OVAL(R) Processing Model

Producing OVAL Results is the process by which detailed system state information is evaluated against the expected state of a system and represented in a standardized format. This standardized format conveys the results of the evaluation which can indicate the presence of a vulnerability, compliance to a policy, installation of software, or even the presence of malware artifacts. Additionally, the results can be consumed by other tools where they can be interpreted and used to inform remediation of discovered issues.

OVAL Definition Evaluation is the process examining the characteristics of a system and applying one or more logical statements about those characteristics to determine an overall result for the system state that the OVAL Definition describes. Each OVAL Definition has zero or one logical criteria components, which are combined using logical operators, such as 'AND' and 'OR'. The overall result of evaluating an OVAL Definition is determined by evaluating its criteria component. This process is described in detail in the following section.

When evaluating a deprecated OVAL Definition, that does not have a criteria construct, the OVAL Definition MUST evaluate to 'not evaluated'. If a deprecated OVAL Definition contains a criteria construct, the OVAL Definition SHOULD evaluate as if it were not deprecated. However, the OVAL Definition MAY evaluate to 'not evaluted'.

A criteria component of an OVAL Definition combines one or more logical statements in order to determine a result value. A criteria can be made up of other criteria, criterion, or extend_definitions, along with an operator property that specifies how to logically combine the specified logical statements. For more information on how to combine the individual results of the logical statements specified within a criteria, see . The result value of the criteria is determined by first evaluating the operator property to combine the logical statements and then evaluating the negate property. See for additional information on how to negate the result of the criteria.

If a value for the applicability_check property is specified on the criteria construct, in an OVAL Definition, the applicability_check property and value MUST be replicated on the criteria construct in the OVAL Results.

The result of a criterion construct is the result of the OVAL Test that it references, after the negate property has been applied. See for additional information on how to negate the result of an OVAL Test. The variable_instance property of the criterion is carried over from the variable_instance value of the referenced OVAL Test.

If a value for the applicability_check property is specified on the criterion construct, in an OVAL Definition, the applicability_check property and value MUST be replicated on the criterion construct in the OVAL Results.

The result of an extend_definition construct is the result of the OVAL Definition, that it references, after the negate property has been applied. See for additional information on how to negate the result of an OVAL Definition. The variable_instance property of the extend_definition is carried over from the variable_instance value of the referenced OVAL Definition.

If a value for the applicability_check property is specified on the extend_definition construct, in an OVAL Definition, the applicability_check property and value MUST be replicated on the extend_definition construct in the OVAL Results.

When the negate property is 'true', the final result of a construct MUST be the logical complement of its result value. That is, for any construct that evaluates to 'true', the final result would become 'false', and vice versa. The negate property does not apply to non-Boolean result values. If a non-Boolean result value is encountered, the final result MUST be the non-Boolean result value. If the negate property is set to 'false', the final result of a construct will be its original result value.

The value of the variable_instance property is derived from the variable_instance values of the OVAL Definitions and OVAL Tests that are referenced within the OVAL Definition's criteria. When an OVAL Definition references another OVAL Definition or an OVAL Test that makes use of an OVAL Variable, each collection of values assigned to the OVAL Variable MUST be differentiated by incrementing the variable_instance property. The variable_instance value is incremented once for each assigned collection of values for the OVAL Variable. When more than one collection of values is assigned to an OVAL Variable, an OVAL Definition will appear in the definitions section once for each assigned collection of values.

An OVAL Test is the standardized representation of an assertion about the state of a system. An OVAL Test contains references to an OVAL Object that specifies which system data to collect and zero or more OVAL States that specify the expected state of the collected system data. OVAL Test Evaluation is the process of comparing the collected set of system data, as OVAL Items, to zero or more OVAL States. The result of the OVAL Test Evaluation is then determined by combining the results of the following three test evaluation parameters: Existence Check Evaluation - The process of determining whether or not the number of OVAL Items, that match the specified OVAL Object, satisfy the requirements specified by the check_existence property. Check Evaluation - The process of determining whether or not the number of collected OVAL Items, specified by the check property, match the specified OVAL States. State Operator Evaluation - The process of combining the individual results, from the comparison of an OVAL Item to the specified OVAL States, according to the state_operator property.

Existence Check Evaluation is the process of determining whether or not the number of OVAL Items, that match the specified OVAL Object, satisfy the requirements specified by the check_existence property. The check_existence property specifies how many OVAL Items that match the specified OVAL Object must exist on the system in order for the OVAL Test to evaluate to 'true'. To determine if the check_existence property is satisfied, the status of each OVAL Item collected by the OVAL Object must be examined. The following tables describe how each ExistenceEnumeration value affects the result of the Existence Check Evaluation. The far left column identifies the ExistenceEnumeration value in question, and the middle column specifies the different combinations of individual OVAL Item status values that may be found (EX = exist; DE = does not exist; ER = error; NC = not collected). The last column specifies the final result of the Existence Check Evaluation according to the combination of individual OVAL Item status values.

