Vulnerability Management
Patch Management
Compliance Management
Asset Exposure
Endpoint Controls, Beyond Patching
SanerNow Platform
Documentation
Overview
SecPod SanerNow Cyberhygiene platform is a continuous and automated Vulnerability Management solution built for the modern IT security landscape. SanerNow enables you to go beyond traditional vulnerability management practices and get complete visibility and control over your organization’s attack surface. Leveraging the home-grown world’s largest vulnerability database with 160,000+ security checks, SanerNow runs the fastest scans to discover IT assets, vulnerabilities, misconfigurations, and other security risk exposures. It provides the necessary remediation fixes to mitigate the security loopholes and automates tasks end-to-end to make it a simple daily routine.
SanerNow Use Cases
SanerNow addresses the following business cases:
- Vulnerability Management – Continuously assess vulnerabilities and risks, automated to a daily routine.
- Patch Management – Apply patches on all operating system like Windows, Mac, Linux, and 300+ third-party applications.
- Compliance Management – Comply with regulatory standards benchmarks and achieve continuous compliance (PCI, HIPAA, NIST 800-53, NIST 800-171).
- Asset Exposure – Gain complete visibility and control over your IT assets
- Endpoint Management – Manage endpoints and ensure their system health.
- Endpoint Query Response – Run query and analyze dataset from endpoints. Build response and act upon issues.
Getting Started With SanerNow
Introduction
SanerNowTM is a platform and tools for managing and securing your endpoints. The platform is designed as a SaaS model and provides security and IT management tools on demand.
Please refer to the SanerNow website https://sanernow.com or click on the above
Getting started with SanerNow
There are only a few simple steps to get started with SanerNow.
- Sign Up
- Select a Plan
- Provision Tools
- Update Profile
- Open SanerNow Platform
- Create Account
- Create User
- Deploy Agents
- Use SanerNow Tools
Sign up
On the SanerNow web page https://www.sanernow.com, click “Sign Up” or “Try for free” at the top right.
The first and last name must contain alphanumeric characters. The password needs to have at least one number, one upper case, one lower case and a special character. It must be at least seven characters and no more than 20 characters. The password should only contain these special characters ~ ! @ $ ^ & * ( ) – = _
Click Sign Up to complete registration.
To sign up, enter a valid email address, your name, and password. The email address will be the username for your login.
Note: If you are unable to register, please check your email address to ensure it is valid and that it hasn’t been previously registered.
An email will be sent to you to verify your registration email.
Note: If you don’t receive the email within a few minutes, please check your email spam folder.
Click on the link in the email to finish the verification process. Within a few minutes you should receive a confirmation web page.
You will be redirected to a web page as shown below after email verification. Click Sign In with your email address and password.
Note: Please contact support@staging.secpod.com if you did not receive the registration email or if the Sign Up Confirmation isn’t displayed after clicking the email link. It may take a few minutes for the confirmation to display.
On the SanerNow web page (https://sanernow.com), click Sign In at the top right.
Select Plan (This step is not required if you clicked “Try for free”)
After signing in to SanerNow, you can select a free evaluation or monthly plan.
The Free SanerNow Evaluation plan lets you try out SanerNow tools for up to a month on up to ten endpoints. You can switch to a monthly plan at any time.
The SanerNow Monthly plan includes monthly billing based on tools provisioned and number of endpoints managed. An invoice will be generated after the end of each month, which will be sent to the account registration email address. Please contact support@staging.secpod.com if you will be managing more than 5,000 endpoints.
If you clicked “Try for free”, plan selection is not required. You’ll be taken to “Provision Tools” step.
Select the desired plan and click Next.
Click on next to proceed.
Provision Tools
Select the tools you would like to provision. For the Free Evaluation Plan, you will most likely want to provision all tools. With the Monthly Plan you can then provision specific tools for each account you create. Accounts allow you to segregate endpoints by site and to control user access.
Select the tools to provision and click Next.
Update Profile
Enter billing details to complete the sign up process. Enter your address, state, country, zip code and preferred currency. A valid phone number is required. This information will be used for generating invoices.
Click Save.
Open Saner Platform
Click Open Saner Platform at the top right. You will then be redirected to saner.secpod.com.
Create Account
Create an account or site with a name, organization, valid email address (that will be used for reports and alerts), number of subscriptions and tools to be provisioned.
Once an account or site is created, SanerNow agents will be built. The agents are built specifically for each account or site.
Note: This process takes several minutes. Please be patient.
Note: Later you can create additional accounts or sites by clicking the gear icon at the upper right.
Deploy Agents
SanerNow agents can be deployed to endpoints by using the links on this page. Select the appropriate agent for the endpoint operating system. When using SanerNow, you can also go to Manage > Devices > Deployment and use a URL for downloading agents.
Use SanerNow Tools
Click the icon at the top left corner of the screen to select an account or site to manage.
tools for more detail.
Click Manage > Devices to see device information after agents have been deployed
click on 
at the top center to select SanerNow tools.
Note: If you are unable to view all tools by clicking 
, this could be because some of the tools were not provisioned for this account.
Note: Refer to the SanerNow User Guides in the Documentation section of the SanerNow website for detailed information (www.sanernow.com/documentation).
Note: If you have any issues, please contact Technical Support at support@staging.secpod.com.
Guides
User Guides
- General Settings
- Vulnerability Management
- Asset Management
- Patch Management
- Compliance Management
- Endpoint Detection and Response
- Endpoint Management
- SanerNow Network Scanner
Technical Guides
Release Notes SanerNow 5.1
At SecPod, we strive toward making your journey with us seamless and effective. Our 5.1 release is here with many exciting features and enhancements to help you make the best out of SanerNow.
Overview of what’s in store in SanerNow 5.1
New Features:
- Introducing Trending Reports: We have added 58 new reports to give insights on trending data on Vulnerability, Compliance, and Patching. You can generate these reports on a daily, weekly, monthly, quarterly, and yearly basis.
- Introducing Risk Assessment report: This report will help you understand and analyze the security risks prevalent in your network and identify remediation actions.
- Introducing Patching Impact report: This report will help you understand the impact of the patching activities performed in your network.
- Organization Reports: You can now create Organization reports for Risk Assessment and Patching Impact. This report will fetch and provide information for all the accounts in an organization.
- Introducing New User Role with read-only access: Users with this role will be able to perform read-only operations. You can customize the access at the tool level. For example, you can give full access to Vulnerability Management and read-only access to Patch Management.
- Introducing multi-factor authentication: Supports PingOne multi-factor authentication to enhance security.
New Operating Systems Support:
Introducing support for Rocky Linux (8.3, 8.4, and 8.5) and AlmaLinux (8.4 and 8.5)
Enhancements:
User Interface (UI) Enhancements:
- Redesigned interfaces: Redesigned Control Panel, Admin, and Account dashboard for better Usability.
- Simplifying Agent onboarding experience: Deployment and Device Management options are now available under the Deployment option in Control Panel.
New REST APIs:
- Introducing new APIs for Network scanner: 26 new REST APIs to create, configure, and manage Network Scanner.
- Introducing new APIs for multi-factor authentication: 12 new REST APIs for configuring and managing multi-factor authentication.
- Introducing new APIs for Patch and Device Management: 11 new REST APIs to perform patching, rollback, reboot, and uninstallation of devices.
Updates to existing REST APIs:
- Updates to Default Rest API response format: Default REST API response format will now be in JSON instead of Zip. If you need the response format to be in Zip, the header accept attribute needs to be set as Application/ZIP.
- New custom report elements: We have enhanced report APIs to include 19 new Vulnerability and Patch Management reports.
Tool name changes:
- Asset Management (AM) is now Asset Exposure (AE)
- Endpoint Detection and Response (EDR) is now Endpoint Query Response (EQR)
Along with these new features and enhancements, this release also includes bug fixes.
We hope SecPod SanerNow 5.1 will ease your experience with us to a greater extent. Please mail us at support@secpod.com for any feature requests or enhancements you expect in the product. To learn more about SecPod, visit www.secpod.com.
Release notes SanerNow 5.0
We are thrilled to announce the most exciting release of SecPod in the recent past. SanerNow 5.0 is here to put an end to the eternal search for a full-fledged and automated vulnerability management solution, that needs no scanner appliance, and no spec-heavy dedicated scanner servers, intended to make vulnerability management seamless and automated. SanerNow is going to give a 360 degree vulnerability exposure of all IP enabled devices in your network topology, aiding remediation from the same console. SanerNow’s new paradigm of Security, Risk, and Compliance also comes with numerous other enhancements to make this release even more interesting.
What’s new in SanerNow 5.0
Extending our vulnerability Assessment capabilities to Network Devices
Along with the end-to-end vulnerability management for endpoints, we have now built network scanning capabilities to detect non-endpoint devices and discover vulnerabilities in them. A few of the top capabilities of our network scanner includes:
- Detect the whole network topology, devices, operating system, and service fingerprinting across all IP-enabled devices.
- Discover vulnerabilities and mis-configurations in network enabled devices.
- Perform external security posture analysis of network and endpoint devices.
- Scanner is built on distributed hub and spoke model which will utilize the existing devices to perform network scanning. This will save additional investment in extra appliances or hardware. This distributes the scanning responsibility, achieves speed, and makes the process effortlessly continuous.
- Introducing a detailed device page which will list all the findings of network enabled devices.
- Achieve automated daily vulnerability scans without impacting productivity.
- Ability to perform external vulnerability assessment on any number of target devices.
Other crucial Enhancements
Vulnerability Management
- Introducing New MVE Schema: You can now view detailed description of attacks that exploit vulnerabilities in the “High Fidelity Attacks” view as we have introduced a new MVE (Malware Vulnerability Enumeration) language.
- Introducing Vulnerable Devices and Vulnerabilities view: This view will list detailed information of all vulnerabilities and vulnerable devices in the network. You can also view the risk level based on severity.
- Enhanced vulnerability visibility: Introducing new views to check vulnerabilities by group, vulnerability by OSs, and vulnerability by age.
- Know the most recommended remediation to manage vulnerabilities: Introducing “Top recommended remediation” view. This view will list top-recommended remediations based on CRE (Common Remediation Enumeration) and the number of hosts affected.
Asset Management
- Enhanced visibility in asset management dashboard to support network scanner devices: The “Device Types” view will show the distribution of devices based on the device types and the “Manufacturer view” shows the distribution of devices based on the publisher. The “Other” category is included now to view the list of network scanner devices.
- Redesigned Device view and Application Details view: A new dashboard element is added to represent the Device view and also Application Details view.
- Introducing filters to view only required details in the devices table: Added the Source, OS, Family, and Status filters in the Devices table.
Patch Management
- Enhancements in remediation job and rule creation: Ability to create multiple remediation jobs and automation rules for a single device or a group of devices.
Compliance Management
- Remediate Mis-Configurations within Compliance Management: Introduced “Missing Configuration”, “Automation”, “Rollback”, and “Status” sections in the Compliance Management dashboard to allow rollout of configuration patches. Actions are introduced to create and schedule a task to deploy configuration patches and view the status of all remediation jobs and rules.
- Pie chart view to assess deviations of a group of devices: Added “Deviations By Group” view to show the distribution of deviations based on the group of devices. The details can be assessed with the help of a pie chart.
- Introducing “Top Non-Compliant Rules” view: Added “Top Non-Compliant Rules” pane to show the list of remediation rules with CCE ID.
- Combining views for enhanced visibility: The Benchmarks and the Rule-Based Distribution views are combined for better visibility.
- Introducing “Top remediation recommendation” view: It will list the top recommended remediations based on the CRE and the number of hosts affected.
General Enhancements:
- Introducing new APIs and provided updates to many existing APIs to elevate product integration capabilities.
- Redesigned various views across the product to enhance user experience.
Check out our release notes document for detailed insights on the release.
We hope our new release will take the SanerNow experience to the next level. Please check out our latest update and do share your thoughts on any new enhancements you expect from us. For queries, please mail us at support@staging.secpod.com
Release Notes SanerNow 4.8.0.0
At SecPod, we always strive towards making your endpoint security and management operations smooth and effective. To help you make the best out of SanerNow, we are happy to present SanerNow 4.8.0.0 release with many new enhancements and bug fixes.
Release Summary:
Enhancements in Endpoint Management:
· Ability to check MAC OS disk encryption status: In Endpoint Management checks, a new feature has been added to check the disk encryption status of MAC OS devices.
General Enhancements:
· Adding more custom report elements to choose from: 20 new Report APIs are added to aid you while creating your reports
· Introduced probes for deeper detection of risks: Introduced additional probes for running Cmdlet in Windows and detailed service information collection in Linux. These probes are valuable for deeper detection of vulnerabilities and other security risks.
· Added New APIs for Two-Factor Authentication: Introduced three new APIs to check whether two-factor authentication is enabled/enforced among users and organizations.
· Introduced search filter in User Management: The new filter provides the ability to select multiple users and perform actions such as Enforce/Withdraw two-factor authentication and delete.
· UI enhancements in Manage Device page: “Not Reachable” text is replaced with a new icon to display uninstalled devices.
Enhancements in Patch Management
· Introduced pop-ups to notify task completion: A notification message in the form of a pop-up can be set to show the user after an activity is completed. This is available while setting up remediation job, remediation rule, incident response job, and patch rollback.
· Added Remediation using patch update-id for Windows. This setting will show single assets having KBs with different update-id in both the security and non-security sections of patches.
· Remediation Job Status to show remediated KBs in multiple assets: All remediated KBs present in multiple assets are listed in Remediation Job status.
· Added Rollback Status in Missing Configuration view: New column “Rollback” added to Missing Configuration section to display rollback status.
· Added new device status filter “Saner Uninstalled”: This filter is added to the Patch Management status page to view uninstalled devices.
Enhancements in Asset Management:
· Whitelist/blacklist assets without providing version: Users can add Assets without a version and whitelist or blacklist them. This setting will be applied to all versions of an asset.
Enhancements in Audit Log
· The audit log now captures changes to user role and service provisioning.
· Custom report operations such as create, update and delete are now reported in the audit log.
· On-hover feature added for all columns in audit log page to resolve visibility issues.
Note: Saner agents will be automatically updated as a part of the release.
We hope this latest version will continue to serve you better. Please mail us at support@staging.secpod.com for any feature requests or enhancements you expect in the product.
Release Notes SanerNow 4.7.0.0
Nov 10, 2020
At SecPod, we always work towards delivering exceptional features to help you get the best out of our product. SanerNow 4.7.0.0 comes out with the most awaited Active directory integration along with several new enhancements and bug fixes. This release also includes enhancements on REST API.
To know more about the exciting updates of this release, please look at our release notes below.
Release Summary:
New Feature:
Introducing Active Directory Integration for scaling up operational efficiency.
SanerNow now enables you to seamlessly manage your organizational hierarchy, including Organizational Units (OU), Groups, and Devices with its latest AD integration.
- Sync your AD with SanerNow’s Asset Info: Sync IT assets from your Organization’s active directory into SanerNow’s asset data using built-in and scheduled scanning.
- Automatically scan and track the latest AD changes: Configure rules to automatically scan and synchronize the latest information of OUs, Groups, and Devices. Automatically track important changes, including newly commissioned and decommissioned devices, movements of assets across Groups and OUs, etc.
- Install SanerNow agent through GPO policy: Easily install SanerNow agents your endpoints through AD Group Policy Object (GPO) policy.
Enhancements:
- Effective management of Organization’s hierarchy: Introduced a new entity type, Organization in the hierarchy to contain Accounts, thereby truly representing an organization’s hierarchy.
- Introducing a new user role: “Organization Admin”, a new role to have complete access to manage the entire organization.
- Enhancements in control panel: Redesigned control panel to improve user experience.
- Easy onboarding of organizations: Simplified onboarding of an Organization with quick and easy steps.
- Secure Access using Two Factor Authentication: Introducing two factor authentication for all users across the Organization to tighten security.
- Support for MS Windows Semi-Annual channel: Introducing support for Microsoft Windows Semi-Annual channel.
- Improved patching efficiency for MS OS and other apps: Enhanced patching technology for Microsoft OS and other applications, and improved accuracy in patch reports.
- Auto-detection of Network Proxy: Introducing support to auto-detect network proxy using Proxy Auto-Configuration (PAC) file.
- Enhanced reboot pop-up window: Redesigned reboot pop-up and message windows for better user experience.
- Reflecting the user’s time zone: Time representations are changed to reflect the user’s time zone.
- Enhanced Device and Asset Inventory under Asset Management: Improved Asset Management efficiency in collecting additional device and asset details
- Upgradation of all SanerNow components and third-party libraries:
- Upgraded Ancor OS, application servers, and database components
- Enabled UEFI boot support
- Upgraded the third-party libraries
- Speeding up on-prem server deployment: Introducing auto-configuration of the on-premise server to speed up deployment.
- Enhancements in reports:
- Two new report APIs has been added to support patch compliance and device patch compliance
- Apply custom created templates to other Accounts and set as a rule to the new Accounts under an organization or across multiple organizations.
- A high-level report has been added to analyze device risk posture in the PDF format.
Additionally, several bugs are fixed to improve the reliability, performance, and security of the SanerNow platform.
We hope SecPod SanerNow 4.7.0.0 will ease your endpoint security and management operations to a greater extent. Please mail us at support@staging.secpod.com for any feature request or enhancements you expect in the product.
Release Notes SanerNow 4.6.0.0
July 28, 2020
SanerNow 4.6.0.0 comes out with several enhancements to enrich the product usage experience. . This maintenance release also includes bug fixes to enhance the performance of the SanerNow platform.
Release Summary
Patch Management (PM) module improved with new enhancements
- Enhanced visibility in the Patch Management (PM) Dashboard to understand risks, patches, and the impact of patching at any given time.
- Added search functionality in PM Dashboard, supporting granular searches on all patch metadata.
- Ability to view the impact of patching while creating patching tasks.
- Added search filters in the PM job status page
- Added a new policy to automatically delete inactive devices based on specific criteria.
Others:
- New support introduced to audit SQL based Database Servers
Several bugs have been addressed improving the reliability, performance, and security of the SanerNow platform.
We hope SecPod SanerNow 4.6.0.0 will ease your endpoint security and management operations to a greater extent. Please mail us at support@staging.secpod.com for any feature request or enhancements you expect in the product.
Release Notes SanerNow 4.5.0.0
May 17, 2020
SanerNow 4.5.0.0 brings several enhancements to the Patch Management (PM) module along with a few product performance improvements. This maintenance release also consists of fixes to bugs, security issues, and enhancements to REST API coverage.
Release Summary
Performance Improvements – Enhanced product performance for better usage
- Access SanerNow Dashboards more efficiently now: Significant user experience and performance improvements are made to load the dashboard elements faster.
- Enhanced management for transient devices: Improved support for transient devices changing locations frequently.
- Introducing custom templates for reports: Ability to create a custom template for reports, which can then be applied to all other Customer Accounts or Sites.
Patch Management (PM) – Patch management improved with new functionalities
- Included new filters for better visibility: Added filters to identify inactive devices and list devices by their operating system version and build number.
- Introducing a single click filter: A single-click filter is introduced to list third-party application patches by the operating system family.
- Test and deploy Firmware and non-security patches now: Firmware and non-security patches are included in the Test and Deploy feature. This would allow users to verify patches in a testbed and then approve for production rollout.
- Enhancements to save bandwidth usage: The patching jobs are now sent only to the applicable devices in the selected group of devices significantly improving the performance and reducing network bandwidth utilization.
General enhancements and bug fixes
- Fixed few security issues in the platform.
- Inconsistency in the SanerNow agent upgrade is addressed considering a fail-over situation.
- More indicaors are added to show the agent’s remediation progress.
- Various bugs are resolved on dashboards, reports, and other tools.
We hope SecPod SanerNow 4.5.0.0 will ease your endpoint security and management operations to a greater extent. Please mail us at support@staging.secpod.com for any feature request or enhancements you expect in the product.
Release Notes SanerNow 4.4.0.0
March 19, 2020
At SecPod, we strive towards delivering solution to enhance user experience. SanerNow 4.4.0.0 comes with a bundle of new additions, enhancements and bug fixes to increase efficient product usage. In this release we have brought several enhancements to Patch Management, Endpoint detection and response and Agent Deployment Tool, covering other general enhancements and bug fixes as well.
Patch Management (PM) – Enhancing patch management for better visibility
- Introducing device view and patch view: A new dashboard element is added to represent a Device view, with the option to switch to Patch view. The Device view shows a list of all applicable patches per device, risks, patch-ability status, etc along with a single click option to create a remediation job.
- Check patch repository reachability status and resolve issues: Patch repository reachability status added on the dashboard to diagnose issues related to patching.
- Introducing all new device-based reports: Device-based Report APIs are added in Patch Management (PM) under Reports. The APIs such as Devices with Missing Security Patches, Missing Configuration, Most Critical Patches to give you better insight on effective patching, Patches for Paid-Products or licensed products, Missing Patches of Non-reachable devices.
- Insightful error messages to resolve patching obstacles: Error codes and reasons are added to better understand Status on Patch Remediation and Automation tasks.
- Show customized alerts on functional end-user systems before initiating remediation: Reboot alert messages can be provided on fixing missing patches, automation or rollback tasks that notifies logged-in users on endpoints to save their work and prepare for the reboot of endpoints. A similar notification can also be sent before remediation tasks, alerting the user about the scheduled activity.
- Enhanced Saner agents to comply with Windows Update component: Saner agents are now intelligent to gather any inconsistency with the Windows Update component and resolve issues automatically.
Endpoint Detection and Response (EDR) – Optimizing Endpoint Detection and response for improved performance:
- Increased scalability to view huge data: EDR performance enhanced to load data for a large number of devices, assisting with scalability.
- Introducing filters to view only required details: Status filters are also added in EDR for viewing a subset of data from endpoints.
Agent Deployment – Enhanced agent deployment tool to increase efficiency
Analyse, act and deploy agents according to the requirements of end-user computer: Saner Agent Deployment Tool is now smarter to gather pre-requisites and deploy agents with ease. It also allows users to deploy agents with single-sign-on credentials.
General enhancements and bug fixes
- Microsoft Operating system details are added with a specific release version wherever Operating System names are displayed across the platform.
- Various bugs are resolved on dashboards, reports, and patch management tasks.
- Mac OS X agent adheres to the Mac OS X application signing and notarization guidelines.
We hope SecPod SanerNow 4.4.0.0 will ease your endpoint security management to a greater extent. Please mail us at support@staging.secpod.com for any feature request or enhancements you expect in the product.
Release Notes SanerNow 4.3.0.0
February 3, 2020
SanerNow 4.3.0.0 brings several enhancements to Patch Management (PM) tool. This maintenance release also includes fixes to major bugs, security issues and enhances Rest API coverage.
Release Summary
- Operating System (OS) upgrade, a one-click OS version upgrade is introduced. This feature installs necessary Security KBs, and upgrades the system to the latest version.
- Reboot Scheduler is introduced to schedule the reboots to a particular time. Reboot jobs are listed in the PM status page to track the reboot progress.
- Added color scheme to charts in reports.
- Inconsistency in the ‘Windows Update’ component is automatically resolved.
- Superseded and older patches are suppressed and only the latest security patches are listed.
- Non-Security patches are added to the individual device details page, in addition to the security patches.
- Rest API coverage is enhanced to include newer APIs and improved security validations.
- Inconsistencies while moving the device from one account to another account is addressed.
- Upgraded 3rd party dependent libraries to the latest version.
Release Notes SanerNow 4.2.2.1
June 28, 2019
SanerNow 4.2.2.1 enriches API coverage in custom reports and extends web service support for software deployment.
Introducing new Custom Report APIs for
- Summary of Patch Aging
- Detailed Information on Up-To-Date Assets
- Listing assets without patch released by vendor
- Vulnerability Metrics that is updated to show total number of vulnerabilities
- Overall Remediation information
- Vulnerability Statistics
- Vulnerability Count of Active and Inactive Devices
Release Notes SanerNow 4.2.2.0
June 14, 2019
SanerNow 4.2.2.0 provides more control over task scheduling, support for non-persistent desktop virtualization devices and minor bug fixes.
Task Scheduling
Extended the scheduler in PM Automation, EDR Detection and Response, EM Checks and Actions to have flexibility in scheduling patching and other tasks. Specifically, users can now choose selective months, weeks, days or any date to schedule tasks.
Non-Persistent Device Support
Support added for non-persistent desktop virtualized devices – agents are activated when such devices are initiated and are gracefully deactivated when shut down. This will ensure subscriptions are not locked down with an instance that is not running and are available for deploying on live systems.
Release Notes SanerNow 4.2.1.0
May 06, 2019
SanerNow 4.2.1.0 introduces a unique, easy to use report generation tool with various data export APIs and report builder charts and tables. It also brings support for two new operating systems and further enhances AI driven search assistant.
Custom report generation
A unique and easy to use report generation and customization tool is introduced with 100s of pre-built data export APIs, report builder charts and tables. With this, users will have the facility to create custom reports, export, and schedule periodic backup of those reports. An intuitive user interface allows you to build custom dashboards, save and export these dashboards across SanerNow tools.
- Create custom reports,
- Predefined APIs for all SanerNow tools and their functions
- An intuitive search interface to find or determine the right API
- Apply filters to extract information of specific interest and plot them as data tables and charts
- Export created report into PDF or send e-mail
- Schedule backup of these reports for periodic export and sending e-mails
- Export each data section into CSV
- Build reports and set them as Default for periodic viewing
- The current Default reports are made available as Canned Reports. With this release, you can also customize these reports.
- The Reports tool is built for high performance.
New platform support
- Alpine Linux – Alpine Linux is a Linux distribution based on musl and BusyBox, primarily designed for security, simplicity, and resource efficiency. The SanerNow agent is now available to deploy on this platform.
- Windows Server 2019 – Microsoft Windows Server 2019 is the latest version of the Microsoft server operating system. The SanerNow agent is now available to deploy on this platform.
Enhancements to Plasma
Plasma is a Beta version of an intelligent machine learning based search assistant. This will be continuously enhanced to become smarter. New enhancements include,
- More search suggestions
- Filtering capability to reduce the scope of results
- Minor bug fixes
Other enhancements
- Patch Management: Dates have been added to show when the remediation/patching task was performed on an individual device.
- Endpoint Management:
- USB Mass storage device and USB port blocking support is now supported on all Linux systems.
- Blocking of devices by Device ID (device instance ID) is now supported in Windows and Linux.
- Track EOL (End of Life) and EOS (End of Support) products across the platform. Such products are marked as Outdated.
- Live system metrics on an individual device page (Click on the hostname under Manage -> Devices page to view this feature). This has a control to fetch system metrics only when refreshed, thus helps save network bandwidth.
Release Notes SanerNow 4.2.0.0
March 03, 2019
SanerNow 4.2.0.0 introduces Plasma, a beta version of a smart search assistant. New features are also introduced in Patch Management to further simplify endpoint patching.
Plasma
Plasma is a Beta version of an intelligent machine learning based search assistant. This marks the first release of Plasma which is intended to do smarter, AI (artificial intelligence) powered searches. This will be continuously enhanced to become smarter.
- User Assist – Searches as you type across 1000+ documents to provide navigational help on the platform.
- Discover – Search across platform’s rich endpoint data and indicators to discover meaningful information.
Patch Management
- Test and Deploy – Test patches in a test environment before deployment. Administrators can create a test task and provide automation rules to deploy after validating results of the test task. This is useful to rollout patches in a production environment after testing in an identical test environment.
- Batch Remediation – Administrators are able to include pre and post scripts to be bundled in a remediation job or rule. Pre-scripts are executed before the remediation task and post-scripts are executed once a remediation task completes. This feature is only available for security patches. Additionally, our content research team will add script-based patching to cover vulnerabilities that do not have vendor patches.
- Firmware Patching – With an increasing number of attacks targeting the underlying hardware system, firmware patching has become a critical need. Firmware patches can now be applied on Microsoft Windows systems.
- Reboot Control – Logged-in users are now able to postpone reboots until a specific time.
- Retry Remediation – The Patch Management Status page now lets you re-attempt already created remediation tasks. A copy of the remediation job is created which can be edited and applied.
- Detailed Remediation Status – Remediation status now includes Received, Initiated and Done to provide more visibility on tasks being performed.
- Stop Ongoing Remediation Task – Ongoing remediation tasks can now be stopped to release devices that haven’t yet accepted the task. This will free devices for other remediation tasks.
- Dashboard changes – A smart Patch Compliance calculator has been added to identify the number of patches required to patch a minimal number of devices to eliminate the maximum number of vulnerabilities. Patch compliance for devices and assets are also shown.
- Bug Fixes and Performance – Various issues have been addressed.
Endpoint Management
- Extended support to handle .bat, .sh, .reg, .deb, .rpm, .exe, .msp, .msi via zip file upload section under Software Deployment.
Device Management
- Users can move Devices across accounts. This is useful when employees move to different locations or move to new projects, etc.
- E-mail alerts are now provided when Saner agents are uninstalled.
Release Notes SanerNow 4.1.1.0
November 22, 2018
Software deployment
- Deploy Software packages from array of pre-packaged list of Software applications to Saner enabled systems. We have 100’s of pre-bundled packages to choose from for Windows, Linux and Mac OS X.
- Create rules to deploy Software packages for new devices while new systems are being provisioned. All your pre-selected Software packages are deployed at one go. This helps making your systems ready to use with all essential software.
- Create your own deployer package and roll out across all Saner enabled endpoint systems. The deployer packages can be exe, MSI, archived files with script and other installers or it can even be a download URL.
- Uninstall Software applications across endpoint systems to remove rogue applications, blacklisted applications, license violating applications or unauthorized software at one go across all affected systems.
Real-time communication
- Continuous, real-time visibility is a must for security operations. With new, web-socket based communication between the agents and the server, everything becomes instant. Sending a scan request, performing a query, monitoring system activities, scheduling an Action in response to a security event are all immediate.
Live system health
- System details now include trending graphs showing CPU, RAM, Network and Disk usage. Click on a device to witness live data from an endpoint, the most simple and sophisticated means to monitor system health.
Role based user access
- Introducing Role-based User Access – to delegate users to handle one or more Saner services across multiple accounts.
Password protect Saner agent service
- The Saner agent service is now password protected. Any unauthorized uninstallation of Saner agent is prevented unless configured password is supplied.
Others
- Account administrators can alter device subscription limit for accounts and extend account expiry date
- Improved Microsoft patching
- Endpoint Protection Software displays devices without Anti-Virus software installed in addition to devices that are under risk
- Performance improvements
- Saner agent upgrade and scan optimization on agents
- Bug and security fixes
Release Notes SanerNow 4.1
September 05, 2018
- Patch Management Automation now supports security and non-security patches. A software patch can fix security vulnerabilities or improve the usability and performance. While creating an automation task, users can select from two options, either apply security patches only or apply both security and non-security patches.
- Patch Rollback is now available for Linux and Mac operating systems. Saner tracks rollback point for a software asset while applying a patch. This helps revert changes and restores applications or operating systems to the last best-known version/configuration.
