", file=fout)
+ print("", file=fout)
+
+
+def PrintError(node, text):
+ if node == None:
+ print("Error: {0}".format(text), file=sys.stderr)
+ elif type(node) is int:
+ print("Error at line {0!s}: {1}".format(node, text), file=sys.stderr)
+ elif type(node) is str:
+ print("Error at line {0}: {1}".format(node, text), file=sys.stderr)
+ else:
+ print("Error at line {0!s}: {1}".format(node['name'], text), file=sys.stderr)
+
+
+def PrintItem(label, value, column1, column2, fout):
+ foo = "{:<" + str(column1) + "}"
+ if label == None:
+ value = foo.format(" ") + value
+ elif len(label) + 1 > column1:
+ value = (label + ": ") + value
+ else:
+ value = foo.format(label + ":") + value
+
+ rows = value.split('\n')
+
+ wrapper = textwrap.TextWrapper()
+ wrapper.break_long_words = False
+ wrapper.width = column2
+ wrapper.subsequent_indent = ' '*column1
+
+ for line in rows:
+ if len(line) > column2:
+ print ("\n".join(wrapper.wrap(line)), file=fout)
+ else:
+ print (line, file=fout)
+
+def CopyFile(fileName, fileOut):
+ fin = open(fileName,"r");
+ lines = fin.readlines()
+ for line in lines:
+ print(line, file=fileOut)
+ fin.close()
+
+
+
+
+if __name__ == '__main__':
+ main()
diff --git a/draft-ietf-sacm-information-model.xml b/draft-ietf-sacm-information-model.xml
index ba25bb4..9e02c22 100644
--- a/draft-ietf-sacm-information-model.xml
+++ b/draft-ietf-sacm-information-model.xml
@@ -30,6 +30,7 @@
+
]>
@@ -1036,5992 +1037,9 @@ name, hex-value, description
This section defines the specific Information Elements and relationships that will be
implemented by data models and transported between SACM Components.
-
-
-
- elementId: TBD
- name: sacmStatement
- dataType: orderedList
- status: current
- description: Associates SACM Statement Metadata
- which provides data origin information about
- the providing SACM Component with one or more
- SACM Content Elements that contain security
- automation information.
- structure: orderedList(sacmStatementMetadata,
- sacmContentElement+)
-
-
-
-
-
-
- elementId: TBD
- name: sacmStatementMetadata
- dataType: orderedList
- status: current
- description: Contains IEs that provide
- information about the data origin of the
- providing SACM Component as well as the
- information necessary for other SACM
- Components to understand the type of
- security automation information in the
- SACM Statement's SACM Content Element(s).
- structure: orderedList(publicationTimestamp,
- dataOrigin, anyIE*)
-
-
-
-
-
-
- elementId: TBD
- name: sacmContentElement
- dataType: list
- status: current
- description: Associates SACM Content Element
- Metadata which provides information about the
- data source and type of security automation
- information with the actual security automation
- information.
- structure: TODO
-
-
-
-
-
-
- elementId: TBD
- name: sacmContentElementMetadata
- dataType: orderedList
- status: current
- description: Contains IEs that provide
- information about the data source and type of
- security automation information such that other
- SACM Components are able to parse and understand
- the security automation information contained
- within the SACM Statement's SACM Content Element(s).
- structure: orderedList(collectionTimestamp,
- targetEndpoint, anyIE*)
-
-
-
-
-
-
- elementId: TBD
- name: targetEndpoint
- dataType: category
- status: current
- description: Information that identifies a target
- endpoint on the network. This may be a set of
- attributes that can be used to identify an endpoint
- on the network or a label that is unique to a SACM
- domain.
- structure: category(targetEndpointIdentifier |
- targetEndpointLabel)
-
-
-
-
-
-
- elementId: TBD
- name: targetEndpointIdentifier
- dataType: list
- status: current
- description: A set of attributes that uniquely
- identify a target endpoint on the network.
- structure: list(anyIE+)
-
-
-
-
-
-
- elementId: TBD
- name: targetEndpointLabel
- dataType: string
- status: current
- description: A label that uniquely identifies
- a target endpoint on SACM domain.
-
-
-
-
-
-
- elementId: TBD
- name: anyIE
- dataType: category
- status: current
- description: This category is a placeholder
- for any information element defined within
- the SACM Information Model. Its purpose is
- to provide an extension point in other
- information elements that enable them to
- support the specific needs of an enterprise,
- user, product, or service.
-
-
-
-
-
-
- elementId: TBD
- name: accessPrivilegeType
- dataType: string
- status: current
- description: A set of types that represent access
- privileges (read, write, none, etc.).
-
-
-
-
-
-
- elementId: TBD
- name: accountName
- dataType: string
- status: current
- description: A label that uniquely identifies an account
- that can require some form of (user) authentication to
- access.
-
-
-
-
-
-
- elementId: TBD
- name: administrativeDomainType
- dataType: string
- status: current
- description: A label the is supposed to uniquely
- identify an administrative domain.
-
-
-
-
-
-
- elementId: TBD
- name: addressAssociationType
- dataType: string
- status: current
- description: A label the is supposed to uniquely
- identify an administrative domain.
-
-
-
-
-
-
- elementId: TBD
- name: addressMaskValue
- dataType: string
- status: current
- description: A value that expresses a generic address
- subnetting bitmask.
-
-
-
-
-
-
- elementId: TBD
- name: addressType
- dataType: string
- status: current
- description: A set of types that specifies the type
- of address that is expressed in an address subject
- (e.g. ethernet, modbus, zigbee).
-
-
-
-
-
-
- elementId: TBD
- name: addressValue
- dataType: string
- status: current
- description: A value that expresses a generic network
- address.
-
-
-
-
-
-
- elementId: TBD
- name: applicationComponent
- dataType: string
- status: current
- description: A label that references a "sub"-application
- that is part of the application (e.g. an add-on, a
- cipher-suite, a library).
-
-
-
-
-
-
- elementId: TBD
- name: applicationLabel
- dataType: string
- status: current
- description: A label that is supposed to uniquely
- reference an application.
-
-
-
-
-
-
- elementId: TBD
- name: applicationType
- dataType: string
- status: current
- description: A set of types (FIXME maybe a finite set
- is not realistic here - value not enumerator?) that
- identifies the type of (user-space) application
- (e.g. text-editor, policy-editor, service-client,
- service-server, calender, rouge-like RPG).
-
-
-
-
-
-
- elementId: TBD
- name: applicationManufacturer
- dataType: string
- status: current
- description: The name of the vendor that created the
- application.
-
-
-
-
-
-
- elementId: TBD
- name: authenticator
- dataType: string
- status: current
- description: A label that references a SACM component
- that can authenticate target endpoints (can be used in
- a target-endpoint subject to express that the target
- endpoint was authenticated by that SACM component.
-
-
-
-
-
-
- elementId: TBD
- name: authenticationType
- dataType: string
- status: current
- description: A set of types that expresses which type
- of authentication was used to enable a network
- interaction/connection.
-
-
-
-
-
-
- elementId: TBD
- name: birthdate
- dataType: string
- status: current
- description: A label for the registered day of birth
- of a natural person (e.g. the date of birth of a person
- as an ISO date string).
- references: http://rs.tdwg.org/ontology/voc/Person#birthdate
-
-
-
-
-
-
- elementId: TBD
- name: bytesReceived
- dataType: string
- status: current
- description: A value that represents a number of octets
- received on a network interface.
-
-
-
-
-
-
- elementId: TBD
- name: bytesReceived
- dataType: string
- status: current
- description: A value that represents the number of
- octets received on a network interface.
-
-
-
-
-
-
- elementId: TBD
- name: bytesSent
- dataType: string
- status: current
- description: A value that represents the number of
- octets sent on a network interface.
-
-
-
-
-
-
- elementId: TBD
- name: certificate
- dataType: string
- status: current
- description: A value that expresses a certificate that
- can be collected from a target endpoint.
-
-
-
-
-
-
-
- elementId: TBD
- name: collectionTaskType
- dataType: string
- status: current
- description: A set of types that defines how collected
- SACM content was acquired (e.g. network-observation,
- remote-acquisition, self-reported, derived, authority,
- verified).
-
-
-
-
-
-
-
-
-
-
-
- elementId: TBD
- name: confidence
- dataType: string
- status: current
- description: A representation of the subjective probability
- that the assessed value is correct. If no confidence value
- is given, it is assumed that the confidence is 1. Acceptable
- values are between 0 and 1.
-
-
-
-
-
-
-
- elementId: TBD
- name: contentAction
- dataType: string
- status: current
- description: A set of types that express a type of
- action (e.g. add, delete, update). It can be associated,
- for instance, with an event subject or with a network
- observation.
-
-
-
-
-
-
-
- elementId: TBD
- name: countryCode
- dataType: string
- status: current
- description: A set of types according to ISO 3166-1.
-
-
-
-
-
-
-
- elementId: TBD
- name: dataOrigin
- dataType: string
- status: current
- description: A label that uniquely identifies a SACM
- component in and across SACM domains.
-
-
-
-
-
-
-
- elementId: TBD
- name: dataSource
- dataType: string
- status: current
- description: A label that is supposed to uniquely
- identify the data source (e.g. a target endpoint or
- sensor) that provided an initial endpoint attribute
- record.
-
-
-
-
-
-
-
-
-
-
- elementId: TBD
- name: default-depth
- dataType: string
- status: current
- description: A value that expresses how often a circular
- reference of subject is allowed to repeat, or how deep
- a recursive nesting may occur, respectively.
-
-
-
-
-
-
-
- elementId: TBD
- name: discoverer
- dataType: string
- status: current
- description: A label that refers to the SACM component
- that discovered a target endpoint (can be used in a
- target-endpoint subject to express, for example, that
- the target endpoint was authenticated by that SACM
- component).
-
-
-
-
-
-
-
- elementId: TBD
- name: emailAddress
- dataType: string
- status: current
- description: A value that expresses an email-address.
-
-
-
-
-
-
-
- elementId: TBD
- name: eventType
- dataType: string
- status: current
- description: a set of types that define the categories
- of an event (e.g. access-level-change,
- change-of-priviledge, change-of-authorization,
- environmental-event, or provisioning-event).
-
-
-
-
-
-
-
- elementId: TBD
- name: eventThreshold
- dataType: string
- status: current
- description: if applicable, a value that can be
- included in an event subject to indicate what numeric
- threshold value was crossed to trigger that event.
-
-
-
-
-
-
-
- elementId: TBD
- name: eventThresholdName
- dataType: string
- status: current
- description: If an event is created due to a crossed
- threshold, the threshold might have a name associated
- with it that can be expressed via this value.
-
-
-
-
-
-
-
-
- elementId: TBD
- name: eventTrigger
- dataType: string
- status: current
- description: This value is used to express more
- complex trigger conditions that may cause the creation
- of an event.
-
-
-
-
-
-
-
- elementId: TBD
- name: firmwareId
- dataType: string
- status: current
- description: A label that represents the BIOS or
- firmware ID of a specific target endpoint.
-
-
-
-
-
-
-
- elementId: TBD
- name: hostName
- dataType: string
- status: current
- description: A label typically associated with an
- endpoint, but, not always intended to be unique given
- scope.
-
-
-
-
-
-
-
-
- elementId: TBD
- name: interfaceLabel
- dataType: string
- status: current
- description: A unique label that can be used to
- reference a network interface.
-
-
-
-
-
-
-
-
- elementId: TBD
- name: ipv6AddressSubnetMask
- dataType: string
- status: current
- description: An IPv6 subnet bitmask.
-
-
-
-
-
-
-
-
- elementId: TBD
- name: ipv6AddressSubnetMaskCidrNotation
- dataType: string
- status: current
- description: An IPv6 subnet bitmask in CIDR notation.
-
-
-
-
-
-
-
-
- elementId: TBD
- name: ipv6AddressValue
- dataType: ipv6Address
- status: current
- description: An IPv6 subnet bitmask in CIDR notation.
- a network interface.
-
-
-
-
-
-
-
- elementId: TBD
- name: ipv4AddressSubnetMask
- dataType: string
- status: current
- description: An IPv4 subnet bitmask.
-
-
-
-
-
-
-
- elementId: TBD
- name: ipv4AddressSubnetMaskCidrNotation
- dataType: string
- status: current
- description: An IPv4 subnet bitmask in CIDR notation.
-
-
-
-
-
-
-
-
- elementId: TBD
- name: ipv4AddressValue
- dataType: ipv4Address
- status: current
- description: An IPv4 address value.
-
-
-
-
-
-
-
- elementId: TBD
- name: layer2InterfaceType
- dataType: string
- status: current
- description: A set of types referenced by IANA ifType.
-
-
-
-
-
-
-
- elementId: TBD
- name: layer4PortAddress
- dataType: unsigned32
- status: current
- description: A layer 4 port address
- typically associated with TCP and UDP
- protocols.
-
-
-
-
-
-
-
- elementId: TBD
- name: layer4Protocol
- dataType: string
- status: current
- description: A set of types that express a layer 4
- protocol (e.g. UDP or TCP).
-
-
-
-
-
-
-
- elementId: TBD
- name: locationName
- dataType: string
- status: current
- description: A value that represents a named region of
- physical space.
-
-
-
-
-
-
-
- elementId: TBD
- name: networkZoneLocation
- dataType: string
- status: current
- description: The zone location of an endpoint on the
- network (e.g. internet, enterprise DMZ,
- enterprise WAN, enclave DMZ, enclave).
-
-
-
-
-
-
-
- elementId: TBD
- name: layer2NetworkLocation
- dataType: string
- status: current
- description: The location of a layer-2 interface on
- the network (e.g. link-layer neighborhood,
- shared broadcast domain).
-
-
-
-
-
-
-
- elementId: TBD
- name: layer3NetworkLocation
- dataType: string
- status: current
- description: The location of a layer-3 interface on
- the network (e.g. next-hop routing neighbor).
-
-
-
-
-
-
-
- elementId: TBD
- name: macAddressValue
- dataType: string
- status: current
- description: A value that expresses an Ethernet address.
-
-
-
-
-
-
-
- elementId: TBD
- name: methodLabel
- dataType: string
- status: current
- description: A label that references a specific method
- registered and used in a SACM domain (e.g. method to
- match and re-identify target endpoints via identifying
- attributes).
-
-
-
-
-
-
-
- elementId: TBD
- name: methodRepository
- dataType: string
- status: current
- description: A label that references a SACM component
- methods can be registered at and that can provide
- guidance in the form of registered methods to other
- SACM components.
-
-
-
-
-
-
-
-
- elementId: TBD
- name: networkAccessLevelType
- dataType: string
- status: current
- description: A set of types that expresses categories
- of network access-levels (e.g. block, quarantine, etc.).
-
-
-
-
-
-
-
- elementId: TBD
- name: networkId
- dataType: string
- status: current
- description: Most networks such as AS, OSBF domains,
- or VLANs can have an ID.
-
-
-
-
-
-
-
-
- elementId: TBD
- name: networkInterfaceName
- dataType: string
- status: current
- description: A label that uniquely identifies an interface
- associated with a distinguishable endpoint.
-
-
-
-
-
-
-
- elementId: TBD
- name: networkLayer
- dataType: string
- status: current
- description: A set of layers that expresses the specific
- network layer an interface operates on.
-
-
-
-
-
-
-
- elementId: TBD
- name: networkName
- dataType: string
- status: current
- description: A label that is associated with a network.
- Some networks, for example, effective
- layer2-broadcast-domains are difficult to "grasp" and
- therefore quite difficult to name.
-
-
-
-
-
-
-
- elementId: TBD
- name: organizationId
- dataType: string
- status: current
- description: A label that uniquely identifies an
- organization via a PEN.
-
-
-
-
-
-
-
- elementId: TBD
- name: patchId
- dataType: string
- status: current
- description: A label the uniquely identifies a specific
- software patch.
-
-
-
-
-
-
-
-
- elementId: TBD
- name: patchName
- dataType: string
- status: current
- description: The vendor's name of a software patch.
-
-
-
-
-
-
-
- elementId: TBD
- name: personFirstName
- dataType: string
- status: current
- description: The first name of a natural person.
-
-
-
-
-
-
-
- elementId: TBD
- name: personLastName
- dataType: string
- status: current
- description: The last name of a natural person.
-
-
-
-
-
-
-
- elementId: TBD
- name: personMiddleName
- dataType: string
- status: current
- description: The middle name of a natural person.
-
-
-
-
-
-
-
- elementId: TBD
- name: phoneNumber
- dataType: string
- status: current
- description: A label that expresses the U.S. national
- phone number (e.g. pattern value="((\d{3}) )?\d{3}-\d{4}").
-
-
-
-
-
-
-
- elementId: TBD
- name: phoneNumberType
- dataType: string
- status: current
- description: A set of types that express the type of
- a phone number (e.g. DSN, Fax, Home, Mobile, Pager,
- Secure, Unsecure, Work, Other).
-
-
-
-
-
-
-
- elementId: TBD
- name: privilegeName
- dataType: string
- status: current
- description: The attribute name of the privilege
- represented as an AVP.
-
-
-
-
-
-
-
- elementId: TBD
- name: privilegeValue
- dataType: string
- status: current
- description: The value content of the privilege
- represented as an AVP.
-
-
-
-
-
-
-
- elementId: TBD
- name: protocol
- dataType: string
- status: current
- description: A set of types that defines specific
- protocols above layer 4 (e.g. http, https, dns, ipp,
- or unknown).
-
-
-
-
-
-
- elementId: TBD
- name: publicKey
- dataType: string
- status: current
- description: The value of a public key (regardless of its
- method of creation, crypto-system, or signature scheme)
- that can be collected from a target endpoint.
-
-
-
-
-
-
- elementId: TBD
- name: relationshipContentElementGuid
- dataType: string
- status: current
- description: A reference to a specific content element
- used in a relationship subject.
-
-
-
-
-
-
-
- elementId: TBD
- name: relationshipStatementElementGuid
- dataType: string
- status: current
- description: A reference to a specific SACM statement
- used in a relationship subject.
-
-
-
-
-
-
-
- elementId: TBD
- name: relationshipObjectLabel
- dataType: string
- status: current
- description: A reference to a specific label used in
- content (e.g. a te-label or a user-id). This
- reference is typically used if matching content
- attribute can be done efficiantly and can also be
- included in addition to a relationship-content-element-guid
- reference.
-
-
-
-
-
-
-
- elementId: TBD
- name: relationshipType
- dataType: string
- status: current
- description: A set of types that is in every instance
- of a relationship subject to highlight what kind of
- relationship exists between the subject the relationship
- is included in (e.g. associated_with_user,
- applies_to_session, seen_on_interface, associated_with_flow,
- contains_virtual_device).
-
-
-
-
-
-
-
- elementId: TBD
- name: roleName
- dataType: string
- status: current
- description: A label that references a collection of
- privileges assigned to a specific entity (identity?
- FIXME).
-
-
-
-
-
-
-
- elementId: TBD
- name: sessionStateType
- dataType: string
- status: current
- description: A set of types a discernible session (an
- ongoing network interaction) can be in (e.g.
- Authenticating, Authenticated, Postured, Started,
- Disconnected).
-
-
-
-
-
-
-
- elementId: TBD
- name: statementGuid
- dataType: string
- status: current
- description: A label that expresses a global unique
- ID referencing a specific SACM statement that was
- produced by a SACM component.
-
-
-
-
-
-
-
- elementId: TBD
- name: statementType
- dataType: string
- status: current
- description: A set of types that define the type of
- content that is included in a SACM statement (e.g.
- Observation, DirectoryContent, Correlation, Assessment,
- Guidance, Event).
-
-
-
-
-
-
-
- elementId: TBD
- name: status
- dataType: string
- status: current
- description: A set of types that defines possible
- result values for a finding in general (e.g. true,
- false, error, unknown, not applicable, not evaluated).