|| item status value count || || || existence piece is || EX | DE | ER | NC || ||---------------------------||------------------ || 1+ | 0 | 0 | 0 || True || 0 | 0 | 0 | 0 || False || 0+ | 1+ | 0+ | 0+ || False || 0+ | 0 | 1+ | 0+ || Error || 0+ | 0 | 0 | 1+ || Unknown || -- | -- | -- | -- || Not Evaluated || -- | -- | -- | -- || Not Applicable ||---------------------------||------------------

|| item status value count || || || existence piece is || EX | DE | ER | NC || ||---------------------------||------------------ || 0+ | 0+ | 0 | 0+ || True || 1+ | 0+ | 1+ | 0+ || True || -- | -- | -- | -- || False || 0 | 0+ | 1+ | 0+ || Error || -- | -- | -- | -- || Unknown || -- | -- | -- | -- || Not Evaluated || -- | -- | -- | -- || Not Applicable ||---------------------------||------------------

|| item status value count || || || existence piece is || EX | DE | ER | NC || ||---------------------------||------------------ || 1+ | 0+ | 0+ | 0+ || True || 0 | 1+ | 0 | 0 || False || 0 | 0+ | 1+ | 0+ || Error || 0 | 0+ | 0 | 1+ || Unknown || -- | -- | -- | -- || Not Evaluated || -- | -- | -- | -- || Not Applicable ||---------------------------||------------------

|| item status value count || || existence piece is || EX | DE | ER | NC || ||---------------------------||------------------ || 0 | 0+ | 0 | 0 || True || 1+ | 0+ | 0+ | 0+ || False || 0 | 0+ | 1+ | 0+ || Error || 0 | 0+ | 0 | 1+ || Unknown || -- | -- | -- | -- || Not Evaluated || -- | -- | -- | -- || Not Applicable ||---------------------------||------------------

|| item status value count || || || existence piece is || EX | DE | ER | NC || ||---------------------------||------------------ || 1 | 0+ | 0 | 0 || True || 2+ | 0+ | 0+ | 0+ || False || 0 | 0+ | 0 | 0 || False || 0,1 | 0+ | 1+ | 0+ || Error || 0,1 | 0+ | 0 | 1+ || Unknown || -- | -- | -- | -- || Not Evaluated || -- | -- | -- | -- || Not Applicable ||---------------------------||------------------

Check Evaluation is the process of determining whether or not the number of collected OVAL Items, specified by the check property, match the specified OVAL States. The check property specifies how many of the collected OVAL Items must match the specified OVAL States in order for the OVAL Test to evaluate to 'true'. For additional information on how to determine if the check property is satisfied, see .

State Operator Evaluation is the process of combining the individual results, from the comparison of an OVAL Item to the specified OVAL States, according to the state_operator property, to produce a result for the OVAL Test. For additional information on how to determine the final result using the state_operator property, see .

While the final result of the OVAL Test Evaluation is the combination of the results from the three evaluations (Existence Check Evaluation, Check Evaluation, and State Operator Evaluation), how the result is calculated will vary depending upon if the optional collected object section is present in the OVAL System Characteristics. However, in either case, if the result of the Existence Check Evaluation is 'false', the Check and State Operator Evaluations can be ignored and the final result of the OVAL Test will be 'false'.

When the Collected Objects section is not present in the OVAL System Characteristics, all OVAL Items present in the OVAL System Characteristics must be examined. Each OVAL Item MUST be examined to determine which match the OVAL Object according to and . Once the set of matching OVAL Items is determined, they can undergo the three different evaluations that make up OVAL Test Evaluation.

When the Collected Objects section is present in the OVAL System Characteristics the flag value of an OVAL Object, in the Collected Objects section, must be examined before the Existence Check Evaluation is performed. If the OVAL Object, referenced by an OVAL Test, cannot be found in the Collected Objects section, the final result of the OVAL Test MUST be 'unknown'. Otherwise, if the OVAL Object, referenced by an OVAL Test, is found, the following guidelines must be followed when determining the final result of an OVAL Test. If the flag value is 'error', the final result of the OVAL Test MUST be 'error'. If the flag value is 'not collected', the final result of the OVAL Test MUST be 'unknown'. If the flag value is 'not applicable', the final result of the OVAL Test MUST be 'not applicable'. If the flag value is 'does not exist', the final result is determined solely by performing the Check Existence Evaluation. If the flag value is 'complete', the final result is determined by first performing the Check Existence Evaluation followed by the Check Evaluation and State Operator Evaluation. If the flag value is 'incomplete', the final result is determined as follows: If the check_existence property has a value of 'none_exist' and one or more OVAL Items, referenced by the OVAL Object, have a status of 'exists', the final result of the OVAL Test MUST be 'false'. If the check_existence property has a value of 'only one exists' and more than one OVAL Item, referenced by the OVAL Object, has a status of 'exists', the final result of the OVAL Test MUST be 'false'. If the result of the Existence Check Evaluation is true, the following special cases during the Check Evaluation MUST be considered: If the Check Evaluation evaluates to 'false', the final result of the OVAL Test MUST be 'false'. If the check property has a value of 'at least one satisfies' and the check evaluation evaluates to 'true', the final result of the OVAL Test MUST be 'true'. Otherwise, the final result of the OVAL Test MUST be 'unknown'. Value Result error error complete Depends on check_existence and check attributes incomplete Depends on check_existence and check attributes does not exist depends on check_existence and check attributes not collected unknown not applicable not applicable

When an OVAL Test makes use of an OVAL Variable, either directly or indirectly, OVAL Test is evaluated once for each collection of values assigned to the OVAL Variable. Each evaluation result for the OVAL Tests MUST be differentiated by incrementing the variable_instance property once for each assigned collection of values for the OVAL Variable. When more than one collection of values is assigned to an OVAL Variable, an OVAL Test will appear in the tests section once for each assigned collection of values.