- Saner users can prioritize patches based on severity. Patches are categorized as Critical, High, Medium and Low. A typical use-case would be to allow remediation tasks to qualify only critical patches for Software applications on various devices.
- All scans now run in “Low” mode by default. This would ensure Saner agents consume minimal resources while a scan is run. A CPU threshold value can also be set to restrict resource utilization. This configuration can be altered using Settings.
- Simplified Group and Device filtering.
- Revamped patch automation and Remediation Status interface for better usability, with the ability to filter by Group/Devices and also by the family of Operating System.
- Saner agents can now recover themselves in case of an abnormal shutdown of a system.
- Other bugs and usability concerns are addressed.
Release Notes SanerNow 4.0.0.5
- Updated Code Signing Certificate and signed all executables and binaries.
Release Notes SanerNow 4.0.0.4
- Fixed cross-site scripting and remote code execution vulnerabilities that existed in update logo feature in Account Management that allows attackers to define potentially untrusted Javascript running within a web browser. Thanks to Sumit Birajdar helping us discover the vulnerability.
- Integrated support for Fedora 28 operating system.
- Patch Management supports MSI file format for remediating vulnerabilities in Windows Systems.
- Fixed configuration file corruption issue on force shutdown/restart of devices using backup mechanism.
- Minor bug fixes.
Release Notes SanerNow 4.0.0.3
- Introduced device status on group-based view in Manage page.
- Fixed Mail settings update for Administrators and Accounts/Sites.
- Added persistence of task scheduling in Endpoint Management (EM) and Endpoint Detection and Response (EDR).
- Minor bug fixes.
Release Notes SanerNow 4.0.0.2
- Fixed host counters in Assets License Section in PDF reports. Fixed detection counters in IoC and IoA Sections under Endpoint Detection and Response (EDR) PDF reports.
- Fixed Remediation action issues in Compliance Management (CM).
- Other minor bug fixes.
Release Notes SanerNow 4.0.0.1
- Fixed scheduling software deployment tasks in Endpoint Detection and Response (EDR).
- Added hostnames of devices associated to a specific Software/Hardware License in in CSV report of Asset Management.
- Fixed an update issue in Sensitive Data Detection detection scripts under Endpoint Management (EM) .
- Fixed scheduler update issue in System Health detection scripts under Endpoint Management (EM)
SanerNow Architecture
SanerNow’s platform-centric approach is designed on the same principles as that of an operating system. The core (‘kernel’) performs the analytical computations required to detect aberrations and deviations. The ‘shell’ provides the ability to query, monitor and make changes. The ‘user/application layer’ helps transform these computations to support various use cases.
SanerNow is built with these four primary concepts:
- Query the system to get visibility
- Monitor for changes and aberrations as they occur
- Analyze the system for risks and threats
- Respond to fix the issues
Key platform features include:
- Continuous monitoring: System controls
- Principle of Self-Healing: Detect and fix vulnerabilities, Identify unwanted/unused assets and uninstall them, Monitor the anti-virus program status, and start it if it is not running, Detect IoC/IoAs and respond to the threats.
- Speed: Deploy SanerNow in minutes, scan 1000s of endpoints in less than 5 minutes
- Scalability
- Multi-tenancy, multi-user and role-based access
- High-performance:Retrieve search results in less than a second
- Agents: Support for Windows, Linux and Mac OS X
SanerNow is a scalable analytics and correlation engine. It works with the SanerNow agent that resides on endpoint devices to collect and transmit data to the SanerNow server. SanerNow server correlates the data from agents on endpoint devices with compliance standards and best practices, and vulnerability and threat intelligence to provide real-time endpoint management and protection capabilities.
Scalability and Ease-of-use
SanerNow provides an intuitive registration interface and efficient authentication mechanism to safeguard customers’ data. It provisions and meters tools and services to a large number of devices in a subscription-based model. It scales from ten to thousands of devices under each account. Each endpoint in an organization subscribes to our platform. An agent is installed harnessing the power of each endpoint and exchanges information with our platform with minimal use of CPU and memory resources.
Simple and Intuitive
Effortlessly deploy and manage devices with this platform that provides numerous ways to install agents. You can deploy using our deployment tool, rollout silent installation using your organization’s deployment tool or share via a unique URL.
Each endpoint communicates with platform using web services. Our platform also provides mechanisms to integrate with other platforms via Web services or SDKs.
Optimization Algorithms
SanerNow platform serves relevant checks and actions based on the type of endpoint widely categorized as Windows-based, Mac operating systems and other Linux operating systems. The checks and actions catered from the platform are finely refined to the version of operating system running on the endpoint. This avoids exchange of large data from and to agents. Optimized algorithms are in place at agents and server to perform scan within minutes and analyze data for different tools. The data sent from agents is designed to optimize network usage, for quick responses and accurate information timely tested in our labs.
Visibility and Continuous Protection within Minutes
Finely crafted reports gives you an insight of overall security posture of your organization and drills down to detailed account of vulnerabilities, compliance issues, incidents and reponses, missing and installed patches and 100+ checks on endpoint management. Alerts give you instant notifications on possible warnings that needs to addressed on your endpoints. You can also get instant notifications on actions taken based on checks.
Detection and Response Automation
SanerNow also provides an easy means to audit and automate responses based on detection scripts. These actions can be scheduled in a timely manner to minimize user intervention at every level possible.
Platforms Supported
SanerNow Supported Operating Systems
- Microsoft Windows 7
- Microsoft Windows 8.1
- Microsoft Windows 10
- Microsoft Windows Server 2008
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows Server Semi-Annual-Channel
- Apple Mac OS X 10.10
- Apple Mac OS X 10.11
- Apple Mac OS X 10.12
- Apple Mac OS X 10.13
- Apple Mac OS X 10.14
- Apple Mac OS X 10.15
- Ubuntu 14.04
- Ubuntu 16.04
- Ubuntu 18.04
- Ubuntu 18.10
- Ubuntu 20.04
- Ubuntu 20.10
- Ubuntu 21.10
- Debian 7
- Debian 8
- Debian 9
- Debian 10
- Amazon Linux
- Amazon Linux 2
- Redhat Enterprise Linux 5
- Redhat Enterprise Linux 6
- Redhat Enterprise Linux 7
- Redhat Enterprise Linux 8
- CentOS 5
- CentOS 6
- CentOS 7
- CentOS 8
- Oracle Linux 5
- Oracle Linux 6
- Oracle Linux 7
- Oracle Linux 8
- Fedora 27
- Fedora 28
- Fedora 29
- Fedora 31
- Fedora 32
- Linux Mint 17
- Linux Mint 18
- Linux Mint 19
- Linux Mint 20
- Linux Mint Debian Edition 3 Cindy
- Linux Mint Debian Edition 4
- Alpine Linux 3.9
- Alpine Linux 3.10
- Alpine Linux 3.11
SanerNow Feature Map
SanerNow addresses the following business cases:
- Vulnerability Management – Continuously assess risks, automated to a daily routine.
- Patch Management – Apply operating system and third-party application patches for Windows, Linux and Mac OS X.
- Compliance Management – Comply with regulatory standards benchmarks and achieve continuous compliance (PCI, HIPAA, NIST 800-53, NIST 800-171).
- Asset Management – Discover and manage assets.
- Endpoint Management – Manage endpoints and ensure their well-being.
- Endpoint Threat Detection and Response – Detect and Respond to Indicators of Attack (IoA) and Indicators of Compromise (IoC).
Security Content and Intelligence
The security intelligence hosted at our content repository feeding the SanerNow platform.
INDEX
- Security Content Statistics
- OVAL Definitions Platform Coverage
- OVAL Definitions Class-wise Distribution
- OVAL Definitions Family-wise Distribution
- Application and OS Remediation Coverage
- Compliance Benchmark Coverage
- List of Vulnerability to Exploit/Malware Mapping covered in SanerNow
- List of IoA (Indicators of Attack) covered in SanerNow
Security Content Statistics
| Content | Coverage | |
Loading Data | ||
OVAL Definitions Platform Coverage
| Platform | OVAL Definitions | |
Loading Data | ||
OVAL Definitions Class-wise Distribution
| OVAL Class | OVAL Definitions | |
Loading Data | ||
OVAL Definitions Family-wise Distribution
| OVAL Family | OVAL Definitions | |
Loading Data | <tr | |
Application and OS Remediation Coverage
| Sl.No. | OVAL Definitions | |
Loading Data | ||
Compliance Benchmark Coverage
| Benchmark for OS | General Compliance | SecPod Compliance | NIST 800-171 | NIST 800-53 | PCI 3.2 | HIPAA 45 CFR 164 |
Loading Data | ||||||
List of Vulnerability to Exploit/Malware Mapping covered in SanerNow
| Sl. No. | MVE (Malware Vulnerability Enumeration) | |
Loading Data | ||
List of IoA (Indicators of Attack) covered in SanerNow
| Sl. No. | IoA (Indicators Of Attack) | |
Loading Data | ||
Windows Probes
Access token
An access token used to check the properties of Windows access token as well as in idual privileges and rights associated with it.
| Child Elements | Description |
| Assign primary token privilege | If Assign primary token privilege is enabled, it allows a parent process to replace an access token that is associated with a child process. |
| Audit privilege | If Audit privilege is enabled, it allows a process to generate audit records in the security log. The security log can be used to trace unauthorized system access. |
| Backup privilege | If Backup privilege is enabled, it allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access by using the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply. |
| Batch logon right | If an account is assigned the Batch logon right right, it can log on using the batch logon type. |
| Change notify privilege | If Change notify privilege is enabled, it allows the user to pass through folders to which the user otherwise has no access while navigating an object path in the NTFS file system or in the registry. This privilege does not allow the user to list the content of a folder; it allows the user only to traverse its directories. |
| Create global privilege | If Create global privilege is enabled, it allows the user to create named file mapping objects in the global namespace during Terminal Services sessions. |
| Create page file privilege | If Create page file privilege is enabled, it allows the user to create and change the size of a pagefile. |
| Create permanent privilege | If Create permanent privilege is enabled, it allows a process to create a directory object in the object manager. It is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode have this privilege inherently. |
| Create symbolic link privilege | If Create symbolic link privilege is enabled, it allows users to create symbolic links. |
| Create token privilege | If Create token privilege is enabled, it allows a process to create an access token by calling NtCreateToken() or other token-creating APIs. |
| Security principle | The Security principle element identifies an access token to test for. Security principles include users or groups with either local or domain accounts, and computer accounts created when a computer joins a domain. In Windows, security principles are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. User rights and permissions to access objects such as Active Directory objects, files, and registry settings are assigned to security principles. In a domain environment, security principles should be identified in the form: “domain\trustee name”. For local security principles use: “computer name\trustee name”. For built-in accounts on the system, use the trustee name without a domain. |
| Debug privilege | If Debug privilege is enabled, it allows the user to attach a debugger to any process. It provides access to sensitive and critical operating system components. |
| Deny batch logon right | If an account is assigned the Deny batch logon right right, it is explicitly denied the ability to log on using the batch logon type. |
| Deny interactive logon right | If an account is assigned the Deny interactive logon right right, it is explicitly denied the ability to log on using the interactive logon type. |
| Deny network logon right | If an account is assigned the Deny network logon right right, it is explicitly denied the ability to log on using the network logon type. |
| Deny Remote interactive logon right | If an account is assigned the Deny Remote interactive logon right right, it is explicitly denied the ability to log on through Terminal Services. |
| Deny service logon right | If an account is assigned the Deny service logon right right, it is explicitly denied the ability to log on using the service logon type. |
| Enable delegation privilege | If Enable delegation privilege is enabled, it allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object. |
| Impersonate privilege | If Impersonate privilege is enabled, it allows the user to impersonate a client after authentication. |
| Increase base priority privilege | If Increase base priority privilege is enabled, it allows a user to increase the base priority class of a process. |
| Increase quota privilege | If Increase quota privilege is enabled, it allows a process that has access to a second process to increase the processor quota assigned to the second process. |
| Increase working set privilege | If Increase working set privilege is enabled, it allows a user to increase a process working set. |
| Interactive logon right | If an account is assigned the Interactive logon right right, it can log on using the interactive logon type. |
| Load driver privilege | If Load driver privilege is enabled, it allows a user to install and remove drivers for Plug and Play devices. |
| Lock memory privilege | If Lock memory privilege is enabled, it allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. |
| Machine account privilege | If Machine account privilege is enabled, it allows the user to add a computer to a specific domain. |
| Manage volume privilege | If Manage volume privilege is enabled, it allows a non-administrative or remote user to manage volumes or disks. |
| Network logon right | If an account is assigned the Network logon right right, it can log on using the network logon type. |
| Profile single process privilege | If Profile single process privilege is enabled, it allows a user to sample the performance of an application process. |
| Re-label privilege | If Re-label privilege is enabled, it allows a user to modify an object label. |
| Remote interactive logon right | If an account is assigned the Remote interactive logon right right, it can log on to the computer by using a Remote Desktop connection. |
| Remote shutdown privilege | If Remote shutdown privilege is enabled, it allows a user to shut down a computer from a remote location on the network. |
| Restore privilege | If Restore privilege is enabled, it allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principle as the owner of an object. |
| Security privilege | If Security privilege is enabled, it allows a user to specify object access auditing options for in idual resources such as files, Active Directory objects, and registry keys. A user who has this privilege can also view and clear the security log from Event Viewer. |
| Service logon right | If an account is assigned the Service logon right right, it can log on using the service logon type. |
| Shutdown privilege | If Shutdown privilege is enabled, it allows a user to shut down the local computer. |
| Sync agent privilege | If Sync agent privilege is enabled, it allows a process to read all objects and properties in the directory, regardless of the protection on the objects and properties. It is required in order to use Lightweight Directory Access Protocol (LDAP) directory synchronization (Dirsync) services. |
| System environment privilege | If System environment privilege is enabled, it allows modification of system environment variables either by a process through an API or by a user through System Properties. |
| System profile privilege | If System profile privilege is enabled, it allows a user to sample the performance of system processes. |
| System time privilege | If System time privilege is enabled, it allows the user to adjust the time on the computer’s internal clock. It is not required to change the time zone or other display characteristics of the system time. |
| Take ownership | If Take ownership privilege is enabled, it allows a user to take ownership of any securable object in the system, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads. |
| TCB privilege | If TCB privilege is enabled, it allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. |
| Timezone privilege | If Timezone privilege is enabled, it allows the user to change the time zone. |
| Trusted credentials management access right | If an account is assigned this right, it can access the Credential Manager as a trusted caller. |
| Undock privilege | If Undock privilege is enabled, it allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu. |
| Unsolicited input privilege | If Unsolicited input privilege is enabled, it allows the user to read unsolicited data from a terminal device. |
Active directory
This is used to check information about specific entries in active directory.
| Child Elements | Description |
| ADS type | The type of information that the specified attribute represents. |
| Attribute | Specifies a named value contained by the object. |
| Naming context | Each object in active directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema. |
| Object class | The name of the class of which the object is an instance. |
| Relative distinguished name | This is used to uniquely identify an object inside the specified naming context. It contains all the parts of the object’s distinguished name except those outlined by the naming context. |
| Value | The actual value of the specified Active Directory attribute. Note that while an Active Directory attribute can contain structured data where it is necessary to collect multiple related fields that can be described by the ‘record’ datatype, it is not always the case. It also is possible that an Active Directory attribute can contain only a single value or an array of values. In these cases, there is not a name to uniquely identify the corresponding field which is a requirement for fields in the ‘record’ datatype. As a result, the name of the Active Directory attribute will be used to uniquely identify the field and satisfy this requirement. |
Anti-virus information
This is used to collect information about an installed Antivirus applications.
| Child Elements | Description |
| Antivirus name | This element specifies a display name of a installed antivirus product. |
| Instance GUID | This entity holds a string that represents the GUID of a particular group. |
| Path to signed product executable | This element specifies the absolute path to antivirus product exe file on the machine. |
| Path to signed reporting executable | This element specifies the absolute path to antivirus reporting exe file on the machine. |
| Product enabled | This element specifies whether product is enabled/disabled. |
| Product state | This element specifies a state value. When this value is converted to HEX, the bits specify if product is enabled/disabled and whether definitions are up-to-date or outdated. |
| Product up-to-date | This element specifies whether product is up-to-date. |
ARP Cache
This is used to collect various information about address resolution protocol cache table.
| Child Elements | Description |
| Host IP | This element specifies host IP address. |
| Interface Index | Applicable to only Windows. This element specifies value for the network interface associated with this IP address. This index value may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent. |
| Interface locally unique ID index | Applicable to only Windows. This element specifies unique identifier (LUID) for the network interface associated with this IP address. |
| Reachability time | Applicable to only Windows. The Reachability time specifies time, in milliseconds, that a node assumes a neighbor is reachable after having received a reachability confirmation. |
| MAC address | This element specifies physical hardware address of the adapter for the network interface associated with this IP address. |
| Interface Type | Applicable to only Windows. This element specifies interface type as defined by the Internet Assigned Names Authority (IANA) |
| Neighbour state | Applicable to only Windows. The state of a network neighbour IP address as defined in RFC 2461. This member can be one of the values from the NL_NEIGHBOR_STATE enumeration type that is defined in the Nldef.h header file. https://msdn.microsoft.com/en-us/library/gg159207.aspx |
Audit Event Policy
This is used to check different types of events the system should audit.
| Child Elements | Description |
| Account logon | Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection. |
| Account management | Audit attempts to create, delete, or change user or group accounts. Also, audit password changes. |
| Detailed tracking | Audit specific events, such as program activation, some forms of handle duplication, indirect access to an object, and process exit. Note that this activity is also known as process tracking. |
| Directory service access | Audit attempts to access the directory service. |
| Logon | Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection. |
| Object access | Audit attempts to access securable objects, such as files. |
| Policy change | Audit attempts to change Policy object rules. |
| Privilege use | Audit attempts to use privileges. |
| System | Audit attempts to shut down or restart the computer. Also, audit events that affect system security or the security log. |
Audit Event Policy Subcategories
This is used to check the audit event policy settings on a Windows system. These settings are used to specify which system and network events are monitored. For example, If Credential validation element has a value of AUDIT_FAILURE, it means that the system is configured to log all unsuccessful attempts to validate a user account on a system. It is important to note that these audit event policy settings are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information on each setting.
| Child Elements | Description |
| Account lockout | Audit the events produced by a failed attempt to log onto a locked out account. |
| Application generated | Audit the events produced by applications that use the Windows Auditing API. |
| Application group management | Audit the events produced by changes to application groups. |
| Audit policy changes | Audit the events produced by changes in security audit policy settings. |
| Authentication policy change | Audit the events produced by changes to the authentication policy. |
| Authorization policy change | Audit the events produced by changes to the authorization policy. |
| Certificate services | Audit the events produced by operations on Active Directory Certificate Services. |
| Computer account management | Audit the events produced by changes to computer accounts. |
| Credential validation | Audit the events produced during the validation of a user’s logon credentials. |
| Detailed directory service | Audit the events produced by detailed Active Directory Domain Services replication between domain controllers. |
| Detailed file share | Audit the events produced by attempts to access files and folders on a shared folder. |
| Directory service access | Audit the events produced when a Active Directory Domain Services object is accessed. |
| Directory service changes | Audit the events produced when changes are made to Active Directory Domain Services objects. |
| Directory service replication | Audit the events produced when two Active Directory Domain Services domain controllers are replicated. |
| Distribution group management | Audit the events produced by changes to distribution groups. |
| Audit DPAPI(data protection) activity | Audit the events produced when requests are made to the Data Protection application interface. |
| File share | Audit the events produced by attempts to access a shared folder. |
| File system | Audit the events produced user attempts to access file system objects. |
| Filtering platform connection | Audit the events produced by connections that are allowed or blocked by Windows Filtering Platform. |
| Filtering platform packet drop | Audit the events produced by packets that are dropped by Windows Filtering Platform. |
| Filtering platform policy change | Audit the events produced by changes to the Windows Filtering Platform. |
| Handle manipulation | Audit the events produced when a handle is opened or closed. |
| IPSec driver | Audit the events produced by the IPsec filter driver. |
| IPSec extended mode | Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Extended Mode negotiations. |
| IPSec main mode | Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Main Mode negotiations. |
| IPSec quick mode | Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Quick Mode negotiations. |
| Kerberos authentication service | Audit the events produced by Kerberos authentication ticket-granting requests. |
| Kerberos service ticket operations | Audit the events produced by Kerberos service ticket requests. |
| Kerberos ticket events (Deprecated) | Audit the events produced during the validation of Kerberos tickets provided for a user account logon request. |
| Kernel object | Audit the events produced by attempts to access the system kernel. |
| Log off | Audit the events produced by closing a logon session. |
| Logon | Audit the events produced by attempts to log onto a user account. |
| MPSSVC rule level policy change | Audit the events produced by changes to policy rules used by the Windows Firewall. |
| Network policy server | Audit the events produced by RADIUS and Network Access Protection user access requests. |
| Non-sensitive privilege | Audit the events produced by the use of non-sensitive privileges. |
| Other account logon events | Audit the events produced by changes to user accounts that are not covered by other events in the Account Logon category. |
| Other account management events | Audit the events produced by other user account changes that are not covered by other events in the Account Management category. |
| Other logon logoff events | Audit the events produced by other logon/logoff based events that are not covered in the Logon/Logoff category. |
| Other object access events | Audit the events produced by the management of Task Scheduler jobs or COM+ objects. |
| Other polict change events | Audit the events produced by other security policy changes that are not covered other events in the Policy Change category. |
| Other privilege use events | This is currently not used and has been reserved by Microsoft for use in the future. |
| Other system events | Audit the events produced by the startup and shutdown, security policy processing, and cryptography key file and migration operations of the Windows Firewall. |
| Security state change | Audit the events produced by changes in the security state. |
| Process creation | Audit the events produced when a process is created or starts. |
| Process termination | Audit the events produced when a process ends. |
| Registry | Audit the events produced by attempts to access registry objects. |
| RPC events | Audit the events produced by inbound remote procedure call connections. |
| Security Account Manager(SAM) | Audit the events produced by attempts to access Security Accounts Manager objects. |
| Security group management | Audit the events produced by changes to security groups. |
| Security system extension | Audit the events produced by the security system extensions or services. |
| Sensitive privilege use | Audit the events produced by the use of sensitive privileges. |
| Special logon | Audit the events produced by special logons. |
| System integrity | Audit the events that indicate that the integrity security subsystem has been violated. |
| User account management | Audit the events produced by changes to user accounts. |
Auto Logon Last Logon Last Reboot
This is used to collect auto login is enabled or not, last user logon time and last system restart time.
| Child Elements | Description |
| Last boot up time | This element specifies date and time the operating system was last restarted. It is in datetime format such as 20180226090624.652230+330 |
| Last logon | This element specifies last log on timestamp. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). |
| User name | This element specifies the name of a particular user. |
| Auto admin logon | This element specifies automatic logon feature is enabled or not. Automatic logon uses the domain, user name, and password stored in the registry to log users on to the computer when the system starts.� |
| Auto logon enabled user name | This element specifies the last user name entered in the Log On to Windows dialog box. This entry is required if you have configured Windows to log on automatically by setting the value of Auto admin logon to 1. |
BIOS Information
This is used to collect various information about BIOS.
| Child Elements | Description |
| BIOS Manufacture | This element specifies manufacturer of this software element. This value comes from the Vendor member of the BIOS Information structure in the SMBIOS information. |
| BIOS Name | The BIOS Name element used to identify the software element. |
| BIOS Serial Number | This element specifies serial number of the software element |
| System Management BIOS Version | This element specifies BIOS version as reported by SMBIOS. This value comes from the BIOS Version member of the BIOS Information structure in the SMBIOS information. |
| BIOS Status | This element specifies current status of BIOS. Various operational and nonoperational status can be defined. |
| BIOS Version | This element specifies version of the BIOS. This string is created by the BIOS manufacturer |
| BIOS Language | This element specifies name of the current BIOS language. |
Bit Locker Information
This is used to collect bit-locker enabled device information.
| Child Elements | Description |
| Device ID | This element specifies an unique identifier for the volume on this system. |
| Drive letter | This element specifies the drive letter of the volume. |
| Status | This element specifies the status of the volume, whether or not Bit-Locker is protecting the volume. |
| Volume ID | This element specifies a persistent identifier for the volume on this system. |
Computer Information
This is used to collect various information about computer system.
`
| Child Elements | Description |
| Base board serial number | This element represents the base board serial number. |
| Boot device | This element specifies the name of the disk drive from which the Windows operating system starts. |
| BIOS serial number | This element represents the BIOS serial number. |
| Cache Size | This element specifies the size of the total processor cache. A cache is an external memory area that has a faster access time than the main RAM memory. |
| CPU | This element specifies name of the processor. |
| CPU cores | This element specifies the number of CPU cores. |
| CPU Architecture | This element specifies processor architecture used by the platform. |
| CPU usage | This element specified CPU usage in percentage. |
| Disk description | This element specifies description of the disk drive. |
| Disk name | This element specifies the short description of the disk drive – a one-line string. |
| Disk drive serial number | This element specifies serial number of the disk drive. |
| Disk size | This element specifies size of the disk drive (in bytes). |
| Disk type | This element specifies a numeric value that corresponds to the type of disk drive this logical disk represents. |
| Network total bytes received | This element represents the number of bytes received. |
| Network total bytes transmitted | This element represents the number of bytes transmitted. |
| Network total bytes(received/transmitted) | This element represents the total number of bytes received and transmitted. |
| Operating system architecture | This element specifies the architecture of the operating system. |
| Operating system name | This element specifies the name of the operating system. |
| Operating system serial number | This element represents the operating system serial number. |
| Free RAM | This element specifies free system memory size in bytes. |
| RAM usage | This element specifies used system memory size in percentage. |
| RAM used | This element specifies used system memory size in bytes. |
| System name | This element specifies system name. |
| System time synchronization status | This element specifies if system time is synchronised with server using Network Time Protocol(NTP). Value is either true or false |
| System product name | This element specifies the system hardware name. |
| System product version | This element specifies the system hardware version. |
| System uptime | This element specifies the number of milliseconds that have elapsed since the system was started. |
| Total RAM | This element specifies system total memory size in bytes. |
| Timezone name | This element specifies the timezone such as Indian Standard Time. |
| Timezone difference | This element specifies the difference in timezone in hours. |
| Volume name | This element specifies volume name of the logical disk. Constraints: Maximum 32 characters. |
Device information
This is used to collect information about plug and play devices.
| Child Elements | Description |
| Device description | This element specifies description of the device. |
| Device driver | This element specifies the path of the service that supports the device. |
| Device GUID | This element specifies the globally unique identifier (GUID) of the device. |
| Device hardware ID | This element specifies the hardware ID of the device. |
| Device instance ID | This element specifies the instance ID of the device. |
| Device manufacture | This element specifies manufacturer of the device. |
| Device name | This element specifies label given to the device. |
| Device status | This element specifies the current status of the device. Various operational and nonoperational statuses can be defined. |
| Device type | This element specifies the type of the device. |
DNS cache
DNS cache is used to check the time to live and IP addresses associated with a domain name. The time to live and IP addresses for a particular domain name are retrieved from the DNS cache on the local system. The entries in the DNS cache can be collected using Microsoft’s DnsGetCacheDataTable() and DnsQuery() API calls.
| Child Elements | Description |
| Domain name | The Domain name element contains a string that represents a domain name that was collected from the DNS cache on the local system. |
| IP address | The IP address element contains a string that represents an IP address associated with the specified domain name that was collected from the DNS cache on the local system. Note that the IP address can be IPv4 or IPv6. |
| TTL | The ttl element contains an integer that represents the time to live in seconds of the DNS cache entry. |
Environment Variables
This is used to check an environment variable for the specified process, which is identified by its process ID, on the system .
| Child Elements | Description |
| Name | This element describes the name of an environment variable. |
| Process ID(PID) | The process ID of the process from which the environment variable was retrieved. |
| Value | The actual value of the specified environment variable. |
Events
This is used to collect information about Security events, System events and Application events.
| Child Elements | Description |
| channel | This element specifies one of the following channels Security, System or Application |
| Computer | This element specifies the time at which this entry was submitted. |
| Data | This element specifies fields of an event |
| Event ID | This element specifies a number identifying the particular event type. The value is specific to the event source for the event, and is used with source name to locate a description string in the message file for the event source. |
| Level | The level element is numeric value which specifies a classification of the event severity. |
| String:Channel | This element specifies one of the following channels Security, System or Application |
| String:Keyword | This element specifies a set of categories or tags that can be used to filter or search for events. |
| String:Level | The level element is a string value which specifies a classification of the event severity. |
| String:Message | This element specifies description of the event. |
| String:Opcode | This element specifies what activity the application or component was doing when the event was triggered. |
| String:Provider | This element specifies provider of the event |
| System time | This element specifies the time of the computer at which the event occurred. |
Family of Operating System
This is used to check the family a certain system belongs to. This test basically allows the high level system types (window, unix, ios, etc.) to be tested.
| Child Elements | Description |
| Family of Operating System | This element describes the high-level system OS type to test against. Please refer to the definition of the EntityFamilyType for more information about the possible values. |
File
This is used to check metadata associated with files. File path is mandatory for this query while submitting to agents.
| Child Elements | Description |
| Access time | Time of last access of file. Valid on NTFS but not on FAT formatted disk drives. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). |
| Creation time | Time of creation of file. Valid on NTFS but not on FAT formatted disk drives. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). |
| Company | This entity defines a company name to be found within the version-information structure. |
| Development class | The Development class element allows the distinction to be made between the GDR development environment and the QFE development environment. This field holds the text found in front of the mmmmmm-nnnn version, for example srv03_gdr. |
| File name | This element specifies name of the file on the machine. |
| File path* | This element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath. |
| Internal name | This entity defines an internal name to be found within the version-information structure. |
| Language | This entity defines a language to be found within the version-information structure. |
| Modified time | Time of last modification of file. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). |
| Microsoft checksum | The checksum of the file as supplied by Microsoft’s MapFileAndCheckSum function. |
| Original filename | This entity defines an original filename to be found within the version-information structure. |
| Owner | The owner element is a string that contains the name of the owner. The name should be specified in the DOMAIN\username format. |
| Product name | This entity defines a product name to be found within the version-information structure. |
| Product version | This entity defines a product version to be found within the version-information structure. |
| Size | The size element is the size of the file in bytes. |
| Type | The type element marks whether the file is a directory, named pipe, standard file, etc. These types are the return values for GetFileType, with the exception of FILE_ATTRIBUTE_DIRECTORY which is obtained by looking at GetFileAttributesEx. NOTE: Should this entity be split into two in future versions of the language as there are other values associated with GetFileAttributesEx that are not represented here? |
| Version | The version element is the delimited version string of the file. |
| Windows view | The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. |
File Audit Permissions
This is used to check the audit permissions associated with Windows files. Note that the trustee’s audited permissions are the audit permissions that the SACL grants to the trustee or to any groups of which the trustee is a member. File path is mandatory for this query while submitting to agents.