-
-
-
-
-
-
-
- elementId: TBD
- name: subAdministrativeDomain
- dataType: string
- status: current
- description: A label for related child domains an
- administrative domain can be composed of (used in the
- subject administrative-domain)
-
-
-
-
-
-
-
- elementId: TBD
- name: subInterfaceLabel
- dataType: string
- status: current
- description: A unique label a sub network interface
- (e.g. a tagged vlan on a trunk) can be referenced
- with.
-
-
-
-
-
-
- elementId: TBD
- name: superAdministrativeDomain
- dataType: string
- status: current
- description: a label for related parent domains an
- administrative domain is part of (used
- in the subject s.administrative-domain).
-
-
-
-
-
-
-
- elementId: TBD
- name: superInterfaceLabel
- dataType: string
- status: current
- description: a unique label a super network interface
- (e.g. a physical interface a tunnel
- interface terminates on) can be referenced
- with.
-
-
-
-
-
-
-
- elementId: TBD
- name: teAssessmentState
- dataType: string
- status: current
- description: a set of types that defines the state of
- assessment of a target-endpoint (e.g.
- in-discovery, discovered, in-classification,
- classified, in-assessment, assessed).
-
-
-
-
-
-
-
-
- elementId: TBD
- name: teLabel
- dataType: string
- status: current
- description: an identifying label created from a set
- of identifying attributes used to reference
- a specific target endpoint.
-
-
-
-
-
-
-
- elementId: TBD
- name: teId
- dataType: string
- status: current
- description: an identifying label that is created
- randomly, is supposed to be unique, and
- used to reference a specific target
- endpoint.
-
-
-
-
-
-
-
- elementId: TBD
- name: timestampType
- dataType: string
- status: current
- description: a set of types that express what type of
- action or event happened at that point
- of time (e.g. discovered, classified,
- collected, published). Can be included in
- a generic s.timestamp subject.
-
-
-
-
-
-
-
- elementId: TBD
- name: unitsReceived
- dataType: string
- status: current
- description: a value that represents a number of units
- (e.g. frames, packets, cells or segments)
- received on a network interface.
-
-
-
-
-
-
-
-
- elementId: TBD
- name: unitsSent
- dataType: string
- status: current
- description: a value that represents a number of units
- (e.g. frames, packets, cells or segments)
- sent on a network interface.
-
-
-
-
-
-
-
- elementId: TBD
- name: userDirectory
- dataType: string
- status: current
- description: a label that identifies a specific type
- of user-directory (e.g. ldap, active-directory,
- local-user).
-
-
-
-
-
-
-
- elementId: TBD
- name: sacmUserId
- dataType: string
- status: current
- description: a label that references a specific user
- known in a SACM domain.
-
-
-
-
-
-
-
- elementId: TBD
- name: webSite
- dataType: string
- status: current
- description: a URI that references a web-site.
-
-
-
-
-
-
-
- elementId: TBD
- name: WGS84Longitude
- dataType: float64
- status: current
- description: a label that represents WGS 84 rev 2004
- longitude.
-
-
-
-
-
-
-
- elementId: TBD
- name: WGS84Latitude
- dataType: float64
- status: current
- description: a label that represents WGS 84 rev 2004
- latitude.
-
-
-
-
-
-
-
- elementId: TBD
- name: WGS84Altitude
- dataType: float64
- status: current
- description: a label that represents WGS 84 rev 2004
- altitude.
-
-
-
-
-
-
-
-elementId: TBD
-name: hardwareSerialNumber
-dataType: string
-status: current
-description: A globally unique identifier for a particular
- piece of hardware assigned by the vendor.
-
-
-
-
-
-
-elementId: TBD
-name: interfaceName
-dataType: string
-status: current
-description: A short name uniquely describing an interface,
- eg "Eth1/0". See [RFC2863] for the definition
- of the ifName object.
-
-
-
-
-
-
-elementId: TBD
-name: interfaceIndex
-dataType: unsigned32
-status: current
-description: The index of an interface installed on an endpoint.
- The value matches the value of managed object
- 'ifIndex' as defined in [RFC2863]. Note that ifIndex
- values are not assigned statically to an interface
- and that the interfaces may be renumbered every time
- the device's management system is re-initialized,
- as specified in [RFC2863].
-
-
-
-
-
-
-elementId: TBD
-name: interfaceMacAddress
-dataType: macAddress
-status: current
-description: The IEEE 802 MAC address associated with a network
- interface on an endpoint.
-
-
-
-
-
-
-elementId: TBD
-name: interfaceType
-dataType: unsigned32
-status: current
-description: The type of a network interface. The value matches
- the value of managed object 'ifType' as defined in
- [IANA registry ianaiftype-mib].
-
-
-
-
-
-
-elementId: TBD
-name: interfaceFlags
-dataType: unsigned16
-status: current
-description: This information element specifies the flags
- associated with a network interface. Possible
- values include:
-structure: Up ; 0x1 ; Interface is up.
- Broadcast ; 0x2 ; Broadcast address valid.
- Debug ; 0x4 ; Turn on debugging.
- Loopback ; 0x8 ; Is a loopback net.
- Point-to-point ; 0x10 ; Interface is point-to-point link.
- No trailers ; 0x20 ; Avoid use of trailers.
- Resources allocated ; 0x40 ; Resources allocated.
- No ARP ; 0x80 ; No address resolution protocol.
- Receive all ; 0x100 ; Receive all packets.
-
-
-
-
-
-
-
-
-elementId: TBD
-name: networkInterface
-dataType: orderedList
-status: current
-description: Information about a network interface
- installed on an endpoint. The
- following high-level digram
- describes the structure of
- networkInterface information
- element.
-structure: orderedList(interfaceName, interfaceIndex, macAddress,
- interfaceType, flags)
-
-
-
-
-
-
-elementId: TBD
-name: softwareIdentifier
-dataType: string
-status: current
-description: A globally unique identifier for a particular
- software application.
-
-
-
-
-
-
-elementId: TBD
-name: softwareTitle
-dataType: string
-status: current
-description: The title of the software application.
-
-
-
-
-
-
-
-elementId: TBD
-name: softwareCreator
-dataType: string
-status: current
-description: The software developer (e.g., vendor or author).
-
-
-
-
-
-
-elementId: TBD
-name: simpleSoftwareVersion
-dataType: string
-status: current
-description: The version string for a software application that
- conforms to the format of a list of hierarchical
- non-negative integers separated by a single character
- delimiter format.
-
-
-
-
-
-
-elementId: TBD
-name: rpmSoftwareVersion
-dataType: string
-status: current
-description: The version string for a software application that
- conforms to the EPOCH:VERSION-RELEASE format.
-
-
-
-
-
-
-elementId: TBD
-name: ciscoTrainSoftwareVersion
-dataType: string
-status: current
-description: The version string for a software application that
- conforms to the Cisco IOS Train string format.
-
-
-
-
-
-
-elementId: TBD
-name: softwareVerison
-dataType: category
-status: current
-description: The version of the software application. Software
- applications may be versioned using a number of
- schemas. The following high-level digram describes
- the structure of the softwareVersion information
- element.
-structure: category(simpleSoftwareVersion | rpmSoftwareVersion |
- ciscoTrainSoftwareVersion)
-
-
-
-
-
-
-
-elementId: TBD
-name: softwareLastUpdated
-dataType: dateTimeSeconds
-status: current
-description: The date and time when the software instance
- was last updated on the system (e.g., new
- version instlalled or patch applied)
-
-
-
-
-
-
- elementId: TBD
- name: softwareClass
- dataType: enumeration
- status: current
- description: The class of the software instance.
- structure:
- Unknown ; 0x1 ; The class is not known.
- Other ; 0x2 ; The class is known, but, something
- other than a value listed in the
- enumeration.
- Driver ; 0x3 ; The class is a device driver.
- Configuration Software ; 0x4 ; The class is configuration software.
- Application Software ; 0x5 ; The class is application software.
- Instrumentation ; 0x6 ; The class is instrumentation.
- Diagnostic Software ; 0x8 ; The class is diagnostic software.
- Operating System ; 0x9 ; The class is operating system.
- Middleware ; 0xA ; The class is middleware.
- Firmware ; 0xB ; The class is firmware.
- BIOS/FCode ; 0xC ; The class is BIOS or FCode.
- Support/Service Pack ; 0xD ; The class is a support or service pack.
- Software Bundle ; 0xE ; The class is a software bundle.
- References: See Classifications of the DMTF CIM_SoftwareIdentity
- schema.
-
-
-
-
-
-
-elementId: TBD
-name: softwareInstance
-dataType: orderedList
-status: current
-description: Information about an instance of software
- installed on an endpoint. The following
- high-level digram describes the structure of
- softwareInstance information element.
-structure: orderedList(softwareIdentifier, softwareTitle,
- softwareCreator, softwareVersion,
- softwareLastUpdated, softwareClass)
-
-
-
-
-
-
-elementId: TBD
-name: globallyUniqueIdentifier
-dataType: unsigned8
-status: current
-description: TODO.
-
-
-
-
-
-
-elementId: TBD
-name: creationTimestamp
-dataType: dateTimeSeconds
-status: current
-description: The date and time when the posture
- information was created by a SACM Component.
-
-
-
-
-
-
-elementId: TBD
-name: collectionTimestamp
-dataType: dateTimeSeconds
-status: current
-description: The date and time when the posture
- information was collected or observed by a SACM
- Component.
-
-
-
-
-
-
-elementId: TBD
-name: publicationTimestamp
-dataType: dateTimeSeconds
-status: current
-description: The date and time when the posture
- information was published.
-
-
-
-
-
-
-elementId: TBD
-name: relayTimestamp
-dataType: dateTimeSeconds
-status: current
-description: The date and time when the posture
- information was relayed to another SACM Component.
-
-
-
-
-
-
-elementId: TBD
-name: storageTimestamp
-dataType: dateTimeSeconds
-status: current
-description: The date and time when the posture
- information was stored in a Repository.
-
-
-
-
-
-
-elementId: TBD
-name: type
-dataType: enumeration
-status: current
-description: The type of data model use to represent
- some set of endpoint information. The following
- table lists the set of data models supported by SACM.
-structure: TBD
-
-
-
-
-
-
-elementId: TBD
-name: protocolIdentifier
-dataType: unsigned8
-status: current
-description: The value of the protocol number in the IP packet
- header. The protocol number identifies the IP packet
- payload type. Protocol numbers are defined in the
- IANA Protocol Numbers registry.
-
- In Internet Protocol version 4 (IPv4), this is
- carried in the Protocol field. In Internet Protocol
- version 6 (IPv6), this is carried in the Next Header
- field in the last extension header of the packet.
-
-
-
-
-
-elementId: TBD
-name: sourceTransportPort
-dataType: unsigned16
-status: current
-description: The source port identifier in the transport header.
- For the transport protocols UDP, TCP, and SCTP, this
- is the source port number given in the respective
- header. This field MAY also be used for future
- transport protocols that have 16-bit source port
- identifiers.
-
-
-
-
-
-elementId: TBD
-name: sourceIPv4PrefixLength
-dataType: unsigned8
-status: current
-description: The number of contiguous bits that are relevant in
- the sourceIPv4Prefix Information Element.
-
-
-
-
-
-elementId: TBD
-name: ingressInterface
-dataType: unsigned32
-status: current
-description: The index of the IP interface where packets of this
- Flow are being received. The value matches the
- value of managed object 'ifIndex' as defined in
- [RFC2863]. Note that ifIndex values are not assigned
- statically to an interface and that the interfaces
- may be renumbered every time the device's management
- system is re-initialized, as specified in [RFC2863].
-
-
-
-
-
-elementId: TBD
-name: destinationTransportPort
-dataType: unsigned16
-status: current
-description: The destination port identifier in the transport
- header. For the transport protocols UDP, TCP, and
- SCTP, this is the destination port number given in
- the respective header. This field MAY also be used
- for future transport protocols that have 16-bit
- destination port identifiers.
-
-
-
-
-
-elementId: TBD
-name: sourceIPv6PrefixLength
-dataType: unsigned8
-status: current
-description: The number of contiguous bits that are relevant in
- the sourceIPv6Prefix Information Element.
-
-
-
-
-
-elementId: TBD
-name: sourceIPv4Prefix
-dataType: ipv4Address
-status: current
-description: IPv4 source address prefix.
-
-
-
-
-
-elementId: TBD
-name: destinationIPv4Prefix
-dataType: ipv4Address
-status: current
-description: IPv4 destination address prefix.
-
-
-
-
-
-elementId: TBD
-name: sourceMacAddress
-dataType: macAddress
-status: current
-description: The IEEE 802 source MAC address field.
-
-
-
-
-
-elementId: TBD
-name: ipVersion
-dataType: unsigned8
-status: current
-description: The IP version field in the IP packet header.
-
-
-
-
-
-elementId: TBD
-name: interfaceDescription
-dataType: string
-status: current
-description: The description of an interface, eg "FastEthernet
- 1/0" or "ISP
-connection".
-
-
-
-
-
-elementId: TBD
-name: applicationDescription
-dataType: string
-status: current
-description: Specifies the description of an application.
-
-
-
-
-
-elementId: TBD
-name: applicationId
-dataType: octetArray
-status: current
-description: Specifies an Application ID per [RFC6759].
-
-
-
-
-
-elementId: TBD
-name: applicationName
-dataType: string
-status: current
-description: Specifies the name of an application.
-
-
-
-
-
-elementId: TBD
-name: exporterIPv4Address
-dataType: ipv4Address
-status: current
-description: The IPv4 address used by the Exporting Process.
- This is used by the Collector to identify the
- Exporter in cases where the identity of the Exporter
- may have been obscured by the use of a proxy.
-
-
-
-
-
-elementId: TBD
-name: exporterIPv6Address
-dataType: ipv6Address
-status: current
-description: The IPv6 address used by the Exporting Process.
- This is used by the Collector to identify the
- Exporter in cases where the identity of the
- Exporter may have been obscured by the use of a
- proxy.
-
-
-
-
-
-elementId: TBD
-name: portId
-dataType: unsigned32
-status: current
-description: An identifier of a line port that is unique per
- IPFIX Device hosting an Observation Point.
- Typically, this Information Element is used for
- limiting the scope of other Information Elements.
-
-
-
-
-
-elementId: TBD
-name: templateId
-dataType: unsigned16
-status: current
-description: An identifier of a Template that is locally unique
- within a combination of a Transport session and an
- Observation Domain.
-
- Template IDs 0-255 are reserved for Template Sets,
- Options Template Sets, and other reserved Sets yet
- to be created. Template IDs of Data Sets are
- numbered from 256 to 65535.
-
- Typically, this Information Element is used for
- limiting the scope of other Information Elements.
- Note that after a re-start of the Exporting Process
- Template identifiers may be re-assigned.
-
-
-
-
-
-elementId: TBD
-name: collectorIPv4Address
-dataType: ipv4Address
-status: current
-description: An IPv4 address to which the Exporting Process sends
- Flow information.
-
-
-
-
-
-elementId: TBD
-name: collectorIPv6Address
-dataType: ipv6Address
-status: current
-description: An IPv6 address to which the Exporting Process sends
- Flow information.
-
-
-
-
-
-elementId: TBD
-name: informationElementIndex
-dataType: unsigned16
-status: current
-description: A zero-based index of an Information Element
- referenced by informationElementId within a Template
- referenced by templateId; used to disambiguate
- scope for templates containing multiple identical
- Information Elements.
-
-
-
-
-
-elementId: TBD
-name: informationElementId
-dataType: unsigned16
-status: current
-description: This Information Element contains the ID of another
- Information Element.
-
-
-
-
-
-elementId: TBD
-name: informationElementDataType
-dataType: unsigned8
-status: current
-description: A description of the abstract data type of an IPFIX
- information element.These are taken from the
- abstract data types defined in section 3.1 of the
- IPFIX Information Model [RFC5102]; see that section
- for more information on the types described in the
- informationElementDataType sub-registry.
-
- These types are registered in the IANA IPFIX
- Information Element Data Type subregistry. This
- subregistry is intended to assign numbers for type
- names, not to provide a mechanism for adding data
- types to the IPFIX Protocol, and as such requires a
- Standards Action [RFC5226] to modify.
-
-
-
-
-
-elementId: TBD
-name: informationElementDescription
-dataType: string
-status: current
-description: A UTF-8 [RFC3629] encoded Unicode string containing
- a human-readable description of an Information
- Element. The content of the
- informationElementDescription MAY be annotated with
- one or more language tags [RFC4646], encoded
- in-line [RFC2482] within the UTF-8 string, in order
- to specify the language in which the description is
- written. Description text in multiple languages MAY
- tag each section with its own language tag; in this
- case, the description information in each language
- SHOULD have equivalent meaning. In the absence of
- any language tag, the "i-default" [RFC2277] language
- SHOULD be assumed. See the Security Considerations
- section for notes on string handling for Information
- Element type records.
-
-
-
-
-
-elementId: TBD
-name: informationElementName
-dataType: string
-status: current
-description: A UTF-8 [RFC3629] encoded Unicode string containing
- the name of an Information Element, intended as a
- simple identifier. See the Security Considerations
- section for notes on string handling for Information
- Element type records.
-
-
-
-
-
-elementId: TBD
-name: informationElementRangeBegin
-dataType: unsigned64
-status: current
-description: Contains the inclusive low end of the range of
- acceptable values for an Information Element.
-
-
-
-
-
-elementId: TBD
-name: informationElementRangeEnd
-dataType: unsigned64
-status: current
-description: Contains the inclusive high end of the range of
- acceptable values for an Information Element.
-
-
-
-
-
-elementId: TBD
-name: informationElementSemantics
-dataType: unsigned8
-status: current
-description: A description of the semantics of an IPFIX
- Information Element. These are taken from the data
- type semantics defined in section 3.2 of the IPFIX
- Information Model [RFC5102]; see that section for
- more information on the types defined in the
- informationElementSemantics sub-registry. This
- field may take the values in Table ; the special
- value 0x00 (default) is used to note that no
- semantics apply to the field; it cannot be
- manipulated by a Collecting Process or File Reader
- that does not understand it a priori.
-
- These semantics are registered in the IANA IPFIX
- Information Element Semantics subregistry. This
- subregistry is intended to assign numbers for
- semantics names, not to provide a mechanism for
- adding semantics to the IPFIX Protocol, and as such
- requires a Standards Action [RFC5226] to modify.
-
-
-
-
-
-elementId: TBD
-name: informationElementUnits
-dataType: unsigned16
-status: current
-description: A description of the units of an IPFIX Information
- Element. These correspond to the units implicitly
- defined in the Information Element definitions in
- section 5 of the IPFIX Information Model [RFC5102];
- see that section for more information on the types
- described in the informationElementsUnits
- sub-registry. This field may take the values in
- Table 3 below; the special value 0x00 (none) is
- used to note that the field is unitless.
-
- These types are registered in the IANA IPFIX
- Information Element Units subregistry; new types
- may be added on a First Come First Served [RFC5226]
- basis.
-
-
-
-
-
-elementId: TBD
-name: applicationCategoryName
-dataType: string
-status: current
-description: An attribute that provides a first level
- categorization for each Application ID.
-
-
-
-
-
-elementId: TBD
-name: mibObjectValueInteger
-dataType: signed64
-status: current
-description: An IPFIX Information Element which denotes that the
- integer value of a MIB object will be exported.
- The MIB Object Identifier ("mibObjectIdentifier")
- for this field MUST be exported in a MIB Field
- Option or via another means. This Information
- Element is used for MIB objects with the Base
- Syntax of Integer32 and INTEGER with IPFIX Reduced
- Size Encoding used as required. The value is
- encoded as per the standard IPFIX Abstract Data Type
- of signed64.
-
-
-
-
-
-elementId: TBD
-name: mibObjectValueOctetString
-dataType: octetArray
-status: current
-description: An IPFIX Information Element which denotes that an
- Octet String or Opaque value of a MIB object will
- be exported. The MIB Object Identifier
- ("mibObjectIdentifier") for this field MUST be
- exported in a MIB Field Option or via another means.