At the highest level, OVAL Object Evaluation is the process of collecting OVAL Items based on the constraints specified by the OVAL Object Entities and OVAL Behaviors, if present, in an OVAL Object. An OVAL Object contains the minimal number of OVAL Object Entities needed to uniquely identify the system state information that makes up the corresponding OVAL Item. The methodology used to collect the system state information for the OVAL Items is strictly an implementation detail. Regardless of the chosen methodology, the same OVAL Items MUST be collected on a system for a given OVAL Object except when the flag for the collected OVAL Object has a value of 'incomplete'.

An OVAL Item matches an OVAL Object only if every OVAL Object Entity, as guided by any OVAL Behaviors, matches the corresponding OVAL Item Entity in the OVAL Item under consideration.

An OVAL Object Entity matches an OVAL Item Entity only if the value of the OVAL Item Entity matches the value of the OVAL Object Entity in the context of the specified datatype and operation. See Section for additional information regarding the allowable datatypes, operations, and how they should be interpreted.

OVAL Object Entity Evaluation is the process of searching for system state information that matches the values of an OVAL Object Entity in the context of the specified datatype and operation. This process is further defined below.

The datatype and operation property associated with an OVAL Object Entity specifies what system state information should be collected from the system in the form of an OVAL Item. When comparing a value specified in the OVAL Object Entity against system state information, the operation must be performed in the context of the specified datatype; the same operation for two different datatypes could yield different results. See for additional information on how to apply an operation in the context of a particular datatype.

For many OVAL Object Entities, there are situations in which the OVAL Object Entity does not need to be considered in the evaluation of the OVAL Object. When the nil property is set to 'true', it indicates that the OVAL Object Entity must not be considered during OVAL Object Evaluation and must not be collected. For more information about a particular OVAL Object Entity and how the nil property affects it, see the appropriate OVAL Component Model.

An OVAL Variable may be referenced from an Object Entity in order to specify multiple values or to use a value that was collected from some other source. When the var_ref property is specified, the var_check property SHOULD also be specified. See for more information on how to evaluate an OVAL Object Entity that references a variable. In addition to the OVAL Item Entity value matching the values specified in the OVAL Variable according to the var_check property, the flag associated with the OVAL Variable must also be considered. The OVAL Variable flag indicates the outcome of the collection of values for the OVAL Variable. It is important to consider this outcome because it may affect the ability of an OVAL Object Entity to successfully match the corresponding OVAL Item Entity. Additionally, this flag will also impact the collected object flag. The following table describes what flags are valid given the flag value of the OVAL Variable referenced by an OVAL Object Entity. OVAL Variable Flag Valid OVAL Object Flags error error complete error, complete, incomplete, does not exist, not collected, not applicable incomplete error, incomplete, does not exist, not collected, not applicable does not exist does not exist not collected does not exist not applicable does not exist For additional information on when each flag value MUST be used, see .

However, when there are multiple OVAL Object Entities in an OVAL Object the flag values for each OVAL Object Entity must be considered when determining which flag values are appropriate. The following table describes how multiple flag values influence the collected object flag of the OVAL Object referencing the variable (ER = error; CO = complete; IN = incomplete; DE = does not exist; NC = not collected; NA = not applicable;).

|| OVAL Component Flag Count || Resulting || || Flag || ER | CO | IN | DE | NC | NA || ---------------||------------------------------------------ error || 1+ | 0+ | 0+ | 0+ | 0+ | 0+ || complete || 0 | 1+ | 0 | 0 | 0 | 0 || incomplete || 0 | 0+ | 1+ | 0 | 0 | 0 || does not exist || 0 | 0+ | 0+ | 1+ | 0 | 0 || not collected || 0 | 0+ | 0+ | 0+ | 1+ | 0 || not applicable || 0 | 0+ | 0+ | 0+ | 0+ | 1+ || ---------------||-----------------------------------------||

The set construct provides the ability to combine the collected OVAL Items of one or two OVAL Objects using the set operators defined in the SetOperatorEnumeration. See for more information about the allowed set operators. The processing of a set MUST be done in the following manner: Identify the OVAL Objects that are part of the set by examining the object_references associated with the set. Each object_reference will refer to an OVAL Object that describes a unique set of collected OVAL Items. For every defined filter , apply the associated filter to each OVAL Item. Apply the set operator to all OVAL Items remaining in the set. The resulting OVAL Items will be the unique set of OVAL Items referenced by the OVAL Object that contains the set.

