browsing history, run command history, file search history, WordPad recent history, regedit favourites, Microsoft Paint and Media player history, Explorer search history. (Applicable for Windows systems only)

Parameter	Description
Recently opened programs	Recently opened programs
Explorer history	Explorer history
Internet Search Assistant	Internet Search Assistant
Mediaplayer recent files list	Mediaplayer recent files list
MediaPlayer recent URLs list	MediaPlayer recent URLs list
Microsoft Paint history	Microsoft Paint history
Printers, Computers and People	Printers, Computers and People
Recent documents	Recent documents
Regedit last accessed keys history	Regedit last accessed keys history
Registry favourite list	Registry favourite list
Run command history	Run command history
Search history	Search history
Last visited URL history	Last visited URL history
WordPad recent history	WordPad recent history

Clean MUI

Cleanup all unwanted shell MUI(Multilingual User Interface) cache registry entries from the system.

Parameter	Description
Not applicable	Not applicable

Clean start

Cleanup all unwanted startup registry items from the system.

Parameter	Description
Not applicable	Not applicable

Clean system

Cleanup all unwanted system registry entries.

Parameter	Description
Not applicable	Not applicable

Clean uninstaller

Cleanup all unwanted uninstaller registry entries from the system.

Parameter	Description
Not applicable	Not applicable

Clean user

Cleanup all unwanted user registry entries from the system.

Parameter	Description
Not applicable	Not applicable

Add registry

Add a registry entry in the system.

Parameter	Description
Registry Type	The type can be one of the following: 1) key – to create key 2) value – to create a value under a key
Registry Hive	The root key in the registry (e.g HKEY_LOCAL_MACHINE (HKLM), HKEY_USERS (HKU) etc.)
Registry Sub-key	Each root key has its own related keys which are known as sub keys
Registry Data	Name in the name/value pair stored within keys
Registry Value	Data in name/value pair stored within keys
Registry Value Type	The ValueType can be one of the following: REG_SZ, REG_DWORD, REG_BINARY, REG_EXPAND_SZ, REG_MULTI_SZ, REG_QWORD

Modify registry

Modifies an existing registry value entry.

Parameter	Description
Registry Type	The type can be one of the following: 1) key – to create key 2) value – to create a value under a key
Registry Hive	The root key in the registry (e.g HKEY_LOCAL_MACHINE (HKLM), HKEY_USERS (HKU) etc)
Registry Sub-key	Each root key has its own related keys which are known as sub keys
Registry Data	Name in the name/value pair stored within keys
Registry Value	Data in name/value pair stored within keys
Registry Value Type	The ValueType can be one of the following: REG_SZ, REG_DWORD, REG_BINARY, REG_EXPAND_SZ, REG_MULTI_SZ, REG_QWORD

Delete registry

Deletes an existing registry entry.

Parameter	Description
Registry Type	The type can be one of the following: 1) key – to create key 2) value – to create a value under a key
Registry Hive	The root key in the registry (e.g HKEY_LOCAL_MACHINE (HKLM), HKEY_USERS (HKU) etc)
Registry Sub-key	Each root key has its own related keys which are known as sub keys
Registry Data	Name in the name/value pair stored within keys
Registry Value	Data in name/value pair stored within keys
Registry Value Type	The ValueType can be one of the following: REG_SZ, REG_DWORD, REG_BINARY, REG_EXPAND_SZ, REG_MULTI_SZ, REG_QWORD

Service start

Start specified services by service name. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Service stop

Stop specified services by service name. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Service restart

Restart specified services by service name. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Service remove

Remove specified services by service name. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Service start type automatic

Change service start option to automatic mode using service name. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Service start type manual

Change service start option to manual mode using service name. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Service start type disabled

Change service start option to disabled mode using service name. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Remove programs from startup

Removes program entries from Windows startup. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Remove scheduled program

Removes scheduled programs from Windows schedule. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Reboot

Reboots the system.

Parameter	Description
Message	A specified message will be displayed to logged-in user before reboot.
Time in minutes	The specified time(expressed in minutes) after which the system would reboot. Provide a value of 0 to reboot immediately.

Shutdown

Shutdown the system.

Parameter	Description
Message	The specified message will be displayed to logged-in user before shutdown.
Time in minutes	The specified time(expressed in minutes) after which the system would shutdown. Provide a value of 0 to shutdown immediately.

Clean cache

Clean cache for the following – internet cache, dns cache, thumbnail cache, prefetch cache for the current logged-in user.

Parameter	Description
DNS Cache	Cleans up DNS cache. DNS cache stores the locations (IP addresses) of web servers that contain web pages which you have recently viewed.
Internet Cache	Cleans up Internet cache. Internet cache is a temporary storage (caching) of web documents, such as HTML pages and images.
Thumbnail Cache	Cleans up Thumbnail cache. A thumbnail cache is used to store thumbnail images for Windows Explorer’s thumbnail view.
Prefetch Cache	Cleans up Prefetch cache. A prefetch cache is used to help speed up the loading of programs in Windows.

