| 1 | +<?xml version="1.0" encoding="UTF-8"?> |
| 2 | +<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" |
| 3 | + xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" |
| 4 | + xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" |
| 5 | + xmlns:panos-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#panos" |
| 6 | + xmlns:sch="http://purl.oclc.org/dsdl/schematron" |
| 7 | + targetNamespace="http://oval.mitre.org/XMLSchema/oval-definitions-5#panos" |
| 8 | + elementFormDefault="qualified" version="5.11"> |
| 9 | + <xsd:import namespace="http://oval.mitre.org/XMLSchema/oval-definitions-5" schemaLocation="oval-definitions-schema.xsd"/> |
| 10 | + <xsd:annotation> |
| 11 | + <xsd:documentation> |
| 12 | + The following is a description of the elements, types, and attributes that compose the Palo Alto (PAN-OS)-specific |
| 13 | + tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension |
| 14 | + of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a |
| 15 | + set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and |
| 16 | + should provide the information necessary to understand what each element and attribute represents. This document |
| 17 | + is intended for developers and assumes some familiarity with XML. A high level description of the interaction |
| 18 | + between the different tests and their relationship to the Core Definition Schema is not outlined here. |
| 19 | + </xsd:documentation> |
| 20 | + <xsd:documentation> |
| 21 | + This schema was originally developed by William Munyan at cisecurity.org. The OVAL Schema is maintained by the |
| 22 | + OVAL Community. For more information, including how to get involved in the project and how to submit change |
| 23 | + requests, please visit the OVAL website at http://oval.cisecurity.org. |
| 24 | + </xsd:documentation> |
| 25 | + <xsd:appinfo> |
| 26 | + <schema>Palo Alto (PAN-OS) Definitions</schema> |
| 27 | + <version>5.11.2:2.0</version> |
| 28 | + <date>03/30/2021 09:00:00 AM</date> |
| 29 | + <terms_of_use> |
| 30 | + For the portion subject to the copyright in the United States: Copyright (c) 2016 United States Government. |
| 31 | + All rights reserved. Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of |
| 32 | + this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the |
| 33 | + OVAL License for the specific language governing permissions and limitations for use of this schema. When |
| 34 | + distributing copies of the OVAL Schema, this license header must be included. |
| 35 | + </terms_of_use> |
| 36 | + <sch:ns prefix="oval-def" uri="http://oval.mitre.org/XMLSchema/oval-definitions-5"/> |
| 37 | + <sch:ns prefix="panos-def" uri="http://oval.mitre.org/XMLSchema/oval-definitions-5#panos"/> |
| 38 | + <sch:ns prefix="xsi" uri="http://www.w3.org/2001/XMLSchema-instance"/> |
| 39 | + </xsd:appinfo> |
| 40 | + </xsd:annotation> |
| 41 | + |
| 42 | + <!-- ============================================================================ --> |
| 43 | + <!-- ================================ CONFIG TEST ============================= --> |
| 44 | + <!-- ============================================================================ --> |
| 45 | + <xsd:element name="config_test" substitutionGroup="oval-def:test"> |
| 46 | + <xsd:annotation> |
| 47 | + <xsd:documentation> |
| 48 | + The config_test is used to check the properties of the XML output from a PAN-OS XML API request to export the |
| 49 | + current running configuration. This is a request to the API at "https://[PAN-OS-DEVICE]/api/?type=export&category=configuration". |
| 50 | + The response to this request is an XML payload rooted with a "response" element and including device-specific information. |
| 51 | + It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType |
| 52 | + description for more information. The required object element references a config_object and the optional state |
| 53 | + element specifies the data to check. |
| 54 | + </xsd:documentation> |
| 55 | + <xsd:appinfo> |
| 56 | + <oval:element_mapping> |
| 57 | + <oval:test>config_test</oval:test> |
| 58 | + <oval:object>config_object</oval:object> |
| 59 | + <oval:state>config_state</oval:state> |
| 60 | + <oval:item target_namespace="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#panos">config_item</oval:item> |
| 61 | + </oval:element_mapping> |
| 62 | + </xsd:appinfo> |
| 63 | + <xsd:appinfo> |
| 64 | + <sch:pattern id="panos-def_configtst"> |
| 65 | + <sch:rule context="panos-def:config_test/panos-def:object"> |
| 66 | + <sch:assert test="@object_ref=ancestor::oval-def:oval_definitions/oval-def:objects/panos-def:config_object/@id"><sch:value-of select="../@id"/> - the object child element of a config_test must reference a config_object</sch:assert> |
| 67 | + </sch:rule> |
| 68 | + <sch:rule context="panos-def:config_test/panos-def:state"> |
| 69 | + <sch:assert test="@state_ref=ancestor::oval-def:oval_definitions/oval-def:states/panos-def:config_state/@id"><sch:value-of select="../@id"/> - the state child element of a config_test must reference a config_state</sch:assert> |
| 70 | + </sch:rule> |
| 71 | + </sch:pattern> |
| 72 | + </xsd:appinfo> |
| 73 | + </xsd:annotation> |
| 74 | + <xsd:complexType> |
| 75 | + <xsd:complexContent> |
| 76 | + <xsd:extension base="oval-def:TestType"> |
| 77 | + <xsd:sequence> |
| 78 | + <xsd:element name="object" type="oval-def:ObjectRefType"/> |
| 79 | + <xsd:element name="state" type="oval-def:StateRefType" minOccurs="0" maxOccurs="unbounded"/> |
| 80 | + </xsd:sequence> |
| 81 | + </xsd:extension> |
| 82 | + </xsd:complexContent> |
| 83 | + </xsd:complexType> |
| 84 | + </xsd:element> |
| 85 | + <xsd:element name="config_object" substitutionGroup="oval-def:object"> |
| 86 | + <xsd:annotation> |
| 87 | + <xsd:documentation> |
| 88 | + The config_object element is used by a config_test to define the object to be evaluated. Each object extends the |
| 89 | + standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description |
| 90 | + for more information. The common set element allows complex objects to be created using filters and set logic. |
| 91 | + Again, please refer to the description of the set element in the oval-definitions-schema. |
| 92 | + </xsd:documentation> |
| 93 | + <xsd:documentation> |
| 94 | + A config_object consists of an xpath entity that contains an XPATH 1.0 query to perform on the PAN-OS API response |
| 95 | + XML data. The response data is assumed to consist of a <response> entity, with arbitrary (i.e., vendor-specific) |
| 96 | + child nodes. |
| 97 | + </xsd:documentation> |
| 98 | + <xsd:appinfo> |
| 99 | + <sch:pattern id="panos-def_paloalto_object_verify_filter_state"> |
| 100 | + <sch:rule context="panos-def:paloalto_object//oval-def:filter"> |
| 101 | + <sch:let name="parent_object" value="ancestor::panos-def:config_object"/> |
| 102 | + <sch:let name="parent_object_id" value="$parent_object/@id"/> |
| 103 | + <sch:let name="state_ref" value="."/> |
| 104 | + <sch:let name="reffed_state" value="ancestor::oval-def:oval_definitions/oval-def:states/*[@id=$state_ref]"/> |
| 105 | + <sch:let name="state_name" value="local-name($reffed_state)"/> |
| 106 | + <sch:let name="state_namespace" value="namespace-uri($reffed_state)"/> |
| 107 | + <sch:assert test="(($state_namespace='http://oval.mitre.org/XMLSchema/oval-definitions-5#panos') and ($state_name='config_state'))">State referenced in filter for <sch:value-of select="name($parent_object)"/> '<sch:value-of select="$parent_object_id"/>' is of the wrong type. </sch:assert> |
| 108 | + </sch:rule> |
| 109 | + </sch:pattern> |
| 110 | + </xsd:appinfo> |
| 111 | + </xsd:annotation> |
| 112 | + <xsd:complexType> |
| 113 | + <xsd:complexContent> |
| 114 | + <xsd:extension base="oval-def:ObjectType"> |
| 115 | + <xsd:sequence> |
| 116 | + <xsd:choice> |
| 117 | + <xsd:element ref="oval-def:set"/> |
| 118 | + <xsd:sequence> |
| 119 | + <xsd:element name="xpath" type="oval-def:EntityObjectStringType"> |
| 120 | + <xsd:annotation> |
| 121 | + <xsd:documentation> |
| 122 | + Specifies an Xpath expression describing the text node(s) or attribute(s) to look at. Any valid |
| 123 | + XPath 1.0 statement is usable with one exception, at most one field may be identified in the XPath. |
| 124 | + This is because the value_of element in the data section is only designed to work against a single |
| 125 | + field. The only valid operator for xpath is equals since there is an infinite number of possible |
| 126 | + XPaths and determinining all those that do not equal a given XPath would be impossible. |
| 127 | + </xsd:documentation> |
| 128 | + <xsd:appinfo> |
| 129 | + <sch:pattern id="panos-def_xmlobjxpath"> |
| 130 | + <sch:rule context="panos-def:config_object/panos-def:xpath"> |
| 131 | + <sch:assert test="not(@operation) or @operation='equals'"><sch:value-of select="../@id"/> - operation attribute for the xpath entity of a config_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)</sch:assert> |
| 132 | + </sch:rule> |
| 133 | + </sch:pattern> |
| 134 | + </xsd:appinfo> |
| 135 | + </xsd:annotation> |
| 136 | + </xsd:element> |
| 137 | + <xsd:element ref="oval-def:filter" minOccurs="0" maxOccurs="unbounded"/> |
| 138 | + </xsd:sequence> |
| 139 | + </xsd:choice> |
| 140 | + </xsd:sequence> |
| 141 | + </xsd:extension> |
| 142 | + </xsd:complexContent> |
| 143 | + </xsd:complexType> |
| 144 | + </xsd:element> |
| 145 | + <xsd:element name="config_state" substitutionGroup="oval-def:state"> |
| 146 | + <xsd:annotation> |
| 147 | + <xsd:documentation> |
| 148 | + The config_state element defines the different information that can be used to evaluate the result of a specific |
| 149 | + config XPath evaluation. This includes the XPath used and the value of this XPath. |
| 150 | + </xsd:documentation> |
| 151 | + </xsd:annotation> |
| 152 | + <xsd:complexType> |
| 153 | + <xsd:complexContent> |
| 154 | + <xsd:extension base="oval-def:StateType"> |
| 155 | + <xsd:sequence> |
| 156 | + <xsd:element name="xpath" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1"> |
| 157 | + <xsd:annotation> |
| 158 | + <xsd:documentation>Specifies an XPath expression describing the text node(s) or attribute(s) to look at.</xsd:documentation> |
| 159 | + </xsd:annotation> |
| 160 | + </xsd:element> |
| 161 | + <xsd:element name="value_of" type="oval-def:EntityStateAnySimpleType" minOccurs="0" maxOccurs="1"> |
| 162 | + <xsd:annotation> |
| 163 | + <xsd:documentation>The value_of element checks the value(s) of the text node(s) or attribute(s) found.</xsd:documentation> |
| 164 | + </xsd:annotation> |
| 165 | + </xsd:element> |
| 166 | + </xsd:sequence> |
| 167 | + </xsd:extension> |
| 168 | + </xsd:complexContent> |
| 169 | + </xsd:complexType> |
| 170 | + </xsd:element> |
| 171 | +</xsd:schema> |
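Review bot: The Schematron context on the filter rule, `context="panos-def:paloalto_object//oval-def:filter"`, names an element this schema never declares — the object element is `config_object`, and the rule's own `$parent_object` variable already resolves `ancestor::panos-def:config_object` — so the rule matches nothing and the check that a filter inside a config_object references a `config_state` silently never fires, letting a definition with a wrong-typed filter reference pass validation. Change it to `context="panos-def:config_object//oval-def:filter"` and consider renaming the pattern id `panos-def_paloalto_object_verify_filter_state` to match. Separately, the documentation text contains a bare `&` in `type=export&category=configuration` and a literal `<response>`; if those are really unescaped in the file rather than an artifact of the page rendering, the schema is not well-formed XML and they should be written as `&amp;` and `&lt;response&gt;`.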