- This Information Element is used for MIB objects
- with the Base Syntax of OCTET STRING and Opaque. The
- value is encoded as per the standard IPFIX Abstract
- Data Type of octetArray.
-
-
-
-
-
-elementId: TBD
-name: mibObjectValueOID
-dataType: octetArray
-status: current
-description: An IPFIX Information Element which denotes that an
- Object Identifier or OID value of a MIB object will
- be exported. The MIB Object Identifier
- ("mibObjectIdentifier") for this field MUST be
- exported in a MIB Field Option or via another means.
- This Information Element is used for MIB objects
- with the Base Syntax of OBJECT IDENTIFIER. Note -
- In this case the "mibObjectIdentifier" will define
- which MIB object is being exported while the value
- contained in this Information Element will be an
- OID as a value. The mibObjectValueOID Information
- Element is encoded as ASN.1/BER [BER] in an
- octetArray.
-
-
-
-
-
-elementId: TBD
-name: mibObjectValueBits
-dataType: octetArray
-status: current
-description: An IPFIX Information Element which denotes that a
- set of Enumerated flags or bits from a MIB object
- will be exported. The MIB Object Identifier
- ("mibObjectIdentifier") for this field MUST be
- exported in a MIB Field Option or via another means.
- This Information Element is used for MIB objects
- with the Base Syntax of BITS. The flags or bits are
- encoded as per the standard IPFIX Abstract Data Type
- of octetArray, with sufficient length to accommodate
- the required number of bits. If the number of bits
- is not an integer multiple of octets then the most
- significant bits at end of the octetArray MUST be
- set to zero.
-
-
-
-
-
-elementId: TBD
-name: mibObjectValueIPAddress
-dataType: ipv4Address
-status: current
-description: An IPFIX Information Element which denotes that the
- IPv4 Address of a MIB object will be exported. The
- MIB Object Identifier ("mibObjectIdentifier") for
- this field MUST be exported in a MIB Field Option
- or via another means. This Information Element is
- used for MIB objects with the Base Syntax of
- IPaddress. The value is encoded as per the standard
- IPFIX Abstract Data Type of ipv4Address.
-
-
-
-
-
-elementId: TBD
-name: mibObjectValueCounter
-dataType: unsigned64
-status: current
-description: An IPFIX Information Element which denotes that the
- counter value of a MIB object will be exported.
- The MIB Object Identifier ("mibObjectIdentifier")
- for this field MUST be exported in a MIB Field
- Option or via another means. This Information
- Element is used for MIB objects with the Base
- Syntax of Counter32 or Counter64 with IPFIX Reduced
- Size Encoding used as required. The value is encoded
- as per the standard IPFIX Abstract Data Type
- of unsigned64.
-
-
-
-
-
-elementId: TBD
-name: mibObjectValueGauge
-dataType: unsigned32
-status: current
-description: An IPFIX Information Element which denotes that the
- Gauge value of a MIB object will be exported. The
- MIB Object Identifier ("mibObjectIdentifier") for
- this field MUST be exported in a MIB Field Option
- or via another means. This Information Element is
- used for MIB objects with the Base Syntax of Gauge32.
- The value is encoded as per the standard IPFIX
- Abstract Data Type of unsigned64. This value will
- represent a non-negative integer, which may increase
- or decrease, but shall never exceed a maximum
- value, nor fall below a minimum value.
-
-
-
-
-
-elementId: TBD
-name: mibObjectValueTimeTicks
-dataType: unsigned32
-status: current
-description: An IPFIX Information Element which denotes that the
- TimeTicks value of a MIB object will be exported.
- The MIB Object Identifier ("mibObjectIdentifier")
- for this field MUST be exported in a MIB Field
- Option or via another means. This Information
- Element is used for MIB objects with the Base
- Syntax of TimeTicks. The value is encoded as per
- the standard IPFIX Abstract Data Type of unsigned32.
-
-
-
-
-
-elementId: TBD
-name: mibObjectValueUnsigned
-dataType: unsigned64
-status: current
-description: An IPFIX Information Element which denotes that an
- unsigned integer value of a MIB object will be
- exported. The MIB Object Identifier
- ("mibObjectIdentifier") for this field MUST be
- exported in a MIB Field Option or via another means.
- This Information Element is used for MIB objects
- with the Base Syntax of unsigned64 with IPFIX
- Reduced Size Encoding used as required. The value is
- encoded as per the standard IPFIX Abstract Data Type
- of unsigned64.
-
-
-
-
-
-
-elementId: TBD
-name: mibObjectValueTable
-dataType: orderedList
-status: current
-description: An IPFIX Information Element which denotes that a
- complete or partial conceptual table will be
- exported. The MIB Object Identifier
- ("mibObjectIdentifier") for this field MUST be
- exported in a MIB Field Option or via another means.
- This Information Element is used for MIB objects
- with a SYNTAX of SEQUENCE. This is encoded as a
- subTemplateList of mibObjectValue Information
- Elements. The template specified in the
- subTemplateList MUST be an Options Template and
- MUST include all the Objects listed in the INDEX
- clause as Scope Fields.
-structure: orderedList(mibObjectValueRow+)
-
-
-
-
-
-
-
-elementId: TBD
-name: mibObjectValueRow
-dataType: orderedList
-status: current
-description: An IPFIX Information Element which denotes that a
- single row of a conceptual table will be exported.
- The MIB Object Identifier ("mibObjectIdentifier")
- for this field MUST be exported in a MIB Field
- Option or via another means. This Information
- Element is used for MIB objects with a SYNTAX of
- SEQUENCE. This is encoded as a subTemplateList of
- mibObjectValue Information Elements. The
- subTemplateList exported MUST contain exactly one
- row (i.e., one instance of the subtemplate). The
- template specified in the subTemplateList MUST be
- an Options Template and MUST include all the
- Objects listed in the INDEX clause as Scope Fields.
-structure: orderedList(mibObjectValue+)
-
-
-
-
-
-
-
-elementId: TBD
-name: mibObjectIdentifier
-dataType: octetArray
-status: current
-description: An IPFIX Information Element which denotes that a
- MIB Object Identifier (MIB OID) is exported in the
- (Options) Template Record. The mibObjectIdentifier
- Information Element contains the OID assigned to
- the MIB Object Type Definition encoded as
- ASN.1/BER [BER].
-
-
-
-
-
-elementId: TBD
-name: mibSubIdentifier
-dataType: unsigned32
-status: current
-description: A non-negative sub-identifier of an Object
- Identifier (OID).
-
-
-
-
-
-elementId: TBD
-name: mibIndexIndicator
-dataType: unsigned64
-status: current
-description: This set of bit fields is used for marking the
- Information Elements of a Data Record that serve as
- INDEX MIB objects for an indexed Columnar MIB
- object. Each bit represents an Information Element
- in the Data Record with the n-th bit representing
- the n-th Information Element. A bit set to value 1
- indicates that the corresponding Information Element
- is an index of the Columnar Object represented by
- the mibFieldValue. A bit set to value 0 indicates
- that this is not the case.
-
- If the Data Record contains more than 64
- Information Elements, the corresponding Template
- SHOULD be designed such that all INDEX
- Fields are among the first 64 Information Elements,
- because the mibIndexIndicator only contains 64 bits.
- If the Data Record contains less than 64
- Information Elements, then the extra bits in the
- mibIndexIndicator for which no corresponding
- Information Element exists MUST have the value 0,
- and must be disregarded by the Collector. This
- Information Element may be exported with
- IPFIX Reduced Size Encoding.
-
-
-
-
-
-elementId: TBD
-name: mibCaptureTimeSemantics
-dataType: unsigned8
-status: current
-description: Indicates when in the lifetime of the flow the MIB
- value was retrieved from the MIB for a
- mibObjectIdentifier. This is used to indicate if
- the value exported was collected from the MIB
- closer to flow creation or flow export time and
- will refer to the Timestamp fields included in the
- same record. This field SHOULD be used when
- exporting a mibObjectValue that specifies counters
- or statistics.
-
- If the MIB value was sampled by SNMP prior to the
- IPFIX Metering Process or Exporting Process
- retrieving the value (i.e., the data is already
- stale) and it's important to know the exact sampling
- time, then an additional observationTime* element
- should be paired with the OID using structured data.
- Similarly, if different mibCaptureTimeSemantics
- apply to different mibObject elements within the
- Data Record, then individual mibCaptureTimeSemantics
- should be paired with each OID using structured data.
-
- Values:
- 0. undefined
- 1. begin - The value for the MIB object is captured
- from the MIB when the Flow is first observed
- 2. end - The value for the MIB object is captured
- from the MIB when the Flow ends
- 3. export - The value for the MIB object is
- captured from the MIB at export time
- 4. average - The value for the MIB object is an
- average of multiple captures from the MIB over the
- observed life of the Flow
-
-
-
-
-
-elementId: TBD
-name: mibContextEngineID
-dataType: octetArray
-status: current
-description: A mibContextEngineID that specifies the SNMP engine
- ID for a MIB field being exported over IPFIX.
- Definition as per [RFC3411] section 3.3.
-
-
-
-
-
-elementId: TBD
-name: mibContextName
-dataType: string
-status: current
-description: This Information Element denotes that a MIB Context
- Name is specified for a MIB field being exported
- over IPFIX. Reference [RFC3411] section 3.3.
-
-
-
-
-
-elementId: TBD
-name: mibObjectName
-dataType: string
-status: current
-description: The name (called a descriptor in [RFC2578]
- of an object type definition.
-
-
-
-
-
-elementId: TBD
-name: mibObjectDescription
-dataType: string
-status: current
-description: The value of the DESCRIPTION clause of an MIB object
- type definition.
-
-
-
-
-
-elementId: TBD
-name: mibObjectSyntax
-dataType: string
-status: current
-description: The value of the SYNTAX clause of an MIB object type
- definition, which may include a Textual Convention
- or Subtyping. See [RFC2578].
-
-
-
-
-
-elementId: TBD
-name: mibModuleName
-dataType: string
-status: current
-description: The textual name of the MIB module that defines a MIB
- Object.
-
-
-
-
-
-elementId: TBD
-name: interface
-dataType: list
-structure: list (interfaceName, hwAddress, inetAddr, netmask)
-status: current
-description: Represents an interface and its configuration
-options.
-
-
-
-
-
-elementId: TBD
-name: iflisteners
-dataType: list
-structure: list (interfaceName, physicalProtocol, hwAddress,
- programName, pid, userId)
-status: current
-description: Stores the results of checking for applications that
-are bound to an ethernet interface on the system.
-
-
-
-
-
-elementId: TBD
-name: physicalProtocol
-dataType: enumeration
-structure:
-ETH_P_LOOP ; 0x1 ; Ethernet loopback packet.
-ETH_P_PUP ; 0x2 ; Xerox PUP packet.
-ETH_P_PUPAT ; 0x3 ; Xerox PUP Address Transport packet.
-ETH_P_IP ; 0x4 ; Internet protocol packet.
-ETH_P_X25 ; 0x5 ; CCITT X.25 packet.
-ETH_P_ARP ; 0x6 ; Address resolution packet.
-ETH_P_BPQ ; 0x7 ; G8BPQ AX.25 ethernet packet.
-ETH_P_IEEEPUP ; 0x8 ; Xerox IEEE802.3 PUP packet.
-ETH_P_IEEEPUPAT ; 0x9 ; Xerox IEEE802.3 PUP address transport
- packet.
-ETH_P_DEC ; 0xA ; DEC assigned protocol.
-ETH_P_DNA_DL ; 0xB ; DEC DNA Dump/Load.
-ETH_P_DNA_RC ; 0xC ; DEC DNA Remote Console.
-ETH_P_DNA_RT ; 0xD ; DEC DNA Routing.
-ETH_P_LAT ; 0xE ; DEC LAT.
-ETH_P_DIAG ; 0xF ; DEC Diagnostics.
-ETH_P_CUST ; 0x10 ; DEC Customer use.
-ETH_P_SCA ; 0x11 ; DEC Systems Comms Arch.
-ETH_P_RARP ; 0x12 ; Reverse address resolution packet.
-ETH_P_ATALK ; 0x13 ; Appletalk DDP.
-ETH_P_AARP ; 0x14 ; Appletalk AARP.
-ETH_P_8021Q ; 0x15 ; 802.1Q VLAN Extended Header.
-ETH_P_IPX ; 0x16 ; IPX over DIX.
-ETH_P_IPV6 ; 0x17 ; IPv6 over bluebook.
-ETH_P_SLOW ; 0x18 ; Slow Protocol. See 802.3ad 43B.
-ETH_P_WCCP ; 0x19 ; Web-cache coordination protocol.
-ETH_P_PPP_DISC ; 0x1A ; PPPoE discovery messages.
-ETH_P_PPP_SES ; 0x1B ; PPPoE session messages.
-ETH_P_MPLS_UC ; 0x1C ; MPLS Unicast traffic.
-ETH_P_MPLS_MC ; 0x1D ; MPLS Multicast traffic.
-ETH_P_ATMMPOA ; 0x1E ; MultiProtocol Over ATM.
-ETH_P_ATMFATE ; 0x1F ; Frame-based ATM Transport over Ethernet.
-ETH_P_AOE ; 0x20 ; ATA over Ethernet.
-ETH_P_TIPC ; 0x21 ; TIPC.
-ETH_P_802_3 ; 0x22 ; Dummy type for 802.3 frames.
-ETH_P_AX25 ; 0x23 ; Dummy protocol id for AX.25.
-ETH_P_ALL ; 0x24 ; Every packet.
-ETH_P_802_2 ; 0x25 ; 802.2 frames.
-ETH_P_SNAP ; 0x26 ; Internal only.
-ETH_P_DDCMP ; 0x27 ; DEC DDCMP: Internal only
-ETH_P_WAN_PPP ; 0x28 ; Dummy type for WAN PPP frames.
-ETH_P_PPP_MP ; 0x29 ; Dummy type for PPP MP frames.
-ETH_P_PPPTALK ; 0x2A ; Dummy type for Atalk over PPP.
-ETH_P_LOCALTALK ; 0x2B ; Localtalk pseudo type.
-ETH_P_TR_802_2 ; 0x2C ; 802.2 frames.
-ETH_P_MOBITEX ; 0x2D ; Mobitex.
-ETH_P_CONTROL ; 0x2E ; Card specific control frames.
-ETH_P_IRDA ; 0x2F ; Linux-IrDA.
-ETH_P_ECONET ; 0x30 ; Acorn Econet.
-ETH_P_HDLC ; 0x31 ; HDLC frames.
-ETH_P_ARCNET ; 0x32 ; 1A for ArcNet.
- ; 0x33 ; The empty string value is permitted here
- to allow for detailed error reporting.
-status: current
-description: The physical layer protocol used by the AF_PACKET
-socket.
-
-
-
-
-
-elementId: TBD
-name: hwAddress
-dataType: string
-status: current
-description: The hardware address associated
- with the interface.
-
-
-
-
-
-elementId: TBD
-name: programName
-dataType: string
-status: current
-description: The name of the communicating
- program.
-
-
-
-
-
-elementId: TBD
-name: userId
-dataType: unsigned32
-status: current
-description: The numeric user id.
-
-
-
-
-
-elementId: TBD
-name: inetlisteningserver
-dataType: list
-structure: list (transportProtocol, localAddress,
- localPort, localFullAddress, programName, foreignAddress,
- foreignPort, foreignFullAddress, pid, userId)
-status: current
-description: Stores the results of checking for network servers
-currently active on a system. It holds information pertaining to
-a specific protocol-address-port combination.
-
-
-
-
-
-elementId: TBD
-name: transportProtocol
-dataType: string
-status: current
-description: The transport-layer
- protocol (tcp or udp).
-
-
-
-
-
-elementId: TBD
-name: localAddress
-dataType: ipAddress
-status: current
-description: This is the IP address being listened to. Note that
-the IP address can be IPv4 or IPv6.
-
-
-
-
-
-elementId: TBD
-name: localPort
-dataType: unsigned32
-status: current
-description: This is the TCP or UDP port
- being listened to.
-
-
-
-
-
-elementId: TBD
-name: localFullAddress
-dataType: string
-status: current
-description: The IP address and network port on which the program
-listens, including the local address and the local port. Note
-that the IP address can be IPv4 or IPv6.
-
-
-
-
-
-elementId: TBD
-name: foreignAddress
-dataType: ipAddress
-status: current
-description: The IP address with which the program is
-communicating, or with which it will communicate. Note that the
-IP address can be IPv4 or IPv6.
-
-
-
-
-
-elementId: TBD
-name: foreignFullAddress
-dataType: ipAddress
-status: current
-description: The IP address and network port to which the program
-is communicating or will accept communications from, including
-the foreign address and foreign port. Note that the IP address
-can be IPv4 or IPv6.
-
-
-
-
-
-elementId: TBD
-name: selinuxboolean
-dataType: list
-structure: list (selinuxName, currentStatus,
- pendingStatus)
-status: current
-description: Describes the current and pending status of a
-SELinux boolean.
-
-
-
-
-
-
-elementId: TBD
-name: selinuxName
-dataType: string
-status: current
-description: The name of the SELinux
- boolean.
-
-
-
-
-
-elementId: TBD
-name: currentStatus
-dataType: boolean
-status: current
-description: Indicates current state of
- the specified SELinux boolean.
-
-
-
-
-
-elementId: TBD
-name: pendingStatus
-dataType: boolean
-status: current
-description: Indicates the pending
- state of the specified SELinux boolean.
-
-
-
-
-
-elementId: TBD
-name: selinuxsecuritycontext
-dataType: list
-structure: list (filepath, path, filename, pid,
- username, role, domainType, lowSensitivity, lowCategory,
- highSensitivity, highCategory, rawlowSensitivity,
- rawlowCategory, rawhighSensitivity, rawhighCategory)
-status: current
-description: Describes the SELinux security
- context of a file or process on the local system.
-
-
-
-
-
-elementId: TBD
-name: filepath
-dataType: string
-status: current
-description: Specifies the absolute path for a file on the
-machine. A directory cannot be specified as a filepath.
-
-
-
-
-
-elementId: TBD
-name: path
-dataType: string
-status: current
-description: Specifies the directory component of
- the absolute path to a file on the machine.
-
-
-
-
-
-elementId: TBD
-name: filename
-dataType: string
-status: current
-description: The name of the file.
-
-
-
-
-
-elementId: TBD
-name: pid
-dataType: unsigned32
-status: current
-description: The process ID of the
- process.
-
-
-
-
-
-elementId: TBD
-name: role
-dataType: string
-status: current
-description: Specifies the types that a process
- may transition to (domain transitions).
-
-
-
-
-
-elementId: TBD
-name: domainType
-dataType: string
-status: current
-description: Specifies the domain in which the file is accessible
-or the domain in which a process executes.
-
-
-
-
-
-elementId: TBD
-name: lowSensitivity
-dataType: string
-status: current
-description: Specifies the current sensitivity of a file or
-process.
-
-
-
-
-
-elementId: TBD
-name: lowCategory
-dataType: string
-status: current
-description: Specifies the set of
- categories associated with the low sensitivity.
-
-
-
-
-
-elementId: TBD
-name: highSensitivity
-dataType: string
-status: current
-description: Specifies the maximum
- range for a file or the clearance for a process.
-
-
-
-
-
-elementId: TBD
-name: highCategory
-dataType: string
-status: current
-description: Specifies the set of
- categories associated with the high sensitivity.
-
-
-
-
-
-elementId: TBD
-name: rawlowSensitivity
-dataType: string
-status: current
-description: Specifies the current sensitivity of a file or
-process but in its raw context.
-
-
-
-
-
-elementId: TBD
-name: rawlowCategory
-dataType: string
-status: current
-description: Specifies the set of categories associated with the
-low sensitivity but in its raw context.
