Merge pull request #223 from OVAL-Community/oval6-develop

Merge oval6-develop into master for OVAL 6 release

Author: vanderpol

guidelines/community-organization/oval-leadership-board.rst

@@ -24,7 +24,7 @@ Current Members
   * `Canonical <https://canonical.com/>`_ - Eduardo Barretto
   * `Cisco <https://www.cisco.com/>`_ - Omar Santos
   * `Center for Internet Security <https://www.cisecurity.org>`_ - Justin Burr, Tim Rosner
-  * `Defense Information Systems Agency (DISA) <https://www.disa.mil/>`_ - Jamaal Spearman, Brady Alleman
+  * `Defense Information Systems Agency (DISA) <https://www.disa.mil/>`_ - Jamaal Spearman, Brady Alleman, Brian Snodgrass
   * `HCL Group <https://hcl.com/>`_ - Anurag Srivastava
   * `Modulo <https://www.modulo.com/>`_ - Alberto Bastos
   * `National Institute of Standards and Technology (NIST) <https://www.nist.gov/>`_ - Dragos Prisaca, Bob Gendler

guidelines/conf.py

@@ -24,9 +24,9 @@
 author = 'The OVAL community with notable contributions by David Ries (jovalcm.com), Adam Montville (cisecurity.org), and Bill Munyan (cisecurity.org).'
 
 # The short X.Y version
-version = '5.12'
+version = '6.0'
 # The full version, including alpha/beta/rc tags
-release = '5.12'
+release = '6.0'
 
 
 # -- General configuration ---------------------------------------------------

guidelines/getting-started.rst

@@ -76,103 +76,107 @@ variables
   Variables provide a way to group one or more values for consistent reference within other OVAL content.
 |
 
