@s-polasa

Abstract

This PR enhances the PAN-OS OVAL schema by introducing a new element version_item in both definitions and system-characteristics schemas. As per the current PAN-OS XSD Statement (OVAL 5.12 and 6.0), the <config_item> element only collects information from:

https://<PAN-OS-DEVICE>/api/?type=export&category=configuration

This API is not sufficient to capture full system information.

Real-Time System Analysis Summary:

| Element Name | Description |
| --- | --- |
| config_item | Only collects the running configuration from the PAN-OS device. Information like DeviceName, DeviceVersion, etc., is missing in the response. |
| version_item | Collects device-specific information such as Model Name, Device Version, License Status, etc. |

➡️ version_item is proposed as a new schema element to bridge this gap.


Real-Time Device Analysis (PA-VM - PAN-OS v11.0.5)

Example CLI Output:

admin@PA-VM> show system info

hostname: PA-VM
ip-address: 192.168.122.26
family: vm
model: PA-VM
serial: unknown
vm-license: none
sw-version: 11.0.5

Example API Request Flow:

# Get API Key
curl -s -k 'https://192.168.122.26/api/?type=keygen&user=admin&password=admin'

# Example Response
<response status='success'>
  <result>
    <key>LUFRPT1X...</key>
  </result>
</response>

# Use API Key to get config
APIKEY="LUFRPT1X..."
curl -s -k "https://192.168.122.26/api/?key=$APIKEY&type=export&category=configuration"

Example Configuration Output:

<config version="11.0.0" urldb="paloaltonetworks" detail-version="11.0.0">
  <mgt-config>...</mgt-config>
</config>

➡️ As seen above, sw-version and other critical system information are not represented in the configuration XML — hence the need for version_item.


Changes Introduced

  • version_item in panos-definitions-schema.xsd
  • version_item in panos-system-characteristics-schema.xsd
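The gap described in the PR description above, as an added example that is not part of the original PR or the OVAL project's code: it runs the same minimum-version check against the configuration export and against the `show system info` output, using the sample values shown in the description. The function names and the `11.0.3` threshold are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples, copied from the values shown in the PR description.
SHOW_SYSTEM_INFO = """\
hostname: PA-VM
ip-address: 192.168.122.26
family: vm
model: PA-VM
serial: unknown
vm-license: none
sw-version: 11.0.5
"""
CONFIG_EXPORT = """\
<config version="11.0.0" urldb="paloaltonetworks" detail-version="11.0.0">
  <mgt-config>...</mgt-config>
</config>
"""

def parse_system_info(text):
    """Parse the 'key: value' lines of `show system info` into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and key.strip():
            info[key.strip()] = value.strip()
    return info

def version_tuple(version):
    """Turn '11.0.5' or '11.0.5-h1' into (11, 0, 5); a hotfix suffix is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))

def meets_minimum(version, minimum):
    return version_tuple(version) >= version_tuple(minimum)

def compare_sources(system_info_text, config_xml, minimum):
    """Evaluate one minimum-version check against both data sources."""
    info = parse_system_info(system_info_text)
    root = ET.fromstring(config_xml)
    return {
        "config_version": root.get("version"),
        "sw_version": info.get("sw-version"),
        "config_passes": meets_minimum(root.get("version"), minimum),
        "device_passes": meets_minimum(info["sw-version"], minimum),
    }

if __name__ == "__main__":
    # "11.0.3" is a hypothetical threshold, not taken from any advisory.
    print(compare_sources(SHOW_SYSTEM_INFO, CONFIG_EXPORT, "11.0.3"))
```

With these samples the check fails when keyed on the configuration root's `version` attribute (11.0.0) and passes when keyed on `sw-version` (11.0.5), so the two sources give opposite results for the same device.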

@s-polasa changed the title from "Add version_item Element to PAN-OS OVAL Schema" to "Proposal: Add version_item Element to PAN-OS OVAL Schema" on Aug 25, 2025
@vanderpol changed the base branch from master to 5.12.2_develop on September 3, 2025 14:25
@vanderpol changed the base branch from 5.12.2_develop to master on September 3, 2025 14:26
@vanderpol self-assigned this on Sep 3, 2025
@vanderpol
Member

@maxullman and @A-Biggs, I'd like to finalize OVAL 5.12.2 by the end of Sept, as we are hoping NIST releases SCAP 1.4 in October. Please spend some time and review this, if it's in-scope for your work at Arctic Wolf. If it's not in scope just let me know and I'll try to find someone else to review it. Ideally it would be someone who is supporting PAN-OS and I'd like to see some sample content/results, etc.

@maxullman

@vanderpol, @A-Biggs worked closer to our PAN-OS support, but this looks good to me.

@A-Biggs
Contributor

A-Biggs commented Sep 22, 2025

@vanderpol will there need to be an implementation for it to be a part of OVAL 5.12.2, or are we going to forgo that in this case?

@vanderpol
Member

> @vanderpol will there need to be an implementation for it to be a part of OVAL 5.12.2, or are we going to forgo that in this case?

Ideally, we would like to see some sample content and results, in order to ensure that the proposal actually works. If there are issues with the proposal, we will end up fixing them in 5.12.3 etc... so it's your call on risk tolerance.

@vanderpol changed the base branch from master to 5.12.2_develop on September 26, 2025 13:39
@s-polasa
Author

@vanderpol

When can we expect this update?

@vanderpol
Member

> @vanderpol
>
> When can we expect this update?

From my side, OVAL 5.12.2 will be released after the US Government shutdown ends, which is TBD. Ideally, we will see some sample content and results from a vendor that prototypes this feature, such as @A-Biggs or @maxullman

@vanderpol
Member

Our team is back after the government shutdown and I'm working the details for releasing OVAL 5.12.2. @A-Biggs and/or @maxullman, should this PR be included? If so, please confirm with your GitHub approval.

@vanderpol added this to the 5.12.3 milestone on Dec 1, 2025
@vanderpol deleted the branch OVAL-Community:5.12.2_develop on December 1, 2025 13:57
@vanderpol closed this on Dec 1, 2025