| Child Elements | Description |
| Access system security | Indicates access to a system access control list (SACL). |
| File append data | Grants the right to append data to the file. |
| File delete child | Right to delete a directory and all the files it contains (its children), even If files are read-only. |
| File execute | Grants the right to execute a file. |
| File read attributes | Grants the right to read file attributes. |
| File read data | Grants the right to read data from the file. |
| File read ea | Grants the right to read extended attributes. |
| File write attributes | Grants the right to change file attributes. |
| File write data | Grants the right to write data to the file. |
| File write ea | Grants the right to write extended attributes. |
| File path* | This element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath. |
| Generic all | Read, write, and execute access. |
| Generic execute | Execute access. |
| Generic read | Read access. |
| Generic write | Write access. |
| Standard delete | The right to delete the object. |
| Standard read control | The right to read the information in the object’s Security Descriptor, not including the information in the SACL. |
| Standard synchronize | The right to use the object for synchronization. This enables a thread to wait until the object is in the signalled state. Some object types do not support this access right. |
| Standard write DAC | The right to modify the DACL in the object’s Security Descriptor. |
| Standard write owner | The right to change the owner in the object’s Security Descriptor. |
| Trustee SID | The Trustee SID element is the unique SID that associated a user, group, system, or program (such as a Windows service). |
| Windows view | The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. |
File Effective Rights
This will collect directories and all Windows file types (FILE_TYPE_CHAR, FILE_TYPE_DISK, FILE_TYPE_PIPE, FILE_TYPE_REMOTE, and FILE_TYPE_UNKNOWN). File path is mandatory for this query while submitting to agents.
| Child Elements | Description |
| Access system security | Indicates access to a system access control list (SACL). |
| File append data | Grants the right to append data to the file, or if a directory, grants the right to add a sub-directory to the directory. |
| File delete child | Right to delete a directory and all the files it contains (its children), even If files are read-only. |
| File execute | Grants the right to execute a file, or if a directory, the right to traverse the directory. |
| File read attributes | Grants the right to read file, or directory, attributes. |
| File read data | Grants the right to read data from the file, or if a directory, grants the right to list the content of the directory. |
| File read ea | Grants the right to read extended attributes. |
| File write attributes | Grants the right to change file, or directory, attributes. |
| File write data | Grants the right to write data to the file, or if a directory, grants the right to add a file to the directory. |
| File write ea | Grants the right to write extended attributes. |
| File path* | This element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath. |
| Generic all | Read, write, and execute access. |
| Generic execute | Execute access. |
| Generic read | Read access. |
| Generic write | Write access. |
| Standard delete | The right to delete the object. |
| Standard read control | The right to read the information in the object’s Security Descriptor, not including the information in the SACL. |
| Standard synchronize | The right to use the object for synchronization. This enables a thread to wait until the object is in the signalled state. Some object types do not support this access right. |
| Standard write DAC | The right to modify the DACL in the object’s Security Descriptor. |
| Standard write owner | The right to change the owner in the object’s Security Descriptor. |
| Trustee SID | The Trustee SID element is the unique SID that associated a user, group, system, or program (such as a Windows service). |
| Windows view | The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. |
filehash58
This is used for a file hash of specific file(s). This only implies on regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. File path is mandatory for this query while submitting to agents.
| Child Elements | Description |
| File path* | This entity specifies the directory component of the absolute path to a file on the machine. |
| Hash | This entity specifies the result of applying the hash algorithm to the file. |
| Hash type | This entity specifies the hash algorithm to use when collecting the hash for each of the specified files. |
| Windows view | The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems. |
Firewall
This is used to collect firewall status on private, public and domain profiles and inbound/outbound traffic information.
| Child Elements | Description |
| Allow inbound traffic | This element specifies the value for the default action for inbound traffic. It can be either allowed or blocked. |
| Allow outbound traffic | This element specifies the value for the default action for outbound traffic. It can be either allowed or blocked. |
| Block inbound traffic | This element specifies the value of the BlockAllInboundTraffic property. This property indicates whether inbound traffic is blocked for a specified profile. |
| Display notifications | This element specifies the value of the NotificationsDisabled property. This property indicates whether notifications are enabled or disabled for a specified profile. |
| Profile | This element specifies name of the profile i.e Public, Private or Domain |
| Status | This element specifies the value of the FirewallEnabled property. This property indicates whether the firewall is enabled or disabled for a specified profile. |
| Unicast response to multicasr broadcast | This element specifies the value of the UnicastResponseToMulticastBroadcastDisabled property. This property indicates whether the firewall should allow unicast incoming responses to outgoing multicast and broadcast traffic. |
Group
This collects different users and subgroups that directly belong to specific groups (identified by name). When this collects the groups on the system, it only includes the local and built-in group accounts and not domain group accounts. However, it is important to note that domain group accounts can still be looked up. Also, note that the subgroups of the group will not be resolved to find indirect user and group members. If subgroups need to be resolved, it should be done using the SID query.
| Child Elements | Description |
| Group | This element holds a string that represents the name of a particular group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, groups should be identified in the form: “domain\group name”. For local groups use: “computer name\group name”. For built-in accounts on the system, use the group name without a domain. |
| Sub-group | Applicable only for Windows systems. A string that represents the name of a particular subgroup in the specified group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, the subgroups should be identified in the form: “domain\group name”. In a local environment, the subgroups should be identified in the form: “computer name\group name”. If subgroups are built-in groups, the subgroups should be identified in the form: “group name” without a domain component. |
| User | Applicable only for Windows systems. This element holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: “domain\user name”. For local users use: “computer name\user name”. For built-in accounts on the system, use the user name without a domain. |
Group SID
This defines the specific group(s) identified by SID.
| Child Elements | Description |
| Group SID | This entity holds a string that represents the SID of a particular group. |
| Sub-group SID | This entity holds a string that represents the SID of particular subgroup in the specified group. This entity can be included multiple times in a system characteristic item in order to record that a group contains a number of different subgroups. |
| User SID | This entity holds a string that represents the SID of particular user in the specified group. |
Installed Applications
This is used to collect information about installed application on the system.
| Child Elements | Description |
| Application date | This element specifies installed application date. |
| Application name | This element specifies installed application name. |
| Application last use | This element specifies the last use date of an application. |
| Application path | This element specifies installed application path on the machine. |
| Application publisher | This element specifies the application publisher information. |
| Application version | This element specifies installed application version |
| Install location | This element specifies installed location on the machine. |
Installed Patches
This is used to collect information about installed application on the system.
| Child Elements | Description |
| Description | This element specifies the description of the patch. |
| Patch ID | The Patch ID element is unique identifier associated with a particular update. |
| Patch installed by | This element specifies the person who installed the update. If this value is unknown, the property is empty. |
| Patch installed on | This element specifies the date that the update was installed. If this value is unknown, the property is empty. |
| Patch rollback available | This element specifies if rollback is possible for this patch. Possible values are TRUE or FALSE. An empty value appears if it cannot be determined. |
| Patch severity | This element specifies severity of a patch. Possible values: Important, Critical, etc. An empty value appears if it cannot be determined. |
| Patch size | This element specifies size of a patch. Values are specified in bytes. A value UNKNOWN appears if patch size cannot be determined. |
Network Interfaces
The interface test enumerate various attributes about the interfaces on a system.
| Child Elements | Description |
| Active type | This element specifies the active interfaces. |
| Address type | This element specifies the address type or state of a specific interface. Each interface can be associated with more than one value meaning the Address type element can occur multiple times in a system characteristic item. |
| Broadcast address | This element specifies the broadcast address. A broadcast address is typically the IP address with the host portion set to either all zeros or all ones. Note that the IP address can be IPv4 or IPv6. |
| Hardware Address | The Hardware Address entity is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F. |
| Index | This element specifies index that identifies the interface. |
| IP address of an interface | This element specifies the IP address. Note that the IP address can be IPv4 or IPv6. If IP address is an IPv6 address, this entity will be expressed as an IPv6 address prefix using CIDR notation and the netmask entity will not be collected. |
| Name | This element specifies the name of an interface. |
| Netmask | This element specifies the subnet mask for the IP address. Note that If IP address of an interface entity contains an IPv6 address prefix, this entity will not be collected. |
| Type | This element specifies the type of interface which is limited to certain set of values. |
Account Lockout Policy
The lockout policy test enumerates various attributes associated with lockout information for users and global groups in the security database.
| Child Elements | Description |
| Force log-off | Specifies, in seconds, the amount of time between the end of the valid logon time and the time when the user is forced to log off the network. A value of TIMEQ_FOREVER (-1) indicates that the user is never forced to log off. A value of zero indicates that the user will be forced to log off immediately when the valid logon time expires. See the USER_MODALS_INFO_0 structure returned by a call to NetUserModalsGet(). |
| Lockout duration | Specifies, in seconds, how long a locked account remains locked before it is automatically unlocked. See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet(). |
| Lockout observation window | Specifies the maximum time, in seconds, that can elapse between any two failed logon attempts before lockout occurs. See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet(). |
| Lockout threshold | Specifies the number of invalid password authentications that can occur before an account is marked “locked out.” See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet(). |
Operating System Information
This is used to collect various information about installed operating system.
| Child Elements | Description |
| Build version | This element specifies the build number of an operating system. It can be used for more precise version information than product release version numbers. |
| OS Architecture | This element specifies the Architecture of the operating system, as opposed to the processor. |
| OS Country code | This element specifies the code for the country/region that an operating system uses. Values are based on international phone dialling prefixes-also referred to as IBM country/region codes. |
| OS Locale | This element specifies the language identifier used by the operating system. A language identifier is a standard international numeric abbreviation for a country/region. |
| Operating system name | This element specifies the operating system instance within a computer system. |
| Operating system version | This element specifies the operating system instance within a computer system. |
| Service pack major | This element specifies the major version number of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero). |
| Service pack minor | This element specifies the minor version number of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero). |
Password Policy
Specific policy items associated with passwords. It is important to note that these policies are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information. Information is stored in the SAM or Active Directory but is encrypted or hidden so the registry and activedirectory are of no use. If this can be figured out, then the password policy is not needed.
| Child Elements | Description |
| Maximum password age | Specifies, in seconds, the maximum allowable password age. A value of TIMEQ_FOREVER (-1) indicates that the password never expires. The minimum valid value for this element is ONE_DAY (86400). |
| Minimum password age | Specifies the minimum number of seconds that can elapse between the time a password changes and when it can be changed again. A value of zero indicates that no delay is required between password updates. |
| Minimum password length | Specifies the minimum allowable password length. Valid values for this element are zero through PWLEN. |
| Password hint length | Specifies the length of password history maintained. A new password cannot match any of the previous usrmod0_password_hist_len passwords. Valid values for this element are zero through DEF_MAX_PWHIST. |
| Password complexity | A boolean value that signifies whether passwords must meet the complexity requirements put forth by the operating system. |
| Reversible encryption | Determines whether or not passwords are stored using reversible encryption. |
Port/Network Connection
Information about open ports and network connections.
| Child Elements | Description |
| Local address | This element specifies the local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6. |
| Local port | This element specifies the number assigned to the local listening port. |
| Protocol | This element specifies the type of listening port. It is restricted to either TCP or UDP. |
| Process ID(PID) | The id given to the process that is associated with the specified listening port. |
| Foreign address | This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6. |
| Foreign port | This is the TCP or UDP port to which the program communicates. |
Printer Effective Rights
This item stores the effective rights of a printer that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee’s effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.
| Child Elements | Description |
| Printer name | This entity specifies the name of the printer. |
| Trustee SID | This entity specifies the SID that associated a user, group, system, or program (such as a Windows service). |
| Standard delete | The right to delete the object. |
| Standard read control | The right to read the information in the object’s security descriptor, not including the information in the SACL. |
| Standard write DAC | The right to modify the DACL in the object’s security descriptor. |
| Standard write owner | The right to change the owner in the object’s security descriptor. |
| Standard synchronize | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaller state. Some object types do not support this access right. |
| Access system security | Indicates access to a system access control list (SACL). |
| Generic read | Read access. |
| Generic write | Write access. |
| Generic execute | Execute access. |
| Generic all | Read, write, and execute access. |
| Printer access administer | Printer access administer |
| Printer access use | Printer access use |
| Job access administer | Job access administer |
| Job access read | Job access read |
Process
Information about running processes.
| Child Elements | Description |
| Creation time | The Creation time entity represents the creation time of the process. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). See the GetProcessTimes function lpCreationTime. |
| Current directory | The Current directory entity represents the current path to the executable file for the process. |
| DEP enabled | The DEP enabled entity represents whether or not data execution prevention (DEP) is enabled. See the GetProcessDEPPolicy function lpFlags. |
| Image path | The Image path entity represents the name of the executable file for the process. |
| Name | This element indicates name of the process. |
| Parent process ID | The id given to the parent of the process that is created for the specified command line. |
| Priority | The base priority of the process. |
| Primary windows text | This represents the title of the primary window of the process. See the GetWindowText function. |
| Process ID(PID) | The id given to the process that is created for a specified command line. |
| Process memory | Virtual memory is an approach to make use of the secondary storage devices as an extension of the primary storage of the computer. |
| Swap size | This element specified the swap size in bytes. |
Registry
The windows registry item specifies information that can be collected about a particular registry key. Hive, Key and Name are mandatory fields while submitting to agents.
| Child Elements | Description |
| Hive* | The hive that the registry key belongs to. |
| Key* | This element describes a registry key to be gathered. Note that the hive portion of the string should not be included, as this data can be found under the hive element. If xsi:nil attribute is set to true, then the item being represented is the higher level hive. Using xsi:nil here will result in a status of ‘does not exist’ for the type, and value entities since these entities are not associated with a hive by itself. Note that when xsi:nil is used for the key element, the name element should also be nilled. |
| Name* | This element describes the name of a registry key. If xsi:nil attribute is set to true, then the item being represented is the higher level key. Using xsi:nil here will result in a status of ‘does not exist’ for the type, and value entities since these entities are not associated with a key by itself. |
| Last write time | The last time that the key or any of its value entries was modified. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). Last write time can be queried on a hive, key, or name. When collecting only information about a registry hive the last write time will be the time the hive or any of its entries was written to. When collecting only information about a registry hive and key the last write time will be the time the key or any of its entries was written to. When collecting only information about a registry name the last write time will be the time the name was written to. See the RegQueryInfoKey function lpftLastWriteTime. |
| Type | Specifies the type of data stored by the registry key. For example: REG_BINARY, REG_DWORD, REG_QWORD etc. |
| Value | This entity holds the actual value of the specified registry key. The representation of the value as well as the associated datatype attribute depends on type of data stored in the registry key. If specified registry key is of type REG_BINARY, then the datatype attribute should be set to ‘binary’ and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If registry key is of type REG_DWORD or REG_QWORD, then the datatype attribute should be set to ‘int’ and the value entity should represent the data as an integer. If specified registry key is of type REG_EXPAND_SZ, then the datatype attribute should be set to ‘string’ and the pre-expanded string should be represented by the value entity. If specified registry key is of type REG_MULTI_SZ, then multiple value entities should exist to describe the array of strings, with each value element holds a single string. In the end, there should be the same number of value entities as there are strings in the reg_multi_sz array. If specified registry key is of type REG_SZ, then the datatype should be ‘string’ and the value entity should be a copy of the string. |
| Windows view | The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64-bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. |
Registry Key Audit Permissions
The windows registry item specifies information that can be collected about a particular registry key. Hive and Key are mandatory fields while submitting to agents.
| Child Elements | Description |
| Hive* | This element specifies the hive of a registry key on the machine from which the SACL was retrieved. |
| Key* | This element specifies a registry key on the machine from which the SACL was retrieved. Note that the hive portion of the string should not be included, as this data should be found under the hive element. |
| Access system security | Indicates access to a system access control list (SACL). |
| Create link | Create link |
| Create sub-key | Create sub-key |
| Enumerate sub-keys | Enumerate sub-keys |
| Generic read | Read access. |
| Generic write | Write access. |
| Generic execute | Execute access. |
| Generic all | Read, write, and execute access. |
| Notify | Notify |
| Query value | Query value |
| Set value | Set value |
| Standard delete | The right to delete the object. |
| Standard read control | The right to read the information in the object’s security descriptor, not including the information in the SACL. |
| Standard write DAC | The right to modify the DACL in the object’s security descriptor. |
| Standard write owner | The right to change the owner in the object’s security descriptor. |
| Trustee SID | The security identifier (SID) of the specified trustee name. |
| Windows view | The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64-bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. |
| Wow64 64bit key | Wow64 64bit key |
| Wow64 32 bit key | Wow64 32 bit key |
| Wow64 result | Wow64 result |
Registry Key Effective Rights
This item stores the effective rights of a registry key that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee’s effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api. Hive and Key are mandatory fields while submitting to agents.
| Child Elements | Description |
| Hive* | The hive that the registry key belongs to. |
| Key* | This element describes a registry key to be gathered. Note that the hive portion of the string should not be included, as this data can be found under the hive element. If xsi:nil attribute is set to true, then the item being represented is the higher level hive. |
| Trustee SID | This entity specifies the SID that associated a user, group, system, or program (such as a Windows service). |
| Standard delete | The right to delete the object. |
| Standard read control | The right to read the information in the object’s security descriptor, not including the information in the SACL. |
| Standard write DAC | The right to modify the DACL in the object’s security descriptor. |
| Standard write owner | The right to change the owner in the object’s security descriptor. |
| Access system security | Indicates access to a system access control list (SACL). |
| Generic read | Read access. |
| Generic write | Write access. |
| Generic execute | Execute access. |
| Generic all | Read, write, and execute access. |
| Query value | Query value |
| Set value | Set value |
| Create sub-key | Create sub-key |
| Enumerate sub-keys | Enumerate sub-keys |
| Notify | Notify |
| Create link | Create link |
| Wow64 64bit key | Wow64 64bit key |
| Wow64 32 bit key | Wow64 32 bit key |
| Wow64 result | Wow64 result |
| Windows view | The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64-bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. |
Run command history
This is used to collect history of run command.
| Child Elements | Description |
| History | This element specifies the history of run command. |
Scheduled Programs
This is used to collect various information about scheduled task.
| Child Elements | Description |
| Task name | This element specifies the scheduled task name. |
| Task enabled | The Task enabled element is a boolean value that indicates If registered task is enabled. |
| Task state | This element specifies the operational state task. |
| Task path | This element specifies the the path to where the registered task is stored on the machine. |
| Last run time | This element specifies the time the registered task was last run. Data appears in timestamp format such as 1519706807. |
| Next run time | This element specifies the time when the registered task is next scheduled to run. Data appears in timestamp format such as 1520409600. |
Service Effective Rights
This item stores the effective rights of a service that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee’s effective rights are determined by checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.
| Child Elements | Description |
| Service name | This element specifies a service on the machine from which to retrieve the DACL. Note that the Service name element should contain the actual name of the service and not its display name that is found in Control Panel->Administrative Tools->Services. For example, if you wanted to check the effective rights of the Automatic Updates service you would specify ‘wuauserv’ for the Service name element not ‘Automatic Updates’. |
| Trustee SID | This element specifies the SID that is associated with a user, group, system, or program (such as a Windows service). |
| Standard delete | This permission is required to call the DeleteService function to delete the service. |
| Standard read control | This permission is required to call the QueryServiceObjectSecurity function to query the security descriptor of the service object. |
| Standard write DAC | This permission is required to call the SetServiceObjectSecurity function to modify the Dacl member of the service object’s security descriptor. |
| Standard write owner | This permission is required to call the SetServiceObjectSecurity function to modify the Owner and Group members of the service object’s security descriptor. |
| Generic read | Read access (STANDARD_RIGHTS_READ, SERVICE_QUERY_CONFIG, SERVICE_QUERY_STATUS, SERVICE_INTERROGATE, SERVICE_ENUMERATE_DEPENDENTS). |
| Generic write | Write access (STANDARD_RIGHTS_WRITE, SERVICE_CHANGE_CONFIG). |
| Generic execute | Execute access (STANDARD_RIGHTS_EXECUTE, SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE, SERVICE_USER_DEFINED_CONTROL). |
| Service query configuration | This permission is required to call the QueryServiceConfig and QueryServiceConfig2 functions to query the service configuration. |
| Service change configuration | This permission is required to call the ChangeServiceConfig or ChangeServiceConfig2 function to change the service configuration. |
| Service query statistics | This permission is required to call the QueryServiceStatusEx function to ask the service control manager about the status of the service. |
| Service enumeration dependents | This permission is required to call the EnumDependentServices function to enumerate all the services dependent on the service. |
| Service start | This permission is required to call the StartService function to start the service. |
| Service stop | This permission is required to call the ControlService function to stop the service. |
| Service pause | This permission is required to call the ControlService function to pause or continue the service. |
| Service interrogate | This permission is required to call the ControlService function to ask the service to report its status immediately. |
| Service user-defined | This permission is required to call the ControlService function to specify a user-defined control code. |
Services
This is used to collect different metadata associated with a windows service.
| Child Elements | Description |
| Service name | This element specifies the name of a service in the service control manager database. |
| Service display name | This element specifies the service’s display name. The display name is same as it appears in the Windows Services control panel utility. |
| Service status | This element specifies the current status of the service. |
| Service start type | This element specifies a value that indicates how the service starts. |
| Service dependency | This element specifies the dependent services names. |
| Service description | This element specifies the service description. |
Shared Resources
This is used to collect different metadata associated with a windows service.
| Child Elements | Description |
| Netname | The share name of the resource. |
| Shared type | The type of the shared resource. |
| Maximum uses | The maximum number of concurrent connections that the shared resource can accommodate. |
| Current uses | The number of current connections to the shared resource. |
| Local path | The local path for the shared resource. |
| Access read permission | Permission to read data from a resource and, by default, to execute the resource. |
| Access write permission | Permission to write data to the resource. |
| Access create permission | Permission to create an instance of the resource (such as a file); data can be written to the resource as the resource is created. |
| Access execute Permission | Permission to execute the resource. |
| Access delete permission | Permission to delete the resource. |
| Access attribute permission | Permission to modify the resource’s attributes (such as the date and time when a file was last modified). |
| Access permanent permission | Permission to modify the permissions (read, write, create, execute, and delete) assigned to a resource for a user or application. |
| Access all permissions | Permission to read, write, create, execute, and delete resources, and to modify their attributes and permissions. |
sharedresourceauditedpermissions
This is used to collect different metadata associated with a windows service.
| Child Elements | Description |
| Netname | This entity specifies the name associated with a particular shared resource. |
| Trustee SID | This entity specifies the SID that associated a user, group, system, or program (such as a Windows service). |
| Standard delete | The right to delete the object. |
| Standard read control | The right to read the information in the object’s security descriptor, not including the information in the SACL. |
| Standard write DAC | The right to modify the DACL in the object’s security descriptor. |
| Standard write owner | The right to change the owner in the object’s security descriptor. |
| Standard synchronize | The right to use the object for synchronization. This enables a thread to wait until the object is in the signalled state. Some object types do not support this access right. |
| Access system security | Indicates access to a system access control list (SACL). |
| Generic read | Read access. |
| Generic write | Write access. |
| Generic execute | Execute access. |
| Generic all | Read, write, and execute access. |
Shared resource effective rights
This is used to collect different metadata associated with a windows service.
| Child Elements | Description |
| Netname | This entity specifies the name associated with a particular shared resource. |
| Trustee SID | This entity specifies the SID that associated a user, group, system, or program (such as a Windows service). |
| Standard delete | The right to delete the object. |
| Standard read control | The right to read the information in the object’s security descriptor, not including the information in the SACL. |
| Standard write DAC | The right to modify the DACL in the object’s security descriptor. |
| Standard write owner | The right to change the owner in the object’s security descriptor. |
| Standard synchronize | The right to use the object for synchronization. This enables a thread to wait until the object is in the signalled state. Some object types do not support this access right. |
| Access system security | Indicates access to a system access control list (SACL). |
| Generic read | Read access. |
| Generic write | Write access. |
| Generic execute | Execute access. |
| Generic all | Read, write, and execute access. |
SID
This is used to check properties associated with any shared resource on the system.
| Child Elements | Description |
| Trustee name | This element specifies the trustee name associated with a particular SID. In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: “domain\trustee name”. For local trustee names use: “computer name\trustee name”. For built-in accounts on the system, use the trustee name without a domain. |
| Trustee SID | The security identifier (SID) of the specified trustee name. |
| Trustee domain | The domain of the specified trustee name. |
SID SID
This is used to check properties associated with any shared resource on the system.
| Child Elements | Description |
| Trustee domain | The domain of the specified trustee name. |
| Trustee name | This element specifies the trustee name associated with a particular SID. In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: “domain\trustee name”. For local trustee names use: “computer name\trustee name”. For built-in accounts on the system, use the trustee name without a domain. |
| Trustee SID | The security identifier (SID) of the specified trustee name. |
System Autorun
This is used to collect information about startup applications.
| Child Elements | Description |
| Application name | This element specifies the file name of the startup command. |
| Caption | This element specifies the short description of the startup command. |
| Command | This element specifies the command run by the startup command. |
| Description | This element specifies description of the startup command. |
| Location | This element specifies the path where the startup command resides on the disk file system. |
| User | This element specifies the user name for whom this startup command will run. |
System DEP Policy
This is used to collect information about system Data Execution Prevention (DEP) status.
| Child Elements | Description |
| DEP Policy | This element specifies the DEP policy status on the system. |
System DHCP Information
This is used to collect system Dynamic Host Configuration Protocol (DHCP) information.
| Child Elements | Description |
| DHCP enabled | This element specifies the value that specifies whether the dynamic host configuration protocol (DHCP) is enabled for this adapter. |
| DHCP Server IP | This element specifies the address of the DHCP server for this adapter. |
| Lease obtained time | This element specifies the time when the current DHCP lease was obtained. |
| Lease expire time | This element specifies the time when the current DHCP lease expires. |
| IP mask | This element specifies the list of ip addresses associated with this adapter. |
| Gateway IP | This element specifies the ip address of the gateway for this adapter. |
| Description | This element specifies an ANSI character string that contains the description of the adapter. |
| MAC Address | This element specifies the hardware address for the adapter. |
| Type | This element specifies the adapter type. |
System DNS Information
This is used to collect domain name and domain name system ip information.
| Child Elements | Description |
| Domain name | This element specifies the domain in which the local computer is registered. |
| DNS server IP | This element specifies the list of dns server ip address used by the local computer. |
System UAC Policy
This is used to collect information about system User Account Control (UAC) status.
| Child Elements | Description |
| System UAC Policy | This element specifies the UAC policy status on the system. |
Text File Content
This element looks at the content of a text file (aka a configuration file) by looking at in idual lines. File path, pattern and instance are mandatory for this query while submitting to agents.
| Child Elements | Description |
| File path* | This element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath. |
| Pattern/Text* | This entity represents a block of text or regular expression that is used to define a block of text. Subexpression notation (parenthesis) is used to call out a value(s) to test against. For example, the pattern abc(.*)xyz would look for a block of text in the file that starts with abc and ends with xyz, with the subexpression being all the characters that exist in between. Note that If pattern can match more than one block of text starting at the same point, then it matches the longest. Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later. |
| Instance* | The instance entity calls out which match of the pattern is being represented by this item. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. The main purpose of this entity is too provide uniqueness for different items that results from multiple matches of a given pattern against the same file. |
| Sub-expression | The subexpression entity represents the value of a subexpression in the specified pattern. If multiple subexpressions are specified in the pattern, then multiple entities are presented. Note that this in OVAL definition schema only allows a single subexpression entity. This means that this will check that all (or at least one, none, etc.) the subexpressions pass the same check. This means that the order of multiple subexpression entities in the item does not matter. |
| Windows view | The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64-bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems. |
User SID
This allows collection of different groups (identified by SID) that a user belongs to.
| Child Elements | Description |
| User SID | A string the represents the SID of a particular user. |
| Enabled | A boolean that represents whether the particular user is enabled or not. |
| Group SID | A string that represents the SID of a particular group. If specified user belongs to more than one group, then multiple Group SID elements should exist. If specified user is not a member of a single group, then a single Group SID element should exist with a status of ‘does not exist’. Ifre is an error determining the groups that the user belongs to, then a single Group SID element should be included with a status of ‘error’. |
WMI
The wmi57 outlines information to be checked through Microsoft’s WMI interface. Namespace and Windows Query Language(WQL) are mandatory fields while submitting to agents.
| Child Elements | Description |
| Namespace* | The WMI namespaces of the specific object. |
| Windows Query Language(WQL)* | A WQL query used to identify the object(s) specified. Any valid WQL query is allowed with one exception, all fields must be named. For example SELECT name, age FROM … is valid, but SELECT * FROM … is not valid. This is because the record entity supports only named fields. |
| Result | This entity holds the results of the specified WQL statement. |
WSUS SCCM Information
This is used to collect configuration details about Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM).
| Child Elements | Description |
| User Windows update server | The UseWUServer element if set to 1 specifies to use wsus server settings. |
| No auto update | This element specifies enable/disable automatic updates. |
| Auto update options | This element specifies how to download and notify updates. |
| Windows update server | This element specifies URL of the WSUS server used by Automatic Updates. |
| Windows update status server | This element specifies HTTP(S) URL of the server to which reporting information will be sent for client computers that use the WSUS server configured by the WUServer key |
WUA Update Searcher
This outlines information defined through the Search method of the IUpdateSearcher interface as part of Microsoft’s WUA (Windows Update Agent) API. This information is related to the current patch level in a Windows environment. Search criteria is a mandatory field while submitting query to agents.
| Child Elements | Description |
| Search criteria* | This entity specifies a search criteria to use when generating a search result. The string used for the search criteria entity must match the custom search language for Search method of the IUpdateSearcher interface. The string consists of criteria that are evaluated to determine which updates to return. The Search method performs a synchronous search for updates by using the current configured search options. For more information about possible search criteria, please see the Search method of the IUpdateSearcher interface. |
| Update ID | This entity specifies a string that represents a revision-independent identifier of an update. This information is part of the IUpdateIdentity interface that is part of the result of the IUpdateSearcher interface’s Search method. Note that multiple update identifiers can be associated with a give search criteria and thus multiple entities can exist for this item. |
Volume
The volume item enumerates various attributes about a particular volume mounted to a machine. This includes the various system flags returned by GetVolumeInformation(). It is important to note that these system flags are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information.
