diff --git a/oval-schemas/macos-definitions-schema.xsd b/oval-schemas/macos-definitions-schema.xsd
index 10345c0..341413a 100644
--- a/oval-schemas/macos-definitions-schema.xsd
+++ b/oval-schemas/macos-definitions-schema.xsd
@@ -13,8 +13,8 @@
The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
MacOS Definition
- 5.11.1:1.3
- 05/24/2019 09:00:00 AM
+ 5.11.1:1.4
+ 04/03/2020 09:00:00 AM
For the portion subject to the copyright in the United States: Copyright (c) 2016 United States Government. All rights reserved. Copyright (c) 2019, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
@@ -138,6 +138,11 @@
The login shell for this user account.
+
+
+ The generated UID for this user account. The UID is related to File Vault.
+
+
@@ -372,6 +377,276 @@
+
+
+
+
+ The disabledservice_test is used to check the status of daemons/agents disabled via the launchd service, via the command 'launchctl print-disabled <domain>'. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a disabledservice_object and the optional state element specifies the data to check.
+
+
+ disabledservice_test
+ disabledservice_object
+ disabledservice_state
+ disabledservice_item
+
+
+
+
+
+ - the object child element of a disabledservice_test must reference a disabledservice_object
+
+
+ - the state child element of a disabledservice_test must reference a disabledservice_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The disabledservice_object element is used by a disabledservice_test to define the service domain to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A disabledservice_object consists of a domain entity that contains the name of the domain that will be queried for disabled services.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies the domain to be queried. The only valid operation for this field is "equals".
+
+
+
+ - operation attribute for the domain entity of a disabledservice_object should be 'equals'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The disabledservice_state element defines a value used to evaluate the result of a specific disabledservice_object item.
+
+
+
+
+
+
+
+ Specifies the name of the domain used to create the object.
+
+
+
+
+ Specifies the name of the service disabled in the domain.
+
+
+
+
+ Specifies the actual status of the service as indicated by the output of the 'launchctl print-disabled <domain>' command.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The diskinfo_test is used to inspect the contents of 'diskutil info <device ID>' command output. It extends the standard TestType
+ as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object
+ element references an diskinfo_object and the optional state element references an diskinfo_state that specifies the information to check.
+
+
+
+ diskinfo_test
+ diskinfo_object
+ diskinfo_state
+ diskinfo_item
+
+
+
+
+
+ - the object child element of an diskinfo_test must reference an diskinfo_object
+
+
+ - the state child element of an diskinfo_test must reference an diskinfo_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The diskinfo_object is used by an diskinfo_test to define the scope of disks on the local system that should be collected using the 'diskutil
+ info <name>' command. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the
+ ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again,
+ please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The device_identifier element specifies the name(s) of the disk whose information should be collected
+ from the local system. Use a wildcard pattern to collect information for all disk devices.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The diskinfo_state contains entities that are used to check against retrieved disk information.
+
+
+
+
+
+
+
+ The device identifier.
+
+
+
+
+ The value of the volume name field (if any).
+
+
+
+
+ The value of the file system personality field (if any).
+
+
+
+
+ The value of the removable media field (if any).
+
+
+
+
+ The value of the device location field (if any).
+
+
+
+
+ The value of the solid state flag.
+
+
+
+
+ The value of the read-only volume flag.
+
+
+
+
+ Whether or not FileVault is enabled on the disk.
+
+
+
+
+ The mount point for this disk (if any).
+
+
+
+
+ The value of the SMART status field (if any).
+
+
+
+
+
+ The value of the encrypted status field (if any). This is typically present for external drives,
+ not APFS drives with FileVault active (for which this field does not exist).
+
+
+
+
+
+ The value of an APFS userid (for non-APFS disks, this does not exist).
+
+
+
+
+
+
+
+
@@ -385,6 +660,17 @@
diskutil_item
+
+
+ 5.11.2
+ The diskutil_test has been deprecated. The underlying capability was rendered obsolete in MacOS X 10.11 (El Capitan), and then removed altogether from the platform in MacOS X 10.12 (Sierra).
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
@@ -412,6 +698,17 @@
The diskutil_object element is used by a diskutil_test to define the volumes containing packages to be verified on a Mac OS system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+ 5.11.2
+ The diskutil_object has been deprecated. The underlying capability was rendered obsolete in MacOS X 10.11 (El Capitan), and then removed altogether from the platform in MacOS X 10.12 (Sierra).