-
-
-
-
-
-elementId: TBD
-name: rawhighSensitivity
-dataType: string
-status: current
-description: Specifies the maximum range for a file or the
-clearance for a process but in its raw context.
-
-
-
-
-
-elementId: TBD
-name: rawhighCategory
-dataType: string
-status: current
-description: Specifies the set of categories associated with the
-high sensitivity but in its raw context.
-
-
-
-
-
-elementId: TBD
-name: systemdunitdependency
-dataType: list
-structure: list (unit, dependency)
-status: current
-
-description: Stores the dependencies of the systemd
-unit.
-
-
-
-
-
-elementId: TBD
-name: unit
-dataType: string
-status: current
-description: Refers to the full systemd unit name, which has a
-form of "$name.$type". For example "cupsd.service". This name is
-usually also the filename of the unit configuration file.
-
-
-
-
-
-
-elementId: TBD
-name: dependency
-dataType: string
-status: current
-description: Refers to the name of a unit that was confirmed to
-be a dependency of the given unit.
-
-
-
-
-
-elementId: TBD
-name: systemdunitproperty
-dataType: list
-structure: list (unit, property, systemdunitValue)
-
-status: current
-description: Stores the properties and values of a systemd unit.
-
-
-
-
-
-
-elementId: TBD
-name: property
-dataType: string
-status: current
-description: The property associated with a
- systemd unit.
-
-
-
-
-
-elementId: TBD
-name: systemdunitValue
-dataType: string
-status: current
-description: The value of the property associated with a systemd
-unit. Exactly one value shall be used for all property types
-except dbus arrays - each array element shall be represented by
-one value.
-
-
-
-
-
-elementId: TBD
-name: file
-dataType: list
-structure: list (filepath, path, filename, fileType, userId,
-aTime, cTime, mTime, size)
-status: current
-description: The metadata associated with a file on the endpoint.
-
-
-
-
-
-
-elementId: TBD
-name: fileType
-dataType: string
-status: current
-description: The file's type (e.g., regular file (regular),
-directory, named pipe (fifo), symbolic link, socket or block
-special.)
-
-
-
-
-
-elementId: TBD
-name: groupId
-dataType: unsigned32
-status: current
-description: The group owner of the file, by
- group number.
-
-
-
-
-
-elementId: TBD
-name: aTime
-dataType: dateTimeSeconds
-status: current
-description: The time that the file was last
- accessed.
-
-
-
-
-
-elementId: TBD
-name: cTime
-dataType: dateTimeSeconds
-status: current
-description: The time of the last change
- to the file's inode.
-
-
-
-
-
-elementId: TBD
-name: mTime
-dataType: dateTimeSeconds
-status: current
-description: The time of the last change to
- the file's contents.
-
-
-
-
-
-elementId: TBD
-name: size
-dataType: unsigned32
-status: current
-description: This is the size of the file in
- bytes.
-
-
-
-
-
-elementId: TBD
-name: suid
-dataType: boolean
-status: current
-description: Indicates whether the program runs with the uid
-(thus privileges) of the file's owner, rather than the calling
-user.
-
-
-
-
-
-elementId: TBD
-name: sgid
-dataType: boolean
-status: current
-description: Indicates whether the program runs with the gid
-(thus privileges) of the file's group owner, rather than the
-calling user's group.
-
-
-
-
-
-elementId: TBD
-name: sticky
-dataType: boolean
-status: current
-description: Indicates whether users can delete each other's
-files in this directory, when said directory is writable by
-those users.
-
-
-
-
-
-elementId: TBD
-name: hasExtendedAcl
-dataType: boolean
-status: current
-description: Indicates whether the file or directory hasACL
-permissions applied to it. If a system supports ACLs and the
-file or directory doesn't have an ACL, or it matches the standard
-UNIX permissions, the entity will have a status of 'exists' and
-a value of 'false'. If the system supports ACLs and the file or
-directory has an ACL, the entity will have a status of 'exists'
-and a value of 'true'. Lastly, if a system doesn't support ACLs,
-the entity will have a status of 'does not exist'.
-
-
-
-
-
-elementId: TBD
-name: inetd
-dataType: list
-structure: list (serviceProtocol, serviceName, serverProgram,
- serverArguments, endpointType, execAsUser, waitStatus)
-status: current
-description: Holds information associated
- with different Internet services.
-
-
-
-
-
-elementId: TBD
-name: serverProgram
-dataType: string
-status: current
-description: Either the pathname of a server program to be
-invoked by inetd to perform the requested service, or the value
-internal if inetd itself provides the service.
-
-
-
-
-
-elementId: TBD
-name: endpointType
-dataType: enumeration
-structure:
-stream ; 0x1 ; The stream value is used to describe a stream
-socket.
-dgram ; 0x2 ; The dgram value is used to describe a datagram
-socket.
-raw ; 0x3 ; The raw value is used to describe a raw socket.
-seqpacket ; 0x4 ; The seqpacket value is used to describe a
-sequenced packet socket.
-tli ; 0x5 ; The tli value is used to describe all TLI endpoints.
-sunrpc_tcp ; 0x6 ; The sunrpc_tcp value is used to describe all
-SUNRPC TCP endpoints.
-sunrpc_udp ; 0x7 ; The sunrpc_udp value is used to describe all
-SUNRPC UDP endpoints.
- ; 0x8 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: The endpoint type (aka, socket type) associated with
-the service.
-
-
-
-
-
-elementId: TBD
-name: execAsUser
-dataType: string
-status: current
-description: The user id of the user the
- server program should run under.
-
-
-
-
-
-elementId: TBD
-name: waitStatus
-dataType: enumeration
-structure: wait ; 0x1 ; The value of 'wait' specifies that the
-server that is invoked by inetd will take over the listening
-socket associated with the service, and once launched, inetd will
-wait for that server to exit, if ever, before it resumes
-listening for new service requests.
-
-nowait ; 0x2 ; The value of 'nowait' specifies that the server
-that is invoked by inetd will not wait for any existing server
-to finish before taking over the listening socket associated with
-the service.
-
-; 0x3 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: Specifies whether the server that is invoked by
-inetd will take over the listening socket associated with the
-service, and whether once launched, inetd will wait for that
-server to exit, if ever, before it resumes listening for new
-service requests. The legal values are "wait" or "nowait".
-
-
-
-
-
-
-elementId: TBD
-name: inetAddr
-dataType: ipAddress
-status: current
-description: The IP address of the specific interface. Note that
-the IP address can be IPv4 or IPv6.
-
-
-
-
-
-elementId: TBD
-name: netmask
-dataType: ipAddress
-status: current
-description: The bitmask used to calculate
- the interface's IP network.
-
-
-
-
-
-elementId: TBD
-name: passwordInfo
-dataType: list
-structure: list (username, password, userId, groupId, gcos,
- homeDir, loginShell, lastLogin)
-status: current
-description: Describes user account information for a
- system.
-
-
-
-
-
-elementId: TBD
-name: username
-dataType: string
-status: current
-description: The name of the user.
-
-
-
-
-
-elementId: TBD
-name: password
-dataType: string
-status: current
-description: The encrypted version of the
- user's password.
-
-
-
-
-
-elementId: TBD
-name: gcos
-dataType: string
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: homeDir
-dataType: string
-status: current
-description: The user's home
- directory.
-
-
-
-
-
-elementId: TBD
-name: loginShell
-dataType: string
-status: current
-description: The user's shell
- program.
-
-
-
-
-
-elementId: TBD
-name: lastLogin
-dataType: unsigned32
-status: current
-description: The date and time when the
- last login occurred.
-
-
-
-
-
-elementId: TBD
-name: process
-dataType: list
-structure: list (commandLine, pid, ppid, priority, startTime)
-
-status: current
-description: Information about a process running on an endpoint.
-
-
-
-
-
-
-elementId: TBD
-name: commandLine
-dataType: string
-status: current
-description: The string used to start the
- process. This includes any parameters that are part of the
- command line.
-
-
-
-
-
-elementId: TBD
-name: ppid
-dataType: unsigned32
-status: current
-description: The process ID of the process's
- parent process.
-
-
-
-
-
-elementId: TBD
-name: priority
-dataType: unsigned32
-status: current
-description: The scheduling priority with
- which the process runs.
-
-
-
-
-
-elementId: TBD
-name: startTime
-dataType: string
-status: current
-description: The time of day the process
- started.
-
-
-
-
-
-elementId: TBD
-name: routingtable
-dataType: list
-structure: list (destination, gateway, flags,
- interfaceName)
-status: current
-description: Holds information about an individual routing table
-entry found in a system's primary routing table.
-
-
-
-
-
-elementId: TBD
-name: destination
-dataType: ipAddress
-status: current
-description: The destination IP address
- prefix of the routing table entry.
-
-
-
-
-
-elementId: TBD
-name: gateway
-dataType: ipAddress
-status: current
-description: The gateway of the specified
- routing table entry.
-
-
-
-
-
-elementId: TBD
-name: runlevelInfo
-dataType: list
-structure: list (serviceName, runlevel, start, kill)
-
-status: current
-description: Information about the start or kill state of a
-specified service at a given runlevel.
-
-
-
-
-
-
-elementId: TBD
-name: runlevel
-dataType: string
-status: current
-description: Specifies the system runlevel
- associated with a service.
-
-
-
-
-
-elementId: TBD
-name: start
-dataType: boolean
-status: current
-description: Specifies whether the service is
- scheduled to start at the runlevel.
-
-
-
-
-
-elementId: TBD
-name: kill
-dataType: boolean
-status: current
-description: Specifies whether the service is
- scheduled to be killed at the runlevel.
-
-
-
-
-
-elementId: TBD
-name: shadowItem
-dataType: list
-structure: list (username, password, chgLst, chgAllow,
- chgReq, expWarn, expInact, expDate, flags, encryptMethod)
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: chgLst
-dataType: dateTimeSeconds
-status: current
-description: The date of the last password
- change.
-
-
-
-
-
-elementId: TBD
-name: chgAllow
-dataType: unsigned32
-status: current
-description: Specifies how often in days a
- user may change their password. It can also be thought of
- as the minimum age of a password.
-
-
-
-
-
-elementId: TBD
-name: chgReq
-dataType: unsigned32
-status: current
-description: Describes how long a user can
- keep a password before the system forces her to change it.
-
-
-
-
-
-elementId: TBD
-name: expWarn
-dataType: unsigned32
-status: current
-description: Describes how long before
- password expiration the system begins warning the user.
-
-
-
-
-
-elementId: TBD
-name: expInact
-dataType: unsigned32
-status: current
-description: Describes how many days of
- account inactivity the system will wait after a password
- expires before locking the account.
-
-
-
-
-
-elementId: TBD
-name: expDate
-dataType: dateTimeSeconds
-status: current
-description: Specifies when will the
- account's password expire.
-
-
-
-
-
-elementId: TBD
-name: encryptMethod
-dataType: enumeration
-structure: DES ; 0x1 ; The DES method corresponds to the (none)
-prefix.
- BSDi ; 0x2 ; The BSDi method corresponds to BSDi modified
- DES or the '_' prefix.
- MD5 ; 0x3 ; The MD5 method corresponds to MD5 for Linux/BSD
- or the $1$ prefix.
- Blowfish ; 0x4 ; The Blowfish method corresponds to Blowfish
- (OpenBSD) or the $2$ or $2a$ prefixes.
- Sun MD5 ; 0x5 ; The Sun MD5 method corresponds to the $md5$
- prefix.
- SHA-256 ; 0x6 ; The SHA-256 method corresponds to the $5$
- prefix.
- SHA-512 ; 0x7 ; The SHA-512 method corresponds to the $6$
- prefix. ; 0x8 ; The empty string value is permitted here to
- allow for empty elements associated with variable references.
-status: current
-description: Describes method that is used for hashing
- passwords.
-
-
-
-
-
-elementId: TBD
-name: symlink
-dataType: list
-structure: list (symlinkFilepath, canonicalPath)
-status: current
-
-description: Identifies the result generated for a symlink.
-
-
-
-
-
-elementId: TBD
-name: symlinkFilepath
-dataType: string
-status: current
-description: Specifies the filepath to
- the subject symbolic link file.
-
-
-
-
-
-elementId: TBD
-name: canonicalPath
-dataType: string
-status: current
-description: Specifies the canonical
- path for the target of the symbolic link file specified by
- the filepath.
-
-
-
-
-
-elementId: TBD
-name: sysctl
-dataType: list
-structure: list (kernelParameterName, kernelParameterValue+,
- uname, machineClass, nodeName, osName, osRelease,
- osVersion, processorType)
-status: current
-description: Stores
- information retrieved from the local system about a kernel
- parameter and its respective value(s).
-
-
-
-
-
-elementId: TBD
-name: kernelParameterName
-dataType: string
-status: current
-description: The name of a kernel
- parameter that was collected from the local system.
-
-
-
-
-
-elementId: TBD
-name: kernelParameterValue
-dataType: string
-status: current
-description: The current value(s)
- for the specified kernel parameter on the local system.
-
-
-
-
-
-elementId: TBD
-name: uname
-dataType: list
-structure: list (machineClass, nodeName, osName, osRelease,
- osVersion, processorType)
-status: current
-description: Information about the hardware the machine is running
- on.
-
-
-
-
-
-elementId: TBD
-name: machineClass
-dataType: string
-status: current
-description: Specifies the machine
- hardware name.
-
-
-
-
-
-elementId: TBD
-name: nodeName
-dataType: string
-status: current
-description: Specifies the host
- name.
-
-
-
-
-
-elementId: TBD
-name: osName
-dataType: string
-status: current
-description: Specifies the operating system
- name.
-
-
-
-
-
-elementId: TBD
-name: osRelease
-dataType: string
-status: current
-description: Specifies the build
- version.
-
-
-
-
-
-elementId: TBD
-name: processorType
-dataType: string
-status: current
-description: Specifies the processor
- type.
-
-
-
-
-
-elementId: TBD
-name: internetService
-dataType: list
-structure: list (serviceProtocol, serviceName, flags,
- noAccess, onlyFrom, port, server, serverArguments,
- socketType, registeredServiceType, user, wait, disabled)
-
-status: current
-description: Holds information associated with Internet services.
-
-
-
-
-
-elementId: TBD
-name: serviceProtocol
-dataType: string
-status: current
-description: Specifies the protocol
- that is used by the service.
-
-
-
-
-
-elementId: TBD
-name: serviceName
-dataType: string
-status: current
-description: Specifies the name of the
- service.
-
-
-
-
-
-elementId: TBD
-name: flags
-dataType: string
-status: current
-description: Specifies miscellaneous settings
- associated with the service with executing a program.
-
-
-
-
-
-elementId: TBD
-name: noAccess
-dataType: string
-status: current
-description: Specifies the remote hosts to
- which the service is unavailable.
-
-
-
-
-
-elementId: TBD
-name: onlyFrom
-dataType: ipAddress
-status: current
-description: Specifies the remote hosts to
- which the service is available.
-
-
-
-
-
-elementId: TBD
-name: port
-dataType: unsigned32
-status: current
-description: The port entity specifies the port
- used by the service.
-
-
-
-
-
-elementId: TBD
-name: server
-dataType: string
-status: current
-description: Specifies the executable that is
- used to launch the service.
-
-
-
-
-
-elementId: TBD
-name: serverArguments
-dataType: string
-status: current
-description: Specifies the arguments
- that are passed to the executable when launching the service.
-
-
-
-
-
-elementId: TBD
-name: socketType
-dataType: string
-status: current
-description: Specifies the type of socket
- that is used by the service. Possible values include: stream,
- dgram, raw, or seqpacket.
-
-
-
-
-
-elementId: TBD
-name: registeredServiceType
-dataType: enumeration
-structure: INTERNAL ; 0x1 ; The INTERNAL type is used to describe
-services like echo, chargen, and others whose functionality is
-supplied by xinetd itself.
- RPC ; 0x2 ; The RPC type is used to describe services that
- use remote procedure call ala NFS.
- UNLISTED ; 0x3 ; The UNLISTED type is used to describe
- services that aren't listed in /etc/protocols or /etc/rpc.
- TCPMUX ; 0x4 ; The TCPMUX type is used to describe services
- that conform to RFC 1078. This type indiciates that the service
- is responsible for handling the protocol handshake.
- TCPMUXPLUS ; 0x5 ; The TCPMUXPLUS type is used to describe
- services that conform to RFC 1078. This type indicates that
- xinetd is responsible for handling the protocol
- handshake.
- ; 0x6 ; The empty string value is permitted here to allow
- for detailed error reporting.
-status: current
-
-description: Specifies the type of internet service.
-
-
-
-
-
-elementId: TBD
-name: wait
-dataType: boolean
-status: current
-description: Specifies whether or not the service is single-threaded
-or multi-threaded and whether or not xinetd accepts the connection
-or the service accepts the connection. A value of 'true' indicates
-that the service is single-threaded and the service will accept the
-connection. A value of 'false' indicates that the service is multi-
-threaded and xinetd will accept the connection.
-
-
-
-
-
-elementId: TBD
-name: disabled
-dataType: boolean
-status: current
-description: Specifies whether or not the
- service is disabled. A value of 'true' indicates that the
- service is disabled and will not start. A value of
- 'false' indicates that the service is not disabled.
-
-
-
-
-
-elementId: TBD
-name: windowsView
-dataType: enumeration
-structure: 32_bit ; 0x1 ; Indicates the 32_bit windows view.
-64_bit ; 0x2 ; Indicates the 64_bit windows view.
-; 0x3 ; The empty string value is permitted here to allow for
-empty elements associated with error conditions.
-status: current
-description: Indicates from which
- view (32-bit or 64-bit), the information was collected.
- A value of '32_bit' indicates the Item was collected from
- the 32-bit view. A value of '64-bit' indicates the Item
- was collected from the 64-bit view.
-
-
-
-
-
-elementId: TBD
-name: fileauditedpermissions
-dataType: list
-structure: list (filepath, path, filename,
- trusteeSid, trusteeName, auditStandardDelete,
- auditStandardReadControl, auditStandardWriteDac,
- auditStandardWriteOwner, auditStandardSynchronize,
- auditAccessSystemSecurity, auditGenericRead, auditGenericWrite,
- auditGenericExecute, auditGenericAll, auditFileReadData,
- auditFileWriteData, auditFileAppendData, auditFileReadEa,
- auditFileWriteEa, auditFileExecute, auditFileDeleteChild,
- auditFileReadAttributes, auditFileWriteAttributes,
- windowsView)
-status: current
-description: Stores the audited access rights of a file that a
-system access control list (SACL) structure grants to a specified
-trustee. The trustee's audited access rights are determined checking
-all access control entries (ACEs) in the SACL.
-
-
-
-
-
-elementId: TBD
-name: trusteeName
-dataType: string
-status: current
-description: Specifies the trustee name. A
- trustee can be a user, group, or program (such as a Windows
- service).
-
-
-
-
-
-elementId: TBD
-name: auditStandardDelete
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: The right to delete the object.
-
-
-
-
-
-elementId: TBD
-name: auditStandardReadControl
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: The right to read the information in the object's
-security descriptor, not including the information in the SACL.
-
-
-
-
-
-elementId: TBD
-name: auditStandardWriteDac
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: The right to modify the DACL in the object's security
- descriptor.
-
-
-
-
-
-elementId: TBD
-name: auditStandardWriteOwner
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: The right to change the owner in the object's security
- descriptor.
-
-
-
-
-
-elementId: TBD
-name: auditStandardSynchronize
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: The right to use the object for synchronization.
-This enables a thread to wait until the object is in the signaled
-state. Some object types do not support this access right.
-
-
-
-
-
-elementId: TBD
-name: auditAccessSystemSecurity
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: Indicates access to a system access control list (SACL).
-
-
-
-
-
-elementId: TBD
-name: auditGenericRead
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: Read access.