| Child Elements | Description |
| Root path | A string that contains the root directory of the volume to be described. A trailing backslash is required. For example, you would specify \\MyServer\MyShare as “\\MyServer\MyShare\”, or the C drive as “C:\”. |
| File system | The type of filesystem. For example FAT or NTFS. |
| Name | The name of the volume. |
| Drive type | The drive type of the volume. |
| Volume Maximum Compoment Length | This element specifies the maximum length, in TCHARs, of a file name component that a specified file system supports. A file name component is the portion of a file name between backslashes. The value that is stored in the variable that *lpMaximumComponentLength points to is used to indicate that a specified file system supports long names. For example, for a FAT file system that supports long names, the function stores the value 255, rather than the previous 8.3 indicator. Long names can also be supported on systems that use the NTFS file system. |
| Serial number | The volume serial number. |
| Case sensitive search | The file system supports case-sensitive file names. |
| Case preserved names | The file system preserves the case of file names when it places a name on disk. |
| Unicode on disk | The file system supports Unicode in file names as they appear on disk. |
| Persistent ACLs | The file system preserves and enforces ACLs. For example, NTFS preserves and enforces ACLs, and FAT does not. |
| File compression | The file system supports file-based compression. |
| Volume quota | The file system supports disk quotas. |
| Supports sparse files | The file system supports sparse files. |
| Supports reparse points | The file system supports reparse points. |
| Supports remote storage | The specified volume is a compressed volume; for example, a DoubleSpace volume. |
| Is volume compressed? | The specified volume is a compressed volume; for example, a DoubleSpace volume. |
| Supports object IDs | The file system supports object identifiers. |
| Supports encryption | The file system supports the Encrypted File System (EFS). |
| Named streams | The file system supports named streams. |
| File read-only volumes | The specified volume is read-only. |
| File sequential write once | The file system supports one time writes in sequential order. |
| File supports transactions | The file system supports transaction processing. |
| File supports hard links | The file system supports direct links to other devices and partitions. |
| File supports extended attributes | The file system supports extended attributes. |
| File supports open by file ID | The file system supports fileID. |
| File supports usn journal | The file system supports update sequence number journals. |
Wireless Information
This is used to collect various information about wireless connection (WLAN).
| Child Elements | Description |
| WLAN Interface GUID | This element holds a string that represents the GUID of an wireless interface. |
| WLAN Interface description | This element specifies the wireless interface description. |
| WLAN Interface state | This element specifies the state of the wireless interface |
| WLAN Connection Mode | This element specifies the mode of connection. |
| WLAN Profile name | This element specifies the profile name associated with the network. If network does not have a profile, this member will be empty. If multiple profiles are associated with the network, there will be multiple entries with the same SSID in the visible network list. |
| WLAN SSID | This element specifies the contains the SSID of the association. |
| WLAN BSS Network type | This element specifies whether the network is infrastructure or ad hoc. |
| WLAN MAC address | This element specifies physical hardware address wireless interface. |
| WLAN Physical network type | The WLAN Physical network type element indicates the physical type of the association. |
| WLAN Physical index | This element specifies the list of PHY types. |
| WLAN Signal quality | This element specifies a percentage value that represents the signal quality of the network. |
| WLAN Receiving rate | This element specifies the receiving rate of the association. |
| WLAN Transmission rate | This element specifies the transmission rate of the association. |
| WLAN Security enabled | This element specifies whether security is enabled on the network. A value of TRUE indicates that security is enabled, otherwise it is not. |
| WLAN 802.11 enabled | This element specifies whether 802.1X is enabled for this connection. |
| WLAN Authentication algorithm | This element specifies currently used authentication algorithm. |
| WLAN Cipher algorithm | This element specifies currently used cipher algorithm. |
User
This is used to check information about Windows users. When this collects the users on the system, it only includes the local and built-in user accounts and not domain user accounts. However, it is important to note that domain user accounts can still be looked up. Also, note that the collection of groups, for which a user is a member, is not recursive. The groups that will be collected are those for which the user is a direct member. For example, if a user is a member of group A, and group A is a member of group B, the only group that will be collected is group A.
| Child Elements | Description |
| Enabled | This element holds a boolean value that specifies whether the particular user account is enabled or not. |
| Group | A string that represents the name of a particular group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, groups should be identified in the form: “domain\group name”. For local groups use: “computer name\group name”. For built-in accounts on the system, use the group name without a domain.The group element can be included multiple times in a system characteristic item in order to record that a user can be a member of a number of different groups. |
| Last logon | The date and time when the last logon occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, GMT. |
| User | This entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: “domain\user name”. For local users use: “computer name\user name”. For built-in accounts on the system, use the user name without a domain. |
| Domain logon | The Domain logon holds a string that represents the name of a particular domain user. |
| Is elevated? | The iselevated holds a string that represents the user name should have admin rights. |
User SID
This is used to check information about Windows users. When this check collects the user SIDs on the system, it should only include the local and built-in user SIDs and not domain user SIDs. However, it is important to note that domain user SIDs can still be looked up. Also, note that the collection of groups, for which a user is a member, is not recursive. The only groups that will be collected are those for which the user is a direct member. For example, if a user is a member of group A, and group A is a member of group B, the only group that will be collected is group A.
| Child Elements | Description |
| Enabled | This element holds a boolean value that specifies whether the particular user account is enabled or not. |
| Group SID | A string the represents the SID of a particular group. The Group SID element can be included multiple times in a system characteristic item in order to record that a user can be a member of a number of different groups. |
| Last Logon | The date and time when the last logon occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, GMT. |
| Name | This entity indicates the name of the user. |
| User SID | This entity holds a string that represents the SID of a particular user. |
License
The entity is used to check the content of a particular entry in the Windows registry HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions key, ProductPolicy value. Access to this data is exposed by the functions NtQueryLicenseValue (and also, in version 6.0 and higher, ZwQueryLicenseValue) in NTDLL.DLL. Name is a mandatory field while submitting to agents.
| Child Elements | Description |
| name* | The name of the license. |
| type | This entity provides the type of data that is expected: REG_SZ (0x01) for a string; REG_BINARY (0x03) for binary data; REG_DWORD (0x04) for a DWORD. |
| value | attribute should be set to ‘binary’ and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If the value being checked is of type REG_DWORD, then the datatype attribute should be set to ‘int’ and the value entity should represent the data as an integer. If the specified registry key is of type REG_SZ, then the datatype should be ‘string’ and the value entity should be a copy of the string. |
NTUser
This element defines the different metadata associated with a ntuser.dat file. This includes the key, name, type, and value. Key and name are mandatory fields while submitting to agents.
| Child Elements | Description |
| Account type | The account_type element describes if the user account is a local account or domain account. |
| date_modified | Time of last modification of file. The integer should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). |
| Days since modified | The number of days since the ntuser.dat file was last modified. The value should be rounded up to the next whole integer. |
| Enabled | The enabled element describes if the user account is enabled or disabled. |
| File path | This element describes the file path of the ntuser.dat file. |
| Key* | This element describes a registry key normally found in the HKCU hive to be tested. |
| Last write time | The last time that the key or any of its value entries was modified. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). Last write time can be queried on a key or name. When collecting only information about a registry key the last write time will be the time the key or any of its entities was written to. When collecting only information about a registry name the last write time will be the time the name was written to. See the RegQueryInfoKey function lpftLastWriteTime. Data appears in timestamp format such as 1520409600. |
| Logged on | The logged_on element describes if the user account is currently logged on to the computer. |
| Name* | This element describes the name of a value of a registry key. |
| SID | This element holds a string that represents the SID of a particular user. |
| Username | This entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. In a domain environment, users should be identified in the form: “domain\user name”. For local users use: “computer name\user name”. |
| Type | This entity allows a test to be written against the registry type associated with the specified registry key(s). |
| Value | The entity specifies value of the registry key. |
System Metric
This is used to check the value of a particular Windows system metric. Access to this information is exposed by the GetSystemMetrics function in User32.dll.
| Child Elements | Description |
| Index | This entity corresponds to the index entity. |
| Value | This entity provides the value of the system metric. |
User right
This entity is used to enumerate all of the trustees/SIDs that have been granted a specific user right/privilege.
| Child Elements | Description |
| Trustee name | This entity is the unique name associated with the SID that has been granted the specified user right/privilege. A trustee can be associated with a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. In a domain environment, trustee names should be identified in the form: “domain\trustee name”. For local trustee names use: “computer name\trustee name”. For built-in accounts on the system, use the trustee name without a domain. |
| Trustee SID | This entity identifies the SID that has been granted the specified user right/privilege. |
| User right | This entity holds a string that represents the name of a particular user right/privilege. |
Junction
This used to obtain canonical path information for junctions (reparse points) on Windows filesystems. Path is a mandatory filed while submitting to agents.
| Child Elements | Description |
| Path* | This specifies the path. |
| Canonical path | This specifies the canonical path for the target of a Windows junction specified by the path. |
| Windows view | This is used to indicate which view (32-bit or 64-bit), the associated path applies to. |
PE Header
This defines the different metadata associated with the header of a PE file. For more information, please see the documentation for the IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER structures. File path is a mandatory field while submitting to agents.
| Child Elements | Description |
| Address of entry point | This entity is an unsigned 32-bit integer (DWORD) that specifies the address where the loader will begin execution. |
| Base of code | This entity is an unsigned 32-bit integer (DWORD) that specifies the relative virtual address where the file’s code section begins. |
| Base of data | This entity is an unsigned 32-bit integer (DWORD) that specifies the relative virtual address where the file’s data section begins. |
| Checksum | This entity is an unsigned 32-bit integer (DWORD) that specifies the checksum of the image file. |
| DLL characteristics | This entity is an unsigned 32-bit integer (DWORD) that specifies the set of flags indicating the circumstances under which a DLL’s initialization function will be called. |
| File path* | This element specifies the absolute path for a PE file on the machine. A directory cannot be specified as a file path. |
| Header signature | This entity is the signature of the header. |
| Number of sections | This entity is an unsigned 16-bit integer (WORD) that specifies the number of sections in the file. |
| Number of symbols | This entity is an unsigned 32-bit integer (DWORD) that specifies the number of symbols in the COFF symbol table. |
| Pointer to symbol table | This entity is an unsigned 32-bit integer (DWORD) that specifies the file offset of the COFF symbol table. |
| Target machine type | This entity is an unsigned 16-bit integer (WORD) that specifies the target architecture that the file is intended for. |
| Time date stamp | This entity is an unsigned 32-bit integer (DWORD) that specifies the time that the linker produced the file. The value is represented as the number of seconds since January 1, 1970, 00:00:00. |
| Size of optional header | This entity is an unsigned 32-bit integer (DWORD) that specifies the size of an optional header in bytes. |
| Image file aggressive working set trim | This entity is a boolean value that specifies that the working set should be aggressively trimmed. |
| Image file debug stripped | This entity is a boolean value that specifies that the debugging information is stored separately in a .dbg file. |
| Image file executable image | This entity is a boolean value that specifies if the file is executable. |
| Image file large address aware | This entity is a boolean value that specifies that the application can handle addresses larger than 2GB. |
| Image file local symbols stripped | This entity is a boolean value that specifies if the local symbols are stripped from the file. |
| Image file line numbers stripped | This entity is a boolean value that specifies if the line numbers are stripped from the file. |
| Image file 16bit machine | This entity is a boolean value that specifies that the computer supports 16-bit words. |
| Image file 32bit machine | This entity is a boolean value that specifies that the computer supports 32-bit words. |
| Image file bytes reversed low | This entity is a boolean value that specifies that the bytes of the word are reversed. |
| Image file dll | This entity is a boolean value that specifies that the image is a DLL. |
| Image file relocs stripped | This entity is a boolean value that specifies if the relocation information is stripped from the file. |
| Image file removable run from swap | This entity is a boolean value that specifies that the image is on removable media, copy and run from the swap file. |
| Image file system | This entity is a boolean value that specifies that the image is a system file. |
| Image file up system only | This entity is a boolean value that specifies that the file should only be run on a uniprocessor computer. |
| Image file dll | This entity is a boolean value that specifies that the image is a DLL. |
| Image file up system only | This entity is a boolean value that specifies that the file should only be run on a uniprocessor computer. |
| Image file bytes reversed high | This entity is a boolean value that specifies that the bytes of the word are reversed. |
| Magic number | This entity is an unsigned 16-bit integer (WORD) that specifies the state of the image file. |
| Major linker version | This entity is a BYTE that specifies the major version of the linker that produced the file. |
| Minor linker version | This entity is a BYTE that specifies the minor version of the linker that produced the file. |
| Image base address | This entity is an unsigned 32-bit integer (DWORD) that specifies the preferred address of the first byte of the image when it is loaded into memory. |
| Section alignment | This entity is an unsigned 32-bit integer (DWORD) that specifies the alignment of the sections loaded into memory. |
| File alignment | This entity is an unsigned 32-bit integer (DWORD) that specifies the alignment of the raw data of sections in the image file. |
| Loader flags | This entity is an unsigned 32-bit integer (DWORD) that specifies the loader flags of the header. |
| Major operating system version | This entity is an unsigned 16-bit integer (WORD) that specifies the major version of the operating system required to use this executable. |
| Minor operating system version | This entity is an unsigned 16-bit integer (WORD) that specifies the minor version of the operating system required to use this executable. |
| Major image version | This entity is an unsigned 16-bit integer (WORD) that specifies the major version number of the image. |
| Minor image version | This entity is an unsigned 32-bit integer (DWORD) that specifies the minor version number of the image. |
| Major subsystem version | This entity is an unsigned 16-bit integer (WORD) that specifies the major version of the subsystem required to run the executable. |
| Minor subsystem version | This entity is an unsigned 16-bit integer (WORD) that specifies the minor version of the subsystem required to run the executable. |
| Number of RVA and sizes | This entity is an unsigned 32-bit integer (DWORD) that specifies the number of directory entries in the remainder of the optional header. |
| Real number of directory entries | This entity is the real number of data directory entries in the remainder of the optional header calculated by enumerating the directory entries. |
| Size of code | This entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the code sections (in bytes). |
| Size of headers | This entity is an unsigned 32-bit integer (DWORD) that specifies the total combined size of the MS-DOS stub, PE header, and the section headers (in bytes). |
| Size of heap reserve | This entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to reserve for the local heap. |
| Size of heap commit | This entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to commit for the local heap. |
| Size of image | This entity is an unsigned 32-bit integer (DWORD) that specifies the total size of the image including all of the headers (in bytes). |
| Size of initialized data | This entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the sections that are composed of initialized data (in bytes). |
| Size of stack commit | This entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to commit for the stack. |
| Size of stack reserve | This entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to reserve for the stack. |
| Size of uninitialized data | This entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the sections that are composed of uninitialized data (in bytes). |
| Subsystem | This entity is an unsigned 32-bit integer (DWORD) that specifies the type of subsystem that the executable uses for its user interface. |
| Windows view | The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. |
User Access Control(UAC)
This element specifies the different settings that are available under User Access Control. A user access control test will reference a specific instance of this state that defines the exact settings that need to be evaluated.
| Child Elements | Description |
| Admin approval mode | Admin Approval Mode for the Built-in Administrator account. |
| Detect installations | Detect application installations and prompt for elevation. |
| Elevation prompt admin | Behavior of the elevation prompt for administrators in Admin Approval Mode. |
| Elevation prompt standard | Behavior of the elevation prompt for standard users. |
| Elevate signed executables | Only elevate executables that are signed and validated. |
| Elevate UI access | Only elevate UIAccess applications that are installed in secure locations. |
| Run admins AAM | Run all administrators in Admin Approval Mode. |
| Secure desktop | Switch to the secure desktop when prompting for elevation. |
| Virtualize write failures | Virtualize file and registry write failures to per-user locations. |
XML File Content
This element is used by a xml file content test to define the specific piece of an xml file(s) to be evaluated. This will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. The set of files to be evaluated will be identified with a complete File path. File path and XPath are mandatory fields while submitting to agents.
| Child Elements | Description |
| File path* | This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path. |
| XPath* | Specifies an XPath 1.0 expression to evaluate against the XML file specified by the filename entity. This XPath 1.0 expression must evaluate to a list of zero or more text values which will be accessible in OVAL via instances of the value_of entity. Any results from evaluating the XPath 1.0 expression other than a list of text strings (e.g., a nodes set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute. However, an OVAL interpreter is not required to verify this, so the author should define the XPath expression carefully. Note that “equals” is the only valid operator for the xpath entity. |
| Value of | This element checks the value(s) of the text node(s) or attribute(s) found. |
| Windows view | The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems. |
Software Licenses
This is used to collect information of Software Licenses. It includes software name and license information.
| Child Elements | Description |
| Software family | This element specifies the family of the software application. |
| Software name | This element specifies the name of the software application. |
| Software license | This element specifies the license serial number of the software application. |
| Software version | This element specifies the version of the software application. |
Partition
This is used to check the information associated with partitions on the local system.
| Child Elements | Description |
| Disk name | This element represents the drive letter or disk name. |
| Disk description | This element specifies the description associated with the disk. |
| Disk type | This element specified the type of disk. For example, Local Disk. |
| Volume name | This element specifies the name associated with the volume. |
| Space left | This element contains an integer that represents the number of blocks left on a partition (in bytes). |
| Space used | This element contains an integer that represents the number of blocks used on a partition (in bytes). |
| Total space | This element contains an integer that represents the total number of blocks on a partition (in bytes). |
Missing Patches
This is used to investigate missing patches and security fixes in a computer system.
| Child Elements | Description |
| Patch description | This element describes a patch. |
| Patch ID | A unique identification number associated with a patch. |
| Patch name | This element specifies the patch name. |
| Patch rollback available | This element specifies if rollback is possible for this patch. Possible values are TRUE or FALSE. An empty value appears if it cannot be determined. |
| Patch severity | This element specifies severity of a patch. Possible values: Important, Critical, etc. An empty value appears if it cannot be determined. |
| Patch size | This element specifies size of a patch. Values are specified in bytes. A value UNKNOWN appears if patch size cannot be determined. |
| Reboot required | This element specifies if reboot is required after patch installation. Passible values are TRUE or FALSE. |
| Platform CPE | This element specifies platform CPE ID associated with the patch. |
| Product CPE | This element specifies product CPE ID associated with the patch. Note: This value is empty when a patch is associated with an operating system. |
Linux Probes
| Child Elements | Description |
| Child Elements | Description |
ARP Cache
This is used to collect various information about address resolution protocol(ARP) cache table. It includes host IP address, mac address, interface name from ARP cache table.
| Child Elements | Description |
| Host IP | This element specifies host IP address. |
| Network Interfaces | This element specifies device interface. |
| MAC address | This element specifies physical hardware address of the adapter for the network interface associated with this IP address. |
| Permanent | This element specifies if an ARP entry is permanent or not. |
BIOS Information
This is used to collect various information about BIOS (basic input/output system). It includes bios name, version, manufacture, serial number, smbios version, and bios status.
| Child Elements | Description |
| BIOS Manufacture | This element specifies manufacturer of this software element. This value comes from the vendor of the BIOS Information structure in the SMBIOS information. |
| BIOS Name | This element used to identify the software element. |
| BIOS Serial Number | This element specifies serial number of the software element. |
| System Management BIOS Version | This element specifies BIOS version as reported by SMBIOS. This value comes from the version of the BIOS information structure in the SMBIOS information. |
| BIOS Status | This element specifies current status of BIOS. Various operational and non-operational status can be defined. |
| BIOS Version | This element specifies version of the BIOS. This string is created by the BIOS manufacturer. |
Anti-virus information
This is used to collect information about an installed Antivirus applications.
| Child Elements | Description |
| Antivirus name | This element specifies a display name of a installed antivirus product. |
| Antivirus evr | This represents the epoch, version, and release fields as a single version string. It has the form “EPOCH:VERSION-RELEASE”. |
| Antivirus epoch | Restriction of oval-def:EntityStateAnySimpleType. See schema for details. |
| Antivirus release | Restriction of oval-def:EntityStateAnySimpleType. See schema for details. |
| Antivirus version | This element specifies version of a installed antivirus product. |
Computer Information
This is used to collect various information about computer system. It includes CPU, RAM, ROM, swap memory, virtual memory, disk, operating system, cache size, host name, model name, serial name etc.
| Child Elements | Description |
| Address Sizes | This element specifies the CPU address size info. |
| Buffers | This element specifies the amount of RAM, in kilobytes, used for file buffers. |
| Cache size | This element specifies the size of the total processor cache (in bytes). A cache is an external memory area that has a faster access time than the main RAM memory. |
| CPU | This element specifies name of the processor. |
| CPU Speed | This element specifies speed of the processor in megahertz. |
| CPU Architecture | This element specifies processor architecture used by the platform. |
| CPU cores | This element specifies number of cores. |
| CPU family | This element specifies authoritatively identifies the type of processor in the system. |
| CPU usage | This element specified CPU usage in percentage. |
| Disk model | This element specifies the disk model name – a one-line string. |
| Disk name | This element specifies the short description of the disk drive – a one-line string. |
| Disk removable device | This element specifies the disk is removable or not. |
| Disk size | This element specifies the total size of the disk drive (in bytes). |
| Free RAM | This element specifies system free memory size in bytes. |
| Host name | This element specifies the label that is assigned to a computer. |
| Model name | This element specifies the CPU model info. |
| Network total bytes received | This element represents the number of bytes received. |
| Network total bytes transmitted | This element represents the number of bytes transmitted. |
| Network total bytes(received/transmitted) | This element represents the total number of bytes received and transmitted. |
| Operating system architecture | This element specifies the architecture of the operating system. |
| Operating system name | This element specifies the name of the operating system. |
| Operating system release | This element specifies the release version of the operating system. |
| Operating system version | This element specifies the version of the operating system. |
| RAM used | This element specifies used system memory size in bytes. |
| Total RAM | This element specifies system total memory size in bytes. |
| ROM model | This element specifies the rom model name – a one-line string. |
| ROM name | This element specifies the short description of the rom – a one-line string. |
| ROM removable device | This element specifies the rom is removable or not. |
| ROM size | This element specifies the size of the rom. |
| Serial number | This element specifies the BIOS serial number. |
| Shared memory | This element specifies system shared memory size in bytes. |
| Free swap size | This element specifies system free swap size in bytes. |
| Total swap size | This element specifies system total swap size in bytes. |
| System name | This element specifies system name. |
| System product name | This element specifies the system hardware name. |
| System time synchronization status | This element specified if system time is synchronised with server using Network Time Protocol(NTP). Value is either true or false |
| System uptime | This element specifies the time elapsed since the system was started. |
| Timezone name | This element specifies the timezone such as Asia/Kolkata. |
| Total virtual memory allocated | This element specifies system total virtual memory size in bytes. |
Cron
This is used to collect various information about cron jobs. It includes user name, scheduled job and command.
| Child Elements | Description |
| Scheduled | This element specifies the scheduled time for a particular cron job. |
| Scheduled command | This element indicates command to be executed at scheduled time. |
| User name | This element specifies the username for which cron job is scheduled. |
Device information
This is used to collect information about installed devices on the system. It includes device name, driver, subsystem, device path, class and subclass.
| Child Elements | Description |
| Device class | This element describes a type of device |
| Device driver | This element specifies driver used by the device. |
| Device manufacture | This element specifies manufacturer of the device. |
| Device name | This element specifies the device name. |
| Device path | This element specifies the logical path within the device node |
| Device subclass | This element specifies the support of the class |
| Device subsystem | This element retrieves the subsystem of the device. |
DPKG Information
This is used to check information of a DPKG package.
| Child Elements | Description |
| Architecture | This is the architecture for which the package was built, like : i386, ppc, sparc, noarch. |
| Epoch | Restriction of oval-def:EntityStateAnySimpleType. See schema for details. |
| EVR | This represents the epoch, version, and release fields as a single version string. It has the form “EPOCH:VERSION-RELEASE”. |
| Name | This is the DPKG package name to check. |
| Release | Restriction of oval-def:EntityStateAnySimpleType. See schema for details. |
| Version | Restriction of oval-def:EntityStateAnySimpleType. See schema for details. |
Environment Variables
This is used to collect system environment variable information. It includes environment variable name, value and process id.
| Child Elements | Description |
| Name | This element specifies name of the environment variable |
| Process ID(PID) | This element specifies pid of a process |
| Value | This element specifies value of the environment variable |
Hosts File(/etc/hosts)
This used to collect various information about hosts from /etc/hosts. It includes host IP address and host name.
| Child Elements | Description |
| Host IP | This element specifies host IP address. |
| Host name | This element specifies the label that is assigned to a computer. |
Protocols File(/etc/protocols)
This is used to collect various information about protocol from /etc/protocols. It includes protocol name, protocol number and protocol aliases.
| Child Elements | Description |
| Protocol aliases | This element specifies the aliases for the protocol. |
| Protocol name | This element specifies the native name for the protocol. |
| Protocol number | This element specifies the official number for the protocol. |
Services File(/etc/services)
This is used to collect various information about service from /etc/services. It includes service name, service port, service protocol and service aliases.
| Child Elements | Description |
| Service aliases | This element specifies alternative names for the same service. |
| Service name | This element specifies the service name. |
| Service port | This element specifies port the service is offered on. |
| Service protocol | This element specifies, which transport protocol is used. |
Family of Operating System
This is used to collect operating system family standard values being windows, unix or macos(Mac OS).
| Child Elements | Description |
| family of operating system | This element specifies operating system family. |
File
This is used to check metadata associated with files. File path is mandatory for this query while submitting to agents.
| Child Elements | Description |
| Access time | This element specifies access time of a file. |
| Creation time | This element specifies creation time of a file (in timestamp format). |
| File md5 sum | This element specifies md5 sum of a file. |
| File name | This element specifies name of the file on the machine. |
| File path* | This element specifies the location of the file. |
| Group execute | This element specifies the group execution permission of a file. |
| Group read | This element specifies the group read permission of a file. |
| Group ID | This element specifies the group ID for a file. |
| Group write | This element specifies the group write permission of a file. |
| Has extended ACL | This element specifies the access control list existences for a file. |
| Modified time | This element specifies the modified time of a file. |
| Others execute | This element specifies the execute permission of a file for other users. |
| Others read | This element specifies the read permission of a file for other users. |
| Others write | This element specifies the write permission of a file for other users. |
| Set group User ID | This element specifies the group user id. |
| Size | This element specifies the size of a file (in bytes). |
| Sticky bit | This element specifies the sticky bit of a file. |
| Owner User ID | This element specifies the owners user id. |
| Type | This element specifies the type of the file. |
| User execute | This element specifies the user execute permission. |
| User read | This element specifies the user read permission. |
| User ID | This element specifies the user id of a file. |
| User write | This element specifies the user write permission of a file. |
Group
This is used to collect various information about the groups. It includes group name and group id.
| Child Elements | Description |
| Group | This element specifies the group name. |
| Group ID | This element specifies the group id. |
Interface Listeners
This is used to check what applications such as packet sniffers that are bound to an interface on the system. This is limited to applications that are listening on AF_PACKET sockets. Furthermore, only applications bound to an ethernet interface should be collected.
| Child Elements | Description |
| Hardware address | This is the hardware address associated with the interface. |
| Interface name | This is the name of the interface (eth0, eth1, fw0, etc.). |
| Process ID (PID) | The pid is the process ID of a specific process |
| Program name | This is the name of the communicating program. |
| Protocol | This is the physical layer protocol used by the AF_PACKET socket. |
| User ID | The numeric user id, or UID, is the third column of each user’s entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program. |
Inet-Listening Servers (Deprecated)
This is used to collect various information about listening ports. It includes protocol name, local ip address, local port, program name, foreign address, foreign port, process id and user id.
| Child Elements | Description |
| Foreign address | This element specifies foreign ip address, which is connected to listening server. |
| Foreign full address | This element specifies foreign ip address including port, which is connected to listening server. |
| Foreign port | This element specifies foreign port, which is connected to listening server |
| Local address | This element specifies local ip address on which server is listening |
| Local full address | This element specifies full ip address including port on which server is listening. |
| Local port | This element specifies local port on which server is listening. |
| Process ID (PID) | This element specifies the pid of a listening server program. |
| Program name | This element specifies the name of a listening server program. |
| Protocol | This element specifies the name for the protocol used by listening server. |
| User ID | This element specifies the name of a listening server program. |
Installed Applications
This is used to collect information about installed applications on the system. It includes application name, version, release, architecture, epoch value.
| Child Elements | Description |
| Application architecture | This element specifies the architecture for which the package was built, like : i386, ppc, sparc, noarch. |
| Application name | This element specifies the installed package name. |
| Application release | This element specifies the release number of the build, changed by the vendor/builder. |
| Application version | This element specifies the version number of the build. |
| Application epoch | This element specifies the epoch value. Example: 0, 1, (none) |
| Application EVR | This element specifies the EVR(Epoch-Version-Release string). Example:0:3.13.0-73.116 |
| Application last use | This element specifies the last use date of an application. |
| Application publisher | This element specifies the application publisher information. |
Network Interfaces
The interface test enumerate various attributes about the interfaces on a system.
| Child Elements | Description |
| Broadcast address | This element specifies the broadcast address. A broadcast address is typically the IP address with the host portion set to either all zeros or all ones. Note that the IP address can be IPv4 or IPv6. |
| Flag | The flag entity represents the interface flag line, which generally contains flags like “UP” to denote an active interface, “PROMISC” to note that the interface is listening for Ethernet frames not specifically addressed to it, and others. This element can be included multiple times in a system characteristic item in order to record a multitude of flags. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like this that refer to items that can occur an unbounded number of times. |
| Hardware Address | The Hardware Address entity is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F. |
| IP address of an interface | This element specifies the IP address. Note that the IP address can be IPv4 or IPv6. If IP address is an IPv6 address, this entity will be expressed as an IPv6 address prefix using CIDR notation and the netmask entity will not be collected. |
| Name | This element specifies the name of an interface. |
| Netmask | This element specifies the subnet mask for the IP address. Note that If IP address of an interface entity contains an IPv6 address prefix, this entity will not be collected. |
| Type | This element specifies the type of interface which is limited to certain set of values. |
IP forwarding status
This is used to collect information about the IP forward settings. It includes IP forwarding status which can be either enabled or disabled.
| Child Elements | Description |
| IP forwarding status | This element specifies ip forwarding is enabled or disabled. |
IP tables rules
This is used to collect various information about IP table rules. It includes chain type, number packets matched to rule, packets size, action to be taken when rule matches (ACCEPT, DROP), pack flow direction, source ip address, destination ip address, rule desc etc.
| Child Elements | Description |
| Bytes | This element specifies aggregate size of the packets in bytes, that matched particular rule. |
| Chain type | This element specifies IP tables chain name. |
| Destination | This element specifies the destination IP address or subnet of the traffic. |
| In | This element specifies interface name from which the packet flows in. |
| Option | This element indicates IP options (Rarely used). |
| Out | This element specifies interface name from which the packet flows out. |
| Packets | This element specifies the number of packets, that matched particular rule. |
| Protocol | This element specifies protocol name for a particular rule. |
| Rule description | This element specifies the short description of the particular rule. |
| Source | This element specifies the source IP address or subnet of the traffic. |
| Target | This element specifies what should be done when packet matches the rule eg: ACCEPT. DROP etc. |
Kernel Information
This is used to collect various information about loaded kernel. It includes kernel version, kernel image path, kernel on which device/volume and kernel arguments.