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
@@ -454,6 +751,17 @@
The diskutil_state element defines the different verification information associated with a disk on a Mac OS system. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+ 5.11.2
+ The diskutil_state has been deprecated. The underlying capability was rendered obsolete in MacOS X 10.11 (El Capitan), and then removed altogether from the platform in MacOS X 10.12 (Sierra).
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
@@ -557,7 +865,183 @@
- The expected symlink of the file/directory.
+ The expected symlink of the file/directory.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filevault_test is used to determine the status of File Vault disk encryption. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an filevault_object and the optional state element references an filevault_state that specifies the information to check.
+
+
+
+ filevault_test
+ filevault_object
+ filevault_state
+ filevault_item
+
+
+
+
+
+ - the object child element of an filevault_test must reference an filevault_object
+
+
+ - the state child element of an filevault_test must reference an filevault_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filevault_object is used by a filevault_test to query the status of File Vault. It is a singleton object.
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+ The filevault_state is used to check the filevault status.
+
+
+
+
+
+
+
+ The status element describes the File Vault status of the machine.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for use of variables.
+
+
+
+
+
+
+
+
+
+
+
+ The firmwarepassword_test is used to determine the status of File Vault disk encryption. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an firmwarepassword_object and the optional state element references an firmwarepassword_state that specifies the information to check.
+
+
+
+ firmwarepassword_test
+ firmwarepassword_object
+ firmwarepassword_state
+ firmwarepassword_item
+
+
+
+
+
+ - the object child element of an firmwarepassword_test must reference an firmwarepassword_object
+
+
+ - the state child element of an firmwarepassword_test must reference an firmwarepassword_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The firmwarepassword_object is used by a firmwarepassword_test to query the status of the firmwarepasswd command. It is a singleton object.
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+ The firmwarepassword_state is used to check the firmwarepasswd status.
+
+
+
+
+
+
+
+ The status element describes whether a firmware password is enabled.
@@ -624,6 +1108,11 @@
The status of Gatekeeper assessments.
+
+
+ The status of Gatekeeper enforcement of app developer id.
+
+
The path to an unsigned application folder to which Gatekeeper has granted execute permission.
@@ -950,6 +1439,131 @@
+
+
+
+
+
+ The installhistory_test is used to inspect the install history (SPInstallHistoryDataType) section of the system_profiler command
+ output. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description
+ for more information. The required object element references an installhistory_object and the optional state element references
+ an installhistory_state that specifies the information to check.
+
+
+
+ installhistory_test
+ installhistory_object
+ installhistory_state
+ installhistory_item
+
+
+
+
+
+ - the object child element of an installhistory_test must reference an installhistory_object
+
+
+ - the state child element of an installhistory_test must reference an installhistory_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The installhistory_object is used by an installhistory_test to define the scope of software install history on the local system that should be
+ collected using the "system_profiler SPInstallHistoryDataType" command. Each object extends the standard ObjectType as defined in the
+ oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects
+ to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name element specifies the name(s) of the software item which should be collected from the local
+ system.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The installhistory_state contains entities that are used to check against installed software.
+
+
+
+
+
+
+
+ The name element contains a string that represents the name of a software title that was collected from the local system.
+
+
+
+
+
+ The install_version element contains the version of an installed software item. When this entry is blank or made up of only white-space, the status of the entity must be set to "does not exist".
+
+
+
+
+
+
+ The install_date element contains the date that a software item was installed on the system. The value is an integer expressing the number of seconds which have passed since the epoch, midnight GMT Jan 1, 1970.
+
+
+
+
+
+
+ The package_source element contains the source type of an installed software item.
+
+
+
+
+
+
+
+
+
@@ -1158,7 +1772,7 @@
- This test pulls data from the 'nvram -p' output.
+ This test pulls firmware data from the device using the 'nvram' command.
nvram_test
@@ -1191,7 +1805,7 @@
- The nvram_object element is used by a nvram test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ The nvram_object element is used by an nvram_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
@@ -1215,7 +1829,7 @@
-
+ Used to specify the name of the variable to retrieve. In the case of operations other than 'equals', the scope of variables will be limited to those retrieved via the 'nvram -p' command. Hidden nvram variables can be accessed through direct queries using the 'equals' operation.
@@ -1249,6 +1863,102 @@
+i
+
+
+
+
+ The nvram512_test is used to check the binary values of firmware variables, via the command 'nvram -x -p' or 'nvram -x <variable_name>'. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a nvram512_object and the optional state element specifies the data to check.