Set operations are used to combine multiple sets of different OVAL Items, as identified by the object_reference and limited by any filter, into a single unique set of OVAL Items. The different operators that guide process are in the SetOperatorEnumeration. For each operator, if only a single object_reference has been supplied then the resulting set is simply the complete set of OVAL Items identified by the referenced OVAL Object after any included filters have been applied. The tables below explain how different flags are combined for each set_operator to return a new flag. These tables are needed when computing the flag for collected objects that represent object sets in an OVAL Definition. The top row identifies the flag associated with the first set or object reference. The left column identifies the flag associated with the second set or object reference. The matrix inside the table represents the resulting flag when the given set_operator is applied. (E=error, C=complete, I=incomplete, DNE=does not exist, NC=not collected, NA=not applicable)

|| || set_operator is || Object 1 Flag || COMPLEMENT || || || E | C | I | DNE | NC | NA || -----------------||-----------------------------------|| E || E | E | E | DNE | E | E || Object C || E | C | I | DNE | NC | E || 2 I || E | E | E | DNE | NC | E || Flag DNE || E | C | I | DNE | NC | E || NC || E | NC | NC | DNE | NC | E || NA || E | E | E | E | E | E || -----------------||-----------------------------------||

|| || set_operator is || Object 1 Flag || INTERSECTION || || || E | C | I | DNE | NC | NA || ----------------||-----------------------------------|| E || E | E | E | DNE | E | E || Object C || E | C | I | DNE | NC | C || 2 I || E | I | I | DNE | NC | I || Flag DNE || DNE | DNE | DNE | DNE | DNE | DNE || NC || E | NC | NC | DNE | NC | NC || NA || E | C | I | DNE | NC | NA || ----------------||-----------------------------------||

|| || set_operator is || Object 1 Flag || UNION || || || E | C | I | DNE | NC | NA || ----------------||-----------------------------------|| E || E | E | E | E | E | E || Object C || E | C | I | C | I | C || 2 I || E | I | I | I | I | I || Flag DNE || E | C | I | DNE | I | DNE || NC || E | I | I | I | NC | NC || NA || E | C | I | DNE | NC | NA || ----------------||-----------------------------------||

The filter construct provides a way to control the OVAL Items that are included a set. See for additional information.

When evaluating an object_reference, an error MUST be reported it the OVAL Object identifier is invalid, the referenced OVAL Object does not exist, or the referenced OVAL Object does not align with the OVAL Object that is referring to it.

An OVAL Filter is a mechanism that provides the capability to either include or exclude OVAL Items based on their system state information. This is done through the referencing of an OVAL State that specifies the requirements for a matching OVAL Item and the action property that states whether or not the matching OVAL Items will be included or excluded. When evaluating an OVAL Filter, an error MUST be reported if the OVAL State identifier is not legal, the referenced OVAL State does not exist, or the referenced OVAL State does not align with the OVAL Object where it is used. The action property specifies whether or not the matching OVAL Items will be included or excluded. The action property enumeration values are defined in Section the ArithmeticEnumeration in [I-D.draft-haynes-sacm-oval-definitions-model].

When multiple OVAL Filters are specified, they MUST be evaluated sequentially from first to last to the collection of OVAL Items under consideration.

When applying a filter to OVAL Objects, every collected OVAL Item is compared to the OVAL State referenced by the OVAL Filter. If the collected OVAL Items match the OVAL State they are included or excluded based on the action property. The final set of collected OVAL Items is the set of collected OVAL Items after each OVAL Filter is evaluated. See .

The OVAL State is the standardized representation for expressing an expected machine state. In the OVAL State each OVAL State Entity expresses the expected value(s) for a single piece of configuration information. OVAL State Evaluation is the process of comparing a specified OVAL State against a collected OVAL Item on the system. OVAL State Evaluation can be broken up into two distinct parts: State Entity Evaluation - The process of determining whether or not an OVAL Item Entity, in a collected OVAL Item, matches the corresponding OVAL State Entity specified in an OVAL State. State Operator Evaluation - The process of combining the individual results, from the comparison of an OVAL Item Entity against the specified OVAL State Entity, according to the operator property.

OVAL State Entity Evaluation is the process of comparing a specified OVAL State Entity against the corresponding collected OVAL Item Entities. This comparison must be done in the context of the datatype and operation, whether or not an OVAL Variable is referenced, and whether or not there are multiple occurrences of the corresponding OVAL Item Entity in the collected OVAL Item.

The datatype and operation property associated with an OVAL State Entity specifies how the collected OVAL Item Entity compares to the value(s) specified in the OVAL State Entity. When comparing a value specified in the OVAL State Entity against a collected OVAL Item Entity, the operation must be performed in the context of the specified datatype. See for additional information on how an operation is applied in the context of a particular datatype.

An OVAL Variable can be referenced from an OVAL State Entity to specify multiple values that the corresponding OVAL Item Entities will be compared against or to utilize a value that was collected from some other source. For information on how to evaluate an OVAL State Entity that references an OVAL Variable, see .

An OVAL Item may contain multiple occurrences of an OVAL Item Entity to represent that the OVAL Item has multiple values for that particular OVAL Item Entity. The entity_check property specifies how many occurrences of an OVAL Item Entity MUST match the OVAL State Entity, as defined in , in order to evaluate to 'true'. The valid values for the entity_check property are defined by the CheckEnumeration. See for more information about how to apply the property.