| Child Elements | Description |
| Arguments | This element indicates loaded kernel kernel arguments. |
| Device | This element indicates location of the kernel on which device or volume. |
| Kernel image path | This element specified the kernel image path. |
| Kernel version | This element indicates loaded kernel kernel version. |
Kernel Modules
This is used to collect various information about modules loaded into the kernel. It includes kernel module name, kernel module depending on which module and module status.
| Child Elements | Description |
| Kernel module name | This element specifies the module name. |
| Kernel module status | This element specifies the what load state the module is in eg: Live, Loading etc. |
| Kernel module used-by | This element specifies the module name which are depending another module in order to function. |
Logged-in Users
This is used to collect various information about logged-in users. It includes user name, device tty, remote logged in host name, time when entry made, process id and record type.
| Child Elements | Description |
| Host | This element indicates hostname for remote login or kernel version for run-level messages |
| Process ID(PID) | This element indicates the PID of login process. |
| Time | This element indicates the time when entry was made. |
| tty | This element indicates device name of tty. |
| Type | This element indicates the type of record. |
| User name | This element indicates logged-in user name. |
Mount points
This is used to collect various information about mounted partitions. It includes disk filesystem name, file system type, disk size, disk space used, available disk space, disk use in terms of percentage and disk mounted path.
| Child Elements | Description |
| Disk file-system name | This element indicates filesystem name. |
| Disk mounted on | This element indicates disk mounted path. |
| Disk size | This element indicates total disk partition size (in bytes). |
| Disk space available | This element indicates available disk space (in bytes). |
| Disk space used | This element indicates used disk space (in bytes). |
| Disk use percentage | This element indicates used disk space in percentage. |
Partitions
This is used to check the information associated with partitions on the local system.
| Child Elements | Description |
| Device | This element contains a string that represents the name of the device. |
| FS type | This element contains a string that represents the type of filesystem on a partition. |
| Mount options | This element contains a string that represents the mount options associated with a partition. |
| Mount point | This element contains a string that represents the mount point of a partition on the local system. |
| Space left | This element contains an integer that represents the number of blocks left on a partition. |
| Space used | This element contains an integer that represents the number of blocks used on a partition. |
| Total space | This element contains an integer that represents the total number of blocks on a partition. |
| UUID | This element contains a string that represents the universally unique identifier associated with a partition. |
Password/User Information
This is used to collect various information about system users. It includes user name, password, user id, group id, user information, user home directory path and login shell.
| Child Elements | Description |
| GCOS(comment field) | This element indicates user information. Usually, it contains the full username. Some programs (for example, finger(1)) display information from this field. GECOS stands for “General Electric Comprehensive Operating System”,which was renamed to GCOS when GE’s large systems ision was sold to Honeywell. Dennis Ritchie has reported: “Sometimes we sent printer output or batch jobs to the GCOS machine. The gcos field in the password file was a place to stash the information for the $IDENTcard. Not elegant.” |
| Group ID | This element indicates group id of a particular group. |
| Home directory | This element specifies path to home directory of a particular user. |
| Login shell | This element specifies login shell of a particular user. |
| Password | This element indicates local user password |
| User ID | This element indicates user id of a particular user. |
| User name | This element indicates local user name. |
Port/Network Connection
Information about open ports and network connections.
| Child Elements | Description |
| Local address | This element specifies the local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6. |
| Local port | This element specifies the number assigned to the local listening port. |
| Protocol | This element specifies the type of listening port. It is restricted to either TCP or UDP. |
| Process ID(PID) | The id given to the process that is associated with the specified listening port. |
| Foreign address | This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6. |
| Foreign port | This is the TCP or UDP port to which the program communicates. |
| Process name | This element specifies the name of a listening server program. |
| Port state | This element indicates the port state. |
Process
Information about running processes.
| Child Elements | Description |
| Command line | This is the string used to start the process. It includes any parameters that are part of the command line. |
| Exec shield | This element specifies execute shield status. |
| Execution time | This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more. |
| Login UID | The loginuid shows which account a user gained access to the system with. The /proc/XXXX/loginuid shows this value. |
| Process ID(PID) | This is the process ID of the process. |
| Posix capability | An effective capability associated with the process. See linux/include/linux/capability.h for more information. |
| Parent process ID | This is the process ID of the process’s parent process. |
| Priority | This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call. |
| Process name | This is the name of the processes.td> |
| Real UID | This element specifies the real UID. |
| SE Linux domain label | An SE Linux domain label associated with the process. |
| Session ID | The session ID of the process. |
| Start time | This is the time of day the process started formatted in HH:MM:SS if the same day the process started or formatted as MMM_DD (Ex.: Feb_5) if process started the previous day or further in the past. |
| tty | This is the TTY on which the process was started, if applicable. |
| User ID | This is the effective user id which represents the actual privileges of the process. |
RPC Map Information
This is used to collect various information about rpm program from /etc/rpc. It includes remote procedure call(RPC) program name, program number and program aliases.
| Child Elements | Description |
| RPC aliases | This element specifies the aliases for the RPC program. |
| RPC program name | This element specifies the native name for the RPC program. |
| RPC program number | This element specifies the official number for the RPC program. |
RPC Network Connections
This is used to collect various information about RPC connection using rpcinfo. It includes remote procedure call(RPC) program name, program id, program version, transport protocol used, ip address and program owner.
| Child Elements | Description |
| Address | This element specifies the IP address of the RPC program. |
| Network ID | This element specifies, which transport protocol is used. |
| Owner | This element specifies an owner for the RPC program. |
| RPC program ID | This element specifies the RPC program id. |
| RPC program name | This element specifies the RPC program name. |
| RPC program version | This element specifies the RPC program version. |
RPM Information
This is used to check the RPM header information for a given RPM package.
| Child Elements | Description |
| Architecture | This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686. |
| Epoch | This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or ‘(none)’ as returned by rpm) the string ‘(none)’ should be used.. This number is not revealed by a normal query of the RPM’s information — you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q –qf ‘%{EPOCH}\n’ installed_rpm For an RPM file that has not been installed: rpm -qp –qf ‘%{EPOCH}\n’ rpm_file |
| EVR | This represents the epoch, version, and release fields as a single version string. It has the form “EPOCH:VERSION-RELEASE”. Note that a null epoch (or ‘(none)’ as returned by rpm) is equivalent to ‘0’ and would hence have the form 0:VERSION-RELEASE. Comparisons involving this datatype should follow the algorithm of librpm’s rpmvercmp() function |
| Extended name | This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form “NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE”. Note that a null epoch (or ‘(none)’ as returned by rpm) is equivalent to ‘0’ and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE. |
| Name | This is the package name to check. |
| Release | This is the release number of the build, changed by the vendor/builder. |
| Signature key ID | This field contains the 64-bit PGP key ID that the RPM issuer (generally the original operating system vendor) uses to sign the key. Note that the value should NOT contain a hyphen to separate the higher 32-bits from the lower 32-bits. It should simply be a 16 character hex string. PGP is used to verify the authenticity and integrity of the RPM being considered. Software packages and patches are signed cryptographically to allow administrators to allay concerns that the distribution mechanism has been compromised, whether that mechanism is web site, FTP server, or even a mirror controlled by a hostile party. OVAL uses this field most of all to confirm that the package installed on the system is that shipped by the vendor, since comparing package version numbers against patch announcements is only programmatically valid if the installed package is known to contain the patched code. |
| Version | This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4. |
RPM file verify
This is used to verify the integrity of the in idual files in installed RPMs. File path is mandatory for this query while submitting to agents.
| Child Elements | Description |
| File path* | This element specifies the absolute path for a file or directory in the specified package. |
| Architecture | This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686. |
| Capabilities differ | The size_differs entity aligns with the ninth character (‘P’ flag) in the character string in the output generated by running rpm -V on a specific file. |
| Configuration file | The configuration_file entity represents the configuration file attribute marker that may be present on a file. |
| Device differs | The device_differs entity aligns with the fourth character (‘D’ flag) in the character string in the output generated by running rpm -V on a specific file. |
| Documentation file | The documentation_file entity represents the documentation file attribute marker that may be present on a file. |
| Epoch | This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or ‘(none)’ as returned by rpm) the string ‘(none)’ should be used.. This number is not revealed by a normal query of the RPM’s information — you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q –qf ‘%{EPOCH}\n’ installed_rpm For an RPM file that has not been installed: rpm -qp –qf ‘%{EPOCH}\n’ rpm_file |
| Extended name | This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form “NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE”. Note that a null epoch (or ‘(none)’ as returned by rpm) is equivalent to ‘0’ and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE. |
| Ghost file | The ghost_file entity represents the ghost file attribute marker that may be present on a file. |
| Group differs | The group_differs entity aligns with the seventh character (‘U’ flag) in the character string in the output generated by running rpm -V on a specific file. |
| License file | The license_file entity represents the license file attribute marker that may be present on a file. |
| Link mismatch | The link_mismatch entity aligns with the fifth character (‘L’ flag) in the character string in the output generated by running rpm -V on a specific file. |
| MD5 differs | This entity aligns with the third character (‘5’ flag) in the character string in the output generated by running rpm -V on a specific file. |
| Mode differs | This entity aligns with the second character (‘M’ flag) in the character string in the output generated by running rpm -V on a specific file. |
| Modified time differs | This entity aligns with the eighth character (‘T’ flag) in the character string in the output generated by running rpm -V on a specific file. |
| Name | This is the package name to check. |
| Ownership differs | The ownership_differs entity aligns with the sixth character (‘U’ flag) in the character string in the output generated by running rpm -V on a specific file. |
| ReadMe file | The readme_file entity represents the readme file attribute marker that may be present on a file. |
| Release | This is the release number of the build, changed by the vendor/builder. |
| Size differs | The size_differs entity aligns with the first character (‘S’ flag) in the character string in the output generated by running rpm -V on a specific file. |
| Version | This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4. |
RPM verify package
This is used to verify the integrity of installed RPMs.
| Child Elements | Description |
| Architecture | This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686. |
| Dependency check passed | The dependency_check_passed entity indicates whether or not the dependency check passed. If the dependency check is not performed, due to the ‘nodeps’ behavior, this entity must not be collected. |
| Epoch | This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or ‘(none)’ as returned by rpm) the string ‘(none)’ should be used.. This number is not revealed by a normal query of the RPM’s information — you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q –qf ‘%{EPOCH}\n’ installed_rpm For an RPM file that has not been installed: rpm -qp –qf ‘%{EPOCH}\n’ rpm_file |
| Extended name | This element specifies the extended name. |
| Name | This is the package name to check. |
| Release | This is the release number of the build, changed by the vendor/builder. |
| Verification script successful | The verification_script_successful entity indicates whether or not the verification script executed successfully. If the verification script is not executed, due to the ‘noscripts’ behavior, this entity must not be collected. |
| Version | This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4. |
Run level
This is used to check information about which run-level specified services are scheduled to exist at. For more information see the output generated by a chkconfig –list.
| Child Elements | Description |
| Kill | This entity determines if the process is supposed to be killed at the specified run-level. |
| Run level | This entity refers to the system run-level associated with a service. A run-level is defined as a software configuration of the system that allows only a selected group of processes to exist. |
| Service name | This entity refers the name associated with a service. This name is usually the filename of the script file located in the /etc/init.d directory. |
| Start | This entity determines if the process is scheduled to be spawned at the specified run-level. |
SE Linux Boolean
This is used to check the current and pending status of a SELinux boolean.
| Child Elements | Description |
| Current Status | The current_status entity represents the current state of the specified SELinux boolean. |
| Name | The name of the SELinux boolean. |
| Pending Status | The pending_status entity represents the pending state of the specified SELinux boolean. |
Services
This is used to collect information about services. It includes service name and status.
| Child Elements | Description |
| Service name | This specifies the service name. |
| Service status | This specifies the status of the service. |
Shadow file(/etc/shadow)
This is used to check information from the /etc/shadow file for a specific user. This file contains user’s password, password ageing and lockout information.
| Child Elements | Description |
| Change allowed | This specifies how often in days a user may change their password. It can also be thought of as the minimum age of a password. |
| Change list | This is the date of the last password change in days since 1/1/1970. |
| Change required | This describes how long a user can keep a password before the system forces her to change it. |
| Encryption method | The encrypt_method entity describes method that is used for hashing passwords. |
| Expiry date | This specifies when will the account’s password expire, in days since 1/1/1970. |
| Days before account inactive | This entity describes the number days of account inactivity for which the system will wait after a password expires before locking the account. Unix systems are generally configured to only allow a given password to last for a fixed period of time. |
| Days warning for expiration | This describes how long before password expiration the system begins warning the user. The system will warn the user at each login. |
| Flag | This is a reserved field that the shadow file may use in the future. |
| Password | This is the encrypted version of the user’s password. |
| User name | This is the name of the user being checked. |
Shell History
This is used to collect various information about shell history. It includes user name, used-id, history file path and command from history file.
| Child Elements | Description |
| Command | This element specifies history of executed commands. |
| History file | This element specifies history file path. |
| UID | This element specifies history belongs to which user id. |
| User name | This element specifies history belongs to which user. |
Sudo Users
This is used to collect sudo users. It includes user name which has sudo access.
| Child Elements | Description |
| Sudo user name | This element specifies sudo username. |
System Control
This is used to check the values associated with the kernel parameters that are used by the local system.
| Child Elements | Description |
| Name | This element contains a string that represents the name of a kernel parameter that was collected from the local system. |
| Value | This element contains a string that represents the value(s) associated with the specified kernel parameter. |
System DHCP Information
This is used to collect system Dynamic Host Configuration Protocol (DHCP) information. It includes DHCP enabled, DHCP server ip address, netmask, gateway ip address, interface type, lease time, lease renew/rebind time and interface description.
| Child Elements | Description |
| DHCP enabled | This element specifies the value that specifies whether the dynamic host configuration protocol (DHCP) is enabled for this adapter. |
| DHCP interface | This element specifies DHCP interface |
| Gateway IP | This element specifies the ip address of the gateway for this adapter. |
| MAC Address | This element specifies the hardware address for the adapter. |
| Interface description | This element specifies an ANSI character string that contains the description of the adapter. |
| Interface type | This element specifies the adapter type. |
| IP mask | This element specifies the list of ip addresses associated with this adapter. |
| Lease expire time | This element specifies the time when the current DHCP lease expires. |
| Lease rebind time | This element specifies DHCP lease rebind time. |
| Lease renew time | This element specifies DHCP lease renew time. |
| Lease time | This element specifies DHCP lease time. |
| DHCP server IP | This element specifies the address of the DHCP server for this adapter. |
System DNS Information
This is used to collect domain name and domain name system ip information. It includes domain name and dns server ip address
| Child Elements | Description |
| DNS server IP | This element specifies the list of dns server ip address used by the local computer. |
| Domain name | This element specifies the domain in which the local computer is registered. |
System Executable shield status
Executable shield status gives information if data memory is executable/non-executable or/and program memory is writable/non-writable.
| Child Elements | Description |
| Executable shield status | This element specifies the executable shield No eXecute (NX) and eXecute Disable (XD) status. For Example: NX (Execute Disable) protection active |
System Route Information
This is used to collect system route information. It includes destination, ip address, gateway, netmask, flags, metric and interface name.
| Child Elements | Description |
| Destination | This element specifies the destination IP address or subnet of the traffic for a specific route entry. |
| Flags | This element specifies the flag for a specific route entry. |
| Gateway | This element specifies the gateway for a specific route entry. |
| Network Interfaces | This element specifies the interface for a specific route entry. |
| Metric | This element specifies the metric for a specific route entry. |
| Netmask | This element specifies the netmask for a specific route entry. |
System ASLR Status
This is used to collect address space layout randomization(ASLR) status. This technique give some protection against buffer overflow attacks by randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.
| Child Elements | Description |
| ASLR status | This element specifies the system ASLR status. 0- The process address space randomization is off. 1 – The addresses of mmap base, stack and VDSO page are randomized. 2 – Additionally heap randomization enabled. |
Text File Content
This looks at the content of a text file (aka a configuration file) by looking at in idual lines. File path, pattern and instance are mandatory for this query while submitting to agents.
| Child Elements | Description |
| File path* | This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path. |
| Pattern/Text* | This entity represents a block of text or regular expression that is used to define a block of text. Subexpression notation (parenthesis) is used to call out a value(s) to test against. For example, the pattern abc(.*)xyz would look for a block of text in the file that starts with abc and ends with xyz, with the subexpression being all the characters that exist in between. Note that If pattern can match more than one block of text starting at the same point, then it matches the longest. Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later. |
| Instance* | The instance entity calls out which match of the pattern is being represented by this item. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. The main purpose of this entity is too provide uniqueness for different items that results from multiple matches of a given pattern against the same file. |
| Sub-expression | The sub-expression entity represents the value of a subexpression in the specified pattern. If multiple subexpressions are specified in the pattern, then multiple entities are presented. |
| Windows view | Not applicable for Unix based systems. The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64-bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems. |
Unix name(uname)
This is used to collect various information about operating system. It includes hardware id, operating system name, version, release, processor type, time zone and locale.
| Child Elements | Description |
| Locale | This element specifies the locale |
| Machine class | This element specifies the hardware identifier |
| Node name | This element indicates name of the present machine in some undefined network |
| Operating system name | This element specifies the name of the operating system. |
| Operating system release | This element specifies the release version of the operating system. |
| Operating system version | This element specifies the version of the operating system. |
| Processor type | This element specifies the hardware identifier |
| Time zone | This element specifies the time zone |
Wireless Information
This is used to collect various information about wireless connection. It includes wireless name, state, mac address, SSID, interface description, network is infrastructure or ad hoc, frequency, receiving rate, transmission rate, signal quality and security enabled or disabled.
| Child Elements | Description |
| WLAN BSS Network type | This element specifies whether the network is infrastructure or ad hoc. |
| WLAN frequency | This element specifies wireless frequency. |
| WLAN Interface description | This element specifies the wireless interface description. |
| WLAN Interface name | This element specifies the wireless interface name. |
| WLAN Interface state | This element specifies the state of the wireless interface |
| WLAN MAC address | This element specifies physical hardware address wireless interface. |
| WLAN Receiving rate | This element specifies the receiving rate of the association. |
| WLAN Security enabled | This element specifies whether security is enabled on the network. A value of TRUE indicates that security is enabled, otherwise it is not. |
| WLAN Signal quality | This element specifies a percentage value that represents the signal quality of the network. |
| WLAN SSID | This element specifies the contains the SSID of the association. |
| WLAN Transmission rate | This element specifies the transmission rate of the association. |
System unit dependency
This element is used to check the dependencies of the specific units.
| Child Elements | Description |
| Dependency | This entity refers to the name of a unit that was confirmed to be a dependency of the given unit. |
| Unit | This entity refers to the full systemd unit name, which has a form of “$name.$type”. For example “cupsd.service”. This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories. |
Systemd unit property
This element is used to retrieve information about systemd units in form of properties. For more information see the output generated by systemctl show $unit.
| Child Elements | Description |
| Property | The name of the property associated with a systemd unit. |
| Unit | The unit entity refers to the full systemd unit name, which has a form of “$name.$type”. For example “cupsd.service”. This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories. |
| Value | The value of the property associated with a systemd unit. |
App armor status
This is used to check properties representing the counts of profiles and processes as per the results of the “apparmor_status” or “aa-status” command.
| Child Elements | Description |
| Complain mode processes count | Displays the number of processes in complain mode |
| Complain mode profiles count | Displays the number of profiles in complain mode |
| Enforce mode processes count | Displays the number of processes in enforce mode |
| Enforce mode profiles count | Displays the number of profiles in enforce mode |
| Loaded profiles count | Displays the number of loaded profiles |
| Processes with profiles count | Displays the number of processes which have profiles defined |
| Unconfined processes with profiles count | Displays the number of processes which are unconfined but have a profile defined |
Symlink
This is used to obtain canonical path information for symbolic links. File path is a mandatory field while submitting to agents.
| Child Elements | Description |
| Filepath* | Specifies the filepath used to create the object. |
| Canonical path | Specifies the canonical path for the target of a symbolic link file specified by the filepath. |
Routing table
This is used to check information about the IPv4 and IPv6 routing table entries found in a system’s primary routing table. It is important to note that only numerical addresses will be collected and that their symbolic representations will not be resolved. This equivalent to using the ‘-n’ option with route(8) or netstat(8). Destination is a mandatory field while submitting to agents.
| Child Elements | Description |
| Destination* | The destination IP address prefix of the routing table entry. This is the destination IP address and netmask/prefix-length expressed using CIDR notation. |
| Flags | The flags associated with the specified routing table entry. |
| Gateway | The gateway of the specified routing table entry. |
| Interface name | The name of the interface associated with the routing table entry. |
File extended attribute
This is used to check extended attribute values associated with UNIX files, of the sort returned by the getfattr command or getxattr() system call. This will collect all UNIX file types (directory, regular file, character device, block device, fifo, symbolic link, and socket). File path and attribute name are mandatory fields while submitting to agents.
| Child Elements | Description |
| Attribute name* | This is the extended attribute’s name, identifier or key. |
| File path* | The filepath element specifies the absolute path for a file on the machine. A directory can be specified as a filepath. |
| Value | The value entity represents the extended attribute’s value or contents. To check for an attribute with no value assigned to it, this entity would be used with an empty value. |
GConf
This is used to check the attributes and value(s) associated with GConf preference keys. This can be used to define the preference keys to collect and the sources from which to collect the preference keys. Key and source are mandatory fields while submitting to agents
| Child Elements | Description |
| Is default? | Is the preference key value the default value. If true, the preference key value is the default value. If false, the preference key value is not the default value. |
| Is writable? | Is the preference key writable? If true, the preference key is writable. If false, the preference key is not writable. |
| Key* | The preference key to check. |
| Source* | The source used to look up the preference key. This element specifies the source from which to collect the preference key. The source is represented by the absolute path to a GConf XML file as XML is the current backend for GConf. Note that other backends may become available in the future. |
| Time modified | The time the preference key was last modified in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970. |
| Type | The type of the preference key. |
| User modified | The user who last modified the preference key. |
| Value | The value of the preference key. |
Virtual Memory Statistics (vmstat)
Virtual Memory Statistics (vmstat) reports information about processes, memory, paging, block IO, traps, and cpu activity.
| Child Elements | Description |
| Blocks received | Blocks received from a block device. |
| Blocks sent | Blocks sent to a block device. |
| Buffer memory | The amount of memory used as buffers. |
| Cache memory | The amount of memory used as cache. |
| Context switches | The number of context switches per second. |
| CPU time idle | Time spent idle. Prior to Linux 2.5.41, this includes IO-wait time. |
| CPU time IO | Time spent waiting for IO. Prior to Linux 2.5.41, included in idle. |
| CPU time kernel code | Time spent running kernel code (system time). |
| CPU time non-kernel code | Time spent running non-kernel code (user time, including nice time). |
| CPU time virtual machine | Time stolen from a virtual machine. Prior to Linux 2.6.11, unknown. |
| Idle memory | The amount of idle memory. |
| Interrupts | The number of interrupts per second, including the clock. |
| Memory swapped in | The amount of memory swapped in from disk. |
| Memory swapped out | The amount of memory swapped to disk. |
| Runnable processes | The number of runnable processes (running or waiting for run time). |
| Uninterruptible sleep processes | The number of processes in uninterruptible sleep. |
| Virtual memory used | The amount of virtual memory used. |
System time
This is used to track the current date and time in the system.
| Child Elements | Description |
| Date | Current day in the system. |
| Day | Current weekday in the system. |
| Epoch time | Current local UNIX time in the system. |
| Hour | Current hour in the system. |
| Local timezone | Current local timezone in the system. |
| Minutes | Current minutes in the system. |
| Month | Current month in the system. |
| Year | Current year in the system. |
| Seconds | Current seconds in the system. |
| Timestamp | Current timestamp (log format) in the system. |
SUID bin binary
Retrieves all the files from /bin, /sbin, /usr/bin, /usr/sbin,/usr/local/bin, /usr/local/sbin, /tmp in the target system that are setuid enabled.
| Child Elements | Description |
| Path | This entity specifies the path in the system. |
| Permission | This entity specifies the permission associated with the user namd and path. |
| User | This entity specifies the user name. |
SUID bin file
Retrieves all the files from /bin, /sbin, /usr/bin, /usr/sbin,/usr/local/bin, /usr/local/sbin, /tmp in the target system that are setuid enabled.
| Child Elements | Description |
| Path | This entity specifies the path in the system. |
| Permission | This entity specifies the permission associated with the user namd and path. |
| User | This entity specifies the user name. |
Grand Unified Bootloader (grub)
GRUB(Grand Unified Boot loader) is the default boot loader for many Linux distributions. Boot loader plays a major role in bring up the system into running state. Infact boot loader is the first program that runs when a computer is switched on. This helps in transferring control to an operating system kernel.
| Child Elements | Description |
| Command line default | The default command line. |
| Default | The default operating system to boot if you do not hit any key. |
| Initrd | The initrd image to boot the kernel with. |
| Kernel | The linux kernel image to load along with all the options for it. |
| Menu entry | The partition where /boot directory is. All paths will be relative to this partition. |
| Root | The partition where /boot directory is. All paths will be relative to this partition. |
| Timeout | The time in seconds to wait before the default operating system is booted. |
Boot priority policy
This defines the operating system boot priority policy. The Linux boot loader though (called Grub), usually defaults to booting Linux.
| Child Elements | Description |
| Menu entry | This element defines the title entry and it starts an operating system section by default unless any other title line is found. |
SUID bin binary
Retrieves all the files from /bin, /sbin, /usr/bin, /usr/sbin,/usr/local/bin, /usr/local/sbin, /tmp in the target system that are setuid enabled.
| Child Elements | Description |
| User | This entity specifies the user name. |
| Path | This entity specifies the path in the system. |
| Permission | This entity specifies the permission associated with the user namd and path. |
XML File Content
This element is used by a xml file content test to define the specific piece of an xml file(s) to be evaluated. This will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. The set of files to be evaluated will be identified with a complete File path. File path and XPath are mandatory fields while submitting to agents.
| Child Elements | Description |
| File path* | This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path. |
| XPath* | Specifies an XPath 1.0 expression to evaluate against the XML file specified by the filename entity. This XPath 1.0 expression must evaluate to a list of zero or more text values which will be accessible in OVAL via instances of the value_of entity. Any results from evaluating the XPath 1.0 expression other than a list of text strings (e.g., a nodes set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute. However, an OVAL interpreter is not required to verify this, so the author should define the XPath expression carefully. Note that “equals” is the only valid operator for the xpath entity. |
| Value of | This element checks the value(s) of the text node(s) or attribute(s) found. |
| Windows view | The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems. |
Missing Patches
This is used to investigate missing patches and security fixes in a computer system.
| Child Elements | Description |
| Patch description | This element describes a patch. |
| Patch ID | A unique identification number associated with a patch. |
| Patch name | This element specifies the patch name. |
| Patch rollback available | This element specifies if rollback is possible for this patch. Possible values are TRUE or FALSE. An empty value appears if it cannot be determined. |
| Patch severity | This element specifies severity of a patch. Possible values: Important, Critical, etc. An empty value appears if it cannot be determined. |
| Patch size | This element specifies size of a patch. Values are specified in bytes. A value UNKNOWN appears if patch size cannot be determined. |
| Reboot required | This element specifies if reboot is required after patch installation. Passible values are TRUE or FALSE. |
| Platform CPE | This element specifies platform CPE ID associated with the patch. |
| Product CPE | This element specifies product CPE ID associated with the patch. Note: This value is empty when a patch is associated with an operating system. |
Mac Probes
Account Information
This is used to collect all users’ information. It includes user name, user ID, group ID, real name, home directory and login shell information.
| Child Elements | Description |
| Group ID | This element represents the group ID of this account. |
| Home directory | This element specifies the home directory for this user account. |
| Login shell | This element specifies the login shell for this user account. |
| Password | This element specifies obfuscated (*****) or encrypted password for this user. |
| Real name | This element specifies user’s real name, aka gecos field of /etc/passwd. |
| User ID | The numeric user id, or uid, is the third column of each user’s entry in /etc/passwd. This element represents the owner of the file. |
| User name | This element specifies the user of the account to gather information from. |
ARP Cache
This is used to collect various information about address resolution protocol(ARP) cache table. It includes host IP address, mac address, interface name from ARP cache table.
| Child Elements | Description |
| Host IP | This element specifies host IP address. |
| MAC address | This element specifies physical hardware address of the adapter for the network interface associated with this IP address. |
| Network Interfaces | This element specifies device interface. |
| Permanent | This element specifies if an ARP entry is permanent or not. |
Authorization Database
This is used to check the properties of the plist-style XML output from the security authorizationdb read right-name command, for reading information about rights authorizations on MacOSX. Right name and XPath are mandatory to query the database.
| Child Elements | Description |
| Right name* | This element specifies the right name to be queried (read) from the authorization database. |
| Value of | This element checks the value(s) of the text node(s) or attribute(s) found. |
| XPath* | This element specifies an Xpath expression describing the text node(s) or attribute(s) to look at. Any valid Xpath 1.0 statement is usable with one exception, at most one field may be identified in the Xpath. |
Anti-virus information
This is used to collect information about an installed Antivirus applications.
| Child Elements | Description |
| Antivirus name | This element specifies a display name of a installed antivirus product. |
| Antivirus path | This element specifies installed path of a installed antivirus product. |
| Antivirus version | This element specifies version of a installed antivirus product. |
BIOS Information
This is used to collect various information about BIOS (basic input/output system). It includes bios name, version, manufacture, serial number, smbios version, and bios status.
| Child Elements | Description |
| BIOS Name | This element used to identify the software element. |
| BIOS Serial Number | This element specifies serial number of the software element. |
| BIOS SMC Version | This element specifies version of the BIOS SMC(Standard Microsystems) |
| BIOS Status | This element specifies current status of BIOS. Various operational and non-operational status can be defined. |
| BIOS Version | This element specifies version of the BIOS. This string is created by the BIOS manufacturer. |
Computer Information
This is used to collect various information about computer system. It includes CPU, RAM, ROM, swap memory, virtual memory, disk, operating system, cache size, host name, model name, serial name etc.