-
-
-
-
-
-elementId: TBD
-name: auditGenericWrite
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: Write access.
-
-
-
-
-
-elementId: TBD
-name: auditGenericExecute
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: Execute access.
-
-
-
-
-
-elementId: TBD
-name: auditGenericAll
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: Read, write, and execute access.
-
-
-
-
-
-elementId: TBD
-name: auditFileReadData
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: Grants the right to read data from the file.
-
-
-
-
-
-elementId: TBD
-name: auditFileWriteData
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: Grants the right to write data to the file.
-
-
-
-
-
-elementId: TBD
-name: auditFileAppendData
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: Grants the right to append data to the file.
-
-
-
-
-
-elementId: TBD
-name: auditFileReadEa
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: Grants the right to read extended attributes.
-
-
-
-
-
-elementId: TBD
-name: auditFileWriteEa
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: Grants the right to write extended attributes.
-
-
-
-
-
-elementId: TBD
-name: auditFileExecute
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: Grants the right to execute a file.
-
-
-
-
-
-elementId: TBD
-name: auditFileDeleteChild
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: Right to delete a directory and all the files it
-contains (its children), even if the files are read-only.
-
-
-
-
-
-elementId: TBD
-name: auditFileReadAttributes
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: Grants the right to read file attributes.
-
-
-
-
-
-elementId: TBD
-name: auditFileWriteAttributes
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description: Grants the right to change file attributes.
-
-
-
-
-
-elementId: TBD
-name: fileeffectiverights
-dataType: list
-structure: list (filepath, path, filename,
- trusteeSid, trusteeName, standardDelete, standardReadControl,
- standardWriteDac, standardWriteOwner,
- standardSynchronize, accessSystemSecurity, genericRead,
- genericWrite, genericExecute, genericAll, fileReadData,
- fileWriteData, fileAppendData, fileReadEa, fileWriteEa,
- fileExecute, fileDeleteChild, fileReadAttributes,
- fileWriteAttributes, windowsView)
-status: current
-description: Stores the effective rights of a file that a
- discretionary access control list (DACL) structure grants
- to a specified trustee. The trustee's effective rights
- are determined checking all access-allowed and access-denied
- access control entries (ACEs) in the DACL.
-
-
-
-
-
-elementId: TBD
-name: standardDelete
-dataType: boolean
-status: current
-description: The right to delete the
- object.
-
-
-
-
-
-elementId: TBD
-name: standardReadControl
-dataType: boolean
-status: current
-description: The right to read
- the information in the object's security descriptor, not
- including the information in the SACL.
-
-
-
-
-
-elementId: TBD
-name: standardWriteDac
-dataType: boolean
-status: current
-description: The right to modify the
- DACL in the object's security descriptor.
-
-
-
-
-
-elementId: TBD
-name: standardWriteOwner
-dataType: boolean
-status: current
-description: The right to change
- the owner in the object's security descriptor.
-
-
-
-
-
-elementId: TBD
-name: standardSynchronize
-dataType: boolean
-status: current
-description: The right to use the
- object for synchronization. This enables a thread to wait
- until the object is in the signaled state. Some object
- types do not support this access right.
-
-
-
-
-
-elementId: TBD
-name: accessSystemSecurity
-dataType: boolean
-status: current
-description: Indicates access to
- a system access control list (SACL).
-
-
-
-
-
-elementId: TBD
-name: genericRead
-dataType: boolean
-status: current
-description: Read access.
-
-
-
-
-
-elementId: TBD
-name: genericWrite
-dataType: boolean
-status: current
-description: Write access.
-
-
-
-
-
-elementId: TBD
-name: genericExecute
-dataType: boolean
-status: current
-description: Execute access.
-
-
-
-
-
-elementId: TBD
-name: genericAll
-dataType: boolean
-status: current
-description: Read, write, and execute
- access.
-
-
-
-
-
-elementId: TBD
-name: fileReadData
-dataType: boolean
-status: current
-description: Grants the right to read
- data from the file
-
-
-
-
-
-elementId: TBD
-name: fileWriteData
-dataType: boolean
-status: current
-description: Grants the right to write
- data to the file.
-
-
-
-
-
-elementId: TBD
-name: fileAppendData
-dataType: boolean
-status: current
-description: Grants the right to
- append data to the file.
-
-
-
-
-
-elementId: TBD
-name: fileReadEa
-dataType: boolean
-status: current
-description: Grants the right to read
- extended attributes.
-
-
-
-
-
-elementId: TBD
-name: fileWriteEa
-dataType: boolean
-status: current
-description: Grants the right to write
- extended attributes.
-
-
-
-
-
-elementId: TBD
-name: fileExecute
-dataType: boolean
-status: current
-description: Grants the right to execute
- a file.
-
-
-
-
-
-elementId: TBD
-name: fileDeleteChild
-dataType: boolean
-status: current
-description: Right to delete a
- directory and all the files it contains (its children),
- even if the files are read-only.
-
-
-
-
-
-elementId: TBD
-name: fileReadAttributes
-dataType: boolean
-status: current
-description: Grants the right to
- read file attributes.
-
-
-
-
-
-elementId: TBD
-name: fileWriteAttributes
-dataType: boolean
-status: current
-description: Grants the right to
- change file attributes.
-
-
-
-
-
-elementId: TBD
-name: groupInfo
-dataType: list
-structure: list (group, username, subgroup)
-status: current
-description: Specifies the different users and subgroups, that
-directly belong to specific groups.
-
-
-
-
-
-elementId: TBD
-name: group
-dataType: string
-status: current
-description: Represents the name of a particular
- group.
-
-
-
-
-
-elementId: TBD
-name: subgroup
-dataType: string
-status: current
-description: Represents the name of a
- particular subgroup in the specified group.
-
-
-
-
-
-elementId: TBD
-name: groupSidInfo
-dataType: list
-structure: list (groupSid, userSid, subgroupSid)
-status: current
-description: Specifies the different users and subgroups, that
-directly belong to specific groups
- (identified by SID).
-
-
-
-
-
-elementId: TBD
-name: userSidInfo
-dataType: list
-structure: list (userSid, enabled, groupSid, lastLogon)
-
-status: current
-description: Specifies the different groups (identified by SID)
-that a user belongs to.
-
-
-
-
-
-elementId: TBD
-name: userSid
-dataType: string
-status: current
-description: Represents the SID of a
- particular user.
-
-
-
-
-
-elementId: TBD
-name: subgroupSid
-dataType: string
-status: current
-description: Represents the SID of a
- particular subgroup.
-
-
-
-
-
-elementId: TBD
-name: lockoutpolicy
-dataType: list
-structure: list (forceLogoff, lockoutDuration,
- lockoutObservationWindow, lockoutThreshold)
-status: current
-description: Specifies various attributes associated
- with lockout information for users and global groups in the
- security database.
-
-
-
-
-
-elementId: TBD
-name: forceLogoff
-dataType: unsigned32
-status: current
-description: Specifies, in seconds, the
- amount of time between the end of the valid logon time and
- the time when the user is forced to log off the
- network.
-
-
-
-
-
-elementId: TBD
-name: lockoutDuration
-dataType: unsigned32
-status: current
-description: Specifies, in seconds,
- how long a locked account remains locked before it is
- automatically unlocked.
-
-
-
-
-
-elementId: TBD
-name: lockoutObservationWindow
-dataType: unsigned32
-status: current
-description: Specifies the
- maximum time, in seconds, that can elapse between any two
- failed logon attempts before lockout occurs.
-
-
-
-
-
-elementId: TBD
-name: lockoutThreshold
-dataType: unsigned32
-status: current
-description: Specifies the number of
- invalid password authentications that can occur before an
- account is marked "locked out."
-
-
-
-
-
-elementId: TBD
-name: passwordpolicy
-dataType: list
-structure: list (maxPasswdAge, minPasswdAge,
- minPasswdLen, passwordHistLen, passwordComplexity,
- reversibleEncryption)
-status: current
-description: Specifies
- policy information associated with passwords.
-
-
-
-
-
-elementId: TBD
-name: maxPasswdAge
-dataType: unsigned32
-status: current
-description: Specifies, in seconds (from
- a DWORD), the maximum allowable password age. A value of
- TIMEQ_FOREVER (max DWORD value, 4294967295) indicates
- that the password never expires. The minimum valid value
- for this element is ONE_DAY (86400). See the
- USER_MODALS_INFO_0 structure returned by a call to
- NetUserModalsGet().
-
-
-
-
-
-elementId: TBD
-name: minPasswdAge
-dataType: unsigned32
-status: current
-description: Specifies the minimum
- number of seconds that can elapse between the time a password
- changes and when it can be changed again. A value of
- zero indicates that no delay is required between password
- updates.
-
-
-
-
-
-elementId: TBD
-name: minPasswdLen
-dataType: unsigned32
-status: current
-description: Specifies the minimum
- allowable password length. Valid values for this element are
- zero through PWLEN.
-
-
-
-
-
-elementId: TBD
-name: passwordHistLen
-dataType: unsigned32
-status: current
-description: Specifies the length of
- password history maintained. A new password cannot match any
- of the previous usrmod0_password_hist_len passwords.
- Valid values for this element are zero through DEF_MAX_PWHIST.
-
-
-
-
-
-elementId: TBD
-name: passwordComplexity
-dataType: boolean
-status: current
-description: Indicates whether
- passwords must meet the complexity requirements put forth
- by the operating system.
-
-
-
-
-
-elementId: TBD
-name: reversibleEncryption
-dataType: boolean
-status: current
-description: Indicates whether
- or not passwords are stored using reversible encryption.
-
-
-
-
-
-elementId: TBD
-name: portInfo
-dataType: list
-structure: list (localAddress, localPort, transportProtocol,
- pid, foreignAddress, foreignPort)
-status: current
-description: Information about open listening ports.
-
-
-
-
-
-elementId: TBD
-name: foreignPort
-dataType: string
-status: current
-description: The TCP or UDP port to which
- the program communicates.
-
-
-
-
-
-elementId: TBD
-name: printereffectiverights
-dataType: list
-structure: list (printerName, trusteeSid,
- standardDelete, standardReadControl, standardWriteDac,
- standardWriteOwner, standardSynchronize,
- accessSystemSecurity, genericRead, genericWrite,
- genericExecute, genericAll, printerAccessAdminister,
- printerAccessUse, jobAccessAdminister, jobAccessRead)
-status: current
-description: Stores the effective rights of a printer that a
-discretionary access control list (DACL) structure grants to a
-specified trustee. The trustee's effective rights are determined
-checking all access-allowed and access-denied access control
-entries (ACEs) in the DACL.
-
-
-
-
-
-elementId: TBD
-name: printerName
-dataType: string
-status: current
-description: Specifies the name of the
- printer.
-
-
-
-
-
-elementId: TBD
-name: printerAccessAdminister
-dataType: boolean
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: printerAccessUse
-dataType: boolean
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: jobAccessAdminister
-dataType: boolean
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: jobAccessRead
-dataType: boolean
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: registry
-dataType: list
-structure: list (registryHive, registryKey, registryKeyName,
- lastWriteTime, registryKeyType, registryKeyValue,
- windowsView)
-status: current
-description: Specifies information that can be
- collected about a particular registry key.
-
-
-
-
-
-elementId: TBD
-name: registryHive
-dataType: enumeration
-structure: HKEY_CLASSES_ROOT ; 0x1 ; This registry subtree
- contains information that associates file types with programs
- and configuration data for automation (e.g. COM
- objects and Visual Basic Programs).
- HKEY_CURRENT_CONFIG ; 0x2 ; This registry subtree contains
- configuration data for the current hardware profile.
- HKEY_CURRENT_USER ; 0x3 ; This registry subtree contains the
- user profile of the user that is currently logged into the
- system.
- HKEY_LOCAL_MACHINE ; 0x4 ; This registry subtree contains
- information about the local system.
- HKEY_USERS ; 0x5 ; This registry subtree contains user-specific
- data.
- ; 0x6 ; The empty string value is permitted here to allow
- for detailed error reporting.
-status: current
-description: The
- hive that the registry key belongs to.
-
-
-
-
-
-elementId: TBD
-name: registryKey
-dataType: string
-status: current
-description: Describes the registry key.
- Note that the hive portion of the string should not be
- included, as this data can be found under the hive
- element.
-
-
-
-
-
-elementId: TBD
-name: registryKeyName
-dataType: string
-status: current
-description: Describes the name of a
- registry key.
-
-
-
-
-
-elementId: TBD
-name: lastWriteTime
-dataType: unsigned64
-status: current
-description: The last time that the key or any of its value entries
- were modified. The value of this entity represents the
- FILETIME structure which is a 64-bit value representing the
- number of 100-nanosecond intervals since January 1, 1601
- (UTC). Last write time can be queried on any key, with hives
- being classified as a type of key. When collecting only
- information about a registry hive or key the last write time
- will be the time the key or any of its entries were modified.
- When collecting only information about a registry name the
- last write time will be the time the containing key was
- modified. Thus when collecting information about a registry
- name, the last write time does not correlate directly
- to the specified name. See the RegQueryInfoKey function
- lpftLastWriteTime.
-
-
-
-
-
-elementId: TBD
-name: registryKeyType
-dataType: enumeration
-structure: reg_binary ; 0x1 ; The reg_binary type
- is used by registry keys that specify binary data in any
- form.
- reg_dword ; 0x2 ; The reg_dword type is used by
- registry keys that specify an unsigned 32-bit integer.
- reg_dword_little_endian ; 0x3 ; The reg_dword_little_endian
- type is used by registry keys that specify an unsigned 32-bit
- little-endian integer. It is designed to run on
- little-endian computer architectures.
- reg_dword_big_endian ; 0x4 ; The reg_dword_big_endian type
- is used by registry keys that specify an unsigned 32-bit
- big-endian integer. It is designed to run on big-endian
- computer architectures.
- reg_expand_sz ; 0x5 ; The reg_expand_sz type is used by
- registry keys to specify a null-terminated
- string that contains unexpanded references to environment
- variables (for example, "%PATH%").
- reg_link ; 0x6 ; The reg_link type is used by the registry
- keys for null-terminated unicode strings. It is related to
- target path of a symbolic link created by the
- RegCreateKeyEx function.
- reg_multi_sz ; 0x7 ; The reg_multi_sz type is used by
- registry keys that specify an array of null-terminated
- strings, terminated by two null characters.
- reg_none; 0x8 ;
- The reg_none type is used by registry keys that have no
- defined value type.
- reg_qword; 0x9 ; The reg_qword type is used by registry keys
- that specify an unsigned 64-bit integer.
- reg_qword_little_endian; 0xA ; The reg_qword_little_endian
- type is used by registry keys that specify an unsigned
- 64-bit integer in little-endian computer architectures.
- reg_sz; 0xB ; The reg_sz type is used by registry keys that
- specify a single null-terminated string.
- reg_resource_list; 0xC ; The reg_resource_list type is used
- by registry keys that specify a resource list.
- reg_full_resource_descriptor; 0xD ; The
- reg_full_resource_descriptor type is used by registry
- keys that specify a full resource descriptor.
- reg_resource_requirements_list; 0xE ; The
- reg_resource_requirements_list type is used by registry keys
- that specify a resource requirements list.
- ; 0xF ; The empty string value is permitted here to allow
- for detailed error reporting.
-status: current
-description:
- Specifies the type of data stored by the registry key.
-
-
-
-
-
-elementId: TBD
-name: registryKeyValue
-dataType: string
-status: current
-description: Holds the actual value
- of the specified registry key. The representation of the
- value as well as the associated datatype attribute
- depends on type of data stored in the registry key. If the
- value being tested is of type REG_BINARY, then the
- datatype attribute should be set to 'binary' and the data
- represented by the value entity should follow the
- xsd:hexBinary form. (each binary octet is encoded as two hex
- digits) If the value being tested is of type
- REG_DWORD, REG_QWORD, REG_DWORD_LITTLE_ENDIAN,
- REG_DWORD_BIG_ENDIAN, or REG_QWORD_LITTLE_ENDIAN then the
- datatype attribute should be set to 'int' and the value
- entity should represent the data as an unsigned integer.
- DWORD and QWORD values represnt unsigned 32-bit and 64-bit
- integers, respectively. If the value being tested is of type
- REG_EXPAND_SZ, then the datatype attribute should be set to
- 'string' and the pre-expanded string should be
- represented by the value entity. If the value being tested
- is of type REG_MULTI_SZ, then only a single string (one
- of the multiple strings) should be tested using the value
- entity with the datatype attribute set to 'string'. In
- order to test multiple values, multiple OVAL registry tests
- should be used. If the specified registry key is of
- type REG_SZ, then the datatype should be 'string' and the
- value entity should be a copy of the string. If the
- value being tested is of type REG_LINK, then the datatype
- attribute should be set to 'string' and the
- null-terminated Unicode string should be represented by the
- value entity.
-
-
-
-
-
-elementId: TBD
-name: regkeyauditedpermissions
-dataType: list
-structure: list (registryKey, trusteeSid, trusteeName,
- standardDelete, standardReadControl, standardWriteDac,
- standardWriteOwner, standardSynchronize,
- accessSystemSecurity, genericRead, genericWrite,
- genericExecute, genericAll, keyQueryValue, keySetValue,
- keyCreateSubKey, keyEnumerateSubKeys, keyNotify,
- keyCreateLink, keyWow6464Key, keyWow6432Key, keyWow64Res,
- windowsView)
-status: current
-description: Stores the audited access rights of a registry key
-that a system access control list (SACL) structure grants to a
-specified trustee. The trustee's audited access rights are
-determined checking all access control entries (ACEs) in the SACL.
-
-
-
-
-
-elementId: TBD
-name: auditKeyQueryValue
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: auditKeySetValue
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: auditKeyCreateSubKey
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: auditKeyEnumerateSubKeys
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: auditKeyNotify
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: auditKeyCreateLink
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: auditKeyWow6464Key
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: auditKeyWow6432Key
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: auditKeyWow64Res
-dataType: enumeration
-structure: AUDIT_FAILURE ; 0x1 ; The audit type AUDIT_FAILURE is
-used to perform audits on all unsuccessful occurrences of
-specified events when auditing is enabled.
-AUDIT_NONE ; 0x2 ; The audit type AUDIT_NONE is used to cancel
-all auditing options for the specified events.
-AUDIT_SUCCESS ; 0x3 ; The audit type AUDIT_SUCCESS is used to
-perform audits on all successful occurrences of the specified
-events when auditing is enabled.
-AUDIT_SUCCESS_FAILURE ; 0x4 ; The audit type AUDIT_SUCCESS_FAILURE
-is used to perform audits on all successful and unsuccessful
-occurrences of the specified events when auditing is enabled.
-; 0x5 ; The empty string value is permitted here to allow for
-detailed error reporting.
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: regkeyeffectiverights
-dataType: list
-structure: list (registryHive, registryKey, trusteeSid,
- trusteeName, standardDelete, standardReadControl,
- standardWriteDac, standardWriteOwner, standardSynchronize,
- accessSystemSecurity, genericRead, genericWrite,
- genericExecute, genericAll, keyQueryValue, keySetValue,
- keyCreateSubKey, keyEnumerateSubKeys, keyNotify,
- keyCreateLink, keyWow6464Key, keyWow6432Key, keyWow64Res,
- windowsView)
-status: current
-description: Stores the effective rights of a registry key that a
-discretionary access control list (DACL) structure grants to a
-specified trustee. The trustee's effective rights are determined
-checking all access-allowed and access-denied access control
-entries (ACEs) in the DACL.
-
-
-
-
-
-elementId: TBD
-name: keyQueryValue
-dataType: boolean
-status: current
-description: Specifies whether or not
- permission is granted to query the key's value.
-
-
-
-
-
-elementId: TBD
-name: keySetValue
-dataType: boolean
-status: current
-description: Specifies whether or not
- permission is granted to set the key's value.