Clean clipboard

Clean the clipboard for the current logged in user.

Parameter	Description
Not applicable	Not applicable

Clean custom path

Delete an file or directory for the current logged-in user. Enter the absolute file or directory path which needs to be deleted.

Parameter	Description
Not applicable	Not applicable

Clear error reports

Clear windows error reports for the current logged-in user.

Parameter	Description
Not applicable	Not applicable

Clean recent places

Clear user recent places for the current logged-in user.

Parameter	Description
Not applicable	Not applicable

Empty recycle-bin

Empty recycle bin for the current logged-in user.

Parameter	Description
Not applicable	Not applicable

Clean CMD history

Clear run command history from the system.

Parameter	Description
Not applicable	Not applicable

Clear temporary files

Clean temporary folders from the system.

Parameter	Description
Not applicable	Not applicable

Clean windows credential

Clear Windows credentials for the current logged-in user.

Parameter	Description
Not applicable	Not applicable

Clear windows update files

Clean windows update files from the system.

Parameter	Description
Not applicable	Not applicable

Enable firewall for all profiles

Enable firewall for all three profiles: domain, private and public. The domain profile applies to networks where the host system can authenticate to a domain controller. The private profile is a user-assigned profile and is used to designate private or home networks. Lastly, the default profile is the public profile, which is used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.

Parameter	Description
Not applicable	Not applicable

Enable firewall for domain profile

Enable firewall for domain profile. The domain profile applies to networks where the host system can authenticate to a domain controller.

Parameter	Description
Not applicable	Not applicable

Enable firewall for private profile

Enable firewall for private profile. The private profile is a user-assigned profile and is used to designate private or home networks.

Parameter	Description
Not applicable	Not applicable

Disable firewall for public profile

Enable firewall for public profile. The public profile is used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.

Parameter	Description
Not applicable	Not applicable

Disable firewall for all profiles

Disable firewall for all three profiles: domain, private and public. The domain profile applies to networks where the host system can authenticate to a domain controller. The private profile is a user-assigned profile and is used to designate private or home networks. Lastly, the default profile is the public profile, which is used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.

Parameter	Description
Not applicable	Not applicable

Disable firewall for domain profile

Disable firewall for domain profile. The domain profile applies to networks where the host system can authenticate to a domain controller.

Parameter	Description
Not applicable	Not applicable

Disable firewall for private profile

Disable firewall for private profile. The private profile is a user-assigned profile and is used to designate private or home networks.

Parameter	Description
Not applicable	Not applicable

Disable firewall for public profile

Disable firewall for public profile. The public profile is used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.

Parameter	Description
Not applicable	Not applicable

Application block

Block a specified application from execution. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Application unblock

Unblock the specified application from execution. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Application Management

Install or uninstall applications.

Parameter	Description
Command	The value is either ‘install’ or ‘uninstall’
Install Method	There are two types of installation methods: by uploading the installation file. by entring a URL that servers the installation file
Application executable	Provide the executable path.
URL	URL that servers the installation file.
Application name	Name of the application to uninstall.
Application architecture	The value is either ‘x86’ or ‘x64’
Silent mode option	Option to install the application in silent mode.
Additional options	Any additional command line option that need to be executed.
Application access	To install the application to all users or currently logged on user. The values are ‘AllUser’ or ‘currentUser’
Disable shortcut	To disable shortcut creation, provide the option to disable shortcut.
Notify for reboot	Show a notification window to the user that a reboot is required post installation/uninstallation.

Patch Management

Install a patch.

Parameter	Description
Command	The value is install
Install Method	There are two types of installation methods: by uploading the installation file. by entring a URL that servers the installation file
Application executable	Provide the executable path.
URL	URL that servers the installation file.
Silent mode option	Option to install the application in silent mode.
Additional options	Any additional command line option that need to be executed.
Notify for reboot	Show a notification window to the user that a reboot is required post installation/uninstallation.

Remediation Rule

Rules to Include/Exclude applications, patches, or configuration that takes into effect during remediation of a group of devices. Enable auto reboot to allow machines to restart(as required) after remediation. This avoids user intervention while applying patches to the systems.

Parameter	Description
Not applicable	Not applicable

Remediation job

A Short-lived remediation task to include application patches/configuration that can be applied to a customized set of devices. Enable auto reboot to allow machines to reboot multiple times while remediation. This avoids user intervention while applying patches to the systems.

Parameter	Description
Not applicable	Not applicable

Application block

Block a specified application from execution. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Application unblock

Unblock the specified application from execution. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Enable device

Enables specified device names from the list. Select the devices to be enabled, or enter custom driver names in the input box.

Parameter	Description
Not applicable	Not applicable

Disable device

Disables specified device names from the list. Select the devices to be disabled, or enter custom driver names in the input box.