-An Annotated Sample
+Sample Definition (OVAL 6.0 encapsulated style)
+  tests, objects, states and variables are encapsulated within the OVAL definition.  This makes for much easier to read defintions, and much more portable content, you can copy a defintion from one content file to another.
 -------------------
-
-Below is a sample OVAL definition file::
-
-  <?xml version="1.0" encoding="UTF-8"?>
-  <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd">
-  <generator>
-  <!--
-  The generator element provides metadata about the tool/application used to develop the OVAL Content.
-  -->
-  <oval:schema_version>5.11.2</oval:schema_version>
-  <oval:timestamp>2018-07-31T17:30:20</oval:timestamp>
-  </generator>
-
-  <definitions>
-   <!--
-   The definitions element contains the OVAL definition(s) to be exchanged.
-   -->
-   <definition class="compliance" id="oval:org.oval-community.example:def:1" version="1">
-   <!--
-   This definition checks compliance.
-   -->
-      <metadata>
-         <!--
-         The metadata element contains information about the definition, including its title and description. This definition checks whether WinRM traffic is encrypted or not.
-         -->
-            <title>WinRM Traffic Must be Encrypted</title>
-            <affected family="windows">
-               <platform>Microsoft Windows Server 2016</platform>
-            </affected>
-         <reference ref_id="CCE-46378-6" ref_url="http://cce.mitre.org" source="CCE"/>
-         <description>The Windows Remote Management (WinRM) client must not allow unencrypted traffic.</description>
-      </metadata>
-   <notes>
-   <note>This sample was based on an OVAL definition included in the Windows Server 2016 STIG available at https://iase.disa.mil/ </note>
-   </notes>
-   criteria operator="AND">
-      <!--
-      The criteria element specifies the assertion to be tested using information gathered from the endpoint.
-      -->
-         <criterion comment="Verifies 'WinRM Client: Allow unencrypted traffic' is set to 'Disabled'" test_ref="oval:org.oval-community.example:tst:1"/>\
-            <!--
-            The criterion elements define logical terms in the assertion. This criteria only uses 1 criterion element to check if 'WinRM Client: Allow unencrypted traffic' is set to 'Disabled'.
-
-            By default, the truth values returned by the tests are AND'ed to determine the truth value of the assertion.
-            -->
-      </criteria>
-   </definition>
-  </definitions>
-
-  <tests>
-   <!--
-   The tests element contains the OVAL Test(s). OVAL Tests specify what to search for on an endpoint (i.e., objects) and what is expected to be found (i.e., states).
-
-   The registry_test is used to check information in the Windows registry.
-   -->
-      <registry_test check="all" check_existence="at_least_one_exists" comment="WinRM Client: Allow unencrypted traffic is set to 'Disabled'" id="oval:org.oval-community.example:tst:1" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
-         <!--
-         This registry_test checks that 'Allow unencrypted traffic' is set to 'Disabled'.
-         -->
-         <object object_ref="oval:org.oval-community.example:obj:1"/>
-         <state state_ref="oval:org.oval-community.example:ste:1"/>
-      </registry_test>
-  </tests>
-
-  <objects>
-   <!--
-   The objects element contains the OVAL Object(s).
-
-   The registry_object is used to search for information in the Windows registry.
-   -->
-      <registry_object comment="WinRM Cl ient: AllowUnencryptedTraffic registry key" id="oval:org.oval-community.example:obj:1" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
-         <!--
-         This registry_object specifies that the registry key containing the policy definition for 'WinRM Client: Allow unencrypted traffic' should be checked.
-         -->
-            <hive datatype="string" operation="equals">HKEY_LOCAL_MACHINE</hive>
-            <key datatype="string" operation="equals">Software\Policies\Microsoft\Windows\WinRM\Client</key>
-            <name datatype="string" operation="equals">AllowUnencryptedTraffic</name>
-      </registry_object>
-  </objects>
-
-  <states>
-   <!--
-   The states element contains the OVAL State(s).
-
-   The registry_state is used to describe information expected to be found in the Windows registry.
-   -->
-      <registry_state comment="Reg_Dword equals 0" id="oval:org.oval-community.example:ste:1" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
-         <type>reg_dword</type>
-            <!--
-            This registry_state specifies that an integer matching '0' is expected to be found in the registry.
-            -->
-         <value datatype="int" operation="equals">0</value>
-      </registry_state>
-  </states>
-
+<snippet>
+  <content><![CDATA[
+.. code-block:: ${1:type}
+  :linenos:
+  
+    <oval_definitions xmlns="urn:oval:v6:definitions" 
+    xmlns:independent-def="urn:oval:v6:definitions:independent" 
+    xmlns:win-def="urn:oval:v6:definitions:windows" 
+    xmlns:oval="urn:oval:v6:common" 
+    xmlns:oval-def="urn:oval:v6:definitions" 
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+    
+    xsi:schemaLocation="urn:oval:v6:definitions https://raw.githubusercontent.com/OVAL-Community/OVAL/refs/heads/6.0_release/oval-schemas/oval-definitions-schema.xsd 
+    urn:oval:v6:common https://raw.githubusercontent.com/OVAL-Community/OVAL/refs/heads/6.0_release/oval-schemas/oval-common-schema.xsd
+    urn:oval:v6:definitions:windows https://raw.githubusercontent.com/OVAL-Community/OVAL/refs/heads/6.0_release/oval-schemas/windows-definitions-schema.xsd
+    urn:oval:v6:definitions:independent https://raw.githubusercontent.com/OVAL-Community/OVAL/refs/heads/6.0_release/oval-schemas/independent-definitions-schema.xsd">
+    <generator>
+        <oval:product_name>A human being</oval:product_name>
+        <oval:schema_version>6.0</oval:schema_version>
+        <oval:timestamp>2024-12-13T17:30:20</oval:timestamp>
+    </generator>
+    <definitions>
+        <encapsulated_definition id="oval:oval-community:def:1" version="2" class="inventory">
+            <metadata>
+                <title>Windows is installed</title>
+                <description>Computer is in the windows family</description>
+            </metadata>
+            <criteria>
+                <criterion test_ref="oval:oval-community:tst:1" comment="The installed operating system belongs to the Microsoft Windows family" />
+            </criteria>
+            <tests>
+                <family_test xmlns="urn:oval:v6:definitions:independent" id="oval:oval-community:tst:1" version="1" check="all" comment="The installed operating system belongs to the Microsoft Windows family">
+                    <object object_ref="oval:oval-community:obj:1" />
+                    <state state_ref="oval:oval-community:ste:1" />
+                </family_test>
+            </tests>
+            <objects>
+                <family_object xmlns="urn:oval:v6:definitions:independent" id="oval:oval-community:obj:1" version="1" comment="OS family" />
+            </objects>
+            <states>
+                <family_state xmlns="urn:oval:v6:definitions:independent" id="oval:oval-community:ste:1" version="1" comment="Microsoft Windows family">
+                    <family>windows</family>
+                </family_state>
+            </states>
+        </encapsulated_definition>
+    </definitions>
+    </oval_definitions>
+
+
+Sample OVAL 6.0 definition file (non-encapsulated style)
+  This style has separate silos of data for definitions, tests, objects, states, variables.  This makes for easy sharing of existing tests, objects, states, variables within a single file, but can make the file very hard to read/understand/maintain.  It also makes it very challenging to copy a definition from one file to another.
+-------------------
+<snippet>
+  <content><![CDATA[
+.. code-block:: ${1:type}
+  :linenos:
+
+  <oval_definitions xmlns="urn:oval:v6:definitions" 
+    xmlns:independent-def="urn:oval:v6:definitions:independent" 
+    xmlns:win-def="urn:oval:v6:definitions:windows" 
+    xmlns:oval="urn:oval:v6:common" 
+    xmlns:oval-def="urn:oval:v6:definitions" 
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+    
+    xsi:schemaLocation="urn:oval:v6:definitions https://raw.githubusercontent.com/OVAL-Community/OVAL/refs/heads/6.0_release/oval-schemas/oval-definitions-schema.xsd 
+    urn:oval:v6:common https://raw.githubusercontent.com/OVAL-Community/OVAL/refs/heads/6.0_release/oval-schemas/oval-common-schema.xsd
+    urn:oval:v6:definitions:windows https://raw.githubusercontent.com/OVAL-Community/OVAL/refs/heads/6.0_release/oval-schemas/windows-definitions-schema.xsd
+    urn:oval:v6:definitions:independent https://raw.githubusercontent.com/OVAL-Community/OVAL/refs/heads/6.0_release/oval-schemas/independent-definitions-schema.xsd">
+    <generator>
+        <oval:product_name>A human being</oval:product_name>
+        <oval:schema_version>6.0</oval:schema_version>
+        <oval:timestamp>2024-12-13T17:30:20</oval:timestamp>
+    </generator>
+    <definitions>
+        <definition id="oval:oval-community:def:1" version="2" class="inventory">
+            <metadata>
+                <title>Windows is installed</title>
+                <description>Computer is in the windows family</description>
+            </metadata>
+            <criteria>
+                <criterion test_ref="oval:oval-community:tst:1" comment="The installed operating system belongs to the Microsoft Windows family" />
+            </criteria>
+        </definition>
+    </definitions>
+    <tests>
+        <family_test xmlns="urn:oval:v6:definitions:independent" id="oval:oval-community:tst:1" version="1" check="all" comment="The installed operating system belongs to the Microsoft Windows family">
+            <object object_ref="oval:oval-community:obj:1" />
+            <state state_ref="oval:oval-community:ste:1" />
+        </family_test>
+    </tests>
+    <objects>
+        <family_object xmlns="urn:oval:v6:definitions:independent" id="oval:oval-community:obj:1" version="1" comment="OS family" />
+    </objects>
+    <states>
+        <family_state xmlns="urn:oval:v6:definitions:independent" id="oval:oval-community:ste:1" version="1" comment="Microsoft Windows family">
+            <family>windows</family>
+        </family_state>
+    </states>
   </oval_definitions>
 