| Child Elements | Description |
| Address Sizes | This element specifies the CPU address size info. |
| Cache size | This element specifies the size of the total processor cache (in bytes). A cache is an external memory area that has a faster access time than the main RAM memory. |
| CPU | This element specifies name of the processor. |
| CPU Architecture | This element specifies processor architecture used by the platform. |
| CPU cores | This element specifies number of cores. |
| CPU family | This element specifies authoritatively identifies the type of processor in the system. |
| CPU Speed | This element specifies speed of the processor in megahertz. |
| CPU usage | This element specified CPU usage in percentage. |
| Disk model | This element specifies the disk model name – a one-line string. |
| Disk name | This element specifies the short description of the disk drive – a one-line string. |
| Disk removable device | This element specifies the disk is removable or not. |
| Disk size | This element specifies the total size of the disk drive in bytes. |
| Free RAM | This element specifies system free memory size in bytes. |
| Free swap size | This element specifies system free swap size in bytes. |
| Host name | This element specifies the label that is assigned to a computer. |
| Model name | This element specifies the CPU model info. |
| Network total bytes received | This element represents the number of bytes received. |
| Network total bytes transmitted | This element represents the number of bytes transmitted. |
| Network total bytes(received/transmitted) | This element represents the total number of bytes received and transmitted. |
| Operating system architecture | This element specifies the architecture of the operating system. |
| Operating system name | This element specifies the name of the operating system. |
| Operating system release | This element specifies the release version of the operating system. |
| Operating system version | This element specifies the version of the operating system. |
| RAM usage | This element specifies used system memory size in percentage. |
| RAM used | This element specifies used system memory size in bytes. |
| Serial number | This element specifies the BIOS serial number. |
| System name | This element specifies system name. |
| System product name | This element specifies the system hardware name. |
| System time synchronization status | This element specified if system time is synchronised with server using Network Time Protocol(NTP). Value is either true or false |
| System uptime | This element specifies the time elapsed since the system was started. |
| Timezone name | This element specifies the timezone such as Asia/Kolkata. |
| Total RAM | This element specifies system total memory size in bytes. |
| Total swap size | This element specifies system total swap size in bytes. |
| Total virtual memory allocated | This element specifies system total virtual memory size in bytes. |
Core Storage
This is used to check the properties of the plist-style XML output from the “diskutil cs list -plist” command, for reading information about the CoreStorage setup on MacOSX. UUID and XPath are mandatory to query the database.
| Child Elements | Description |
| UUID* | This element specifies the UUID of the volume about which the plist information was retrieved. |
| Value of | This element checks the value(s) of the text node(s) or attribute(s) found. |
| XPath* | This element specifies an Xpath expression describing the text node(s) or attribute(s) to look at. Any valid Xpath 1.0 statement is usable with one exception, at most one field may be identified in the Xpath. |
Cron
This is used to collect various information about cron jobs. It includes user name, scheduled job and command.
| Child Elements | Description |
| Scheduled | This element specifies the scheduled time for a particular cron job. |
| Scheduled command | This element indicates command to be executed at scheduled time. |
| User name | This element specifies the username for which cron job is scheduled. |
Device information
This is used to collect information about installed devices on the system. It includes device name, driver, subsystem, device path, class and subclass.
| Child Elements | Description |
| Device driver | This element specifies driver used by the device. |
| Device name | This element specifies the installed devices name. |
| Device manufacture | This element specifies manufacturer of the device. |
| Device model | This element identifies the device model |
| Device path | This element specifies the logical path within the device node |
| Device serial | This element specifies the serial number the device |
| Device size | This element specifies the total size of the device in bytes (Applicable for USB and Media) |
| Device type | This element specifies the type of the device. |
Disk Utility
This is used to collect various information to verify disks on a Mac OS system. File path and Device are mandatory for this query.
| Child Elements | Description |
| Device* | This element specifies represents the disk on a Mac OS system to verify. Please see diskutil(8) for instructions on how to specify the device. |
| File path* | This element specifies the absolute path for a file or directory on the specified device. |
| Group execute | This element specifies the group execution permission of a file. |
| Group read | This element specifies the group read permission of a file. |
| Group write | This element specifies the group write permission of a file. |
| Others execute | This element specifies the execute permission of a file for other users. |
| Others read | This element specifies the read permission of a file for other users. |
| Others write | This element specifies the write permission of a file for other users. |
| User execute | This element specifies the user execute permission. |
| User read | This element specifies the user read permission. |
| User write | This element specifies the user write permission of a file. |
Gatekeeper
This is used to collect information to check the status of Gatekeeper and any unsigned applications that have been granted execute permission.
| Child Elements | Description |
| Enabled | This element specifies the status of Gatekeeper assessments. |
| Unlabeled | This element specifies the path to an unsigned application folder to which Gatekeeper has granted execute permission. |
Hosts File(/etc/hosts)
This used to collect various information about hosts from /etc/hosts. It includes host IP address and host name.
| Child Elements | Description |
| Host IP | This element specifies host IP address. |
| Host name | This element specifies the label that is assigned to a computer. |
Operating System Information
This is used to collect various information about installed operating system.
| Child Elements | Description |
| Build version | This element specifies the build number of an operating system. It can be used for more precise version information than product release version numbers. |
| Copyright | This element specifies the copyrights of the operating system. |
| Operating system name | This element specifies the operating system instance within a computer system. |
| Service pack major | This element specifies the major version number of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero). |
| Service pack minor | This element specifies the minor version number of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero). |
| Service pack patch | This element specifies the patch version of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero). |
Protocols File(/etc/protocols)
This is used to collect various information about protocol from /etc/protocols. It includes protocol name, protocol number and protocol aliases.
| Child Elements | Description |
| Protocol aliases | This element specifies the aliases for the protocol. |
| Protocol name | This element specifies the native name for the protocol. |
| Protocol number | This element specifies the official number for the protocol. |
Services File(/etc/services)
This is used to collect various information about service from /etc/services. It includes service name, service port, service protocol and service aliases.
| Child Elements | Description |
| Service aliases | This element specifies alternative names for the same service. |
| Service name | This element specifies the service name. |
| Service port | This element specifies port the service is offered on. |
| Service protocol | This element specifies, which transport protocol is used. |
Family of Operating System
This is used to collect operating system family standard values being windows, unix or macos(Mac OS).
| Child Elements | Description |
| family of operating system | This element specifies operating system family. |
File
This is used to check metadata associated with files. File path is mandatory for this query while submitting to agents.
| Child Elements | Description |
| File path* | This element specifies the location of the file. |
| Access time | This element specifies access time of a file. |
| Creation time | This element specifies creation time of a file (in timestamp format). |
| File md5 sum | This element specifies md5 sum of a file. |
| File name | This element specifies the name of the file. |
| Group execute | This element specifies the group execution permission of a file. |
| Group read | This element specifies the group read permission of a file. |
| Group ID | This element specifies the group ID for a file. |
| Group write | This element specifies the group write permission of a file. |
| Has extended ACL | This element specifies the access control list existences for a file. |
| Modified time | This element specifies the modified time of a file. |
| Others execute | This element specifies the execute permission of a file for other users. |
| Others read | This element specifies the read permission of a file for other users. |
| Others write | This element specifies the write permission of a file for other users. |
| Set group User ID | This element specifies the group user id. |
| Size | This element specifies the size of a file (in bytes). |
| Sticky bit | This element specifies the sticky bit of a file. |
| Owner User ID | This element specifies the owners user id. |
| Type | This element specifies the type of the file. |
| User execute | This element specifies the user execute permission. |
| User read | This element specifies the user read permission. |
| User ID | This element specifies the user id of a file. |
| User write | This element specifies the user write permission of a file. |
Group
This is used to collect various information about the groups. It includes group name and group id.
| Child Elements | Description |
| Group | This element specifies the group name. |
| Group ID | This element specifies the group id. |
Inet-Listening Servers
This is used to collect various information about listening ports. It includes protocol name, local ip address, local port, program name, foreign address, foreign port, process id and user id.
| Child Elements | Description |
| Foreign address | This element specifies foreign ip address, which is connected to listening server. |
| Foreign full address | This element specifies foreign ip address including port, which is connected to listening server. |
| Foreign port | This element specifies foreign port, which is connected to listening server |
| Local address | This element specifies local ip address on which server is listening |
| Local full address | This element specifies full ip address including port on which server is listening. |
| Local port | This element specifies local port on which server is listening. |
| Process ID (PID) | This element specifies the pid of a listening server program. |
| Program name | This element specifies the name of a listening server program. |
| Protocol | This element specifies the name for the protocol used by listening server. |
| User ID | This element specifies the name of a listening server program. |
Installed Applications
This is used to collect information about installed applications on the system. It includes application name, version, architecture, path, developer and last used.
| Child Elements | Description |
| Application architecture | This element specifies the architecture for which the package was built, like : i386, ppc, sparc, noarch. |
| Application developer | This element specifies the developer of the installed application |
| Application last use | This element specifies the last use date of an application. |
| Application name | This element specifies the installed package name. |
| Application path | This element specifies the path in which the application is installed. |
| Application publisher | This element specifies the application publisher information. |
| Application version | This element specifies the version number of the build. |
launchd (unified service-management)
This is used to collect information and status of daemons/agents, applications, processes and scripts running in a system.
| Child Elements | Description |
| Label | This element specifies the daemon to be queried. |
| Process ID(pid) | This element specifies the process ID of the daemon (if any). |
| Status | This element specifies the last exit code of the daemon (if any), or if < 0, indicates the negative of the signal that interrupted processing. For example, a value of -15 would indicate that the job was terminated via a SIGTERM. |
Network Interfaces
The interface test enumerate various attributes about the interfaces on a system.
| Child Elements | Description |
| Broadcast address | This element specifies the broadcast address. A broadcast address is typically the IP address with the host portion set to either all zeros or all ones. Note that the IP address can be IPv4 or IPv6. |
| Flag | The flag entity represents the interface flag line, which generally contains flags like “UP” to denote an active interface, “PROMISC” to note that the interface is listening for Ethernet frames not specifically addressed to it, and others. This element can be included multiple times in a system characteristic item in order to record a multitude of flags. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like this that refer to items that can occur an unbounded number of times. |
| Hardware Address | The Hardware Address entity is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F. |
| IP address of an interface | This element specifies the IP address. Note that the IP address can be IPv4 or IPv6. If IP address is an IPv6 address, this entity will be expressed as an IPv6 address prefix using CIDR notation and the netmask entity will not be collected. |
| Name | This element specifies the name of an interface. |
| Netmask | This element specifies the subnet mask for the IP address. Note that If IP address of an interface entity contains an IPv6 address prefix, this entity will not be collected. |
| Type | This element specifies the type of interface which is limited to certain set of values. |
IP forwarding status
This is used to collect information about the IP forward settings. It includes IP forwarding status which can be either enabled or disabled.
| Child Elements | Description |
| IP forwarding status | This element specifies ip forwarding is enabled or disabled. |
Packet filter control(pfctl)
This is used to collect various information about packet filter control. It includes action, direction, interface, protocol source, destination, flags and state information.
| Child Elements | Description |
| Action | This element specifies action to be taken when a specified rule matches. For example: PASS or BLOCK. |
| Direction | This element specifies the packet flow direction. |
| Destination | This element specifies the destination IP address or subnet of the traffic. |
| Flags | This element specifies different flags associated with the rule. |
| Interface | This element specifies network interface for a specific rule. |
| Protocol | This element specifies the protocol associated with the rule. |
| Source | This element specifies the source IP address or subnet of the traffic. |
| State | This element specifies different states associated with the rule. For example: no state, keep state, modulate state, synproxy state. |
Kernel Information
This is used to collect various information about loaded kernel. It includes kernel version, kernel image path, kernel on which device/volume and kernel arguments.
| Child Elements | Description |
| Arguments | This element indicates loaded kernel kernel arguments. |
| Device | This element indicates location of the kernel on which device or volume. |
| Kernel image path | This element specified the kernel image path. |
| Kernel version | This element indicates loaded kernel kernel version. |
Key chain
This is used to collect various information to check the properties of the plist-style XML output from the ‘security show-keychain-info keychain’ command. File path is mandatory for this query.
| Child Elements | Description |
| File path* | This element specifies the filepath of the keychain. |
| Lock on sleep | This element specifies whether the keychain is configured to lock when the computer sleeps. |
| Time out | This element specifies the inactivity timeout (in seconds) for the keychain, or 0 if there is no timeout. |
Logged-in Users
This is used to collect various information about logged-in users. It includes user name, device tty, remote logged in host name, time when entry made, process id and record type.
| Child Elements | Description |
| Host | This element indicates hostname for remote login or kernel version for run-level messages |
| Process ID(PID) | This element indicates the PID of login process. |
| Time | This element indicates the time when entry was made (in seconds). |
| tty | This element indicates device name of tty. |
| Type | This element indicates the type of record. |
| User name | This element indicates logged-in user name. |
Mount points
This is used to collect various information about mounted partitions. It includes disk filesystem name, file system type, disk size, disk space used, available disk space, disk use in terms of percentage and disk mounted path.
| Child Elements | Description |
| Disk file-system name | This element indicates filesystem name. |
| Disk mounted on | This element indicates disk mounted path. |
| Disk size | This element indicates total disk partition size (in bytes). |
| Disk space available | This element indicates available disk space (in bytes). |
| Disk space used | This element indicates used disk space (in bytes). |
| Disk use percentage | This element indicates used disk space in percentage. |
Non-volatile random-access memory (NVRAM)
This is used to collect information about Non-volatile random-access memory (NVRAM). It pulls data from the ‘nvram -p’ output. It includes variable and value associated with it.
| Child Elements | Description |
| NVRAM variable | This element indicates variable name. |
| NVRAM value | This element indicates value associated with the variable. |
Partitions
The partition_test is used to check the information associated with partitions on the local system.
| Child Elements | Description |
| Device | This element contains a string that represents the name of the device. |
| FS type | This element contains a string that represents the type of filesystem on a partition. |
| Mount point | This element contains a string that represents the mount point of a partition on the local system. |
| Space left | This element contains an integer that represents the number of blocks left on a partition. |
| Space used | This element contains an integer that represents the number of blocks used on a partition. |
| Total space | This element contains an integer that represents the total number of blocks on a partition. |
| UUID | This element contains a string that represents the universally unique identifier associated with a partition. |
Password/User Information
This is used to collect various information about system users. It includes user name, password, user id, group id, user information, user home directory path and login shell.
| Child Elements | Description |
| GCOS(comment field) | This element indicates user information. Usually, it contains the full username. Some programs (for example, finger(1)) display information from this field. GECOS stands for “General Electric Comprehensive Operating System”,which was renamed to GCOS when GE’s large systems ision was sold to Honeywell. Dennis Ritchie has reported: “Sometimes we sent printer output or batch jobs to the GCOS machine. The gcos field in the password file was a place to stash the information for the $IDENTcard. Not elegant.” |
| Group ID | This element indicates group id of a particular group. |
| Home directory | This element specifies path to home directory of a particular user. |
| Login shell | This element specifies login shell of a particular user. |
| Password | This element indicates local user password |
| User ID | This element indicates user id of a particular user. |
| User name | This element indicates local user name. |
Property List(plist)
Information associated with property list preference keys. File path, App ID and Key entities are mandatory for this query.
| Child Elements | Description |
| App ID* | The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari). |
| File path* | The absolute path to a plist file (e.g. ~/Library/Preferences/com.apple.Safari.plist). A directory cannot be specified as a filepath. |
| Instance | The instance of the preference key found in the plist. The first instance of a matching preference key is given the instance value of 1, the second instance of a matching preference key is given the instance value of 2, and so on. Instance values must be assigned using a depth-first approach. Note that the main purpose of this entity is to provide uniqueness for the different plist items that result from multiple instances of a given preference key in the same plist file. |
| Key* | The preference key to be checked. |
| Type | The type of the preference key to be checked. |
| Value | The value of the preference key to be checked. |
Port/Network Connection
Information about open ports and network connections.
| Child Elements | Description |
| Local address | This element specifies the local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6. |
| Local full address | This element specifies the full local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6. |
| Local port | This element specifies the number assigned to the local listening port. |
| Protocol | This element specifies the type of listening port. It is restricted to either TCP or UDP. |
| Process ID(PID) | The id given to the process that is associated with the specified listening port. |
| Foreign address | This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6. |
| Foreign full address | This is the full IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6. |
| Foreign port | This is the TCP or UDP port to which the program communicates. |
| Process name | This element specifies the name of a listening server program. |
| Port state | This element indicates the port state. |
| User ID | This element specifies the user id using this port. |
Process
Information about running processes.
| Child Elements | Description |
| Command line | This is the string used to start the process. It includes any parameters that are part of the command line. |
| Exec shield | This element specifies execute shield status. |
| Execution time | This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more. |
| Login UID | The loginuid shows which account a user gained access to the system with. The /proc/XXXX/loginuid shows this value. |
| Process ID(PID) | This is the process ID of the process. |
| Posix capability | An effective capability associated with the process. See linux/include/linux/capability.h for more information. |
| Parent process ID | This is the process ID of the process’s parent process. |
| Priority | This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call. |
| Process name | This is the name of the processes.td> |
| Real UID | This element specifies the real UID. |
| SE Linux domain label | An SE Linux domain label associated with the process. |
| Session ID | The session ID of the process. |
| Start time | This is the time of day the process started formatted in HH:MM:SS if the same day the process started or formatted as MMM_DD (Ex.: Feb_5) if process started the previous day or further in the past. |
| tty | This is the TTY on which the process was started, if applicable. |
| User ID | This is the effective user id which represents the actual privileges of the process. |
Resource Limit
This is used to collect information to check system resource limits for launchd.
| Child Elements | Description |
| Core current | This element specifies the argest size (in bytes) core file that may be created. |
| Core limit | This element specifies core hard limit (in bytes). |
| CPU current | This element specifies the maximum amount of CPU time (in seconds) to be used by each process. |
| CPU limit | This element specifies CPU hard limit. |
| Data current | This element specifies the maximum size (in bytes) of the data segment for a process; this defines how far a program may extend its break with the sbrk(2) system call. |
| Data limit | This element specifies data hard limit (in bytes). |
| Filesize current | This element specifies the largest size (in bytes) file that may be created. |
| Filesize limit | This element specifies filesize hard limit. |
| Maxfiles current | This element specifies the maximum number of open files for this process. |
| Maxfiles limit | This element specifies maxfiles hard limit (in bytes). |
| Maxproc current | This element specifies the maximum number of simultaneous processes for this user id. |
| Maxproc limit | This element specifies maxproc hard limit. |
| Memlock current | This element specifies the maximum size (in bytes) which a process may lock into memory using the mlock(2) function. |
| Memlock limit | This element specifies memlock hard limit (in bytes). |
| RSS current | This element specifies the maximum size (in bytes) to which a process’s resident set size may grow. This imposes a limit on the amount of physical memory to be given to a process; if memory is tight, the system will prefer to take memory from processes that are exceeding their declared resident set size. |
| RSS limit | This element specifies rss hard limit (in bytes). |
| Stack current | This element specifies the maximum size (in bytes) of the stack segment for a process; this defines how far a program’s stack segment may be extended. Stack extension is performed automatically by the system. |
| Stack limit | This element specifies stack hard limit (in bytes). |
RPC Map Information
This is used to collect various information about rpm program from /etc/rpc. It includes remote procedure call(RPC) program name, program number and program aliases.
| Child Elements | Description |
| RPC aliases | This element specifies the aliases for the RPC program. |
| RPC program name | This element specifies the native name for the RPC program. |
| RPC program number | This element specifies the official number for the RPC program. |
RPC Network Connections
This is used to collect various information about RPC connection using rpcinfo. It includes remote procedure call(RPC) program name, program id, program version, transport protocol used, ip address and program owner.
| Child Elements | Description |
| Address | This element specifies the IP address of the RPC program. |
| Network ID | This element specifies, which transport protocol is used. |
| Owner | This element specifies an owner for the RPC program. |
| RPC program ID | This element specifies the RPC program id. |
| RPC program name | This element specifies the RPC program name. |
| RPC program version | This element specifies the RPC program version. |
Services
This is used to collect information about services. It includes service name and status.
| Child Elements | Description |
| Service name | This specifies the service name. |
| Service status | This specifies the status of the service. |
Shell History
This is used to collect various information about shell history. It includes user name, used-id, history file path and command from history file.
| Child Elements | Description |
| Command | This element specifies history of executed commands. |
| History file | This element specifies history file path. |
| UID | This element specifies history belongs to which user id. |
| User name | This element specifies history belongs to which user. |
Software Updates
This is used to used to access automatic software update information.
| Child Elements | Description |
| Schedule | This element specifies whether automatic checking is enabled (true). |
| Software title | This element specifies the title string for an available (not installed) software update. |
Sudo Users
This is used to collect sudo users. It includes user name which has sudo access.
| Child Elements | Description |
| Sudo user name | This element specifies sudo username. |
System Control
This is used to check the values associated with the kernel parameters that are used by the local system.
| Child Elements | Description |
| Name | This element contains a string that represents the name of a kernel parameter that was collected from the local system. |
| Value | This element contains a string that represents the value(s) associated with the specified kernel parameter. |
System DHCP Information
This is used to collect system Dynamic Host Configuration Protocol (DHCP) information. It includes DHCP enabled, DHCP server ip address, netmask, gateway ip address, interface type, lease time and lease renew/rebind time.
| Child Elements | Description |
| DHCP enabled | This element specifies the value that specifies whether the dynamic host configuration protocol (DHCP) is enabled for this adapter. |
| DHCP interface | This element specifies DHCP interface |
| Gateway IP | This element specifies the ip address of the gateway for this adapter. |
| MAC Address | This element specifies the hardware address for the adapter. |
| Interface type | This element specifies the adapter type. |
| IP mask | This element specifies the list of ip addresses associated with this adapter. |
| Lease rebind time | This element specifies DHCP lease rebind time. |
| Lease renew time | This element specifies DHCP lease renew time. |
| Lease time | This element specifies DHCP lease time. |
| DHCP server IP | This element specifies the address of the DHCP server for this adapter. |
System DNS Information
This is used to collect domain name and domain name system ip information. It includes domain name and dns server ip address
| Child Elements | Description |
| DNS server IP | This element specifies the list of dns server ip address used by the local computer. |
| Domain name | This element specifies the domain in which the local computer is registered. |
System Profiler
This is used to check the properties of the plist-style XML output from the system_profiler -xml datatype command, for reading information about system inventory data on MacOSX. Data type and XPath are mandatory to query the database.
| Child Elements | Description |
| Data type* | This element specifies data type of the value desired. |
| Value of | This element checks the value(s) of the text node(s) or attribute(s) found. |
| XPath* | This element specifies an Xpath expression describing the text node(s) or attribute(s) to look at. Any valid Xpath 1.0 statement is usable with one exception, at most one field may be identified in the Xpath. |
System Route Information
This is used to collect system route information. It includes destination, ip address, gateway, netmask, flags, metric, MTU, type and interface name.
| Child Elements | Description |
| Destination | This element specifies the destination IP address or subnet of the traffic for a specific route entry. |
| Flags | This element specifies the flag for a specific route entry. |
| Gateway | This element specifies the gateway for a specific route entry. |
| Network Interfaces | This element specifies the interface for a specific route entry. |
| Metric | This element specifies the metric for a specific route entry. |
| Maximum transmission unit(MTU) | This element specifies maximum transmission unit. |
| Netmask | This element specifies the netmask for a specific route entry. |
| Type | This element specifies the type of route. Example: local, static, router, gateway |
System Setup
This is used to collect system setup properties.
| Child Elements | Description |
| Allow power button to sleep computer | This element specifies the value that specifies whether the dynamic host configuration protocol (DHCP) is enabled for this adapter. |
| Computer name | This element specifies the computer’s name. |
| Computer sleep | This element specifies the computer sleep inactivity timer, or 0 for never. |
| Disable keyboard when enclosure lock is engaged | This element specifies whether the keyboard is locked when the closure lock is engaged. |
| Display sleep | This element specifies the display sleep inactivity timer, or 0 for never. |
| Harddisk sleep | This element specifies the hard disk sleep inactivity timer, or 0 for never. |
| Kernel boot architecture setting | This element specifies the kernel boot architecture setting. |
| Network time server | This element specifies the network time server. |
| Remote Apple events | This element specifies whether remote Apple events are enabled. |
| Remote login | This element specifies whether remote logins are allowed. |
| Restart freeze | This element specifies whether the computer will restart after freezing. |
| Startup disk | This element specifies the startup disk. |
| Using network time | This element specifies whether the machine is using network time. |
| Wait for startup after power failure | This element specifies the number of seconds the computer waits to start up after a power failure. |
| Wake on modem | This element specifies whether the computer will wake up if the modem is accessed. |
| Wake on network access | This element specifies whether the computer will wake up if the network is accessed. |
Text File Content
This looks at the content of a text file (aka a configuration file) by looking at in idual lines. File path, pattern and instance are mandatory for this query while submitting to agents.
| Child Elements | Description |
| File path* | This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path. |
| Pattern* | The pattern entity represents a regular expression that is used to define a block of text. Subexpression notation (parenthesis) is used to call out a value(s) to test against. For example, the pattern abc(.*)xyz would look for a block of text in the file that starts with abc and ends with xyz, with the subexpression being all the characters that exist in between. Note that If pattern can match more than one block of text starting at the same point, then it matches the longest. Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later. |
| Instance* | The instance entity calls out which match of the pattern is being represented by this item. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. The main purpose of this entity is too provide uniqueness for different items that results from multiple matches of a given pattern against the same file. |
| Text | The text entity represents the block of text that matched the specified pattern. |
| Sub-expression | The sub-expression entity represents the value of a subexpression in the specified pattern. If multiple subexpressions are specified in the pattern, then multiple entities are presented. |
| Windows view | Not applicable for Unix based systems. The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64-bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems. |
Unix name(uname)
This is used to collect various information about operating system. It includes hardware id, operating system name, version, release, processor type, time zone and locale.
| Child Elements | Description |
| Locale | This element specifies the locale |
| Machine class | This element specifies the hardware identifier |
| Node name | This element indicates name of the present machine in some undefined network |
| Operating system name | This element specifies the name of the operating system. |
| Operating system release | This element specifies the release version of the operating system. |
| Operating system version | This element specifies the version of the operating system. |
| Processor type | This element specifies the hardware identifier |
| Time zone | This element specifies the time zone |
Wireless Information
This is used to collect various information about wireless connection. It includes wireless name, state, mac address, SSID, interface description, network is infrastructure or ad hoc, frequency, receiving rate, transmission rate, signal quality and security enabled or disabled.
| Child Elements | Description |
| WLAN BSS Network type | This element specifies whether the network is infrastructure or ad hoc. |
| WLAN Physical mode | This element represents the bandwidth of wireless frequency, example: 802.11 a,b,g,n. |
| WLAN Interface name | This element specifies the wireless interface name. |
| WLAN MAC address | This element specifies physical hardware address wireless interface. |
| WLAN Receiving rate | This element specifies the receiving rate of the association (in decibel-milliwatt/dBm). |
| WLAN Security | This element specifies security used to prevent unauthorized access to the network. Example: WPA, WEP |
| WLAN SSID | This element specifies the contains the SSID of the association. |
| WLAN Transmission rate | This element specifies the transmission rate of the association. |
Symlink
This is used to obtain canonical path information for symbolic links. File path is a mandatory field while submitting to agents.
| Child Elements | Description |
| Canonical path | Specifies the canonical path for the target of a symbolic link file specified by the filepath. |
| Filepath* | Specifies the filepath used to create the object. |
Routing table
This is used to check information about the IPv4 and IPv6 routing table entries found in a system’s primary routing table. It is important to note that only numerical addresses will be collected and that their symbolic representations will not be resolved. This equivalent to using the ‘-n’ option with route(8) or netstat(8). Destination is a mandatory field while submitting to agents.
| Child Elements | Description |
| Destination* | The destination IP address prefix of the routing table entry. This is the destination IP address and netmask/prefix-length expressed using CIDR notation. |
| Flags | The flags associated with the specified routing table entry. |
| Gateway | The gateway of the specified routing table entry. |
| Interface name | The name of the interface associated with the routing table entry. |
File extended attribute
This is used to check extended attribute values associated with UNIX files, of the sort returned by the getfattr command or getxattr() system call. This will collect all UNIX file types (directory, regular file, character device, block device, fifo, symbolic link, and socket). File path and attribute name are mandatory fields while submitting to agents.
| Child Elements | Description |
| Attribute name* | This is the extended attribute’s name, identifier or key. |
| File path* | The filepath element specifies the absolute path for a file on the machine. A directory can be specified as a filepath. |
| Value | The value entity represents the extended attribute’s value or contents. To check for an attribute with no value assigned to it, this entity would be used with an empty value. |
GConf
This is used to check the attributes and value(s) associated with GConf preference keys. This can be used to define the preference keys to collect and the sources from which to collect the preference keys. Key and source are mandatory fields while submitting to agents
| Child Elements | Description |
| Is default? | Is the preference key value the default value. If true, the preference key value is the default value. If false, the preference key value is not the default value. |
| Is writable? | Is the preference key writable? If true, the preference key is writable. If false, the preference key is not writable. |
| Key* | The preference key to check. |
| Source* | The source used to look up the preference key. This element specifies the source from which to collect the preference key. The source is represented by the absolute path to a GConf XML file as XML is the current backend for GConf. Note that other backends may become available in the future. |
| Time modified | The time the preference key was last modified in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970. |
| Type | The type of the preference key. |
| User modified | The user who last modified the preference key. |
| Value | The value of the preference key. |
Property list ‘plist’ (With App ID)
Note: Do not combine Property list ‘plist’ (With File path) with this query.
This is used to check the value(s) associated with property list preference keys. It can be used to represent any plist file in XML form (whether its native format is ASCII text, binary, or XML), permitting the use of the XPATH query language to explore its contents. App ID and XPath are mandatory fields while submitting to agents.
| Child Elements | Description |
| App id* | The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari). |
| Value of | The value of the preference key. |
| XPath* | Specifies an XPath 1.0 expression to evaluate against the XML representation of the plist file specified by the filename or app_id entity. Note that “equals” is the only valid operator for the xpath entity. |
Property list ‘plist’ (With File path)
Note: Do not combine Property list ‘plist’ (With App ID) with this query.