The final result of an OVAL State Entity Evaluation is determined by first comparing the value specified in the OVAL State Entity with each occurrence of a corresponding OVAL Item Entity, in an OVAL Item, in the context of the specified datatype and operation as defined in . The results of the comparisons are evaluated against the specified entity_check property according to . This will be the final result of the OVAL State Entity Evaluation unless an OVAL Variable was also referenced. If an OVAL Variable was referenced, the above procedure must be performed for each value in the OVAL Variable. The final result must then be computed by examining the var_check property and the individual results for each OVAL Variable value comparison. See .

Once the OVAL State Entity Evaluation is complete for every OVAL State Entity, the individual results from each evaluation MUST be combined according to the operator property specified on the OVAL State. The combined result will be the final result of the OVAL State Evaluation. See for more information on applying the operator to the individual results of the evaluations.

OVAL Variable Evaluation is the process of retrieving a collection of values from sources both local and external to OVAL Definitions as well as manipulating those values through the evaluation of OVAL Functions. OVAL Variables can be used in OVAL Definitions to specify multiple values, manipulate values, retrieve values at execution time, and create generic and reusable content.

A constant_variable is a locally defined collection of one or more values that are specified prior to evaluation time.

A constant_variable is only capable of having a flag value of 'error', 'complete', or 'not collected'. The flag values of 'does not exist' and 'incomplete' are not used for the evaluation of a constant_variable because a constant variable is required to contain at least one value. The flag value of 'not applicable' is not used because the constant_variable construct is platform independent. The following table outlines when a constant variable will evaluate to each of the flag values. Value Description error This flag value must be used when one or more values do not conform to the specified datatype as defined in the oval:DatatypeEnumeration. complete This flag value must be used when all values conform to the specified datatype and the collection of constant variables is supported in the OVAL-capable product. incomplete - does not exist - not collected This flag value must be used when the tool does not support the collection of constant_variables. not applicable -

An external_variable is a locally declared, externally defined, collection of one or more values. The values referenced by an external_variable are collected from the external source at run-time.

The OVAL Language provides the PossibleValueType and PossibleRestriction constructs as a mechanism to validate input coming from sources external to the OVAL Definitions.

The possible_restriction construct specifies one or more restrictions on the values of an external variable. When more than one restriction is used the individual results of each comparison between the restriction and the external variable value must be combined using the selected operator attribute. The default operation performed is 'AND'. See for more information on how to combine the individual results. The final result, after combining the individual results, will be the result of the possible_restriction construct.

Each restriction allows for the specification of an operation and a value that will be compared to a supplied value for the external_variable. The result of this comparison will be used in the computation of the final result of the possible_restriction construct. See for additional information on how to determine the result of the comparison between the specified value and the external variable value using the specified operation in the context of the datatype specified on the external_variable.

The possible_value construct specifies a permitted external variable value. The specified value and the external variable value must be compared as string values using the equals operation. See for additional information on how to determine the result of the comparison. The result of this comparison will be used in determining the final result of validating an external variable value.

The final result of validating an external_variable value is determined by combining every possible_restriction and possible_value constructs using the logical 'OR' operator. That is, each value in the external_variable will be evaluated against the combination of possible_restriction and possible_value constructs and the results of this evaluation will be combined using the 'OR' operator. See for more information on how to combine the individual results using the 'OR' operator.

An external variable is only capable of returning a flag value of 'error', 'complete', or 'not collected'. The following table outlines when an external variable will evaluate to each of the flag values. The flag values 'does not exist' and 'incomplete' are not used because an external_variable is required to contain at least one value. The flag value of 'not applicable' is not used because the external_variable construct is platform independent. Value Description error This flag value must be used when one or more values do not conform to the specified datatype as defined in the oval:DatatypeEnumeration. This flag value must be used when there was an error collecting the values from the external source. This flag value must be used when there is a value, collected from the external source, that does not conform to the restrictions specified by the possible_value and possible_restriction constructs or if there is an error processing the possible_value and possible_restriction constructs. This flag value must be used when the final result of validating the external variable values is not 'true'. This flag must be used when the external source for the variable cannot be found. complete This flag value must be used when the final result of validating every external variable value is 'true' and conforms to the specified datatype. incomplete - does not exist - not collected This flag value must be used when the tool does not support the collection of constant_variables. not applicable -

A local_variable is a locally defined collection of one or more values that may be composed of values from other sources collected at evaluation time.

An OVAL Function is a construct, in the OVAL Language, that takes one or more collections of values and manipulates them in some defined way. The result of evaluating an OVAL Function will be zero or more values.

Due to the recursive nature of the ComponentGroup construct, OVAL Functions can be nested within one another. In this case, a depth-first approach is taken to processing OVAL Functions. As a result, the inner most OVAL Functions are evaluated first, and then the resulting values are used as input to the outer OVAL Function and so on.

When one or more of the specified sub-components resolve to multiple values, the function will be applied to the Cartesian product of the values, in the sub-components, and will result in a collection of values.

OVAL Functions are designed to work on values with specific datatypes. If an input value is encountered that does not align with required datatypes an attempt must be made to cast the input value(s) to the required datatype before evaluating the OVAL Function. If the input value cannot be cast to the required datatype the flag value, of the OVAL Function, MUST be set to 'error'.