Parameter	Description
Not applicable	Not applicable

Add an entry into /etc/hosts file

Adds an entry into /etc/hosts file.

Parameter	Description
Domain Name	A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.
IP Address	The IP address of the system. This member can be an IPv6 address or an IPv4 address.

Add Protocol Entry

Adds protocol entry into /etc/protocol file. This file describes the various DARPA internet protocols that are available from the TCP/IP subsystem.

Parameter	Description
Protocol Alias	The aliases for the protocol.
Protocol Name	The native name for the protocol. For example ip, tcp, or udp.
Protocol Number	The official number for this protocol as it will appear within the IP header.

Add Route

Adds new routing entry into network routing table.

Parameter	Description
Gateway	The gateway to be added into routing table. A gateway is a network point that acts as an entrance to another network.
Interface Name	The device interface name.
IP Address	The ip address to be added into routing table.
Route Type	This element specifies the route type.
Netmask	A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. eg: 255.255.255.0

Add Service Entry

Adds service entry into Internet network services list /etc/services file. This file provides a mapping between human-friendly textual names for internet services, and their underlying assigned port numbers and protocol types.

Parameter	Description
Service Alias	The service alias. An optional space or tab separated list of other names for this service.
Service Name	The friendly name the service is known by and looked up under.
Service Port Number	The port number to use for this service.
Service Protocol	The type of protocol to be used. This field should match an entry in the /etc/protocols file.

Block Domain

Block a specified domain name.

Parameter	Description
Domain Name	A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.

Add ARP entry

Add a specified ARP entry into ARP cache.

Parameter	Description
Interface Name	This interface name will be associated with the an arp entry.
IP Address	The IP address of the system. This member can be an IPv6 address or an IPv4 address.
MAC Address	The physical hardware address of the adapter for the network interface associated with this IP address.

Delete ARP entry

Deletes a specified ARP entry from the ARP cache.

Parameter	Description
Interface Name	This interface name will be associated with the an arp entry.
IP Address	The IP address of the system. This member can be an IPv6 address or an IPv4 address.

Delete an entry from /etc/hosts file

Deletes an entry from /etc/hosts file.

Parameter	Description
Domain Name	A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.

Delete Protocol Entry

Deletes protocol entry from /etc/protocol file. This file describes the various DARPA internet protocols that are available from the TCP/IP subsystem.

Parameter	Description
Protocol Name	The native name for the protocol. For example ip, tcp, or udp.
Protocol Number	The official number for this protocol as it will appear within the IP header.

Delete Route

Deletes existing routing entry from network routing table.

Parameter	Description
Gateway	The gateway to be added into routing table. A gateway is a network point that acts as an entrance to another network.
Interface Name	The device interface name.
IP Address	The ip address to be added into routing table.
Route Type	This element specifies the route type.
Netmask	A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. eg: 255.255.255.0

Delete Service Entry

Delete service entry from Internet network services list /etc/services file. This file provides a mapping between human-friendly textual names for internet services, and their underlying assigned port numbers and protocol types.

Parameter	Description
Service Name	The friendly name the service is known by and looked up under.
Service Port Number	The port number to use for this service.
Service Protocol	The type of protocol to be used. This field should match an entry in the /etc/protocols file.

Disable IP Forwarding

Disables IP forwarding also known as Internet routing. IP forwarding is a concept to make Linux machine to send data from one network to other, this is same as a router.

Parameter	Description
Not applicable	Not applicable

Enable IP Forwarding

Enables IP forwarding also known as Internet routing. IP forwarding is a concept to make Linux machine to send data from one network to other, this is same as a router.

Parameter	Description
Not applicable	Not applicable

Flush all ARP entries

Flush all arp entries from the ARP cache.

Parameter	Description
Not applicable	Not applicable

Flush all entries from /etc/hosts file

Flush all entries from /etc/hosts file.

Parameter	Description
Not applicable	Not applicable

Modify ARP entry

Modifies a specified ARP entry from the ARP cache.

Parameter	Description
Interface Name	The device interface name.
IP Address	The IP address of the system. This member can be an IPv6 address or an IPv4 address.
MAC Address	The physical hardware address of the adapter for the network interface associated with this IP address.

Modify entry from host file

Updates an existing hosts entry to new entry.

Parameter	Description
Domain Name	A old domain name present in the hosts file on the system. Domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.
IP Address	An old IP address present in hosts file on the system. This member can be an IPv6 address or an IPv4 address.
New Domain Name	A new domain name. Domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.
New IP Address	The new IP address present in hosts file on the system. This member can be an IPv6 address or an IPv4 address.

Modify Protocol Entry

Updates existing protocol entry from /etc/protocol file. This file describes the various DARPA internet protocols that are available from the TCP/IP subsystem.