-
-
-
-
-
-elementId: TBD
-name: keyCreateSubKey
-dataType: boolean
-status: current
-description: Specifies whether or not
- permission is granted to create a subkey.
-
-
-
-
-
-elementId: TBD
-name: keyEnumerateSubKeys
-dataType: boolean
-status: current
-description: Specifies whether or
- not permission is granted to list the subkeys associated
- with key.
-
-
-
-
-
-elementId: TBD
-name: keyNotify
-dataType: boolean
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: keyCreateLink
-dataType: boolean
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: keyWow6464Key
-dataType: boolean
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: keyWow6432Key
-dataType: boolean
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: keyWow64Res
-dataType: boolean
-status: current
-description:
-
-
-
-
-
-
-elementId: TBD
-name: service
-dataType: list
-structure: list (serviceName, displayName, description,
- serviceType, startType, currentState, controlsAccepted,
- startName, path, pid, serviceFlag, dependencies)
-status: current
-description: Stores information about Windows services that are
-present on the system.
-
-
-
-
-
-elementId: TBD
-name: displayName
-dataType: string
-status: current
-description: Specifies the name of the
- service as specified in administrative tools.
-
-
-
-
-
-elementId: TBD
-name: description
-dataType: string
-status: current
-description: Specifies the description of
- the service.
-
-
-
-
-
-elementId: TBD
-name: serviceType
-dataType: enumeration
-structure: SERVICE_FILE_SYSTEM_DRIVER ; 0x1 ; The
- SERVICE_FILE_SYSTEM_DRIVER type means that the service is
- a file system driver. The DWORD value that this
- corresponds to is 0x00000002.
- SERVICE_KERNEL_DRIVER ; 0x2 ; The SERVICE_KERNEL_DRIVER type
- means that the service is a driver. The DWORD value that
- this corresponds to is 0x00000001.
- SERVICE_WIN32_OWN_PROCESS ; 0x3 ; The SERVICE_WIN32_OWN_PROCESS
- type means that the service runs in its own process. The DWORD
- value that this corresponds to is 0x00000010.
- SERVICE_WIN32_SHARE_PROCESS ; 0x4 ; The
- SERVICE_WIN32_SHARE_PROCESS type means that the service runs
- in a process with other services. The DWORD value that this
- corresponds to is 0x00000020.
- SERVICE_INTERACTIVE_PROCESS ; 0x5 ; The
- SERVICE_WIN32_SHARE_PROCESS type means that the service runs
- in a process with other services. The DWORD value that this
- corresponds to is 0x00000100.
- ; 0x6 ; The empty string value is permitted here to allow for
- empty elements associated with error conditions.
-status: current
-description:
- Specifies the type of the service.
-
-
-
-
-
-elementId: TBD
-name: startType
-dataType: enumeration
-structure: SERVICE_AUTO_START ; 0x1 ; The SERVICE_AUTO_START type
- means that the service is started automatically by the Service
- Control Manager (SCM) during startup. The DWORD value that
- this corresponds to is 0x00000002.
- SERVICE_BOOT_START ; 0x2 ; The SERVICE_BOOT_START type means
- that the driver service is started by the system loader. The
- DWORD value that this corresponds to is 0x00000000.
- SERVICE_DEMAND_START ; 0x3 ; The SERVICE_DEMAND_START type
- means that the service is started by the Service Control
- Manager (SCM) when StartService() is called. The DWORD value
- that this corresponds to is 0x00000003.
- SERVICE_DISABLED ; 0x4 ; The SERVICE_DISABLED type means
- that the service cannot be started. The DWORD value that
- this corresponds to is 0x00000004.
- SERVICE_SYSTEM_START ; 0x5 ; The SERVICE_SYSTEM_START type
- means that the service is a device driver started by
- IoInitSystem(). The DWORD value that this corresponds to is
- 0x00000001.
- ; 0x6 ; The empty string value is permitted here to allow
- for empty elements associated with error conditions.
-status: current
-description: Specifies when the service should be started.
-
-
-
-
-
-elementId: TBD
-name: currentState
-dataType: enumeration
-structure: SERVICE_CONTINUE_PENDING ; 0x1 ; The
- SERVICE_CONTINUE_PENDING type means that the service has been
- sent a command to continue, however, the command has
- not yet been executed. The DWORD value that this corresponds
- to is 0x00000005. SERVICE_PAUSE_PENDING ; 0x2 ; The
- SERVICE_PAUSE_PENDING type means that the service has been
- sent a command to pause, however, the command has not
- yet been executed. The DWORD value that this corresponds to
- is 0x00000006.
- SERVICE_PAUSED ; 0x3 ; The SERVICE_PAUSED type means that
- the service is paused. The DWORD value that this corresponds
- to is 0x00000007.
- SERVICE_RUNNING ; 0x4 ; The SERVICE_RUNNING type means that
- the service is running. The DWORD value that this
- corresponds to is 0x00000004.
- SERVICE_START_PENDING ; 0x5 ; The SERVICE_START_PENDING type
- means that the service has been sent a command to start,
- however, the command has not yet been executed. The DWORD
- value that this corresponds to is 0x00000002.
- SERVICE_STOP_PENDING ; 0x6 ; The SERVICE_STOP_PENDING type
- means that the service
- has been sent a command to stop, however, the command has
- not yet been executed. The DWORD value that this
- corresponds to is 0x00000003.
- SERVICE_STOPPED ; 0x7 ; The SERVICE_STOPPED type means that
- the service is stopped. The DWORD value that this corresponds
- to is 0x00000001.
- ; 0x8 ; The empty string value is permitted here to allow
- for empty elements associated with error conditions.
-status: current
-description: Specifies the current state of
- the service.
-
-
-
-
-
-elementId: TBD
-name: controlsAccepted
-dataType: enumeration
-structure: SERVICE_ACCEPT_NETBINDCHANGE ; 0x1 ;
- The SERVICE_ACCEPT_NETBINDCHANGE type means that the
- service is a network component and can accept changes in its
- binding without being stopped or restarted. The DWORD value
- that this corresponds to is 0x00000010.
- SERVICE_ACCEPT_PARAMCHANGE ; 0x2 ; The SERVICE_ACCEPT_PARAMCHANGE
- type means that the service can re-read its
- startup parameters without being stopped or restarted. The
- DWORD value that this corresponds to is 0x00000008.
- SERVICE_ACCEPT_PAUSE_CONTINUE ; 0x3 ; The
- SERVICE_ACCEPT_PAUSE_CONTINUE type means that the service
- can be paused or continued. The DWORD value that this
- corresponds to is 0x00000002.
- SERVICE_ACCEPT_PRESHUTDOWN ; 0x4 ; The
- SERVICE_ACCEPT_PRESHUTDOWN type means that the service can
- receive pre-shutdown notifications. The DWORD value
- that this corresponds to is 0x00000100.
- SERVICE_ACCEPT_SHUTDOWN ; 0x5 ; The SERVICE_ACCEPT_SHUTDOWN
- type means that the service can receive shutdown notifications.
- The DWORD value that this corresponds to is 0x00000004.
- SERVICE_ACCEPT_STOP ; 0x6 ; The SERVICE_ACCEPT_STOP type
- means that the service can be stopped. The DWORD value
- that this corresponds to is 0x00000001.
- SERVICE_ACCEPT_HARDWAREPROFILECHANGE ; 0x7 ; The
- SERVICE_ACCEPT_HARDWAREPROFILECHANGE type means that the
- service can receive notifications when the system's
- hardware profile changes. The DWORD value that this
- corresponds to is 0x00000020.
- SERVICE_ACCEPT_POWEREVENT ; 0x8 ; The SERVICE_ACCEPT_POWEREVENT
- type means that the service can receive notifications when the
- system's power status has changed. The DWORD value that this
- corresponds to is 0x00000040.
- SERVICE_ACCEPT_SESSIONCHANGE ; 0x9 ; The
- SERVICE_ACCEPT_SESSIONCHANGE type means that the service can
- receive notifications when the system's session
- status has changed. The DWORD value that this corresponds
- to is 0x00000080.
- SERVICE_ACCEPT_TIMECHANGE ; 0xA ; The SERVICE_ACCEPT_TIMECHANGE
- type means that the service can receive notifications when
- the system time changes. The DWORD value that this corresponds
- to is 0x00000200.
- SERVICE_ACCEPT_TRIGGEREVENT ; 0xB ; The
- SERVICE_ACCEPT_TRIGGEREVENT type means that the service can
- receive notifications when an event that the service
- has registered for occurs on the system. The DWORD value that
- this corresponds to is 0x00000400.
- ; 0xC ; The empty string value is permitted here to allow
- for empty elements associated with error conditions.
-status: current
-
-description: Specifies the control codes that a service will
- accept and process.
-
-
-
-
-
-elementId: TBD
-name: startName
-dataType: string
-status: current
-description: Specifies the account under
- which the process should run.
-
-
-
-
-
-elementId: TBD
-name: serviceFlag
-dataType: boolean
-status: current
-description: Specifies whether the
- service is in a system process that must always run (true)
- or if the service is in a non-system process or is not
- running (false).
-
-
-
-
-
-elementId: TBD
-name: dependencies
-dataType: string
-status: current
-description: Specifies the dependencies
- of this service on other services.
-
-
-
-
-
-elementId: TBD
-name: serviceeffectiverights
-dataType: list
-structure: list (serviceName, trusteeSid,
- standardDelete, standardReadControl, standardWriteDac,
- standardWriteOwner, genericRead, genericWrite,
- genericExecute, serviceQueryConf, serviceChangeConf,
- serviceQueryStat, serviceEnumDependents, serviceStart,
- serviceStop, servicePause, serviceInterrogate,
- serviceUserDefined)
-status: current
-description: Stores the
- effective rights of a service that a discretionary access
- control list (DACL) structure grants to a specified
- trustee. The trustee's effective rights are determined by
- checking all access-allowed and access-denied access
- control entries (ACEs) in the DACL.
-
-
-
-
-
-elementId: TBD
-name: trusteeSid
-dataType: string
-status: current
-description: Specifies the SID that is
- associated with a user, group, system, or program (such as a
- Windows service).
-
-
-
-
-
-elementId: TBD
-name: serviceQueryConf
-dataType: boolean
-status: current
-description: Specifies whether or
- not permission is granted to query the service configuration.
-
-
-
-
-
-elementId: TBD
-name: serviceChangeConf
-dataType: boolean
-status: current
-description: Specifies whether or
- not permission is granted to change service configuration.
-
-
-
-
-
-elementId: TBD
-name: serviceQueryStat
-dataType: boolean
-status: current
-description: Specifies whether or
- not permission is granted to query the service control
- manager about the status of the service.
-
-
-
-
-
-elementId: TBD
-name: serviceEnumDependents
-dataType: boolean
-status: current
-description: Specifies whether
- or not permission is granted to query for an enumeration of
- all the services dependent on the service.
-
-
-
-
-
-elementId: TBD
-name: serviceStart
-dataType: boolean
-status: current
-description: Specifies whether or not
- permission is granted to start the service.
-
-
-
-
-
-elementId: TBD
-name: serviceStop
-dataType: boolean
-status: current
-description: Specifies whether or not
- permission is granted to stop the service.
-
-
-
-
-
-elementId: TBD
-name: servicePause
-dataType: boolean
-status: current
-description: Specifies whether or not
- permission is granted to pause or continue the service.
-
-
-
-
-
-elementId: TBD
-name: serviceInterrogate
-dataType: boolean
-status: current
-description: Specifies whether or not permission is granted to
- request the service to report its status immediately.
-
-
-
-
-
-elementId: TBD
-name: serviceUserDefined
-dataType: boolean
-status: current
-description: Specifies whether or
- not permission is granted to specify a user-defined
- control code.
-
-
-
-
-
-elementId: TBD
-name: sharedresourceauditedpermissions
-dataType: list
-structure: list (netname, trusteeSid,
- standardDelete, standardReadControl, standardWriteDac,
- standardWriteOwner, standardSynchronize,
- accessSystemSecurity, genericRead, genericWrite,
- genericExecute, genericAll)
-status: current
-description: Stores
- the audited access rights of a shared resource that a system
- access control list (SACL) structure grants to a
- specified trustee. The trustee's audited access rights are
- determined checking all access control entries (ACEs)
- in the SACL.
-
-
-
-
-
-elementId: TBD
-name: netname
-dataType: string
-status: current
-description: Specifies the name associated
- with a particular shared resource.
-
-
-
-
-
-elementId: TBD
-name: sharedresourceeffectiverights
-dataType: list
-structure: list (netname, trusteeSid,
- standardDelete, standardReadControl, standardWriteDac,
- standardWriteOwner, standardSynchronize,
- accessSystemSecurity, genericRead, genericWrite,
- genericExecute, genericAll)
-status: current
-description: Stores
- the effective rights of a shared resource that a
- discretionary access control list (DACL) structure grants
- to a specified trustee. The trustee's effective rights are
- determined checking all access-allowed and access-denied
- access control entries (ACEs) in the DACL.
-
-
-
-
-
-elementId: TBD
-name: user
-dataType: list
-structure: list (username, enabled, group, lastLogon)
-status: current
-description: Specifies the groups to which a user belongs.
-
-
-
-
-
-elementId: TBD
-name: enabled
-dataType: boolean
-status: current
-description: Represents whether the
- particular user is enabled or not.
-
-
-
-
-
-elementId: TBD
-name: lastLogon
-dataType: unsigned32
-status: current
-description: The date and time when the
- last logon occurred.
-
-
-
-
-
-elementId: TBD
-name: groupSid
-dataType: string
-status: current
-description: Represents the SID of a
- particular group. If the specified user belongs to more than
- one group, then multiple groupSid elements are
- applicable. If the specified user is not a member of a single
- group, then a single groupSid element should be
- incldued with a status of 'does not exist'. If there is an
- error determining the groups that the user belongs to,
- then a single groupSid element should be included with a
- status of 'error'.
-
-
-
+ &InformationModel;
+
Many of the specifications in this document have been developed in a public-private
partnership with vendors and end-users. The hard work of the SCAP community is
diff --git a/im.csv b/im.csv
new file mode 100644
index 0000000..30c39c6
--- /dev/null
+++ b/im.csv
@@ -0,0 +1,407 @@
+elementId,enterpriseId,name,dataType,status,description,structure,references
+TBD,,informationElementRangeBegin,unsigned64,current,"Contains the inclusive low end of the range of acceptable values for an Information Element.",,
+TBD,,printerName,string,current,"Specifies the name of the printer.",,
+TBD,,collectorIPv4Address,ipv4Address,current,"An IPv4 address to which the Exporting Process sends Flow information.",,
+TBD,,pendingStatus,boolean,current,"Indicates the pending state of the specified SELinux boolean.",,
+TBD,,fileReadEa,boolean,current,"Grants the right to read extended attributes.",,
+TBD,,eventType,string,current,"a set of types that define the categories of an event (e.g. access-level-change, change-of-priviledge, change-of-authorization, environmental-event, or provisioning-event).",,
+TBD,,sacmStatementMetadata,orderedList,current,"Contains IEs that provide information about the data origin of the providing SACM Component as well as the information necessary for other SACM Components to understand the type of security automation information in the SACM Statement's SACM Content Element(s).","orderedList(publicationTimestamp,dataOrigin,)",
+TBD,,mibObjectValueGauge,unsigned32,current,"An IPFIX Information Element which denotes that the Gauge value of a MIB object will be exported. The MIB Object Identifier (""mibObjectIdentifier"") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of Gauge32. The value is encoded as per the standard IPFIX Abstract Data Type of unsigned64. This value will represent a non-negative integer, which may increase or decrease, but shall never exceed a maximum value, nor fall below a minimum value.",,
+TBD,,networkLayer,string,current,"A set of layers that expresses the specific network layer an interface operates on.",,
+TBD,,softwareTitle,string,current,"The title of the software application.",,
+TBD,,routingtable,list,current,"Holds information about an individual routing table entry found in a system's primary routing table.","list(destination,gateway,flags,interfaceName)",
+TBD,,auditFileAppendData,enumeration,current,"Grants the right to append data to the file.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,filename,string,current,"The name of the file.",,
+TBD,,interfaceLabel,string,current,"A unique label that can be used to reference a network interface.",,
+TBD,,size,unsigned32,current,"This is the size of the file in bytes.",,
+TBD,,targetEndpointLabel,string,current,"A label that uniquely identifies a target endpoint on SACM domain.",,
+TBD,,mibIndexIndicator,unsigned64,current,"This set of bit fields is used for marking the Information Elements of a Data Record that serve as INDEX MIB objects for an indexed Columnar MIB object. Each bit represents an Information Element in the Data Record with the n-th bit representing the n-th Information Element. A bit set to value 1 indicates that the corresponding Information Element is an index of the Columnar Object represented by the mibFieldValue. A bit set to value 0 indicates that this is not the case.|| If the Data Record contains more than 64 Information Elements, the corresponding Template SHOULD be designed such that all INDEX Fields are among the first 64 Information Elements, because the mibIndexIndicator only contains 64 bits. If the Data Record contains less than 64 Information Elements, then the extra bits in the mibIndexIndicator for which no corresponding Information Element exists MUST have the value 0, and must be disregarded by the Collector. This Information Element may be exported with IPFIX Reduced Size Encoding.",,
+TBD,,softwareVerison,category,current,"The version of the software application. Software applications may be versioned using a number of schemas. The following high-level digram describes the structure of the softwareVersion information element.","category(simpleSoftwareVersion |rpmSoftwareVersion |ciscoTrainSoftwareVersion)",
+TBD,,fileWriteAttributes,boolean,current,"Grants the right to change file attributes.",,
+TBD,,interfaceIndex,unsigned32,current,"The index of an interface installed on an endpoint. The value matches the value of managed object 'ifIndex' as defined in [RFC2863]. Note that ifIndex values are not assigned statically to an interface and that the interfaces may be renumbered every time the device's management system is re-initialized, as specified in [RFC2863].",,
+TBD,,lockoutpolicy,list,current,"Specifies various attributes associated with lockout information for users and global groups in the security database.","list(forceLogoff,lockoutDuration,lockoutObservationWindow,lockoutThreshold)",
+TBD,,mibObjectValueOID,octetArray,current,"An IPFIX Information Element which denotes that an Object Identifier or OID value of a MIB object will be exported. The MIB Object Identifier (""mibObjectIdentifier"") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of OBJECT IDENTIFIER. Note - In this case the ""mibObjectIdentifier"" will define which MIB object is being exported while the value contained in this Information Element will be an OID as a value. The mibObjectValueOID Information Element is encoded as ASN.1/BER [BER] in an octetArray.",,
+TBD,,selinuxName,string,current,"The name of the SELinux boolean.",,
+TBD,,patchName,string,current,"The vendor's name of a software patch.",,
+TBD,,relayTimestamp,dateTimeSeconds,current,"The date and time when the posture information was relayed to another SACM Component.",,
+TBD,,relationshipObjectLabel,string,current,"A reference to a specific label used in content (e.g. a te-label or a user-id). This reference is typically used if matching content attribute can be done efficiantly and can also be included in addition to a relationship-content-element-guid reference.",,
+TBD,,systemdunitValue,string,current,"The value of the property associated with a systemd unit. Exactly one value shall be used for all property types except dbus arrays - each array element shall be represented by one value.",,
+TBD,,localFullAddress,string,current,"The IP address and network port on which the program listens, including the local address and the local port. Note that the IP address can be IPv4 or IPv6.",,
+TBD,,fileauditedpermissions,list,current,"Stores the audited access rights of a file that a system access control list (SACL) structure grants to a specified trustee. The trustee's audited access rights are determined checking all access control entries (ACEs) in the SACL.","list(filepath,path,filename,trusteeSid,trusteeName,auditStandardDelete,auditStandardReadControl,auditStandardWriteDac,auditStandardWriteOwner,auditStandardSynchronize,auditAccessSystemSecurity,auditGenericRead,auditGenericWrite,auditGenericExecute,auditGenericAll,auditFileReadData,auditFileWriteData,auditFileAppendData,auditFileReadEa,auditFileWriteEa,auditFileExecute,auditFileDeleteChild,auditFileReadAttributes,auditFileWriteAttributes,windowsView)",
+TBD,,serviceChangeConf,boolean,current,"Specifies whether or not permission is granted to change service configuration.",,
+TBD,,serviceQueryStat,boolean,current,"Specifies whether or not permission is granted to query the service control manager about the status of the service.",,