When determining the flag value of an OVAL Function, the combined flag value of the sub-components must be computed in order to determine if the evaluation of the OVAL Function should continue. The following tables outline how to combine the sub-component flag values. Notation Description x x individual OVAL Component flag values are... x,y x or y individual OVAL Component flag values are...

|| num of components with flag || || || resulting flag is || E | C | I | DNE | NC | NA || ||-----------------------------------||------------------ || 1+ | 0+ | 0+ | 0+ | 0+ | 0+ || Error || 0 | 1+ | 0 | 0 | 0 | 0 || Complete || 0 | 0+ | 1+ | 0 | 0 | 0 || Incomplete || 0 | 0+ | 0+ | 1+ | 0 | 0 || Does Not Exist || 0 | 0+ | 0+ | 0+ | 1+ | 0 || Not Collected || 0 | 0+ | 0+ | 0+ | 0+ | 1+ || Not Applicable ||-----------------------------------||------------------ Once the flag values of the sub-components have been combined the evaluation of an OVAL Function must only continue if the flag value is 'complete'. All other flag values mean that the evaluation of the OVAL Function stops and the flag of the OVAL Function MUST be 'error'. The following table outlines how to determine the flag value of an OVAL Function. Value Description error This flag value must be used if the combined sub-component flag is a value other than 'complete'.This flag value must be used if an error occurred during the computation of an OVAL Function. This flag value must be used if an attempt to cast an input value to a required datatype failed. complete This flag value must be used if the combined sub-component flag is complete and the evaluation of the OVAL Function completes successfully. incomplete - does not exist - not collected - not applicable -

A component is a reference to another part of the content that allows further evaluation or manipulation of the value or values specified by the referral.

A literal_component is a component that allows the specification of a literal value. The value can be of any supported datatype as specified in the oval:DatatypeEnumeration. The default datatype is 'string'.

A literal_component is only capable of evaluating to a flag value of 'error' or 'complete'. The flag values 'does not exist' and 'incomplete' are not used because an external_variable is required to contain at least one value. The flag value of 'not applicable' is not used because the literal_component construct is platform independent. The following table outlines when a literal_component will evaluate to each of the flag values. Value Description error This flag value must be used when the value does not conform to the specified datatype as defined in the oval:DatatypeEnumeration. complete This flag value must be used when the value conforms to the specified datatype as defined in the oval:DatatypeEnumeration. incomplete - does not exist - not collected - not applicable -

An object component is a component that resolves to the value(s) of OVAL Item Entities or OVAL Fields, in OVAL Items, that were collected by an OVAL Object. The property, object_ref, must reference an existing OVAL Object. The value that is used by the object component must be specified using the item_field property of the object component. This indicates which entity should be used as the value for the component. In the case that the OVAL Object collects multiple OVAL Items as part of its evaluation, this can resolve to a collection of values. In the case that an OVAL Item Entity has a datatype of 'record', the record_field property can be used to indicate which field to use for the component.

An object_component is only capable of evaluating to a flag value of 'error', 'complete', 'incomplete', or 'not collected'. The flag values 'does not exist' and 'incomplete' are not used because an object_component is required to contain at least one value. The following table outlines when an object_component will evaluate to each of the flag values. Value Description error This flag value must be used when the value does not conform to the specified datatype as defined in the oval:DatatypeEnumeration. This flag value must be used if the OVAL Object does not return any OVAL Items. This flag value must be used if an entity is not found with a name that matches the value of the item_field property. This flag value must be used if a field is not found with a name that matches the value of the record_field property. complete This flag value must be used when every value conforms to the specified datatype as defined in the oval:DatatypeEnumeration and when the flag of the referenced OVAL Object is 'complete'. incomplete This flag value must be used when every value conforms to the specified datatype as defined in the oval:DatatypeEnumeration and when the flag of the referenced OVAL Object is 'incomplete'. does not exist - not collected This flag value must be used when the OVAL-capable product does not support the collection of object_components. not applicable -

An variable component is a component that resolves to the value(s) of the referenced OVAL Variable. The property, var_ref, must reference an existing OVAL Variable.

A variable_component is only capable of evaluating to a flag value of 'error', 'complete', 'incomplete', or 'not collected'. The following table outlines when a variable_component will evaluate to each of the flag values. Value Description error This flag value must be used when the flag value of the referenced OVAL Variable is 'error'. This flag value must be used when the referenced OVAL Variable cannot be found. complete This flag value must be used when the flag value of the referenced OVAL Variable is 'complete'. incomplete This flag value must be used when the flag value of the referenced OVAL Variable is 'incomplete'. does not exist This flag value must be used when the flag value of the referenced OVAL Variable is 'does not exist'. not collected This flag value must be used when the OVAL-capable product does not support the collection of variable_components. not applicable -

A local_variable can contain an OVAL Function or an OVAL Component. As a result, the flag value must consider both the flag of the OVAL Function or OVAL Component along with the additional conditions from being an OVAL Variable. The following table describes when each flag value must be used. Value Description error This flag value must be used when one or more values do not conform to the specified datatype as defined in the oval:DatatypeEnumeration. This flag value must be used when there was an error collecting the values from the external source. This flag value must be used when the specified datatype is 'record'. This flag value must be used when the flag value of the specified OVAL Function or OVAL Component is 'error'. complete This flag value must be used when the flag value of the specified OVAL Function or OVAL Component is 'complete' and every value conforms to the specified datatype. incomplete - does not exist This flag value must be used when the flag value of the referenced OVAL Variable is 'does not exist'. not collected This flag value must be used when there are no values. not applicable -

This section describes a set of evaluation concepts that apply to several aspects of producing OVAL Content.