Parameter	Description
New Protocol Alias	The new protocol alias for the protocol.
New Protocol Name	The new protocol name. Native name for the protocol. For example ip, tcp, or udp.
New Protocol Number	The new protocol number. Official number for this protocol as it will appear within the IP header.
Protocol Alias	The protocol alias for the protocol.
Protocol Name	The protocol name. Native name for the protocol. For example ip, tcp, or udp.
Protocol Number	The protocol number. Official number for this protocol as it will appear within the IP header.

Modify Route

Updates existing routing entry with new entry into network routing table.

Parameter	Description
Gateway	The gateway to be added into routing table. A gateway is a network point that acts as an entrance to another network.
Interface Name	The device interface name.
IP Address	The ip address to be added into routing table.
New Gateway	The new gateway to be added into routing table. A gateway is a network point that acts as an entrance to another network.
New Interface Name	The new device interface name.
New IP Address	The new network mask to be added into routing table. A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts.
New Route Type	This element specifies the new route type.
Route Type	This element specifies the old route type.
Netmask	A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. eg: 255.255.255.0
New Netmask	The new netmask address to be added into routing table.

Modify Service Entry

Updates existing service entry from Internet network services list /etc/services file. This file provides a mapping between human-friendly textual names for internet services, and their underlying assigned port numbers and protocol types.

Parameter	Description
New Service Port Number	The new port number to use for this service.
New Service Protocol	The new type of protocol to be used. This field should match an entry in the /etc/protocols file.
Service Name	The existing friendly name the service is known by and looked up under.
Service Port Number	The existing port number to use for this service.
Service Protocol	The existing type of protocol to be used. This field should match an entry in the /etc/protocols file.

Network connection kill

Kills a specified network connection.

Parameter	Description
Local Port	The local port number in network byte order for the TCP connection on the local computer.

Unblock Domain

Unblock a specified blocked domain name.

Parameter	Description
Domain Name	A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.

Process block

Block specified processes from execution using a list of process names. Select process names from the list or provide comma separated values.

Parameter	Description

Start process

Start specified processes using a list of process names. Select process names from the list or provide comma separated values.

Parameter	Description

Stop process by process ID

Stop specified processes using a list of process IDs. Select process IDs from the list or provide comma separated values.

Parameter	Description

Stop process by name

Stop specified processes using a list of process names. Select process names from the list or provide comma separated values.

Parameter	Description

Process unblock

Unblock specified processes from execution using a list of process names. Select process names from the list or provide comma separated values.

Parameter	Description

Append Firewall(iptables) Rules

Appends rules at the end of IP table.

Parameter	Description
Rules	Ip table rule to be added i/p eg: INPUT -i eth0 -p tcp –dport 110 -j ACCEPT

Change File Ownership

Change ownership of a given filepath.

Parameter	Description
File Path	Absolute filepath
Group name	group to be changed for given filepath (optional)
User name	username to be changed for given filepath.

Change File Permission

Change permission of a given filepath.

Parameter	Description
File Path	Absolute filepath
File Permission	permission similar to “644” for

Delete Firewall(iptables) Rules

Delete rules from the IP tables.

Parameter	Description
Rules	Ip table rule to be deleted i/p eg: INPUT 2

Disable Firewall(iptables)

Disables/Stops firewall.

Parameter	Description
Not applicable	Not applicable

Enable Firewall(iptables)

Enables/Start firewall.

Parameter	Description
Not applicable	Not applicable

Flush Firewall(iptables) Rules

Clears all IP table rules.

Parameter	Description
Not applicable	Not applicable

Insert Firewall(iptables) Rules

Insert rules in the beging for IP tables.

Parameter	Description
Rules	Ip table rule to be added i/p eg: INPUT -i eth0 -p tcp –dport 22 -j ACCEPT

Replace Firewall(iptables) Rules

Replace specific rule from the IP table

Parameter	Description
Rules	ip table rule to be replaced i/p eg: INPUT 2 -i eth0 -p tcp –dport 26 -j ACCEPT

Restart Firewall(iptables)

Restart and reinforce firewall rules.

Parameter	Description
Not applicable	Not applicable

Set ASLR Status

Set Address space layout randomization (ASLR) setting

Parameter	Description
Permanent or Temporary	One of the following setting : permanent or temporary(valid till next reboot)
ASLR Status Value	One of the following setting : 0 – ASLR Off (Process address space randomization off) 1 – ASLR On for mmap base, stack and VDSO page(Conservative randomization) 2 – ASLR On for mmap base, stack, VDSO page and heap (Full randomization)

Set SELinux Status

Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. It provides information about SE linux setting.

Parameter	Description
SE Linux Status	One of the following setting : 0 – Permissive (SELinux logs warnings instead of enforcing), 1 – Enforcing (SELinux security policy is enforced)

Set sysctl Settings

Set sysctl kernel setting. sysctl is an interface for examining and dynamically changing parameters in Unix-like operating systems.