This is used to check the value(s) associated with property list preference keys. It can be used to represent any plist file in XML form (whether its native format is ASCII text, binary, or XML), permitting the use of the XPATH query language to explore its contents. File path command XPath are mandatory fields while submitting to agents.
| Child Elements | Description |
| File path* | The absolute path to a plist file (e.g. /Library/Preferences/com.apple.TimeMachine.plist). A directory cannot be specified as a filepath. |
| Value of | The value of the preference key. |
| XPath* | Specifies an XPath 1.0 expression to evaluate against the XML representation of the plist file specified by the filename or app_id entity. Note that “equals” is the only valid operator for the xpath entity. |
</ >
< id=”Macxmlfilecontent” class=”col-md-12″>
XML File Content
This element is used by a xml file content test to define the specific piece of an xml file(s) to be evaluated. This will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. The set of files to be evaluated will be identified with a complete File path. File path and XPath are mandatory fields while submitting to agents.
| Child Elements | Description |
| File path* | This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path. |
| XPath* | Specifies an XPath 1.0 expression to evaluate against the XML file specified by the filename entity. This XPath 1.0 expression must evaluate to a list of zero or more text values which will be accessible in OVAL via instances of the value_of entity. Any results from evaluating the XPath 1.0 expression other than a list of text strings (e.g., a nodes set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute. However, an OVAL interpreter is not required to verify this, so the author should define the XPath expression carefully. Note that “equals” is the only valid operator for the xpath entity. |
| Value of | This element checks the value(s) of the text node(s) or attribute(s) found. |
| Windows view | The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems. |
Software Licenses
This is used to collect information of Software Licenses. It includes software name and license information.
| Child Elements | Description |
| Software family | This element specifies the family of the software application. |
| Software name | This element specifies the name of the software application. |
| Software license | This element specifies the license serial number of the software application. |
| Software version | This element specifies the version of the software application. |
Missing Patches
This is used to investigate missing patches and security fixes in a computer system.
| Child Elements | Description |
| Patch description | This element describes a patch. |
| Patch ID | A unique identification number associated with a patch. |
| Patch name | This element specifies the patch name. |
| Patch rollback available | This element specifies if rollback is possible for this patch. Possible values are TRUE or FALSE. An empty value appears if it cannot be determined. |
| Patch severity | This element specifies severity of a patch. Possible values: Important, Critical, etc. An empty value appears if it cannot be determined. |
| Patch size | This element specifies size of a patch. Values are specified in bytes. A value UNKNOWN appears if patch size cannot be determined. |
| Reboot required | This element specifies if reboot is required after patch installation. Passible values are TRUE or FALSE. |
| Platform CPE | This element specifies platform CPE ID associated with the patch. |
| Product CPE | This element specifies product CPE ID associated with the patch. Note: This value is empty when a patch is associated with an operating system. |
Common Probes
Environment Variables
This is used to collect system environment variable information. It includes environment variable name, value and process id.
| Child Elements | Description |
| Name | This element specifies name of the environment variable |
| Process ID(PID) | This element specifies PID of a process |
| Value | This element specifies value of the environment variable |
Family of Operating System
This is used to collect operating system(OS) family, standard values being windows, unix or macos(Mac OS).
| Child Elements | Description |
| family of operating system | This element specifies operating system family. |
Text File Content
This looks at the content of a text file (aka a configuration file) by looking at in idual lines. File path, pattern and instance are mandatory while submitting to agents.
| Child Elements | Description |
| File path* | This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path. |
| Pattern/Text* | This entity represents a block of text or regular expression that is used to define a block of text. Subexpression notation (parenthesis) is used to call out a value(s) to test against. For example, the pattern abc(.*)xyz would look for a block of text in the file that starts with abc and ends with xyz, with the subexpression being all the characters that exist in between. Note that If pattern can match more than one block of text starting at the same point, then it matches the longest. Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later. |
| Instance* | The instance entity calls out which match of the pattern is being represented by this item. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. The main purpose of this entity is too provide uniqueness for different items that results from multiple matches of a given pattern against the same file. |
| Sub-expression | The sub-expression entity represents the value of a subexpression in the specified pattern. If multiple subexpressions are specified in the pattern, then multiple entities are presented. |
| Windows view | Not applicable for Unix based systems. The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64-bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems. |
XML File Content
This element is used by a xml file content test to define the specific piece of an xml file(s) to be evaluated. This will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. The set of files to be evaluated will be identified with a complete File path. File path and XPath are mandatory fields while submitting to agents.
| Child Elements | Description |
| File path* | This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path. |
| Value of | This element checks the value(s) of the text node(s) or attribute(s) found. |
| Windows view | The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems. |
| XPath* | Specifies an XPath 1.0 expression to evaluate against the XML file specified by the filename entity. This XPath 1.0 expression must evaluate to a list of zero or more text values which will be accessible in OVAL via instances of the value_of entity. Any results from evaluating the XPath 1.0 expression other than a list of text strings (e.g., a nodes set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute. However, an OVAL interpreter is not required to verify this, so the author should define the XPath expression carefully. Note that “equals” is the only valid operator for the xpath entity. |
SanerNow Responses
Actions that can be performed on endpoints
Enable device
Enables specified device names from the list. Select the devices to be enabled.| Parameter | Description |
| Not applicable | Not applicable |
Disable device
Disables specified device names from the list. Select the devices to be disabled.| Parameter | Description |
| Not applicable | Not applicable |
Add ARP entry
Adds a specified ARP(Address Resolution Protocol) entry into the ARP cache.| Parameter | Description |
| Network Interface Index | The local index value for the network interface associated with this IP address. This index value may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent. |
| Network Interface Locally Unique ID | The locally unique identifier (LUID) for the network interface associated with this IP address. Value must be always 0. |
| IP Address | The IP address of the system. This member can be an IPv6 address or an IPv4 address. |
| MAC Address | The physical hardware address of the adapter for the network interface associated with this IP address. |
Delete ARP entry
Deletes a specified ARP entry from the ARP cache.| Parameter | Description |
| Network Interface Index | The local index value for the network interface associated with this IP address. This index value may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent. |
| Network Interface Locally Unique ID | The locally unique identifier (LUID) for the network interface associated with this IP address. Value must be always 0. |
| IP Address | The IP address of the system. This member can be an IPv6 address or an IPv4 address. |
| MAC Address | The physical hardware address of the adapter for the network interface associated with this IP address. |
Modify ARP entry
Modifies a specified ARP entry from the ARP cache.| Parameter | Description |
| Network Interface Index | The local index value for the network interface associated with this IP address. This index value may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent. |
| Network Interface Locally Unique ID | The locally unique identifier (LUID) for the network interface associated with this IP address. Value must be always 0. |
| IP Address | The IP address of the system. This member can be an IPv6 address or an IPv4 address. |
| MAC Address | The physical hardware address of the adapter for the network interface associated with this IP address. |
Flush all ARP entries
Flush all arp entries from the ARP cache.| Parameter | Description |
Enable device
Enables specified device names from the list. Select the devices to be enabled.| Parameter | Description |
| Not applicable | Not applicable |
Disable device
Disables specified device names from the list. Select the devices to be disabled.| Parameter | Description |
| Not applicable | Not applicable |
Add ARP entry
Adds a specified ARP(Address Resolution Protocol) entry into the ARP cache.| Parameter | Description |
| Network Interface Index | The local index value for the network interface associated with this IP address. This index value may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent. |
| Network Interface Locally Unique ID | The locally unique identifier (LUID) for the network interface associated with this IP address. Value must be always 0. |
| IP Address | The IP address of the system. This member can be an IPv6 address or an IPv4 address. |
| MAC Address | The physical hardware address of the adapter for the network interface associated with this IP address. |
Delete ARP entry
Deletes a specified ARP entry from the ARP cache.| Parameter | Description |
| Network Interface Index | The local index value for the network interface associated with this IP address. This index value may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent. |
| Network Interface Locally Unique ID | The locally unique identifier (LUID) for the network interface associated with this IP address. Value must be always 0. |
| IP Address | The IP address of the system. This member can be an IPv6 address or an IPv4 address. |
| MAC Address | The physical hardware address of the adapter for the network interface associated with this IP address. |
Modify ARP entry
Modifies a specified ARP entry from the ARP cache.| Parameter | Description |
| Network Interface Index | The local index value for the network interface associated with this IP address. This index value may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent. |
| Network Interface Locally Unique ID | The locally unique identifier (LUID) for the network interface associated with this IP address. Value must be always 0. |
| IP Address | The IP address of the system. This member can be an IPv6 address or an IPv4 address. |
| MAC Address | The physical hardware address of the adapter for the network interface associated with this IP address. |
Flush all ARP entries
Flush all arp entries from the ARP cache.| Parameter | Description |
Flush ARP IPV4 entries
Flush all IPv4 ARP entries from the ARP cache.| Parameter | Description |
| Not applicable | Not applicable |
Flush ARP IPV6 entries
Flush all IPv6 ARP entries from the ARP cache.| Parameter | Description |
| Not applicable | Not applicable |
Block Domain
Block a specified domain name.| Parameter | Description |
| Domain Name | A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
Add entry into host file
Adds an entry into the hosts file.| Parameter | Description |
| Domain Name | A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
| IP Address | The IP address of the system. This member can be an IPv6 address or an IPv4 address. |
Delete entry from host file
Deletes an entry from the hosts file.| Parameter | Description |
| Domain Name | A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
| IP Address | The IP address of the system. This member can be an IPv6 address or an IPv4 address. |
Modify entry from host file
Updates an existing hosts entry to new entry.| Parameter | Description |
| Domain Name | A old domain name present in the hosts file on the system. Domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
| IP Address | An old IP address present in hosts file on the system. This member can be an IPv6 address or an IPv4 address. |
| New Domain Name | A new domain name. Domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
| New IP Address | The new IP address present in hosts file on the system. This member can be an IPv6 address or an IPv4 address. |
Flush all entries from host file
Flush all entries from hosts file.| Parameter | Description |
| Not applicable | Not applicable |
Modify NTP Server
Updates NTP server URL. The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.| Parameter | Description |
| NTP Server URL | URL of an NTP server for clock synchronization. |
Network connection kill
Kills a specified network connection.| Parameter | Description |
| Local IP Address | The local IPv4 address for the TCP connection on the local computer. A value of zero indicates the listener can accept a connection on any interface. |
| Local Port | The local port number in network byte order for the TCP connection on the local computer. |
| Remote IP Address | The IPv4 address for the TCP connection on the remote computer. |
| Remote Port | The remote port number in network byte order for the TCP connection on the remote computer. |
Start process
Start specified processes using a list of process names. Select process names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Stop process by process ID
Stop specified processes using a list of process IDs. Select process IDs from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Stop process by name
Stop specified processes using a list of process names. Select process names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Process block
Block specified processes from execution using a list of process names. Select process names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Process unblock
Unblock specified processes from execution using a list of process names. Select process names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Quarantine
Isolate a specific file to prevent it from any read/write or execution operations. Enter the absolute path of file to be quarantined.| Parameter | Description |
| Not applicable | Not applicable |
Clean DLL
Cleanup all unwanted shared DLL registry entries from the system.| Parameter | Description |
| Not applicable | Not applicable |
Clean font
Cleanup all unwanted fonts registry entries from the system.| Parameter | Description |
| Not applicable | Not applicable |
Clean help
Cleanup all unwanted system help registry entries from the system.| Parameter | Description |
| Not applicable | Not applicable |
Clean installer
Cleanup all unwanted installer registry entries from the system.| Parameter | Description |
| Not applicable | Not applicable |
Clean MRU(Most Recently Used)
Cleanup recent items, browsing history, run command history, file search history, WordPad recent history, regedit favourites, Microsoft Paint and Media player history, Explorer search history. (Applicable for Windows systems only)| Parameter | Description |
| Recently opened programs | Recently opened programs |
| Explorer history | Explorer history |
| Internet Search Assistant | Internet Search Assistant |
| Mediaplayer recent files list | Mediaplayer recent files list |
| MediaPlayer recent URLs list | MediaPlayer recent URLs list |
| Microsoft Paint history | Microsoft Paint history |
| Printers, Computers and People | Printers, Computers and People |
| Recent documents | Recent documents |
| Regedit last accessed keys history | Regedit last accessed keys history |
| Registry favourite list | Registry favourite list |
| Run command history | Run command history |
| Search history | Search history |
| Last visited URL history | Last visited URL history |
| WordPad recent history | WordPad recent history |
Clean MUI
Cleanup all unwanted shell MUI(Multilingual User Interface) cache registry entries from the system.| Parameter | Description |
| Not applicable | Not applicable |
Clean start
Cleanup all unwanted startup registry items from the system.| Parameter | Description |
| Not applicable | Not applicable |
Clean system
Cleanup all unwanted system registry entries.| Parameter | Description |
| Not applicable | Not applicable |
Clean uninstaller
Cleanup all unwanted uninstaller registry entries from the system.| Parameter | Description |
| Not applicable | Not applicable |
Clean user
Cleanup all unwanted user registry entries from the system.| Parameter | Description |
| Not applicable | Not applicable |
Add registry
Add a registry entry in the system.| Parameter | Description |
| Registry Type | The type can be one of the following: 1) key – to create key 2) value – to create a value under a key |
| Registry Hive | The root key in the registry (e.g HKEY_LOCAL_MACHINE (HKLM), HKEY_USERS (HKU) etc.) |
| Registry Sub-key | Each root key has its own related keys which are known as sub keys |
| Registry Data | Name in the name/value pair stored within keys |
| Registry Value | Data in name/value pair stored within keys |
| Registry Value Type | The ValueType can be one of the following: REG_SZ, REG_DWORD, REG_BINARY, REG_EXPAND_SZ, REG_MULTI_SZ, REG_QWORD |
Modify registry
Modifies an existing registry value entry.| Parameter | Description |
| Registry Type | The type can be one of the following: 1) key – to create key 2) value – to create a value under a key |
| Registry Hive | The root key in the registry (e.g HKEY_LOCAL_MACHINE (HKLM), HKEY_USERS (HKU) etc) |
| Registry Sub-key | Each root key has its own related keys which are known as sub keys |
| Registry Data | Name in the name/value pair stored within keys |
| Registry Value | Data in name/value pair stored within keys |
| Registry Value Type | The ValueType can be one of the following: REG_SZ, REG_DWORD, REG_BINARY, REG_EXPAND_SZ, REG_MULTI_SZ, REG_QWORD |
Delete registry
Deletes an existing registry entry.| Parameter | Description |
| Registry Type | The type can be one of the following: 1) key – to create key 2) value – to create a value under a key |
| Registry Hive | The root key in the registry (e.g HKEY_LOCAL_MACHINE (HKLM), HKEY_USERS (HKU) etc) |
| Registry Sub-key | Each root key has its own related keys which are known as sub keys |
| Registry Data | Name in the name/value pair stored within keys |
| Registry Value | Data in name/value pair stored within keys |
| Registry Value Type | The ValueType can be one of the following: REG_SZ, REG_DWORD, REG_BINARY, REG_EXPAND_SZ, REG_MULTI_SZ, REG_QWORD |
Service start
Start specified services by service name. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Service stop
Stop specified services by service name. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Service restart
Restart specified services by service name. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Service remove
Remove specified services by service name. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Service start type automatic
Change service start option to automatic mode using service name. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Service start type manual
Change service start option to manual mode using service name. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Service start type disabled
Change service start option to disabled mode using service name. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Remove programs from startup
Removes program entries from Windows startup. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Remove scheduled program
Removes scheduled programs from Windows schedule. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Reboot
Reboots the system.| Parameter | Description |
| Message | A specified message will be displayed to logged-in user before reboot. |
| Time in minutes | The specified time(expressed in minutes) after which the system would reboot. Provide a value of 0 to reboot immediately. |
Shutdown
Shutdown the system.| Parameter | Description |
| Message | The specified message will be displayed to logged-in user before shutdown. |
| Time in minutes | The specified time(expressed in minutes) after which the system would shutdown. Provide a value of 0 to shutdown immediately. |
Clean cache
Clean cache for the following – internet cache, dns cache, thumbnail cache, prefetch cache for the current logged-in user.| Parameter | Description |
| DNS Cache | Cleans up DNS cache. DNS cache stores the locations (IP addresses) of web servers that contain web pages which you have recently viewed. |
| Internet Cache | Cleans up Internet cache. Internet cache is a temporary storage (caching) of web documents, such as HTML pages and images. |
| Thumbnail Cache | Cleans up Thumbnail cache. A thumbnail cache is used to store thumbnail images for Windows Explorer’s thumbnail view. |
| Prefetch Cache | Cleans up Prefetch cache. A prefetch cache is used to help speed up the loading of programs in Windows. |
Clean clipboard
Clean the clipboard for the current logged in user.| Parameter | Description |
| Not applicable | Not applicable |
Clean custom path
Delete an file or directory for the current logged-in user. Enter the absolute file or directory path which needs to be deleted.| Parameter | Description |
| Not applicable | Not applicable |
Clear error reports
Clear windows error reports for the current logged-in user.| Parameter | Description |
| Not applicable | Not applicable |
Clean recent places
Clear user recent places for the current logged-in user.| Parameter | Description |
| Not applicable | Not applicable |
Empty recycle-bin
Empty recycle bin for the current logged-in user.| Parameter | Description |
| Not applicable | Not applicable |
Clean CMD history
Clear run command history from the system.| Parameter | Description |
| Not applicable | Not applicable |
Clear temporary files
Clean temporary folders from the system.| Parameter | Description |
| Not applicable | Not applicable |
Clean windows credential
Clear Windows credentials for the current logged-in user.| Parameter | Description |
| Not applicable | Not applicable |
Clear windows update files
Clean windows update files from the system.| Parameter | Description |
| Not applicable | Not applicable |
Enable firewall for all profiles
Enable firewall for all three profiles: domain, private and public. The domain profile applies to networks where the host system can authenticate to a domain controller. The private profile is a user-assigned profile and is used to designate private or home networks. Lastly, the default profile is the public profile, which is used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.| Parameter | Description |
| Not applicable | Not applicable |
Enable firewall for domain profile
Enable firewall for domain profile. The domain profile applies to networks where the host system can authenticate to a domain controller.| Parameter | Description |
| Not applicable | Not applicable |
Enable firewall for private profile
Enable firewall for private profile. The private profile is a user-assigned profile and is used to designate private or home networks.| Parameter | Description |
| Not applicable | Not applicable |
Disable firewall for public profile
Enable firewall for public profile. The public profile is used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.| Parameter | Description |
| Not applicable | Not applicable |
Disable firewall for all profiles
Disable firewall for all three profiles: domain, private and public. The domain profile applies to networks where the host system can authenticate to a domain controller. The private profile is a user-assigned profile and is used to designate private or home networks. Lastly, the default profile is the public profile, which is used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.| Parameter | Description |
| Not applicable | Not applicable |
Disable firewall for domain profile
Disable firewall for domain profile. The domain profile applies to networks where the host system can authenticate to a domain controller.| Parameter | Description |
| Not applicable | Not applicable |
Disable firewall for private profile
Disable firewall for private profile. The private profile is a user-assigned profile and is used to designate private or home networks.| Parameter | Description |
| Not applicable | Not applicable |
Disable firewall for public profile
Disable firewall for public profile. The public profile is used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.| Parameter | Description |
| Not applicable | Not applicable |
Application block
Block a specified application from execution. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Application unblock
Unblock the specified application from execution. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Application Management
Install or uninstall applications.| Parameter | Description |
| Command | The value is either ‘install’ or ‘uninstall’ |
| Install Method | There are two types of installation methods:
|
| Application executable | Provide the executable path. |
| URL | URL that servers the installation file. |
| Application name | Name of the application to uninstall. |
| Application architecture | The value is either ‘x86’ or ‘x64’ |
| Silent mode option | Option to install the application in silent mode. |
| Additional options | Any additional command line option that need to be executed. |
| Application access | To install the application to all users or currently logged on user. The values are ‘AllUser’ or ‘currentUser’ |
| Disable shortcut | To disable shortcut creation, provide the option to disable shortcut. |
| Notify for reboot | Show a notification window to the user that a reboot is required post installation/uninstallation. |
Patch Management
Install a patch.| Parameter | Description |
| Command | The value is install |
| Install Method | There are two types of installation methods:
|
| Application executable | Provide the executable path. |
| URL | URL that servers the installation file. |
| Silent mode option | Option to install the application in silent mode. |
| Additional options | Any additional command line option that need to be executed. |
| Notify for reboot | Show a notification window to the user that a reboot is required post installation/uninstallation. |
Remediation Rule
Rules to Include/Exclude applications, patches, or configuration that takes into effect during remediation of a group of devices. Enable auto reboot to allow machines to restart(as required) after remediation. This avoids user intervention while applying patches to the systems.| Parameter | Description |
| Not applicable | Not applicable |
Remediation job
A Short-lived remediation task to include application patches/configuration that can be applied to a customized set of devices. Enable auto reboot to allow machines to reboot multiple times while remediation. This avoids user intervention while applying patches to the systems.| Parameter | Description |
| Not applicable | Not applicable |
Application block
Block a specified application from execution. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Application unblock
Unblock the specified application from execution. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Enable device
Enables specified device names from the list. Select the devices to be enabled, or enter custom driver names in the input box.| Parameter | Description |
| Not applicable | Not applicable |
Disable device
Disables specified device names from the list. Select the devices to be disabled, or enter custom driver names in the input box.| Parameter | Description |
| Not applicable | Not applicable |
Add an entry into /etc/hosts file
Adds an entry into /etc/hosts file.| Parameter | Description |
| Domain Name | A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
| IP Address | The IP address of the system. This member can be an IPv6 address or an IPv4 address. |
Add Protocol Entry
Adds protocol entry into /etc/protocol file. This file describes the various DARPA internet protocols that are available from the TCP/IP subsystem.| Parameter | Description |
| Protocol Alias | The aliases for the protocol. |
| Protocol Name | The native name for the protocol. For example ip, tcp, or udp. |
| Protocol Number | The official number for this protocol as it will appear within the IP header. |
Add Route
Adds new routing entry into network routing table.| Parameter | Description |
| Gateway | The gateway to be added into routing table. A gateway is a network point that acts as an entrance to another network. |
| Interface Name | The device interface name. |
| IP Address | The ip address to be added into routing table. |
| Route Type | This element specifies the route type. |
| Netmask | A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. eg: 255.255.255.0 |
Add Service Entry
Adds service entry into Internet network services list /etc/services file. This file provides a mapping between human-friendly textual names for internet services, and their underlying assigned port numbers and protocol types.| Parameter | Description |
| Service Alias | The service alias. An optional space or tab separated list of other names for this service. |
| Service Name | The friendly name the service is known by and looked up under. |
| Service Port Number | The port number to use for this service. |
| Service Protocol | The type of protocol to be used. This field should match an entry in the /etc/protocols file. |
Block Domain
Block a specified domain name.| Parameter | Description |
| Domain Name | A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
Add ARP entry
Add a specified ARP entry into ARP cache.| Parameter | Description |
| Interface Name | This interface name will be associated with the an arp entry. |
| IP Address | The IP address of the system. This member can be an IPv6 address or an IPv4 address. |
| MAC Address | The physical hardware address of the adapter for the network interface associated with this IP address. |
Delete ARP entry
Deletes a specified ARP entry from the ARP cache.| Parameter | Description |
| Interface Name | This interface name will be associated with the an arp entry. |
| IP Address | The IP address of the system. This member can be an IPv6 address or an IPv4 address. |
Delete an entry from /etc/hosts file
Deletes an entry from /etc/hosts file.| Parameter | Description |
| Domain Name | A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
Delete Protocol Entry
Deletes protocol entry from /etc/protocol file. This file describes the various DARPA internet protocols that are available from the TCP/IP subsystem.| Parameter | Description |
| Protocol Name | The native name for the protocol. For example ip, tcp, or udp. |
| Protocol Number | The official number for this protocol as it will appear within the IP header. |
Delete Route
Deletes existing routing entry from network routing table.| Parameter | Description |
| Gateway | The gateway to be added into routing table. A gateway is a network point that acts as an entrance to another network. |
| Interface Name | The device interface name. |
| IP Address | The ip address to be added into routing table. |
| Route Type | This element specifies the route type. |
| Netmask | A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. eg: 255.255.255.0 |
Delete Service Entry
Delete service entry from Internet network services list /etc/services file. This file provides a mapping between human-friendly textual names for internet services, and their underlying assigned port numbers and protocol types.| Parameter | Description |
| Service Name | The friendly name the service is known by and looked up under. |
| Service Port Number | The port number to use for this service. |
| Service Protocol | The type of protocol to be used. This field should match an entry in the /etc/protocols file. |
Disable IP Forwarding
Disables IP forwarding also known as Internet routing. IP forwarding is a concept to make Linux machine to send data from one network to other, this is same as a router.| Parameter | Description |
| Not applicable | Not applicable |
Enable IP Forwarding
Enables IP forwarding also known as Internet routing. IP forwarding is a concept to make Linux machine to send data from one network to other, this is same as a router.| Parameter | Description |
| Not applicable | Not applicable |
Flush all ARP entries
Flush all arp entries from the ARP cache.| Parameter | Description |
| Not applicable | Not applicable |
Flush all entries from /etc/hosts file
Flush all entries from /etc/hosts file.| Parameter | Description |
| Not applicable | Not applicable |
Modify ARP entry
Modifies a specified ARP entry from the ARP cache.| Parameter | Description |
| Interface Name | The device interface name. |
| IP Address | The IP address of the system. This member can be an IPv6 address or an IPv4 address. |
| MAC Address | The physical hardware address of the adapter for the network interface associated with this IP address. |
Modify entry from host file
Updates an existing hosts entry to new entry.| Parameter | Description |
| Domain Name | A old domain name present in the hosts file on the system. Domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
| IP Address | An old IP address present in hosts file on the system. This member can be an IPv6 address or an IPv4 address. |
| New Domain Name | A new domain name. Domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
| New IP Address | The new IP address present in hosts file on the system. This member can be an IPv6 address or an IPv4 address. |
Modify Protocol Entry
Updates existing protocol entry from /etc/protocol file. This file describes the various DARPA internet protocols that are available from the TCP/IP subsystem.| Parameter | Description |
| New Protocol Alias | The new protocol alias for the protocol. |
| New Protocol Name | The new protocol name. Native name for the protocol. For example ip, tcp, or udp. |
| New Protocol Number | The new protocol number. Official number for this protocol as it will appear within the IP header. |
| Protocol Alias | The protocol alias for the protocol. |
| Protocol Name | The protocol name. Native name for the protocol. For example ip, tcp, or udp. |
| Protocol Number | The protocol number. Official number for this protocol as it will appear within the IP header. |
Modify Route
Updates existing routing entry with new entry into network routing table.| Parameter | Description |
| Gateway | The gateway to be added into routing table. A gateway is a network point that acts as an entrance to another network. |
| Interface Name | The device interface name. |
| IP Address | The ip address to be added into routing table. |
| New Gateway | The new gateway to be added into routing table. A gateway is a network point that acts as an entrance to another network. |
| New Interface Name | The new device interface name. |
| New IP Address | The new network mask to be added into routing table. A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. |
| New Route Type | This element specifies the new route type. |
| Route Type | This element specifies the old route type. |
| Netmask | A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. eg: 255.255.255.0 |
| New Netmask | The new netmask address to be added into routing table. |
Modify Service Entry
Updates existing service entry from Internet network services list /etc/services file. This file provides a mapping between human-friendly textual names for internet services, and their underlying assigned port numbers and protocol types.| Parameter | Description |
| New Service Port Number | The new port number to use for this service. |
| New Service Protocol | The new type of protocol to be used. This field should match an entry in the /etc/protocols file. |
| Service Name | The existing friendly name the service is known by and looked up under. |
| Service Port Number | The existing port number to use for this service. |
| Service Protocol | The existing type of protocol to be used. This field should match an entry in the /etc/protocols file. |
Network connection kill
Kills a specified network connection.| Parameter | Description |
| Local Port | The local port number in network byte order for the TCP connection on the local computer. |
Unblock Domain
Unblock a specified blocked domain name.| Parameter | Description |
| Domain Name | A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
Process block
Block specified processes from execution using a list of process names. Select process names from the list or provide comma separated values.| Parameter | Description |
Start process
Start specified processes using a list of process names. Select process names from the list or provide comma separated values.| Parameter | Description |
Stop process by process ID
Stop specified processes using a list of process IDs. Select process IDs from the list or provide comma separated values.| Parameter | Description |
Stop process by name
Stop specified processes using a list of process names. Select process names from the list or provide comma separated values.| Parameter | Description |
Process unblock
Unblock specified processes from execution using a list of process names. Select process names from the list or provide comma separated values.| Parameter | Description |
Append Firewall(iptables) Rules
Appends rules at the end of IP table.| Parameter | Description |
| Rules | Ip table rule to be added i/p eg: INPUT -i eth0 -p tcp –dport 110 -j ACCEPT |
Change File Ownership
Change ownership of a given filepath.| Parameter | Description |
| File Path | Absolute filepath |
| Group name | group to be changed for given filepath (optional) |
| User name | username to be changed for given filepath. |
Change File Permission
Change permission of a given filepath.| Parameter | Description |
| File Path | Absolute filepath |
| File Permission | permission similar to “644” for |
Delete Firewall(iptables) Rules
Delete rules from the IP tables.| Parameter | Description |
| Rules | Ip table rule to be deleted i/p eg: INPUT 2 |
Disable Firewall(iptables)
Disables/Stops firewall.| Parameter | Description |
| Not applicable | Not applicable |
Enable Firewall(iptables)
Enables/Start firewall.| Parameter | Description |
| Not applicable | Not applicable |
Flush Firewall(iptables) Rules
Clears all IP table rules.| Parameter | Description |
| Not applicable | Not applicable |
Insert Firewall(iptables) Rules
Insert rules in the beging for IP tables.| Parameter | Description |
| Rules | Ip table rule to be added i/p eg: INPUT -i eth0 -p tcp –dport 22 -j ACCEPT |
Replace Firewall(iptables) Rules
Replace specific rule from the IP table| Parameter | Description |
| Rules | ip table rule to be replaced i/p eg: INPUT 2 -i eth0 -p tcp –dport 26 -j ACCEPT |
Restart Firewall(iptables)
Restart and reinforce firewall rules.| Parameter | Description |
| Not applicable | Not applicable |
Set ASLR Status
Set Address space layout randomization (ASLR) setting| Parameter | Description |
| Permanent or Temporary | One of the following setting : permanent or temporary(valid till next reboot) |
| ASLR Status Value | One of the following setting : 0 – ASLR Off (Process address space randomization off) 1 – ASLR On for mmap base, stack and VDSO page(Conservative randomization) 2 – ASLR On for mmap base, stack, VDSO page and heap (Full randomization) |
Set SELinux Status
Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. It provides information about SE linux setting.| Parameter | Description |
| SE Linux Status | One of the following setting : 0 – Permissive (SELinux logs warnings instead of enforcing), 1 – Enforcing (SELinux security policy is enforced) |
Set sysctl Settings