Check Enumeration Evaluation is the process of determining whether or not the number of individual results, produced from the comparison of some set of values, satisfies the specified CheckEnumeration value. The following tables describe how each CheckEnumeration value affects the final result of an evaluation. The far left column identifies the CheckEnumeration value in question. The middle column specifies the different combinations of individual results that the CheckEnumeration value may bind together. The last column specifies the final result according to each combination of individual results. It is important to note that if an individual result is negated, then a 'true' result is 'false' and a 'false' result is 'true', and all other results stay as is.

|| num of individual results || check attr || || final result is || T | F | E | U | NE | NA || -------------||-----------------------------||------------------ || 1+ | 0 | 0 | 0 | 0 | 0+ || True || 0+ | 1+ | 0+ | 0+ | 0+ | 0+ || False ALL || 0+ | 0 | 1+ | 0+ | 0+ | 0+ || Error || 0+ | 0 | 0 | 1+ | 0+ | 0+ || Unknown || 0+ | 0 | 0 | 0 | 1+ | 0+ || Not Evaluated || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable -------------||-----------------------------||------------------

|| num of individual results || check attr || || final result is || T | F | E | U | NE | NA || -------------||-----------------------------||------------------ || 1+ | 0+ | 0+ | 0+ | 0+ | 0+ || True || 0 | 1+ | 0 | 0 | 0 | 0+ || False AT || 0 | 0+ | 1+ | 0+ | 0+ | 0+ || Error LEAST || 0 | 0+ | 0 | 1+ | 0+ | 0+ || Unknown ONE || 0 | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable -------------||-----------------------------||------------------

|| num of individual results || check attr || || final result is || T | F | E | U | NE | NA || -------------||-----------------------------||------------------ || 1 | 0+ | 0 | 0 | 0 | 0+ || True || 2+ | 0+ | 0+ | 0+ | 0+ | 0+ || ** False ** || 0 | 1+ | 0 | 0 | 0 | 0+ || ** False ** ONLY ||0,1 | 0+ | 1+ | 0+ | 0+ | 0+ || Error ONE ||0,1 | 0+ | 0 | 1+ | 0+ | 0+ || Unknown ||0,1 | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable -------------||-----------------------------||------------------

|| num of individual results || check attr || || final result is || T | F | E | U | NE | NA || -------------||-----------------------------||------------------ || 0 | 1+ | 0 | 0 | 0 | 0+ || True || 1+ | 0+ | 0+ | 0+ | 0+ | 0+ || False NONE || 0 | 0+ | 1+ | 0+ | 0+ | 0+ || Error SATISFY || 0 | 0+ | 0 | 1+ | 0+ | 0+ || Unknown || 0 | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable -------------||-----------------------------||------------------

Operator Enumeration Evaluation is the process of combining the individual results of evaluations using logical operations. The following table shows the notation used when describing the number of individual results that evaluate to a particular result. Notation Description x x individual results are... x,y x or y individual results are... x+ x or more individual results are... Odd an odd number of individual results are... Even an even number of individual results are... The following tables describe how each OperatorEnumeration value affects the final result of an evaluation. The far left column identifies the OperatorEnumeration value in question. The middle column specifies the different combinations of individual results that the OperatorEnumeration value may bind together. The last column specifies the final result according to each combination of individual results. It is important to note that if an individual result is negated, then a 'true' result is 'false' and a 'false' result is 'true', and all other results stay as is.

|| num of individual results || operator is || || final result is || T | F | E | U | NE | NA || -------------||-----------------------------||------------------ || 1+ | 0 | 0 | 0 | 0 | 0+ || True || 0+ | 1+ | 0+ | 0+ | 0+ | 0+ || False AND || 0+ | 0 | 1+ | 0+ | 0+ | 0+ || Error || 0+ | 0 | 0 | 1+ | 0+ | 0+ || Unknown || 0+ | 0 | 0 | 0 | 1+ | 0+ || Not Evaluated || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable -------------||-----------------------------||------------------

|| num of individual results || operator is || || final result is || T | F | E | U | NE | NA || -------------||-----------------------------||------------------ || 1 | 0+ | 0 | 0 | 0 | 0+ || True || 2+ | 0+ | 0+ | 0+ | 0+ | 0+ || ** False ** || 0 | 1+ | 0 | 0 | 0 | 0+ || ** False ** ONE ||0,1 | 0+ | 1+ | 0+ | 0+ | 0+ || Error ||0,1 | 0+ | 0 | 1+ | 0+ | 0+ || Unknown ||0,1 | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable -------------||-----------------------------||------------------

|| num of individual results || operator is || || final result is || T | F | E | U | NE | NA || -------------||-----------------------------||------------------ || 1+ | 0+ | 0+ | 0+ | 0+ | 0+ || True || 0 | 1+ | 0 | 0 | 0 | 0+ || False OR || 0 | 0+ | 1+ | 0+ | 0+ | 0+ || Error || 0 | 0+ | 0 | 1+ | 0+ | 0+ || Unknown || 0 | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable -------------||-----------------------------||------------------

|| num of individual results || operator is || || final result is || T | F | E | U | NE | NA || -------------||-----------------------------||------------------ ||odd | 0+ | 0 | 0 | 0 | 0+ || True ||even| 0+ | 0 | 0 | 0 | 0+ || False XOR || 0+ | 0+ | 1+ | 0+ | 0+ | 0+ || Error || 0+ | 0+ | 0 | 1+ | 0+ | 0+ || Unknown || 0+ | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable -------------||-----------------------------||------------------

OVAL Entity Evaluation is the process of comparing the specified value(s), from an OVAL Object or State Entity, against the corresponding system state information in the context of the selected datatype and operation.