Parameter	Description
Not applicable	Not applicable

Service restart

Restart specified services by service name. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Service start

Start specified services by service name. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Service stop

Stop specified services by service name. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Mount Filesystem

Mounts a file system to a local folder.

Parameter	Description
Destination Path	This element specified the destination path to mount filesystem.
Read-only value	This element specifies the read only value (true/false)
Source Path	This element specifies the source path to mount a file system.

Reboot

Reboots the system.

Parameter	Description
Message	A specified message will be displayed to logged-in user before reboot.
Time in minutes	The specified time(expressed in minutes) after which the system would reboot. Provide a value of 0 to reboot immediately.

Shutdown

Shutdown the system.

Parameter	Description
Message	The specified message will be displayed to logged-in user before shutdown.
Time in minutes	The specified time(expressed in minutes) after which the system would shutdown. Provide a value of 0 to shutdown immediately.

Unmount Filesystem

Unmount a file system from the local system.

Parameter	Description
Mount Point	This element specifies the mount point where the filesystem is mounted.

Application Management

Install or uninstall applications.

Parameter	Description
Command	The value is either ‘install’ or ‘uninstall’
Install Method	There are three types of installation methods: by uploading the installation file. by using repository such as yum or Advanced Packaging Tool (APT) by entring a URL that servers the installation file
Application executable	Provide the executable path.
Application name	Specify the name of the application to be downloaded from repo.
Silent mode option	Option to install the application in silent mode.

Patch Management

Install a patch.

Parameter	Description
Command	The value is install
Install Method	There are three types of installation methods: by uploading the installation file. by using repository such as yum or Advanced Packaging Tool (APT) by entring a URL that servers the installation file
Application executable	Provide the executable path.
URL	URL that servers the installation file.
Application name	Specify the name of the application to be downloaded from repo.
Silent mode option	Option to install the application in silent mode.

Application block

Block a specified application from execution. Select names from the list or provide comma separated values. Note: In-built applications cannot be blocked in Apple Mac OS X El Capitan and Sierra.

Parameter	Description
Not applicable	Not applicable

Application unblock

Unblock the specified application from execution. Select names from the list or provide comma separated values. Note: In-built applications cannot be unblocked in Apple Mac OS X El Capitan and Sierra.

Parameter	Description
Not applicable	Not applicable

Enable device

Enables specified device names from the list. Select the devices to be enabled, or enter custom driver names in the input box.

Parameter	Description
Not applicable	Not applicable

Disable device

Disables specified device names from the list. Select the devices to be disabled, or enter custom driver names in the input box.

Parameter	Description
Not applicable	Not applicable

Add an entry into /etc/hosts file

Adds an entry into /etc/hosts file.

Parameter	Description
Domain Name	A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.
IP Address	The IP address of the system. This member can be an IPv6 address or an IPv4 address.

Add Protocol Entry

Adds protocol entry into /etc/protocol file. This file describes the various DARPA internet protocols that are available from the TCP/IP subsystem.

Parameter	Description
Protocol Alias	The aliases for the protocol.
Protocol Name	The native name for the protocol. For example ip, tcp, or udp.
Protocol Number	The official number for this protocol as it will appear within the IP header.

Add Route

Adds new routing entry into network routing table.

Parameter	Description
Gateway	The gateway to be added into routing table. A gateway is a network point that acts as an entrance to another network.
Interface Name	The device interface name.
IP Address	The ip address to be added into routing table.
Route Type	This element specifies the route type.
Netmask	A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. eg: 255.255.255.0

Add Service Entry

Parameter	Description
Service Alias	The service alias. An optional space or tab separated list of other names for this service.
Service Name	The friendly name the service is known by and looked up under.
Service Port Number	The port number to use for this service.
Service Protocol	The type of protocol to be used. This field should match an entry in the /etc/protocols file.

Block Domain

Block a specified domain name.

Parameter	Description
Domain Name	A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.

Add ARP entry

Add a specified ARP entry into ARP cache.

Parameter	Description
Interface Name	This interface name will be associated with the an arp entry.
IP Address	The IP address of the system. This member can be an IPv6 address or an IPv4 address.
MAC Address	The physical hardware address of the adapter for the network interface associated with this IP address.

Delete ARP entry

Deletes a specified ARP entry from the ARP cache.

Parameter	Description
Interface Name	This interface name will be associated with the an arp entry.
IP Address	The IP address of the system. This member can be an IPv6 address or an IPv4 address.

Delete an entry from /etc/hosts file

Deletes an entry from /etc/hosts file.

Parameter	Description
Domain Name	A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.

Delete Protocol Entry

Deletes protocol entry from /etc/protocol file. This file describes the various DARPA internet protocols that are available from the TCP/IP subsystem.

Parameter	Description
Protocol Name	The native name for the protocol. For example ip, tcp, or udp.
Protocol Number	The official number for this protocol as it will appear within the IP header.