+TBD,,layer3NetworkLocation,string,current,"The location of a layer-3 interface on the network (e.g. next-hop routing neighbor).",,
+TBD,,auditFileWriteEa,enumeration,current,"Grants the right to write extended attributes.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,auditFileReadEa,enumeration,current,"Grants the right to read extended attributes.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,applicationLabel,string,current,"A label that is supposed to uniquely reference an application.",,
+TBD,,registryKeyName,string,current,"Describes the name of a registry key.",,
+TBD,,lastWriteTime,unsigned64,current,"The last time that the key or any of its value entries were modified. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). Last write time can be queried on any key, with hives being classified as a type of key. When collecting only information about a registry hive or key the last write time will be the time the key or any of its entries were modified. When collecting only information about a registry name the last write time will be the time the containing key was modified. Thus when collecting information about a registry name, the last write time does not correlate directly to the specified name. See the RegQueryInfoKey function lpftLastWriteTime.",,
+TBD,,server,string,current,"Specifies the executable that is used to launch the service.",,
+TBD,,currentStatus,boolean,current,"Indicates current state of the specified SELinux boolean.",,
+TBD,,gateway,ipAddress,current,"The gateway of the specified routing table entry.",,
+TBD,,windowsView,enumeration,current,"Indicates from which view (32-bit or 64-bit), the information was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view.","32_bit;0x1;Indicates the 32_bit windows view.||64_bit;0x2;Indicates the 64_bit windows view.||;0x3;The empty string value is permitted here to allow for empty elements associated with error conditions.||",
+TBD,,rpmSoftwareVersion,string,current,"The version string for a software application that conforms to the EPOCH:VERSION-RELEASE format.",,
+TBD,,serviceEnumDependents,boolean,current,"Specifies whether or not permission is granted to query for an enumeration of all the services dependent on the service.",,
+TBD,,informationElementDescription,string,current,"A UTF-8 [RFC3629] encoded Unicode string containing a human-readable description of an Information Element. The content of the informationElementDescription MAY be annotated with one or more language tags [RFC4646], encoded in-line [RFC2482] within the UTF-8 string, in order to specify the language in which the description is written. Description text in multiple languages MAY tag each section with its own language tag; in this case, the description information in each language SHOULD have equivalent meaning. In the absence of any language tag, the ""i-default"" [RFC2277] language SHOULD be assumed. See the Security Considerations section for notes on string handling for Information Element type records.",,
+TBD,,informationElementIndex,unsigned16,current,"A zero-based index of an Information Element referenced by informationElementId within a Template referenced by templateId; used to disambiguate scope for templates containing multiple identical Information Elements.",,
+TBD,,service,list,current,"Stores information about Windows services that are present on the system.","list(serviceName,displayName,description,serviceType,startType,currentState,controlsAccepted,startName,path,pid,serviceFlag,dependencies)",
+TBD,,maxPasswdAge,unsigned32,current,"Specifies, in seconds (from a DWORD), the maximum allowable password age. A value of TIMEQ_FOREVER (max DWORD value, 4294967295) indicates that the password never expires. The minimum valid value for this element is ONE_DAY (86400). See the USER_MODALS_INFO_0 structure returned by a call to NetUserModalsGet().",,
+TBD,,serverArguments,string,current,"Specifies the arguments that are passed to the executable when launching the service.",,
+TBD,,roleName,string,current,"A label that references a collection of privileges assigned to a specific entity (identity? FIXME).",,
+TBD,,relationshipType,string,current,"A set of types that is in every instance of a relationship subject to highlight what kind of relationship exists between the subject the relationship is included in (e.g. associated_with_user, applies_to_session, seen_on_interface, associated_with_flow, contains_virtual_device).",,
+TBD,,path,string,current,"Specifies the directory component of the absolute path to a file on the machine.",,
+TBD,,lowSensitivity,string,current,"Specifies the current sensitivity of a file or process.",,
+TBD,,serviceeffectiverights,list,current,"Stores the effective rights of a service that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined by checking all access-allowed and access-denied access control entries (ACEs) in the DACL.","list(serviceName,trusteeSid,standardDelete,standardReadControl,standardWriteDac,standardWriteOwner,genericRead,genericWrite,genericExecute,serviceQueryConf,serviceChangeConf,serviceQueryStat,serviceEnumDependents,serviceStart,serviceStop,servicePause,serviceInterrogate,serviceUserDefined)",
+TBD,,applicationCategoryName,string,current,"An attribute that provides a first level categorization for each Application ID.",,
+TBD,,unitsSent,string,current,"a value that represents a number of units (e.g. frames, packets, cells or segments) sent on a network interface.",,
+TBD,,templateId,unsigned16,current,"An identifier of a Template that is locally unique within a combination of a Transport session and an Observation Domain.|| Template IDs 0-255 are reserved for Template Sets, Options Template Sets, and other reserved Sets yet to be created. Template IDs of Data Sets are numbered from 256 to 65535.|| Typically, this Information Element is used for limiting the scope of other Information Elements. Note that after a re-start of the Exporting Process Template identifiers may be re-assigned.",,
+TBD,,sacmContentElementMetadata,orderedList,current,"Contains IEs that provide information about the data source and type of security automation information such that other SACM Components are able to parse and understand the security automation information contained within the SACM Statement's SACM Content Element(s).","orderedList(collectionTimestamp,targetEndpoint,)",
+TBD,,userSidInfo,list,current,"Specifies the different groups (identified by SID) that a user belongs to.","list(userSid,enabled,groupSid,lastLogon)",
+TBD,,nodeName,string,current,"Specifies the host name.",,
+TBD,,keyCreateLink,boolean,current,"",,
+TBD,,destinationIPv4Prefix,ipv4Address,current,"IPv4 destination address prefix.",,
+TBD,,kernelParameterValue,string,current,"The current value(s) for the specified kernel parameter on the local system.",,
+TBD,,informationElementSemantics,unsigned8,current,"A description of the semantics of an IPFIX Information Element. These are taken from the data type semantics defined in section 3.2 of the IPFIX Information Model [RFC5102]; see that section for more information on the types defined in the informationElementSemantics sub-registry. This field may take the values in Table ; the special value 0x00 (default) is used to note that no semantics apply to the field; it cannot be manipulated by a Collecting Process or File Reader that does not understand it a priori.|| These semantics are registered in the IANA IPFIX Information Element Semantics subregistry. This subregistry is intended to assign numbers for semantics names, not to provide a mechanism for adding semantics to the IPFIX Protocol, and as such requires a Standards Action [RFC5226] to modify.",,
+TBD,,cTime,dateTimeSeconds,current,"The time of the last change to the file's inode.",,
+TBD,,sacmStatement,orderedList,current,"Associates SACM Statement Metadata which provides data origin information about the providing SACM Component with one or more SACM Content Elements that contain security automation information.","orderedList(sacmStatementMetadata,sacmContentElement+)",
+TBD,,ciscoTrainSoftwareVersion,string,current,"The version string for a software application that conforms to the Cisco IOS Train string format.",,
+TBD,,applicationName,string,current,"Specifies the name of an application.",,
+TBD,,informationElementName,string,current,"A UTF-8 [RFC3629] encoded Unicode string containing the name of an Information Element, intended as a simple identifier. See the Security Considerations section for notes on string handling for Information Element type records.",,
+TBD,,foreignAddress,ipAddress,current,"The IP address with which the program is communicating, or with which it will communicate. Note that the IP address can be IPv4 or IPv6.",,
+TBD,,authenticator,string,current,"A label that references a SACM component that can authenticate target endpoints (can be used in a target-endpoint subject to express that the target endpoint was authenticated by that SACM component.",,
+TBD,,auditGenericAll,enumeration,current,"Read, write, and execute access.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,applicationId,octetArray,current,"Specifies an Application ID per [RFC6759].",,
+TBD,,genericRead,boolean,current,"Read access.",,
+TBD,,hwAddress,string,current,"The hardware address associated with the interface.",,
+TBD,,personFirstName,string,current,"The first name of a natural person.",,
+TBD,,netmask,ipAddress,current,"The bitmask used to calculate the interface's IP network.",,
+TBD,,hardwareSerialNumber,string,current,"A globally unique identifier for a particular piece of hardware assigned by the vendor.",,
+TBD,,selinuxsecuritycontext,list,current,"Describes the SELinux security context of a file or process on the local system.","list(filepath,path,filename,pid,username,role,domainType,lowSensitivity,lowCategory,highSensitivity,highCategory,rawlowSensitivity,rawlowCategory,rawhighSensitivity,rawhighCategory)",
+TBD,,domainType,string,current,"Specifies the domain in which the file is accessible or the domain in which a process executes.",,
+TBD,,start,boolean,current,"Specifies whether the service is scheduled to start at the runlevel.",,
+TBD,,chgLst,dateTimeSeconds,current,"The date of the last password change.",,
+TBD,,unit,string,current,"Refers to the full systemd unit name, which has a form of ""$name.$type"". For example ""cupsd.service"". This name is usually also the filename of the unit configuration file.",,
+TBD,,publicationTimestamp,dateTimeSeconds,current,"The date and time when the posture information was published.",,
+TBD,,reversibleEncryption,boolean,current,"Indicates whether or not passwords are stored using reversible encryption.",,
+TBD,,fileAppendData,boolean,current,"Grants the right to append data to the file.",,
+TBD,,organizationId,string,current,"A label that uniquely identifies an organization via a PEN.",,
+TBD,,methodRepository,string,current,"A label that references a SACM component methods can be registered at and that can provide guidance in the form of registered methods to other SACM components.",,
+TBD,,status,string,current,"A set of types that defines possible result values for a finding in general (e.g. true, false, error, unknown, not applicable, not evaluated).",,
+TBD,,processorType,string,current,"Specifies the processor type.",,
+TBD,,serviceFlag,boolean,current,"Specifies whether the service is in a system process that must always run (true) or if the service is in a non-system process or is not running (false).",,
+TBD,,sysctl,list,current,"Stores information retrieved from the local system about a kernel parameter and its respective value(s).","list(kernelParameterName,kernelParameterValue+,uname,machineClass,nodeName,osName,osRelease,osVersion,processorType)",
+TBD,,auditKeyCreateLink,enumeration,current,"","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,selinuxboolean,list,current,"Describes the current and pending status of a SELinux boolean.","list(selinuxName,currentStatus,pendingStatus)",
+TBD,,mibObjectIdentifier,octetArray,current,"An IPFIX Information Element which denotes that a MIB Object Identifier (MIB OID) is exported in the (Options) Template Record. The mibObjectIdentifier Information Element contains the OID assigned to the MIB Object Type Definition encoded as ASN.1/BER [BER].",,
+TBD,,relationshipStatementElementGuid,string,current,"A reference to a specific SACM statement used in a relationship subject.",,
+TBD,,passwordHistLen,unsigned32,current,"Specifies the length of password history maintained. A new password cannot match any of the previous usrmod0_password_hist_len passwords. Valid values for this element are zero through DEF_MAX_PWHIST.",,
+TBD,,uname,list,current,"Information about the hardware the machine is running on.","list(machineClass,nodeName,osName,osRelease,osVersion,processorType)",
+TBD,,applicationComponent,string,current,"A label that references a ""sub""-application that is part of the application (e.g. an add-on, a cipher-suite, a library).",,
+TBD,,password,string,current,"The encrypted version of the user's password.",,
+TBD,,ipv4AddressValue,ipv4Address,current,"An IPv4 address value.",,
+TBD,,personMiddleName,string,current,"The middle name of a natural person.",,
+TBD,,kernelParameterName,string,current,"The name of a kernel parameter that was collected from the local system.",,
+TBD,,auditGenericExecute,enumeration,current,"Execute access.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,startType,enumeration,current,"Specifies when the service should be started.","SERVICE_AUTO_START;0x1;The SERVICE_AUTO_START type means that the service is started automatically by the Service Control Manager (SCM) during startup. The DWORD value that this corresponds to is 0x00000002.||SERVICE_BOOT_START;0x2;The SERVICE_BOOT_START type means that the driver service is started by the system loader. The DWORD value that this corresponds to is 0x00000000.||SERVICE_DEMAND_START;0x3;The SERVICE_DEMAND_START type means that the service is started by the Service Control Manager (SCM) when StartService() is called. The DWORD value that this corresponds to is 0x00000003.||SERVICE_DISABLED;0x4;The SERVICE_DISABLED type means that the service cannot be started. The DWORD value that this corresponds to is 0x00000004.||SERVICE_SYSTEM_START;0x5;The SERVICE_SYSTEM_START type means that the service is a device driver started by IoInitSystem(). The DWORD value that this corresponds to is 0x00000001.||;0x6;The empty string value is permitted here to allow for empty elements associated with error conditions.||",
+TBD,,phoneNumberType,string,current,"A set of types that express the type of a phone number (e.g. DSN, Fax, Home, Mobile, Pager, Secure, Unsecure, Work, Other).",,
+TBD,,portId,unsigned32,current,"An identifier of a line port that is unique per IPFIX Device hosting an Observation Point. Typically, this Information Element is used for limiting the scope of other Information Elements.",,
+TBD,,foreignFullAddress,ipAddress,current,"The IP address and network port to which the program is communicating or will accept communications from, including the foreign address and foreign port. Note that the IP address can be IPv4 or IPv6.",,
+TBD,,destinationTransportPort,unsigned16,current,"The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header. This field MAY also be used for future transport protocols that have 16-bit destination port identifiers.",,
+TBD,,lastLogon,unsigned32,current,"The date and time when the last logon occurred.",,
+TBD,,methodLabel,string,current,"A label that references a specific method registered and used in a SACM domain (e.g. method to match and re-identify target endpoints via identifying attributes).",,
+TBD,,disabled,boolean,current,"Specifies whether or not the service is disabled. A value of 'true' indicates that the service is disabled and will not start. A value of 'false' indicates that the service is not disabled.",,
+TBD,,genericExecute,boolean,current,"Execute access.",,
+TBD,,timestampType,string,current,"a set of types that express what type of action or event happened at that point of time (e.g. discovered, classified, collected, published). Can be included in a generic s.timestamp subject.",,
+TBD,,auditKeyEnumerateSubKeys,enumeration,current,"","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,serviceInterrogate,boolean,current,"Specifies whether or not permission is granted to request the service to report its status immediately.",,
+TBD,,interfaceMacAddress,macAddress,current,"The IEEE 802 MAC address associated with a network interface on an endpoint.",,
+TBD,,shadowItem,list,current,"","list(username,password,chgLst,chgAllow,chgReq,expWarn,expInact,expDate,flags,encryptMethod)",
+TBD,,forceLogoff,unsigned32,current,"Specifies, in seconds, the amount of time between the end of the valid logon time and the time when the user is forced to log off the network.",,
+TBD,,pid,unsigned32,current,"The process ID of the process.",,
+TBD,,chgAllow,unsigned32,current,"Specifies how often in days a user may change their password. It can also be thought of as the minimum age of a password.",,
+TBD,,rawhighCategory,string,current,"Specifies the set of categories associated with the high sensitivity but in its raw context.",,
+TBD,,machineClass,string,current,"Specifies the machine hardware name.",,
+TBD,,serviceName,string,current,"Specifies the name of the service.",,
+TBD,,keyWow6464Key,boolean,current,"",,
+TBD,,runlevel,string,current,"Specifies the system runlevel associated with a service.",,
+TBD,,bytesSent,string,current,"A value that represents the number of octets sent on a network interface.",,
+TBD,,eventThreshold,string,current,"if applicable, a value that can be included in an event subject to indicate what numeric threshold value was crossed to trigger that event.",,
+TBD,,mibModuleName,string,current,"The textual name of the MIB module that defines a MIB Object.",,
+TBD,,portInfo,list,current,"Information about open listening ports.","list(localAddress,localPort,transportProtocol,pid,foreignAddress,foreignPort)",
+TBD,,ipv4AddressSubnetMask,string,current,"An IPv4 subnet bitmask.",,
+TBD,,subInterfaceLabel,string,current,"A unique label a sub network interface (e.g. a tagged vlan on a trunk) can be referenced with.",,
+TBD,,ipv4AddressSubnetMaskCidrNotation,string,current,"An IPv4 subnet bitmask in CIDR notation.",,
+TBD,,serviceStop,boolean,current,"Specifies whether or not permission is granted to stop the service.",,
+TBD,,serviceUserDefined,boolean,current,"Specifies whether or not permission is granted to specify a user-defined control code.",,
+TBD,,protocol,string,current,"A set of types that defines specific protocols above layer 4 (e.g. http, https, dns, ipp, or unknown).",,
+TBD,,standardDelete,boolean,current,"The right to delete the object.",,
+TBD,,regkeyauditedpermissions,list,current,"Stores the audited access rights of a registry key that a system access control list (SACL) structure grants to a specified trustee. The trustee's audited access rights are determined checking all access control entries (ACEs) in the SACL.","list(registryKey,trusteeSid,trusteeName,standardDelete,standardReadControl,standardWriteDac,standardWriteOwner,standardSynchronize,accessSystemSecurity,genericRead,genericWrite,genericExecute,genericAll,keyQueryValue,keySetValue,keyCreateSubKey,keyEnumerateSubKeys,keyNotify,keyCreateLink,keyWow6464Key,keyWow6432Key,keyWow64Res,windowsView)",
+TBD,,groupSid,string,current,"Represents the SID of a particular group. If the specified user belongs to more than one group, then multiple groupSid elements are applicable. If the specified user is not a member of a single group, then a single groupSid element should be incldued with a status of 'does not exist'. If there is an error determining the groups that the user belongs to, then a single groupSid element should be included with a status of 'error'.",,
+TBD,,auditFileExecute,enumeration,current,"Grants the right to execute a file.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,expDate,dateTimeSeconds,current,"Specifies when will the account's password expire.",,
+TBD,,teLabel,string,current,"an identifying label created from a set of identifying attributes used to reference a specific target endpoint.",,
+TBD,,relationshipContentElementGuid,string,current,"A reference to a specific content element used in a relationship subject.",,
+TBD,,authenticationType,string,current,"A set of types that expresses which type of authentication was used to enable a network interaction/connection.",,
+TBD,,interface,list,current,"Represents an interface and its configuration options.","list(interfaceName,hwAddress,inetAddr,netmask)",
+TBD,,ppid,unsigned32,current,"The process ID of the process's parent process.",,
+TBD,,fileWriteEa,boolean,current,"Grants the right to write extended attributes.",,
+TBD,,hasExtendedAcl,boolean,current,"Indicates whether the file or directory hasACL permissions applied to it. If a system supports ACLs and the file or directory doesn't have an ACL, or it matches the standard UNIX permissions, the entity will have a status of 'exists' and a value of 'false'. If the system supports ACLs and the file or directory has an ACL, the entity will have a status of 'exists' and a value of 'true'. Lastly, if a system doesn't support ACLs, the entity will have a status of 'does not exist'.",,