The result of applying an operation in the context of a specified datatype MUST evaluate to 'true' only if the values being compared satisfy the conditions of the operation for the specified datatype. If the values being compared do not satisfy the conditions of the operation, the final result MUST be 'false'. To ensure consistency in the comparison of the value(s) specified in the OVAL Object and State Entities with the system state information, the operations for each datatype must be defined. The following table describes how each operation must be performed in the context of a specific datatype.

It is often necessary to reference a variable from an OVAL Object or State Entity in order to specify multiple values or to use a value that was collected at runtime. When an OVAL Variable is referenced from an OVAL Object or State Entity using the var_ref property, the system state information will be compared to the every OVAL Variable value in the context of the specified datatype and operation. The final result of these comparisons are dependent on the value of the var_check property which specifies how many of the values, contained in OVAL Variable, must match the system state information to evaluate to a result of 'true'. The valid values for the var_check property are the defined in the CheckEnumeration. Value Description all The OVAL Object or State Entity matches the system state information only if the value of the OVAL Item Entity matches all of the values in the referenced the OVAL Variable in the context of the datatype and operation specified in the OVAL Object or State Entity. at least one The OVAL Object or State Entity matches the system state information only if the value of the OVAL Item Entity matches one or more of the values in the referenced OVAL Variable in the context of the datatype and operation specified in the OVAL Object or State Entity. none satisfy The OVAL Object or State Entity matches the system state information only if the OVAL Item Entity matches zero of the values in the referenced OVAL Variable in the context of the specified datatype and operation. does not exist - only one The OVAL Object or State Entity matches the system state information only if the OVAL Item Entity matches one of the values in the referenced OVAL Variable in the context of the specified datatype and operation.

For more detailed information on how to combine the individual results of the comparisons between the OVAL object or State Entities and the system state information to determine the final result of applying the var_check property, see .

In certain situations, it is possible that the datatype specified on the OVAL Entity is different from the datatype of the system state information. When this happens, it is required that an attempt is made to cast the system state information to the datatype specified by the OVAL Entity before the operation is applied. If the cast is unsuccessful, the final result of the OVAL Entity Evaluation MUST be 'error'. Otherwise, the final result is dependent on the outcome of the Datatype and Operation Evaluation and the Variable Check Evaluation if an OVAL Variable is referenced. The process of casting a value of one datatype to a value of another datatype must conform to .

When the mask property is set to 'true' on an OVAL Entity or an OVAL Field, the value of that OVAL Entity or OVAL Field MUST NOT be present in the OVAL Results. Additionally, the mask property MUST be set to 'true' for any OVAL Entity or OVAL Field or corresponding OVAL Item Entity or OVAL Field in the OVAL Results where the system state information was omitted. When the mask property is set to 'true' on an OVAL Entity with a datatype of 'record', each OVAL Field MUST have its operation and value or value omitted from the OVAL Results regardless of the OVAL Field's mask property value. It is possible for masking conflicts to occur where one entity has mask set to 'true' and another entity has mask set to 'false'. Such a conflict will occur when the mask attribute is set differently on an OVAL Object and OVAL State or when more than one OVAL Objects identify the same OVAL Item(s). When such a conflict occurs the value MUST always be masked. Values MUST NOT be masked in OVAL System Characteristics that are not contained within OVAL Results.

Casting is performed whenever the datatype of a value, used during evaluation, differs from the specified datatype whether it be on an OVAL Entity or an OVAL Function. In most scenarios, it will be possible to attempt the cast of a value from one datatype to another.

When attempting to cast a value from one datatype to another, the value under consideration must be parsed according to the specified datatype. If the value is successfully parsed according to the definition of the specified datatype in the oval:DatatypeEnumeration, this constitutes a successful cast. If the value is not successfully parsed according to the definition of the specified datatype, this means that it is not possible to cast the value to the specified datatype and an error MUST be reported for the construct attempting to perform the cast.

In some scenarios, it is not possible to perform a cast from one datatype to another due to the datatypes, under consideration, being incompatible. When an attempt is made to cast two incompatible datatypes, an error MUST be reported. The following outlines the casts where the datatypes are incompatible: An attempt to cast a value of datatype 'record' to any datatype other than 'record'. An attempt to cast a value of datatype 'ipv4_address' to any datatype other than 'ipv4_address' or 'string'. An attempt to cast a value of datatype 'ipv6_address' to any datatype other than 'ipv6_address' or 'string'. An attempt to cast a value with a datatype other than 'ipv4_address' or 'string' to 'ipv4_address'. An attempt to cast a value with a datatype other than 'ipv6_address' or 'string' to 'ipv6_address'.