Delete Route

Deletes existing routing entry from network routing table.

Parameter	Description
Gateway	The gateway to be added into routing table. A gateway is a network point that acts as an entrance to another network.
Interface Name	The device interface name.
IP Address	The ip address to be added into routing table.
Route Type	This element specifies the route type.
Netmask	A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. eg: 255.255.255.0

Delete Service Entry

Parameter	Description
Service Name	The friendly name the service is known by and looked up under.
Service Port Number	The port number to use for this service.
Service Protocol	The type of protocol to be used. This field should match an entry in the /etc/protocols file.

Disable IP Forwarding

Disables IP forwarding also known as Internet routing. IP forwarding is a concept to make Linux machine to send data from one network to other, this is same as a router.

Parameter	Description
Not applicable	Not applicable

Enable IP Forwarding

Enables IP forwarding also known as Internet routing. IP forwarding is a concept to make Linux machine to send data from one network to other, this is same as a router.

Parameter	Description
Not applicable	Not applicable

Flush all ARP entries

Flush all arp entries from the ARP cache.

Parameter	Description
Not applicable	Not applicable

Flush all entries from /etc/hosts file

Flush all entries from /etc/hosts file.

Parameter	Description
Not applicable	Not applicable

Modify ARP entry

Modifies a specified ARP entry from the ARP cache.

Parameter	Description
Interface Name	The device interface name.
IP Address	The IP address of the system. This member can be an IPv6 address or an IPv4 address.
MAC Address	The physical hardware address of the adapter for the network interface associated with this IP address.

Modify entry from host file

Updates an existing hosts entry to new entry.

Parameter	Description
Domain Name	A old domain name present in the hosts file on the system. Domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.
IP Address	An old IP address present in hosts file on the system. This member can be an IPv6 address or an IPv4 address.
New Domain Name	A new domain name. Domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.
New IP Address	The new IP address present in hosts file on the system. This member can be an IPv6 address or an IPv4 address.

Modify Protocol Entry

Updates existing protocol entry from /etc/protocol file. This file describes the various DARPA internet protocols that are available from the TCP/IP subsystem.

Parameter	Description
New Protocol Alias	The new protocol alias for the protocol.
New Protocol Name	The new protocol name. Native name for the protocol. For example ip, tcp, or udp.
New Protocol Number	The new protocol number. Official number for this protocol as it will appear within the IP header.
Protocol Alias	The protocol alias for the protocol.
Protocol Name	The protocol name. Native name for the protocol. For example ip, tcp, or udp.
Protocol Number	The protocol number. Official number for this protocol as it will appear within the IP header.

Modify Route

Updates existing routing entry with new entry into network routing table.

Parameter	Description
Gateway	The gateway to be added into routing table. A gateway is a network point that acts as an entrance to another network.
Interface Name	The device interface name.
IP Address	The ip address to be added into routing table.
New Gateway	The new gateway to be added into routing table. A gateway is a network point that acts as an entrance to another network.
New Interface Name	The new device interface name.
New IP Address	The new network mask to be added into routing table. A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts.
New Route Type	This element specifies the new route type.
Route Type	This element specifies the old route type.
Netmask	A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. eg: 255.255.255.0
New Netmask	The new netmask address to be added into routing table.

Modify Service Entry

Parameter	Description
New Service Port Number	The new port number to use for this service.
New Service Protocol	The new type of protocol to be used. This field should match an entry in the /etc/protocols file.
Service Name	The existing friendly name the service is known by and looked up under.
Service Port Number	The existing port number to use for this service.
Service Protocol	The existing type of protocol to be used. This field should match an entry in the /etc/protocols file.

Network connection kill

Kills a specified network connection.

Parameter	Description
Local Port	The local port number in network byte order for the TCP connection on the local computer.

Unblock Domain

Unblock a specified blocked domain name.

Parameter	Description
Domain Name	A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.

Process block

Block specified processes from execution using a list of process names. Select process names from the list or provide comma separated values. Note: In-built processes cannot be blocked in Apple Mac OS X El Capitan and Sierra

Parameter	Description

Start process

Start specified processes using a list of process names. Select process names from the list or provide comma separated values.

Parameter	Description

Stop process by process ID

Stop specified processes using a list of process IDs. Select process IDs from the list or provide comma separated values.

Parameter	Description

Stop process by name

Stop specified processes using a list of process names. Select process names from the list or provide comma separated values.

Parameter	Description

Process unblock

Unblock specified processes from execution using a list of process names. Select process names from the list or provide comma separated values. Note: In-built processes cannot be unblocked in Apple Mac OS X El Capitan and Sierra

Parameter	Description

Append Firewall(pfctl) Rules

Appends rules at the end of IP table.