Set sysctl kernel setting. sysctl is an interface for examining and dynamically changing parameters in Unix-like operating systems.| Parameter | Description |
| Not applicable | Not applicable |
Service restart
Restart specified services by service name. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Service start
Start specified services by service name. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Service stop
Stop specified services by service name. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Mount Filesystem
Mounts a file system to a local folder.| Parameter | Description |
| Destination Path | This element specified the destination path to mount filesystem. |
| Read-only value | This element specifies the read only value (true/false) |
| Source Path | This element specifies the source path to mount a file system. |
Reboot
Reboots the system.| Parameter | Description |
| Message | A specified message will be displayed to logged-in user before reboot. |
| Time in minutes | The specified time(expressed in minutes) after which the system would reboot. Provide a value of 0 to reboot immediately. |
Shutdown
Shutdown the system.| Parameter | Description |
| Message | The specified message will be displayed to logged-in user before shutdown. |
| Time in minutes | The specified time(expressed in minutes) after which the system would shutdown. Provide a value of 0 to shutdown immediately. |
Unmount Filesystem
Unmount a file system from the local system.| Parameter | Description |
| Mount Point | This element specifies the mount point where the filesystem is mounted. |
Application Management
Install or uninstall applications.| Parameter | Description |
| Command | The value is either ‘install’ or ‘uninstall’ |
| Install Method | There are three types of installation methods:
|
| Application executable | Provide the executable path. |
| Application name | Specify the name of the application to be downloaded from repo. |
| Silent mode option | Option to install the application in silent mode. |
Patch Management
Install a patch.| Parameter | Description |
| Command | The value is install |
| Install Method | There are three types of installation methods:
|
| Application executable | Provide the executable path. |
| URL | URL that servers the installation file. |
| Application name | Specify the name of the application to be downloaded from repo. |
| Silent mode option | Option to install the application in silent mode. |
Application block
Block a specified application from execution. Select names from the list or provide comma separated values. Note: In-built applications cannot be blocked in Apple Mac OS X El Capitan and Sierra.| Parameter | Description |
| Not applicable | Not applicable |
Application unblock
Unblock the specified application from execution. Select names from the list or provide comma separated values. Note: In-built applications cannot be unblocked in Apple Mac OS X El Capitan and Sierra.| Parameter | Description |
| Not applicable | Not applicable |
Enable device
Enables specified device names from the list. Select the devices to be enabled, or enter custom driver names in the input box.| Parameter | Description |
| Not applicable | Not applicable |
Disable device
Disables specified device names from the list. Select the devices to be disabled, or enter custom driver names in the input box.| Parameter | Description |
| Not applicable | Not applicable |
Add an entry into /etc/hosts file
Adds an entry into /etc/hosts file.| Parameter | Description |
| Domain Name | A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
| IP Address | The IP address of the system. This member can be an IPv6 address or an IPv4 address. |
Add Protocol Entry
Adds protocol entry into /etc/protocol file. This file describes the various DARPA internet protocols that are available from the TCP/IP subsystem.| Parameter | Description |
| Protocol Alias | The aliases for the protocol. |
| Protocol Name | The native name for the protocol. For example ip, tcp, or udp. |
| Protocol Number | The official number for this protocol as it will appear within the IP header. |
Add Route
Adds new routing entry into network routing table.| Parameter | Description |
| Gateway | The gateway to be added into routing table. A gateway is a network point that acts as an entrance to another network. |
| Interface Name | The device interface name. |
| IP Address | The ip address to be added into routing table. |
| Route Type | This element specifies the route type. |
| Netmask | A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. eg: 255.255.255.0 |
Add Service Entry
Adds service entry into Internet network services list /etc/services file. This file provides a mapping between human-friendly textual names for internet services, and their underlying assigned port numbers and protocol types.| Parameter | Description |
| Service Alias | The service alias. An optional space or tab separated list of other names for this service. |
| Service Name | The friendly name the service is known by and looked up under. |
| Service Port Number | The port number to use for this service. |
| Service Protocol | The type of protocol to be used. This field should match an entry in the /etc/protocols file. |
Block Domain
Block a specified domain name.| Parameter | Description |
| Domain Name | A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
Add ARP entry
Add a specified ARP entry into ARP cache.| Parameter | Description |
| Interface Name | This interface name will be associated with the an arp entry. |
| IP Address | The IP address of the system. This member can be an IPv6 address or an IPv4 address. |
| MAC Address | The physical hardware address of the adapter for the network interface associated with this IP address. |
Delete ARP entry
Deletes a specified ARP entry from the ARP cache.| Parameter | Description |
| Interface Name | This interface name will be associated with the an arp entry. |
| IP Address | The IP address of the system. This member can be an IPv6 address or an IPv4 address. |
Delete an entry from /etc/hosts file
Deletes an entry from /etc/hosts file.| Parameter | Description |
| Domain Name | A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
Delete Protocol Entry
Deletes protocol entry from /etc/protocol file. This file describes the various DARPA internet protocols that are available from the TCP/IP subsystem.| Parameter | Description |
| Protocol Name | The native name for the protocol. For example ip, tcp, or udp. |
| Protocol Number | The official number for this protocol as it will appear within the IP header. |
Delete Route
Deletes existing routing entry from network routing table.| Parameter | Description |
| Gateway | The gateway to be added into routing table. A gateway is a network point that acts as an entrance to another network. |
| Interface Name | The device interface name. |
| IP Address | The ip address to be added into routing table. |
| Route Type | This element specifies the route type. |
| Netmask | A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. eg: 255.255.255.0 |
Delete Service Entry
Delete service entry from Internet network services list /etc/services file. This file provides a mapping between human-friendly textual names for internet services, and their underlying assigned port numbers and protocol types.| Parameter | Description |
| Service Name | The friendly name the service is known by and looked up under. |
| Service Port Number | The port number to use for this service. |
| Service Protocol | The type of protocol to be used. This field should match an entry in the /etc/protocols file. |
Disable IP Forwarding
Disables IP forwarding also known as Internet routing. IP forwarding is a concept to make Linux machine to send data from one network to other, this is same as a router.| Parameter | Description |
| Not applicable | Not applicable |
Enable IP Forwarding
Enables IP forwarding also known as Internet routing. IP forwarding is a concept to make Linux machine to send data from one network to other, this is same as a router.| Parameter | Description |
| Not applicable | Not applicable |
Flush all ARP entries
Flush all arp entries from the ARP cache.| Parameter | Description |
| Not applicable | Not applicable |
Flush all entries from /etc/hosts file
Flush all entries from /etc/hosts file.| Parameter | Description |
| Not applicable | Not applicable |
Modify ARP entry
Modifies a specified ARP entry from the ARP cache.| Parameter | Description |
| Interface Name | The device interface name. |
| IP Address | The IP address of the system. This member can be an IPv6 address or an IPv4 address. |
| MAC Address | The physical hardware address of the adapter for the network interface associated with this IP address. |
Modify entry from host file
Updates an existing hosts entry to new entry.| Parameter | Description |
| Domain Name | A old domain name present in the hosts file on the system. Domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
| IP Address | An old IP address present in hosts file on the system. This member can be an IPv6 address or an IPv4 address. |
| New Domain Name | A new domain name. Domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
| New IP Address | The new IP address present in hosts file on the system. This member can be an IPv6 address or an IPv4 address. |
Modify Protocol Entry
Updates existing protocol entry from /etc/protocol file. This file describes the various DARPA internet protocols that are available from the TCP/IP subsystem.| Parameter | Description |
| New Protocol Alias | The new protocol alias for the protocol. |
| New Protocol Name | The new protocol name. Native name for the protocol. For example ip, tcp, or udp. |
| New Protocol Number | The new protocol number. Official number for this protocol as it will appear within the IP header. |
| Protocol Alias | The protocol alias for the protocol. |
| Protocol Name | The protocol name. Native name for the protocol. For example ip, tcp, or udp. |
| Protocol Number | The protocol number. Official number for this protocol as it will appear within the IP header. |
Modify Route
Updates existing routing entry with new entry into network routing table.| Parameter | Description |
| Gateway | The gateway to be added into routing table. A gateway is a network point that acts as an entrance to another network. |
| Interface Name | The device interface name. |
| IP Address | The ip address to be added into routing table. |
| New Gateway | The new gateway to be added into routing table. A gateway is a network point that acts as an entrance to another network. |
| New Interface Name | The new device interface name. |
| New IP Address | The new network mask to be added into routing table. A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. |
| New Route Type | This element specifies the new route type. |
| Route Type | This element specifies the old route type. |
| Netmask | A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. eg: 255.255.255.0 |
| New Netmask | The new netmask address to be added into routing table. |
Modify Service Entry
Updates existing service entry from Internet network services list /etc/services file. This file provides a mapping between human-friendly textual names for internet services, and their underlying assigned port numbers and protocol types.| Parameter | Description |
| New Service Port Number | The new port number to use for this service. |
| New Service Protocol | The new type of protocol to be used. This field should match an entry in the /etc/protocols file. |
| Service Name | The existing friendly name the service is known by and looked up under. |
| Service Port Number | The existing port number to use for this service. |
| Service Protocol | The existing type of protocol to be used. This field should match an entry in the /etc/protocols file. |
Network connection kill
Kills a specified network connection.| Parameter | Description |
| Local Port | The local port number in network byte order for the TCP connection on the local computer. |
Unblock Domain
Unblock a specified blocked domain name.| Parameter | Description |
| Domain Name | A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses. |
Process block
Block specified processes from execution using a list of process names. Select process names from the list or provide comma separated values. Note: In-built processes cannot be blocked in Apple Mac OS X El Capitan and Sierra| Parameter | Description |
Start process
Start specified processes using a list of process names. Select process names from the list or provide comma separated values.| Parameter | Description |
Stop process by process ID
Stop specified processes using a list of process IDs. Select process IDs from the list or provide comma separated values.| Parameter | Description |
Stop process by name
Stop specified processes using a list of process names. Select process names from the list or provide comma separated values.| Parameter | Description |
Process unblock
Unblock specified processes from execution using a list of process names. Select process names from the list or provide comma separated values. Note: In-built processes cannot be unblocked in Apple Mac OS X El Capitan and Sierra| Parameter | Description |
Append Firewall(pfctl) Rules
Appends rules at the end of IP table.| Parameter | Description |
| Rules | Ip table rule to be added i/p eg: INPUT -i eth0 -p tcp –dport 110 -j ACCEPT |
Change File Ownership
Change ownership of a given filepath.| Parameter | Description |
| File Path | Absolute filepath |
| Group name | group to be changed for given filepath (optional) |
| User name | username to be changed for given filepath. |
Change File Permission
Change permission of a given filepath.| Parameter | Description |
| File Path | Absolute filepath |
| File Permission | permission similar to “644” for |
Delete Firewall(pfctl) Rules
Delete rules from the IP tables.| Parameter | Description |
| Rules | Ip table rule to be deleted i/p eg: INPUT 2 |
Disable Firewall(pfctl)
Disables/Stops firewall.| Parameter | Description |
| Not applicable | Not applicable |
Enable Firewall(pfctl)
Enables/Start firewall.| Parameter | Description |
| Not applicable | Not applicable |
Flush Firewall(pfctl) Rules
Clears all IP table rules.| Parameter | Description |
| Not applicable | Not applicable |
Insert Firewall(pfctl) Rules
Insert rules in the beging for IP tables.| Parameter | Description |
| Rules | Ip table rule to be added i/p eg: INPUT -i eth0 -p tcp –dport 22 -j ACCEPT |
Replace Firewall(pfctl) Rules
Replace specific rule from the IP table| Parameter | Description |
| Rules | ip table rule to be replaced i/p eg: INPUT 2 -i eth0 -p tcp –dport 26 -j ACCEPT~INPUT 2 -i eth0 -p tcp –dport 26 -j REJECT |
Restart Firewall(pfctl)
Restart and reinforce firewall rules.| Parameter | Description |
| Not applicable | Not applicable |
Set ASLR Status
Set Address space layout randomization (ASLR) setting| Parameter | Description |
| Permanent or Temporary | One of the following setting : permanent or temporary(valid till next reboot) |
| ASLR Status Value | One of the following setting : 0 – ASLR Off (Process address space randomization off) 1 – ASLR On for mmap base, stack and VDSO page(Conservative randomization) 2 – ASLR On for mmap base, stack, VDSO page and heap (Full randomization) |
Set SELinux Status
Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. It provides information about SE linux setting.| Parameter | Description |
| SE Linux Status | One of the following setting : 0 – Permissive (SELinux logs warnings instead of enforcing), 1 – Enforcing (SELinux security policy is enforced) |
Set sysctl Settings
Set sysctl kernel setting. sysctl is an interface for examining and dynamically changing parameters in Unix-like operating systems.| Parameter | Description |
| Not applicable | Not applicable |
Service restart
Restart specified services by service name. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Service start
Start specified services by service name. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Service stop
Stop specified services by service name. Select names from the list or provide comma separated values.| Parameter | Description |
| Not applicable | Not applicable |
Mount Filesystem
Mounts a file system to a local folder.| Parameter | Description |
| Destination Path | This element specified the destination path to mount filesystem. |
| Read-only value | This element specifies the read only value (true/false) |
| Source Path | This element specifies the source path to mount a file system. |
Reboot
Reboots the system.| Parameter | Description |
| Message | A specified message will be displayed to logged-in user before reboot. |
| Time in minutes | The specified time(expressed in minutes) after which the system would reboot. Provide a value of 0 to reboot immediately. It takes about a minute to shutdown in Mac systems. |
Shutdown
Shutdown the system.| Parameter | Description |
| Message | The specified message will be displayed to logged-in user before shutdown. |
| Time in minutes | The specified time(expressed in minutes) after which the system would shutdown. Provide a value of 0 to shutdown immediately. It takes about a minute to shutdown in Mac systems. |
Unmount Filesystem
Unmount a file system from the local system.| Parameter | Description |
| Mount Point | This element specifies the mount point where the filesystem is mounted. |
Application Management
Install or uninstall applications.| Parameter | Description |
| Command | The value is either ‘install’ or ‘uninstall’ |
| Install Method | There are two types of installation methods:
|
| Uninstall Method | To uninstall, provide the application name to be removed. |
| Application executable | Provide the executable path. |
| Application name | Name of the application to install/uninstall. |
| URL | URL that servers the installation file. |
| Additional options | Any additional command line option that need to be executed. |
Patch Management
Install a patch.| Parameter | Description |
| Command | The value is either ‘install’ or ‘uninstall’ |
| Install Method | There are two types of installation methods:
|
| Application executable | Provide the executable path. |
| URL | URL that servers the installation file. |
| Additional options | Any additional command line option that need to be executed. |
| Notify for reboot | Show a notification window to the user that a reboot is required post installation/uninstallation. |
SanerNow Security Architecture, Best Practices and Policies
Physical security
SanerNow is hosted in industry-leading Amazon Web Services (AWS), in two different locations in the USA. AWS data centers have been tested for security, availability and business continuity
Application security
SanerNow platform is hosted in Amazon Web Services. The infrastructure comprises of firewall, load balancers, hardened OS’es, databases and application servers which are managed and maintained by Amazon.
At SecPod, we take a multifaceted approach to application security, to ensure everything from engineering, including architecture, design and development to quality assurance and deployment processes comply with highest standards of security.
Application Architecture
The hosted platform is protected by AWS’s firewall which offers protection from network related intrusions. The second layer of protection is SanerNow’s protection layer which monitors against offending IPs and users. The application can be accessed only by users with valid credentials, and industry-standard password policies on users are enforced. Two-factor authentication can also be enforced by users. Our platform comes with features to secure business data on the cloud:
- Industry standard Transport Layer Security (TLS v1.2) is enforced
- Identity management through a secure database
- Leveraging SAML for all API based authentications
- IP whitelisting for exclusive access
- Two-factor authentication
- Strict authorization policy
- Multi-tenant architecture with clear boundaries
SanerNow uses a multi-tenant data model to host all customer accounts and data and no customer has access to another customer’s data. Access to the platform by the SecPod employees is also controlled, managed and audited. Access to the platform and the infrastructure are logged for subsequent audits.
Platform Development
SecPod houses Security Research Engineers and they are well-trained in performing white-box audits and black-box testing. With a decade experience in security research domain, each engineer brings the attackers mindset to test and validate the platform to ensure adherence to our highest standards. All major and minor releases are subjected to highest standard of security scrutiny before deploying the platform releases.
Deployment
Deployments to production servers are performed only by trusted and authorized engineers. Only very few pre-authorized engineers have access to SanerNow platform.
Post-deployment monitoring is done by a dedicated 24×7 Support team that monitors the application for suspicious activities or attacks. An escalation matrix up to two levels of engineers has been defined to address contingencies that might occur
An information security team carries out periodic comprehensive application audits. The tests are performed with the help of static analysis tools and aided by manual analysis. Network penetration tests and other black box tests are performed to help identify security vulnerabilities in the application. SanerNow being a security platform, the tools offered by the platform are also used to test the infrastructure in addition to internal and external audits
Data Security
SecPod takes the protection and security of its customer’s data very seriously. The SecPod development team has no access to data on production servers. Changes to the platform, infrastructure are documented extensively as part of an internal change control process.
Our products collect limited information about customers – name, email address and phone – which are retained for account creation. Postal address is requested and retained.
SecPod takes the integrity and protection of customer’s data very seriously. We maintain history of two kinds of data: logs from the system, and customer’s data. All data is stored in AWS platform. Backups are taken every day at multiple locations. Logs are maintained for a duration of 90 days. Customer’s data is backed up to persistent storage every day and retained for the last seven days.
The data at rest is encrypted using AES 256bit standards (key strength – 1024) with the keys being managed by AWS Key Management Service. All data in transit is encrypted using FIPS-140-2 standard encryption over a secure socket connection for all customer accounts hosted on SanerNow.
When an account is deleted, all associated data is destroyed within 7 business days.
Network Security
The SecPod office network where platform is developed, deployed, and managed is secured by firewalls and antivirus software. Firewall logs are stored and reviewed periodically. Audit logs are generated for each remote user session and reviewed. Access to the production environment is via SSH and remote access is possible only via the SecPod’s internal network.
SanerNow platform is hosted in AWS. The SOC and DevOps teams monitor the infrastructure 24×7 for stability and intrusions. End-to-end vulnerability assessments and penetration tests are performed with each quarterly release.
Regulatory Compliance
We implement industry standard security, technical, physical and administrative measures against unauthorized processing of information and against loss, destruction of, or damage to, personal information.
We are working towards SSAE-16 certification and a SOC II report. Our servers are hosted in AWS who are SSAE-16, ISO 27001, and HIPAA compliant.
Reporting issues and threats
If you have found any issues or flaws impacting the data security or privacy of SecPod users, please write to support@staging.secpod.com with relevant information, we’ll act on it immediately.
If you have any questions or doubts, feel free to get in touch with us at support@staging.secpod.com, and we’ll get back to you right away.
Deployment Checklists
Pre-Deployment Checklist
- Is there a proxy to reach Internet (saner.secpod.com) ?
- Any network outgoing rule to be configured to reach saner.secpod.com (HTTPS:443) ?
- Any tool is locally available for software deployment? If not, do you have an Active Directory environment?
- Offices in multiple locations? Do you want to create separate sites and manage each separately with different users?
- How many tool administrators/users are required?
Do you have Administrators/Root access to deploy the agents?
- Do you want scan to run in “Low” mode? Low mode is less CPU-intensive and may take longer scan time
- Do you have local WSUS server (Windows), Yum Repository (RPM Linux), DPKG Repository (Debian/Ubuntu), Apple Mac OS X Update server?
- Are there other products that are managing patching?
- Mail server configurations (Mail account and server details) are required for alerts and reports
FAQ – Frequently Asked Questions
Technical FAQ
How to get started?
Sign Up on www.sanernow.com and select tools required. Go to “Open Console” to create accounts and deploy on agents. Within 10 minutes you should be able to set up 1000 machines and view their reports.
What measures can we take to secure our account?
You can set up a 2-step verification to add an extra layer of security to your account. See section How can we set up two-factor authentication for more details. Adminitrators and Account Administrators can enforce two-factor authentication for all other users.
How is my data secured?
Your data is isolated from others. Multiple techniques are used to ensure data integrity and request/response are verified. Our specialized team ensures that platform passes through multiple layers of security tests. These teams are up-to-date with latest attacks and threats and plays a major role in defining checks for products such as OpenVAS. Your data is secure with us.
How can we set up two-factor authentication?
When you enable two-factor authentication, you add an extra layer of security to your account. You sign in with something you know (your password) and something you have (a code sent to your phone).
To start with, click on ‘turn on’ against two-factor authentication. Open the Google Authenticator app and scan the QR code. You will be provided with 6 digit code in the app. Enter the code in the text box and press Enable button.
On every login, after entering username ans password, you will be promted to enter the code displayed by the Google Authenticator app. These two steps are verified for access to your account.
What is the average size of content downloaded or network utilization by agents from your server during scan?
Though security content download differs depending on the detection of vulnerabilities and configuration issues. An active agent may download an average of 4MB data (only when content requires update/if changed) on Windows machines. Our signatures release cycle is 2-3 times per week. We have devised mechanisms to optimize content download.
How system resources are utilized or how is the CPU performance during scan?
CPU averages at 20-30% in low mode scan. Whereas, in full throttle, scans are speedy and finish within minutes, CPU averages at 50-80% for a few seconds then goes back to 20-30%. Saner service priority is set to normal and operating systems handle it effectively. It will not interfere with your work.
What settings may be required to optimize network during remediation/patching?
Set up a local patch server or a WSUS server in your organization. Agents are designed to detect WSUS server settings and fetch patches from the same. In case, WSUS is not set up on your individual endpoints, you can use EDR section to set up Registry Response. For more details, follow the link, https://support.microsoft.com/en-in/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s
Third party products patches can also be served from a local HTTP/HTTPs/FTP server. Go to Manage> Create Settings > Remediate.
Select Third-party products patch server select Local, a new set of settings will open up to provide server URL. Contact info@staging.secpod.com to get Remediation resource feed for a large setup.
Settings such as buffering patches with bandwidth usage restriction under Manage> Create Settings > Remediate also helps optimize remediation tasks.
How system resources are utilized or how is the CPU performance during remediation?
CPU average is very low during remediation. Patches are queued and taken up sequentially. A scan is performed after remediation job or rule is accomplished. Following graph shows remediation effect on operating system.
Can I configure a time period between which remediation should start and end?
Yes. While setting up remediation job or rule, you can provide remediation timeframe with start and end date-time. For example, in a typical organization, remediation can be set to end at 8:00 a.m in the morning when employees start their day at work. In case, if an automated remediation task is ongoing at 8:00, it will come to its logical end and any reboot and sequential tasks will be taken in the next time interval. However, short-term remediation tasks will end and result will be uploaded.
After configuring a time period between which remediation should start and end, can change it?
In case of remediation automation, we can change the timeframe which takes into effect in the next upcoming time. Short-term remediation tasks cannot be modified.
Can I install a customized patch for remediation or install other applications using Saner?
Yes. You could use Software Deployment in Response section of Endpoint Management. All applications and patches will be installed silently without interfering with users on the endpoints. It is advisable to test your installation and provide appropriate silent option if usual options such as /S is not used.
Can I install a non-security patch also with Saner?
Yes. You could use Software Deployment in Response section of Endpoint Management.
What should I do if a remediation patch is not available?
You could chose to block the application temporarily and unblock later. Go to EDR > Build your own Response > Application Block
How can I remediate commercial licensed products such as Adobe Acrobat or Oracle WebLogic Server?
You could use Software Deployment in Response section of Endpoint Management . Provide a vendor URL to download patch or upload the patch and provide silent option.
Can I find out since how long a vulnerability existed in an organization?
Yes. In VM dashboard, vulnerability patching graph provides insight on how long a vulnerability existed in an organization since its detection on our platform.
What are the next steps to vulnerability detection?
VM gives you a detailed information about existing loopholes making endpoints prone to malware attacks. Next steps would involve strategizing patching activity using PM and ensure endpoint-protection software are up-to-date using EM. Complementary to that, EDR will help realizing any ongoing attack to respond immediately and AM to check if such vulnerable software assets are in regular use or sparingly used.
How can I mitigate vulnerabilities effectively?
You can visualize vulnerability mitigation statistics to prioritze your patching activity. An insight on high fidelity attacks provide you information on tasks that require immediate attention because it is prone to malware attack. Statistics such as vulnerability based on severity scores also aid in determining next steps for vulnerability mitigation.
Can I find out since how long patch was available and not applied in an organization?
Yes. In PM dashboard, patch patching graph provides awareness on when a missing patch was released by vendor and not applied in the endpoints. Patching impact and Configuration Impact are powerful tools to visualize the affect of remediation.
Remediation and Software Patching is a long and tough activity. What if something goes wrong? Is rollback option available?
Our patches are tested by a dedicated team to ensure remediation is accurate and quick. Saner agent has also evolved as part of remediation to ensure speedy ways to achieve patching.
Under any circumstance, a Rollback feature is available for Windows, Linux and Mac operating system patches. Complaince roll back is also in place. Third-party products cannot be reverted but can be reinstalled with the previous version. Go to PM dashboard > click on PM in left panel > Rollback.
Please ensure that you have checked if rollback is possible for a patch before applying remediation because some vendor patches do not support rollback.
Can I know why a particular remediation failed?
Yes. In PM dashboard see ‘Reason for Failure’. You can also check individual remediation tasks status using ‘Job Status summary’ section on the dashboard. Click on expand to dig deep into status.
A patch is available and approved in my WSUS server but Saner remediation is failing. Why?
Each setup is different and some initiatives from your end can help speedy resolution of such issues. Consider checking (on one of the endpoints) if system is configured properly to your WSUS server. Click on Windows Update to see if patch appears in the system. If relevant patch appears in the system, then Saner should be able to fetch it. If not, either WUS is not configured properly or a pre-requisite patch may hinder remediation.
Please note: installing a patch may open up other patches in a software asset. Also, Windows Update software itself may require patching. Consider installing it before any other remediation task.
Please log your observations in the mail and contact info@staging.secpod.com for resolving your case. We will be happy to help.
Can I identify software products which are out-of-life? What actions can be taken for out-of-life products.
Yes. Check AM dashboard > Outdated Applications. Consider installing upgrades using Software Deployment in Response section of Endpoint Management. You may also uninstall such applications using Application Management> uninstall option.
Does Saner provide tracking of software licenses?
Yes. In AM, you could track software licenses and cost incurred to an organization. You can also provide external feed to assess software licenses.
Can I blacklist or whitelist software applications?
Yes. In AM, import blacklisted or whitelisted applications feed (in CSV format) and go to dashboard to check violations if any. Currently, we do not automatically uninstall or block applications using this feed. This can be automated using EDR > Build your own Detection and Response to periodically run response script.
What possible response actions can be executed from Saner?
Response actions are widely categorized into Network, Process, Service, Software Deployment, System, Application and Devices, Security, File, Windows Registry, Tuneup, Startup Programs. Kindly check individual categories for more information. Each category in Response section has a set of actions.
Is it possible to automate reponses/actions on detection scripts?
Yes. In EM, it is possible to create actions based on a set of existing detection scripts.
Can we add more detection scripts in EM?
100+ detection scripts are already defined and ready to use. You could add more using EM > Tools section. In case of any issues or requirements, contact info@staging.secpod.com and we will create it for you.
Can I know the system health of all my endpoints?
Yes. Go to EM > Detection > System Health. Click to get real time data. Visualize Disks space used reaching 90% and high CPU and RAM usage.
Can I command my endpoint to scan now or reboot now?
Yes. Go to Manage>Devices>Select device>Click on ‘Scan now’. For reboot, go to EDR/EM > Response> System and select reboot.
What are the common indicators of compromise/attack?
Endpoint protection software is disabled, applications with unknown publisher, firewall disabled, torrent-like downloads, new application in start up program, common operating system libraries having a different MD5sum, unknown processes running or multiple ports open, disk space running out, to name a few.
What are the existing Compliance benchmark supported by Saner?
SecPod Default Compliance, Vendor recommended (such as Microsoft) General Compliance, NIST-800-53, NIST 800-171, PCI, HIPPA, others such as ISO 27001, WMI, ports, process control, service control, device control, anti-virus compliance etc which can be designed as per user requirement.
Can I remove checks from an existing Compliance benchmark?
Yes, if it does not comply to your organization. Simply deselect the rule or category while creating/editing compliance.
Can I take remediation actions on customized Compliance checks?
Yes. Remediation scripts are automatically generated based on compliance created by users. Go to CM dashboard > Remediation actions to know more.
Why some of the compliance checks shows Not selected or Not checked status?
Some checks which are deselected by you will appear as ‘Not selected’ in the report. Compliance checks that require input from user are mostly ‘Not checked’ unless some data is provided by the user. If any issues, please contact info@staging.secpod.com. Appropriate screenshots of reports/dashboard and agent audit logs will definitely help understand the case.
Can I apply rollback on customized Compliance benchmark?
Yes.
Can I see trending reports?
No. Currently you can back up reports using Reports from left panel that will be emailed automatically on scheduled intervals.
Can I export individual endpoint report?
Yes. Go to Manage > Devices > Click on hostname > Click on Export Device Report.
Can I be alerted on certain incidents on endpoints.
A variety of alerts can be issues to notify on any failed actions, incidents in endpoints, critical vulnerabilities issues, configuration issues, new detection on endpoints, etc. Click on Alerts from left panel to know more.
How long does a scan take?
A typical scan takes under 5 minutes in windows and 1-2 minutes in Linux and Mac Machines. Special mechanisms and algorithms on agents help achieve this.
My scan is prolonged. What can I do?
Contact info@staging.secpod.com with endpoint’s audit log that can be received from Manage>Devices>Click on hostname> Click on Audit Logs. You can also change settings > Log to debug, scan and send spsaneragent.log from the endpoint system under SecPod Saner installation directory/log folder in Windows and /var/log/saner in unix based machines.
System Status
The system is Healthy
Deployment Tool Pre-requisites
SanerNow provides tools to deploy agents on endpoints. SanerNow cloud deployer tool and SanerNow on-premise deployer tool. Cloud deployer tool is available in zip file containing python script. on-premise deployer tool is available in a web portal.
Pre-requisites for SanerNow cloud deployment tool
- Disable remote UACRefer the following doc to disable remote UAC, https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
- Enable admin$ administrative sharesRefer the following doc to enable administrative shares, https://www.wintips.org/how-to-enable-admin-shares-windows-7/
- Ensure security software is not blocking the installation
- Enable SMBv2 protocolRefer the following doc to enable SMBv2, https://support.microsoft.com/en-in/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server
Pre-requisites for SanerNow in-house deployment tool
- Turn on network discovery and file printer sharing,Refer the following doc to turn on, https://www.pugetsystems.com/labs/support-software/How-to-enable-Network-Discovery-and-configure-sharing-options-in-Windows-10-1008/
- Enable SMBv2 protocolRefer the following doc to enable SMBv2, https://support.microsoft.com/en-in/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server
- Ensure security software is not blocking the installation
- Ensure “Network Access: Sharing and Security model for local Accounts” is set as ‘Classic : Local users authenticate as themselves’follow the following steps,
- Open ‘Control panel’
- Select ‘Administrative Tools’
- Open ‘Local security policy’
- On the left pane navigate to ‘Security Settings’ => ‘Local policies’ => ‘Security Options’
- On the right pane find ‘Network access: Sharing and security model for local accounts’
- Double-click on it in order to change
- Set it to ‘Classic – Local users authenticate as themselves’
Security Researcher Hall of Fame
If you believe you have discovered a security vulnerability issue, please share the details with us by sending an email to research@secpod.com. Kindly include a detailed description of the issue and steps to reproduce along with the screenshots (if any).
We would like to thank the following individuals for making a responsible disclosure to us.
Sumit Birajdar
Kevin Umsted
Get notified
about our latest updates
View all our articles keep
your security up to date