+
+
+ nvram512_test
+ nvram512_object
+ nvram512_state
+ nvram512_item
+
+
+
+
+
+ - the object child element of an nvram512_test must reference an nvram512_object
+
+
+ - the state child element of an nvram512_test must reference an nvram512_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The nvram512_object element is used by an nvram512_test to define the service domain to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of the firmware variable being queried.
+
+
+
+
+
+
+
+
+
+
+
+
+ The nvram512_state element defines a value used to evaluate the result of a specific nvram512_object item.
+
+
+
+
+
+
+
+ Specifies the name of the firmware variable that was queried.
+
+
+
+
+ Specifies the binary value of the firmware variable.
+
+
+
+
+
+
+
@@ -1743,6 +2453,92 @@
+
+
+
+
+
+ The profiles_test is used to test aspects of the device configuration profiles installed on the device. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an profiles_object and the optional state element references an profiles_state that specifies the information to check.
+
+
+
+ profiles_test
+ profiles_object
+ profiles_state
+ profiles_item
+
+
+
+
+
+ - the object child element of an profiles_test must reference an profiles_object
+
+
+ - the state child element of an profiles_test must reference an profiles_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The profiles_object is used by a profiles_test to query the status of the 'profiles status -type enrollment' command. It is a singleton object.
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+ The profiles_state is used to check the MDM enrollment status.
+
+
+
+
+
+
+
+ The status element describes whether the device is enrolled in MDM.
+
+
+
+
+ The status element describes whether the device is enrolled in MDM via DEP.
+
+
+
+
+
+
+
+
@@ -2634,7 +3430,7 @@
-
+
The data_type entity provides the datatype value that is desired.
@@ -2667,7 +3463,7 @@
-
+
The data_type entity provides the datatype value that is desired.
@@ -2791,6 +3587,11 @@
Specifies whether the power button can be used to cause the computer to sleep.
+
+
+ Specifies whether the computer will restart after a power failure.
+
+
Specifies whether remote logins are allowed.
@@ -2806,6 +3607,11 @@
Specifies the computer's name.
+
+
+ Specifies the name of the local subnet.
+
+
Specifies the startup disk.
@@ -2834,110 +3640,6 @@
-
-
- The EntityObjectDataTypeType complex type defines the different values that are valid for the data_type entity of a system_profiler object. These values describe the system_profiler XML data to be retrieved. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the index entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values. Please note that the values identified are for the data_type entity and are not valid values for the datatype attribute.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The empty string value is permitted here to allow for empty elements associated with variable references.
-
-
-
-
-
-
-
- The EntityStateDataTypeType complex type defines the different values that are valid for the data_type entity of a system_profiler state. These values describe the system_profiler XML data to be retrieved. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the index entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values. Please note that the values identified are for the data_type entity and are not valid values for the datatype attribute.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The empty string value is permitted here to allow for empty elements associated with variable references.
-
-
-
-
-
The EntityStatePermissionCompareType complex type restricts a string value to more, less, or same which specifies if an actual permission is different than the expected permission (more or less restrictive) or if the permission is the same. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
@@ -3023,4 +3725,18 @@
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
diff --git a/oval-schemas/macos-system-characteristics-schema.xsd b/oval-schemas/macos-system-characteristics-schema.xsd
index 895245d..9de5c3f 100644
--- a/oval-schemas/macos-system-characteristics-schema.xsd
+++ b/oval-schemas/macos-system-characteristics-schema.xsd
@@ -13,8 +13,8 @@
The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
MacOS System Characteristics
- 5.11.1:1.2
- 11/30/2016 09:00:00 AM
+ 5.11.1:1.4
+ 04/03/2020 09:00:00 AM
For the portion subject to the copyright in the United States: Copyright (c) 2016 United States Government. All rights reserved. Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
@@ -67,6 +67,11 @@
The login shell for this user account.
+
+
+ The generated UID for this user account. The UID is related to File Vault.
+
+
@@ -135,11 +140,101 @@
+
+
+
+
+ The diskinfo_item contains information retrieved using the 'diskutil info <device ID>' command.
+
+
+
+
+
+
+
+ The device identifier.
+
+
+
+
+ The value of the volume name field (if any).
+
+
+
+
+ The value of the file system personality field (if any).
+
+
+
+
+ The value of the removable media field (if any).
+
+
+
+
+ The value of the device location field (if any).
+
+
+
+
+ The value of the solid state flag.