Parameter	Description
Rules	Ip table rule to be added i/p eg: INPUT -i eth0 -p tcp –dport 110 -j ACCEPT

Change File Ownership

Change ownership of a given filepath.

Parameter	Description
File Path	Absolute filepath
Group name	group to be changed for given filepath (optional)
User name	username to be changed for given filepath.

Change File Permission

Change permission of a given filepath.

Parameter	Description
File Path	Absolute filepath
File Permission	permission similar to “644” for

Delete Firewall(pfctl) Rules

Delete rules from the IP tables.

Parameter	Description
Rules	Ip table rule to be deleted i/p eg: INPUT 2

Disable Firewall(pfctl)

Disables/Stops firewall.

Parameter	Description
Not applicable	Not applicable

Enable Firewall(pfctl)

Enables/Start firewall.

Parameter	Description
Not applicable	Not applicable

Flush Firewall(pfctl) Rules

Clears all IP table rules.

Parameter	Description
Not applicable	Not applicable

Insert Firewall(pfctl) Rules

Insert rules in the beging for IP tables.

Parameter	Description
Rules	Ip table rule to be added i/p eg: INPUT -i eth0 -p tcp –dport 22 -j ACCEPT

Replace Firewall(pfctl) Rules

Replace specific rule from the IP table

Parameter	Description
Rules	ip table rule to be replaced i/p eg: INPUT 2 -i eth0 -p tcp –dport 26 -j ACCEPT~INPUT 2 -i eth0 -p tcp –dport 26 -j REJECT

Restart Firewall(pfctl)

Restart and reinforce firewall rules.

Parameter	Description
Not applicable	Not applicable

Set ASLR Status

Set Address space layout randomization (ASLR) setting

Parameter	Description
Permanent or Temporary	One of the following setting : permanent or temporary(valid till next reboot)
ASLR Status Value	One of the following setting : 0 – ASLR Off (Process address space randomization off) 1 – ASLR On for mmap base, stack and VDSO page(Conservative randomization) 2 – ASLR On for mmap base, stack, VDSO page and heap (Full randomization)

Set SELinux Status

Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. It provides information about SE linux setting.

Parameter	Description
SE Linux Status	One of the following setting : 0 – Permissive (SELinux logs warnings instead of enforcing), 1 – Enforcing (SELinux security policy is enforced)

Set sysctl Settings

Set sysctl kernel setting. sysctl is an interface for examining and dynamically changing parameters in Unix-like operating systems.

Parameter	Description
Not applicable	Not applicable

Service restart

Restart specified services by service name. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Service start

Start specified services by service name. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Service stop

Stop specified services by service name. Select names from the list or provide comma separated values.

Parameter	Description
Not applicable	Not applicable

Mount Filesystem

Mounts a file system to a local folder.

Parameter	Description
Destination Path	This element specified the destination path to mount filesystem.
Read-only value	This element specifies the read only value (true/false)
Source Path	This element specifies the source path to mount a file system.

Reboot

Reboots the system.

Parameter	Description
Message	A specified message will be displayed to logged-in user before reboot.
Time in minutes	The specified time(expressed in minutes) after which the system would reboot. Provide a value of 0 to reboot immediately. It takes about a minute to shutdown in Mac systems.

Shutdown

Shutdown the system.

Parameter	Description
Message	The specified message will be displayed to logged-in user before shutdown.
Time in minutes	The specified time(expressed in minutes) after which the system would shutdown. Provide a value of 0 to shutdown immediately. It takes about a minute to shutdown in Mac systems.

Unmount Filesystem

Unmount a file system from the local system.

Parameter	Description
Mount Point	This element specifies the mount point where the filesystem is mounted.

Application Management

Install or uninstall applications.

Parameter	Description
Command	The value is either ‘install’ or ‘uninstall’
Install Method	There are two types of installation methods: by uploading the installation file. by entring a URL that servers the installation file
Uninstall Method	To uninstall, provide the application name to be removed.
Application executable	Provide the executable path.
Application name	Name of the application to install/uninstall.
URL	URL that servers the installation file.
Additional options	Any additional command line option that need to be executed.

Patch Management

Install a patch.

Parameter	Description
Command	The value is either ‘install’ or ‘uninstall’
Install Method	There are two types of installation methods: by uploading the installation file. by entring a URL that servers the installation file
Application executable	Provide the executable path.
URL	URL that servers the installation file.
Additional options	Any additional command line option that need to be executed.
Notify for reboot	Show a notification window to the user that a reboot is required post installation/uninstallation.