 
@@ -215,18 +219,20 @@ XCCDF
   The `eXtensible Configuration Checklist Description Format <https://csrc.nist.gov/projects/security-content-automation-protocol/scap-specifications/xccdf>`_ language describes security checklists. Documents in this format may reference OVAL components or documents, as well as ones from other standards, creating a portable and flexible checklist.
 |
 
-SCE
-  The `Script Check Engine <https://www.open-scap.org/features/other-standards/sce/>`_ complements OVAL with scripts that check things that OVAL cannot or does not. SCE results files are created as an XML. By using XLST transformations, OVAL and SCE results can be aggregated into a single HTML file or PDF document.
-|
-
 CPE
   The `Common Platform Enumeration <https://cpe.mitre.org/specification/>`_ provides a standard naming scheme for IT platforms and systems. OVAL uses it to consistently identify the target platforms of checks and definitions.
 |
 
-Datastreams
-  **Datastream** is a format that consolidates multiple SCAP components into a single file (including OVAL).
+OCIL
+  The `Open Checklist Interactive Language <https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/Specifications/ocil>`_ provides a method for interviewing the end user to answer test that cannot be automated.
+|
+
+SCAP Datastreams
+  The 'SCAP Datastream <https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases/scap-1-3>`_ is a format that consolidates multiple SCAP components into a single file (including OVAL).
+|
 
-  **ARF**, or the **Asset Reporting Format**, is also called Result Datastream. It consolidates multiple results files into one.
+ARF
+  The `Asset Reporting Format <https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/Specifications/arf>`_ , is also called Result Datastream. It consolidates multiple results files into one.
 |
 
 Next Steps

guidelines/index.rst

@@ -5,12 +5,15 @@
 
 .. _welcome-to-the-guidelines:
 
-The OVAL Community Version 5.12 Documenation
+The OVAL Community Version 6.0 Documenation
 =========================================
 
 Welcome to the guidelines for OVAL, the Open Vulnerability and Assessment Language. These guidelines are designed to explain everything you need to know to start contributing to OVAL (or link you to places to ask questions, should the explanations not suffice), as well as provide a variety of standards and resources to the community.
 
-If you are looking for documentation for OVAL version 5.11.2, please visit:  https://oval-community-guidelines.readthedocs.io/en/5.11.2_release/
+If you are looking for documentation for documentation on previous versions of OVAL
+
+* OVAL version 5.12:  https://oval-community-guidelines.readthedocs.io/en/5.12_release/
+* OVAL version 5.11.2:  https://oval-community-guidelines.readthedocs.io/en/5.11.2_release/
 
 **Notice:**
 
@@ -24,6 +27,12 @@ What is OVAL?
 
 OVAL is an open language built by security experts, system administrators, and software developers to universalize assessment and reporting on the state of computer systems.
 
+What changed in version 6.0?
+--------------------------
+* Removed all deprecated items from OVAL 5.12, in order to substantially decrease the size/complexity of the language.  This was accomplished without removing any functionality from currently published SCAP/OVAL content.  139 different OVAL deprecated tests were removed from 5.12 to 6.0, along with several entire platforms.
+* Added the concept of an 'encapsulated definition', which allows for OVAL definition files to have a new element called 'encapsulated_definition', which contains all of the tests, objects, states and variables needed to perform the given defintion.  This was added to allow content to be easier to write, maintain, and merge with other files.
+* Added new schemas for Vmware ESX and Kubernetes
+
 Who is the OVAL Community?
 --------------------------