+
+
+
+
+ The value of the read-only volume flag.
+
+
+
+
+ Whether or not FileVault is enabled on the disk.
+
+
+
+
+ The mount point for this disk (if any).
+
+
+
+
+ The value of the SMART status field (if any).
+
+
+
+
+
+ The value of the encrypted status field (if any). This is typically present for external drives,
+ not APFS drives with FileVault active (for which this field does not exist).
+
+
+
+
+
+ The value(s) of APFS cryptographic UIDs (if any) for the disk.
+
+
+
+
+
+
+
+
The diskutil_item holds verification information about an individual disk on a Mac OS system. Each diskutil_item contains a device, filepath, and details on how the actual permissions, ownerships and link targets differ from the expected values. For more information, see diskutil(8) or repair_packages(8). It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+ 5.10
+ The diskutil_state has been deprecated. The underlying capability was rendered obsolete in MacOS X 10.11 (El Capitan), and then removed altogether from the platform in MacOS X 10.12 (Sierra).
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
@@ -251,6 +346,101 @@
+
+
+
+
+ This item stores results from checking a launchd domain for disabled services.
+
+
+
+
+
+
+
+ Specifies the name of the domain used to create the object.
+
+
+
+
+ Specifies the name of the agent/daemon.
+
+
+
+
+ Specifies the actual status of the service as indicated by the output of the 'launchctl print-disabled <domain>' command.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filevault_item stores information about the status of File Vault on the machine.
+
+
+
+
+
+
+
+
+
+ The status element contains the File Vault status on the machine. If encryption is in progress, the status will be 'encrypting', otherwise it will be 'enabled' or 'disabled'.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+
+
+
+
+ The firmwarepassword_item stores information about the status of the firmwarepasswd command on the machine.
+
+
+
+
+
+
+
+
+
+ The status element describes whether or not a firmware password is enabled on the machine.
+
+
+
+
+
+
+
+
+
@@ -266,6 +456,11 @@
The status of Gatekeeper assessments.
+
+
+ The status of Gatekeeper enforcement of app developer id.
+
+
The path to an unsigned application folder to which Gatekeeper has granted execute permission.
@@ -420,6 +615,56 @@
+
+
+
+
+
+ The installhistory_item stores information retrieved from the system_profiler about installed software on the device.
+ Information is collected from the target endpoint using the "system_profiler SPInstallHistoryDataType" command
+ and output values are parsed from the XML output.
+
+
+
+
+
+
+
+
+
+ The name element contains the name of the software history entry represented by the item.
+
+
+
+
+
+
+ The install_version element contains the version of the installed software item. When this entry is blank or
+ made up of only white-space, the status of the entity should be "does not exist".
+
+
+
+
+
+
+ The install_date element contains the date that the software item was installed on the system. The value is an
+ integer expressing the number of seconds which have passed since the epoch, midnight GMT Jan 1, 1970.
+
+
+
+
+
+
+ The package_source element contains the source of the installed software item.
+
+
+
+
+
+
+
+
+
@@ -508,6 +753,32 @@
+
+
+
+
+ This item stores results from checking a firmware variable via an nvram512_object.
+
+
+
+
+
+
+
+ Specifies the name of the firmware variable that was queried.
+
+
+
+
+ Specifies the binary value of the firmware variable.
+
+
+
+
+
+
+
+
@@ -601,6 +872,38 @@
+
+
+
+
+
+ The profiles_item stores information about the status of device configuration profiles on the machine.
+
+
+
+
+
+
+
+
+
+ The status element describes whether the device is enrolled in MDM.
+
+
+
+
+
+
+ The status element describes whether the device is enrolled in MDM via DEP.
+
+
+
+
+
+
+
+
+
@@ -1005,7 +1308,7 @@
-
+
Specifies the data type that was used in collection.
@@ -1139,58 +1442,6 @@
-
-
- The EntityItemDataTypeType complex type defines the different values that are valid for the data_type entity of a system_profiler item. These values describe the system_profiler XML data to be retrieved. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the index entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values. Please note that the values identified are for the data_type entity and are not valid values for the datatype attribute.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The empty string value is permitted here to allow for detailed error reporting.
-
-
-
-
-
The EntityItemPermissionCompareType complex type restricts a string value to more, less, or same which specifies if an actual permission is different than the expected permission (more or less restrictive) or if the permission is the same. The empty string is also allowed to support empty elements associated with error conditions.
@@ -1276,4 +1527,18 @@
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+