Security Architecture

Deployment Checklist

System Status

Deployment Tool Prerequisites

Security Researcher Hall of Fame

Latest updates from us

SecPod SanerNow integrates with SIRP – Unique End-to-End Endpoint Security and Management combo with a Comprehensive SOAR Solution

December 8, 2020

Read Article

SecPod Featured as Security Solution for WFH by National Centre of Excellence, Government of India

September 15, 2020

Read Article

SecPod and SAT Get Together to Make Organisations More Cyber Hygienic

June 3, 2020

Read Article

Inflow Technologies Partners with SecPod to Enable Faster Delivery of Endpoint Security and Management Solutions

June 1, 2020

Read Article

Launch of SECPOD.ORG

July 10, 2008

Read Article

SecPod Partners with Greenbone

February 25, 2009

Read Article

SecPod Receives Oval Repository Top Contributor Award

July 2, 2009

Read Article

SecPod Wins OVAL Repository Top Contributor Award Once Again

October 5, 2009

Read Article

SecPod Technologies Makes Declaration to Adopt OVAL

December 28, 2010

Read Article

SecPod Technologies Announces the Release of OVAL Definitions Professional Feed

January 2, 2011

Read Article

SecPod Technologies Appoints Greg Pottebaum as Vice President, Business Development

August 12, 2011

Read Article

SecPod Technologies Announces the Release of Beta Version of SCAP Repo

June 22, 2012

Read Article

SecPod Debuts ANCOR and SANER, Its Security Platform and Vulnerability Mitigation Solution

December 12, 2013

Read Article

SecPod Announces SANER Personal, Free Vulnerability Protection Software for Home Computers

December 12, 2013

Read Article

SecPod to Demo SANER – Join Us in NULLCON, Goa 2014 at Booth S-8

February 11, 2014

Read Article

SecPod Announces SANER Business, Vulnerability Management Software for the Enterprise

June 6, 2014

Read Article

SecPod Updates Free SANER Personal Vulnerability Management Solution

June 20, 2014

Read Article

SecPod’s SanerNow Available For MAC OS X Platform

June 12, 2015

Read Article

SecPod Unveils SANER 2.0 with Endpoint Threat Detection and Response

March 6, 2016

Read Article

SecPod Announces Advanced Security to Shield Organizations from Ransomware

August 2, 2016

Read Article

SecPod Supports MSSP with Saner Endpoint Security Platform

August 25, 2016

Read Article

ESG Lab Confirms SanerNow Platform Reduces Complexity, Effort & Cost of Managing & Securing Endpoints

October 5, 2018

Read Article

SecPod SanerNow Wins ”Cutting Edge Vulnerability Assessment, Remediation, Patch & Configuration Management …

October 4, 2018

Read Article

Get notified
about our latest updates

View all our articles keep
your security up to date

SecPod SanerNow helps organizations become more cyber hygienic, by orchestrating and automating endpoint security and management tasks, reducing complexity and improving efficiency.

Overview

SanerNow Use Cases

Getting Started With SanerNow

Introduction

Getting started with SanerNow

Sign up

Select Plan (This step is not required if you clicked “Try for free”)

Provision Tools

Update Profile

Open Saner Platform

Create Account

Deploy Agents

Use SanerNow Tools

Guides

User Guides

Technical Guides

Release Notes SanerNow 4.8.0.0

Release Notes SanerNow 4.7.0.0

Release Summary:

New Feature:

Introducing Active Directory Integration for scaling up operational efficiency.

Enhancements:

Release Notes SanerNow 4.6.0.0

Release Summary

Release Notes SanerNow 4.5.0.0

Release Summary

Release Notes SanerNow 4.4.0.0

Release Notes SanerNow 4.3.0.0

Release Notes SanerNow 4.2.2.1

Release Notes SanerNow 4.2.2.0

Release Notes SanerNow 4.2.1.0

Release Notes SanerNow 4.2.0.0

Release Notes SanerNow 4.1.1.0

Software deployment

Release Notes SanerNow 4.1

Release Notes SanerNow 4.0.0.5

Release Notes SanerNow 4.0.0.4

Release Notes SanerNow 4.0.0.3

Release Notes SanerNow 4.0.0.2

Release Notes SanerNow 4.0.0.1

FAQ – Frequently Asked Questions

Technical FAQ

SanerNow Architecture

Scalability and Ease-of-use

Simple and Intuitive

Optimization Algorithms

Visibility and Continuous Protection within Minutes

Detection and Response Automation

Platforms Supported

SanerNow Supported Operating Systems

SanerNow Feature Map

Security Content and Intelligence

SCAP Content Statistics

OVAL Definitions Platform Coverage

OVAL Definitions Class-wise Distribution

OVAL Definitions Family-wise Distribution

Application and OS Remediation Coverage

Compliance Benchmark Coverage

List of Vulnerability to Exploit/Malware Mapping covered in SanerNow

List of IoA (Indicators of Attack) covered in SanerNow

Windows Probes

Access token

Active directory

Anti-virus information

ARP Cache

Audit Event Policy

Audit Event Policy Subcategories

Auto Logon Last Logon Last Reboot

BIOS Information

Bit Locker Information

Computer Information

Device information

DNS cache

Environment Variables

Events

Family of Operating System

File

File Audit Permissions