+TBD,,loginShell,string,current,"The user's shell program.",,
+TBD,,fileType,string,current,"The file's type (e.g., regular file (regular), directory, named pipe (fifo), symbolic link, socket or block special.)",,
+TBD,,passwordInfo,list,current,"Describes user account information for a system.","list(username,password,userId,groupId,gcos,homeDir,loginShell,lastLogin)",
+TBD,,genericAll,boolean,current,"Read, write, and execute access.",,
+TBD,,WGS84Altitude,float64,current,"a label that represents WGS 84 rev 2004 altitude.",,
+TBD,,lastLogin,unsigned32,current,"The date and time when the last login occurred.",,
+TBD,,accessSystemSecurity,boolean,current,"Indicates access to a system access control list (SACL).",,
+TBD,,printerAccessUse,boolean,current,"",,
+TBD,,transportProtocol,string,current,"The transport-layer protocol (tcp or udp).",,
+TBD,,softwareInstance,orderedList,current,"Information about an instance of software installed on an endpoint. The following high-level digram describes the structure of softwareInstance information element.","orderedList(softwareIdentifier,softwareTitle,softwareCreator,softwareVersion,softwareLastUpdated,softwareClass)",
+TBD,,encryptMethod,enumeration,current,"Describes method that is used for hashing passwords.","DES;0x1;The DES method corresponds to the (none) prefix.||BSDi;0x2;The BSDi method corresponds to BSDi modified DES or the '_' prefix.||MD5;0x3;The MD5 method corresponds to MD5 for Linux/BSD or the $1$ prefix.||Blowfish;0x4;The Blowfish method corresponds to Blowfish (OpenBSD) or the $2$ or $2a$ prefixes.||Sun MD5;0x5;The Sun MD5 method corresponds to the $md5$ prefix.||SHA-256;0x6;The SHA-256 method corresponds to the $5$ prefix.||SHA-512;0x7;The SHA-512 method corresponds to the $6$||prefix.;0x8;The empty string value is permitted here to allow for empty elements associated with variable references.||",
+TBD,,superAdministrativeDomain,string,current,"a label for related parent domains an administrative domain is part of (used in the subject s.administrative-domain).",,
+TBD,,trusteeName,string,current,"Specifies the trustee name. A trustee can be a user, group, or program (such as a Windows service).",,
+TBD,,keyCreateSubKey,boolean,current,"Specifies whether or not permission is granted to create a subkey.",,
+TBD,,mibObjectValueInteger,signed64,current,"An IPFIX Information Element which denotes that the integer value of a MIB object will be exported. The MIB Object Identifier (""mibObjectIdentifier"") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of Integer32 and INTEGER with IPFIX Reduced Size Encoding used as required. The value is encoded as per the standard IPFIX Abstract Data Type of signed64.",,
+TBD,,certificate,string,current,"A value that expresses a certificate that can be collected from a target endpoint.",,
+TBD,,symlink,list,current,"Identifies the result generated for a symlink.","list(symlinkFilepath,canonicalPath)",
+TBD,,auditGenericRead,enumeration,current,"Read access.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,sacmContentElement,list,current,"Associates SACM Content Element Metadata which provides information about the data source and type of security automation information with the actual security automation information.","list()",
+TBD,,eventTrigger,string,current,"This value is used to express more complex trigger conditions that may cause the creation of an event.",,
+TBD,,iflisteners,list,current,"Stores the results of checking for applications that are bound to an ethernet interface on the system.","list(interfaceName,physicalProtocol,hwAddress,programName,pid,userId)",
+TBD,,auditStandardWriteDac,enumeration,current,"The right to modify the DACL in the object's security descriptor.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,collectionTimestamp,dateTimeSeconds,current,"The date and time when the posture information was collected or observed by a SACM Component.",,
+TBD,,eventThresholdName,string,current,"If an event is created due to a crossed threshold, the threshold might have a name associated with it that can be expressed via this value.",,
+TBD,,WGS84Latitude,float64,current,"a label that represents WGS 84 rev 2004 latitude.",,
+TBD,,subAdministrativeDomain,string,current,"A label for related child domains an administrative domain can be composed of (used in the subject administrative-domain)",,
+TBD,,genericWrite,boolean,current,"Write access.",,
+TBD,,informationElementUnits,unsigned16,current,"A description of the units of an IPFIX Information Element. These correspond to the units implicitly defined in the Information Element definitions in section 5 of the IPFIX Information Model [RFC5102]; see that section for more information on the types described in the informationElementsUnits sub-registry. This field may take the values in Table 3 below; the special value 0x00 (none) is used to note that the field is unitless.|| These types are registered in the IANA IPFIX Information Element Units subregistry; new types may be added on a First Come First Served [RFC5226] basis.",,
+TBD,,dependency,string,current,"Refers to the name of a unit that was confirmed to be a dependency of the given unit.",,
+TBD,,mibCaptureTimeSemantics,unsigned8,current,"Indicates when in the lifetime of the flow the MIB value was retrieved from the MIB for a mibObjectIdentifier. This is used to indicate if the value exported was collected from the MIB closer to flow creation or flow export time and will refer to the Timestamp fields included in the same record. This field SHOULD be used when exporting a mibObjectValue that specifies counters or statistics.|| If the MIB value was sampled by SNMP prior to the IPFIX Metering Process or Exporting Process retrieving the value (i.e., the data is already stale) and it's important to know the exact sampling time, then an additional observationTime* element should be paired with the OID using structured data. Similarly, if different mibCaptureTimeSemantics apply to different mibObject elements within the Data Record, then individual mibCaptureTimeSemantics should be paired with each OID using structured data.|| Values: 0. undefined 1. begin - The value for the MIB object is captured from the MIB when the Flow is first observed 2. end - The value for the MIB object is captured from the MIB when the Flow ends 3. export - The value for the MIB object is captured from the MIB at export time 4. average - The value for the MIB object is an average of multiple captures from the MIB over the observed life of the Flow",,
+TBD,,filepath,string,current,"Specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.",,
+TBD,,keyWow6432Key,boolean,current,"",,
+TBD,,gcos,string,current,"",,
+TBD,,teId,string,current,"an identifying label that is created randomly, is supposed to be unique, and used to reference a specific target endpoint.",,
+TBD,,networkInterface,orderedList,current,"Information about a network interface installed on an endpoint. The following high-level digram describes the structure of networkInterface information element.","orderedList(interfaceName,interfaceIndex,macAddress,interfaceType,flags)",
+TBD,,serviceProtocol,string,current,"Specifies the protocol that is used by the service.",,
+TBD,,inetd,list,current,"Holds information associated with different Internet services.","list(serviceProtocol,serviceName,serverProgram,serverArguments,endpointType,execAsUser,waitStatus)",
+TBD,,highSensitivity,string,current,"Specifies the maximum range for a file or the clearance for a process.",,
+TBD,,auditFileReadData,enumeration,current,"Grants the right to read data from the file.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,anyIE,category,current,"This category is a placeholder for any information element defined within the SACM Information Model. Its purpose is to provide an extension point in other information elements that enable them to support the specific needs of an enterprise, user, product, or service.",,
+TBD,,netname,string,current,"Specifies the name associated with a particular shared resource.",,
+TBD,,mibObjectValueUnsigned,unsigned64,current,"An IPFIX Information Element which denotes that an unsigned integer value of a MIB object will be exported. The MIB Object Identifier (""mibObjectIdentifier"") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of unsigned64 with IPFIX Reduced Size Encoding used as required. The value is encoded as per the standard IPFIX Abstract Data Type of unsigned64.",,
+TBD,,internetService,list,current,"Holds information associated with Internet services.","list(serviceProtocol,serviceName,flags,noAccess,onlyFrom,port,server,serverArguments,socketType,registeredServiceType,user,wait,disabled)",
+TBD,,auditStandardSynchronize,enumeration,current,"The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,foreignPort,string,current,"The TCP or UDP port to which the program communicates.",,
+TBD,,sticky,boolean,current,"Indicates whether users can delete each other's files in this directory, when said directory is writable by those users.",,
+TBD,,ipv6AddressSubnetMask,string,current,"An IPv6 subnet bitmask.",,
+TBD,,informationElementDataType,unsigned8,current,"A description of the abstract data type of an IPFIX information element.These are taken from the abstract data types defined in section 3.1 of the IPFIX Information Model [RFC5102]; see that section for more information on the types described in the informationElementDataType sub-registry.|| These types are registered in the IANA IPFIX Information Element Data Type subregistry. This subregistry is intended to assign numbers for type names, not to provide a mechanism for adding data types to the IPFIX Protocol, and as such requires a Standards Action [RFC5226] to modify.",,
+TBD,,auditKeyCreateSubKey,enumeration,current,"","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,endpointType,enumeration,current,"The endpoint type (aka, socket type) associated with the service.","stream;0x1;The stream value is used to describe a stream socket.||dgram;0x2;The dgram value is used to describe a datagram socket.||raw;0x3;The raw value is used to describe a raw socket.||seqpacket;0x4;The seqpacket value is used to describe a sequenced packet socket.||tli;0x5;The tli value is used to describe all TLI endpoints.||sunrpc_tcp;0x6;The sunrpc_tcp value is used to describe all SUNRPC TCP endpoints.||sunrpc_udp;0x7;The sunrpc_udp value is used to describe all SUNRPC UDP endpoints.||;0x8;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,fileReadAttributes,boolean,current,"Grants the right to read file attributes.",,
+TBD,,phoneNumber,string,current,"A label that expresses the U.S. national phone number (e.g. pattern value=""((\d{3}) )?\d{3}-\d{4}"").",,
+TBD,,mibContextEngineID,octetArray,current,"A mibContextEngineID that specifies the SNMP engine ID for a MIB field being exported over IPFIX. Definition as per [RFC3411] section 3.3.",,
+TBD,,auditKeySetValue,enumeration,current,"","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,systemdunitproperty,list,current,"Stores the properties and values of a systemd unit.","list(unit,property,systemdunitValue)",
+TBD,,mibObjectName,string,current,"The name (called a descriptor in [RFC2578] of an object type definition.",,
+TBD,,rawhighSensitivity,string,current,"Specifies the maximum range for a file or the clearance for a process but in its raw context.",,
+TBD,,registryKeyValue,string,current,"Holds the actual value of the specified registry key. The representation of the value as well as the associated datatype attribute depends on type of data stored in the registry key. If the value being tested is of type REG_BINARY, then the datatype attribute should be set to 'binary' and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If the value being tested is of type REG_DWORD, REG_QWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, or REG_QWORD_LITTLE_ENDIAN then the datatype attribute should be set to 'int' and the value entity should represent the data as an unsigned integer. DWORD and QWORD values represnt unsigned 32-bit and 64-bit integers, respectively. If the value being tested is of type REG_EXPAND_SZ, then the datatype attribute should be set to 'string' and the pre-expanded string should be represented by the value entity. If the value being tested is of type REG_MULTI_SZ, then only a single string (one of the multiple strings) should be tested using the value entity with the datatype attribute set to 'string'. In order to test multiple values, multiple OVAL registry tests should be used. If the specified registry key is of type REG_SZ, then the datatype should be 'string' and the value entity should be a copy of the string. If the value being tested is of type REG_LINK, then the datatype attribute should be set to 'string' and the null-terminated Unicode string should be represented by the value entity.",,
+TBD,,standardSynchronize,boolean,current,"The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.",,
+TBD,,sacmUserId,string,current,"a label that references a specific user known in a SACM domain.",,
+TBD,,file,list,current,"The metadata associated with a file on the endpoint.","list(filepath,path,filename,fileType,userId,aTime,cTime,mTime,size)",
+TBD,,teAssessmentState,string,current,"a set of types that defines the state of assessment of a target-endpoint (e.g. in-discovery, discovered, in-classification, classified, in-assessment, assessed).",,
+TBD,,interfaceDescription,string,current,"The description of an interface, eg ""FastEthernet 1/0"" or ""ISP connection"".",,
+TBD,,wait,boolean,current,"Specifies whether or not the service is single-threaded or multi-threaded and whether or not xinetd accepts the connection or the service accepts the connection. A value of 'true' indicates that the service is single-threaded and the service will accept the connection. A value of 'false' indicates that the service is multi- threaded and xinetd will accept the connection.",,
+TBD,,mibObjectValueTable,orderedList,current,"An IPFIX Information Element which denotes that a complete or partial conceptual table will be exported. The MIB Object Identifier (""mibObjectIdentifier"") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with a SYNTAX of SEQUENCE. This is encoded as a subTemplateList of mibObjectValue Information Elements. The template specified in the subTemplateList MUST be an Options Template and MUST include all the Objects listed in the INDEX clause as Scope Fields.","orderedList(mibObjectValueRow+)",
+TBD,,fileExecute,boolean,current,"Grants the right to execute a file.",,
+TBD,,auditStandardWriteOwner,enumeration,current,"The right to change the owner in the object's security descriptor.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,mibObjectValueOctetString,octetArray,current,"An IPFIX Information Element which denotes that an Octet String or Opaque value of a MIB object will be exported. The MIB Object Identifier (""mibObjectIdentifier"") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of OCTET STRING and Opaque. The value is encoded as per the standard IPFIX Abstract Data Type of octetArray.",,
+TBD,,applicationManufacturer,string,current,"The name of the vendor that created the application.",,
+TBD,,mibObjectValueIPAddress,ipv4Address,current,"An IPFIX Information Element which denotes that the IPv4 Address of a MIB object will be exported. The MIB Object Identifier (""mibObjectIdentifier"") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of IPaddress. The value is encoded as per the standard IPFIX Abstract Data Type of ipv4Address.",,
+TBD,,sourceIPv6PrefixLength,unsigned8,current,"The number of contiguous bits that are relevant in the sourceIPv6Prefix Information Element.",,
+TBD,,networkId,string,current,"Most networks such as AS, OSBF domains, or VLANs can have an ID.",,
+TBD,,group,string,current,"Represents the name of a particular group.",,
+TBD,,auditKeyWow6432Key,enumeration,current,"","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,layer4PortAddress,unsigned32,current,"A layer 4 port address typically associated with TCP and UDP protocols.",,
+TBD,,canonicalPath,string,current,"Specifies the canonical path for the target of the symbolic link file specified by the filepath.",,
+TBD,,physicalProtocol,enumeration,current,"The physical layer protocol used by the AF_PACKET socket.","ETH_P_LOOP;0x1;Ethernet loopback packet.||ETH_P_PUP;0x2;Xerox PUP packet.||ETH_P_PUPAT;0x3;Xerox PUP Address Transport packet.||ETH_P_IP;0x4;Internet protocol packet.||ETH_P_X25;0x5;CCITT X.25 packet.||ETH_P_ARP;0x6;Address resolution packet.||ETH_P_BPQ;0x7;G8BPQ AX.25 ethernet packet.||ETH_P_IEEEPUP;0x8;Xerox IEEE802.3 PUP packet.||ETH_P_IEEEPUPAT;0x9;Xerox IEEE802.3 PUP address transport packet.||ETH_P_DEC;0xA;DEC assigned protocol.||ETH_P_DNA_DL;0xB;DEC DNA Dump/Load.||ETH_P_DNA_RC;0xC;DEC DNA Remote Console.||ETH_P_DNA_RT;0xD;DEC DNA Routing.||ETH_P_LAT;0xE;DEC LAT.||ETH_P_DIAG;0xF;DEC Diagnostics.||ETH_P_CUST;0x10;DEC Customer use.||ETH_P_SCA;0x11;DEC Systems Comms Arch.||ETH_P_RARP;0x12;Reverse address resolution packet.||ETH_P_ATALK;0x13;Appletalk DDP.||ETH_P_AARP;0x14;Appletalk AARP.||ETH_P_8021Q;0x15;802.1Q VLAN Extended Header.||ETH_P_IPX;0x16;IPX over DIX.||ETH_P_IPV6;0x17;IPv6 over bluebook.||ETH_P_SLOW;0x18;Slow Protocol. See 802.3ad 43B.||ETH_P_WCCP;0x19;Web-cache coordination protocol.||ETH_P_PPP_DISC;0x1A;PPPoE discovery messages.||ETH_P_PPP_SES;0x1B;PPPoE session messages.||ETH_P_MPLS_UC;0x1C;MPLS Unicast traffic.||ETH_P_MPLS_MC;0x1D;MPLS Multicast traffic.||ETH_P_ATMMPOA;0x1E;MultiProtocol Over ATM.||ETH_P_ATMFATE;0x1F;Frame-based ATM Transport over Ethernet.||ETH_P_AOE;0x20;ATA over Ethernet.||ETH_P_TIPC;0x21;TIPC.||ETH_P_802_3;0x22;Dummy type for 802.3 frames.||ETH_P_AX25;0x23;Dummy protocol id for AX.25.||ETH_P_ALL;0x24;Every packet.||ETH_P_802_2;0x25;802.2 frames.||ETH_P_SNAP;0x26;Internal only.||ETH_P_DDCMP;0x27;DEC DDCMP: Internal only||ETH_P_WAN_PPP;0x28;Dummy type for WAN PPP frames.||ETH_P_PPP_MP;0x29;Dummy type for PPP MP frames.||ETH_P_PPPTALK;0x2A;Dummy type for Atalk over PPP.||ETH_P_LOCALTALK;0x2B;Localtalk pseudo type.||ETH_P_TR_802_2;0x2C;802.2 frames.||ETH_P_MOBITEX;0x2D;Mobitex.||ETH_P_CONTROL;0x2E;Card specific control frames.||ETH_P_IRDA;0x2F;Linux-IrDA.||ETH_P_ECONET;0x30;Acorn Econet.||ETH_P_HDLC;0x31;HDLC frames.||ETH_P_ARCNET;0x32;1A for ArcNet.||;0x33;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,destination,ipAddress,current,"The destination IP address prefix of the routing table entry.",,
+TBD,,programName,string,current,"The name of the communicating program.",,
+TBD,,serverProgram,string,current,"Either the pathname of a server program to be invoked by inetd to perform the requested service, or the value internal if inetd itself provides the service.",,
+TBD,,keySetValue,boolean,current,"Specifies whether or not permission is granted to set the key's value.",,
+TBD,,localPort,unsigned32,current,"This is the TCP or UDP port being listened to.",,
+TBD,,contentAction,string,current,"A set of types that express a type of action (e.g. add, delete, update). It can be associated, for instance, with an event subject or with a network observation.",,
+TBD,,socketType,string,current,"Specifies the type of socket that is used by the service. Possible values include: stream, dgram, raw, or seqpacket.",,
+TBD,,highCategory,string,current,"Specifies the set of categories associated with the high sensitivity.",,
+TBD,,privilegeName,string,current,"The attribute name of the privilege represented as an AVP.",,
+TBD,,targetEndpointIdentifier,list,current,"A set of attributes that uniquely identify a target endpoint on the network.","list(anyIE+)",
+TBD,,sourceIPv4PrefixLength,unsigned8,current,"The number of contiguous bits that are relevant in the sourceIPv4Prefix Information Element.",,
+TBD,,dataSource,string,current,"A label that is supposed to uniquely identify the data source (e.g. a target endpoint or sensor) that provided an initial endpoint attribute record.",,
+TBD,,subgroup,string,current,"Represents the name of a particular subgroup in the specified group.",,
+TBD,,serviceType,enumeration,current," Specifies the type of the service.","SERVICE_FILE_SYSTEM_DRIVER;0x1;The SERVICE_FILE_SYSTEM_DRIVER type means that the service is a file system driver. The DWORD value that this corresponds to is 0x00000002.||SERVICE_KERNEL_DRIVER;0x2;The SERVICE_KERNEL_DRIVER type means that the service is a driver. The DWORD value that this corresponds to is 0x00000001.||SERVICE_WIN32_OWN_PROCESS;0x3;The SERVICE_WIN32_OWN_PROCESS type means that the service runs in its own process. The DWORD value that this corresponds to is 0x00000010.||SERVICE_WIN32_SHARE_PROCESS;0x4;The SERVICE_WIN32_SHARE_PROCESS type means that the service runs in a process with other services. The DWORD value that this corresponds to is 0x00000020.||SERVICE_INTERACTIVE_PROCESS;0x5;The SERVICE_WIN32_SHARE_PROCESS type means that the service runs in a process with other services. The DWORD value that this corresponds to is 0x00000100.||;0x6;The empty string value is permitted here to allow for empty elements associated with error conditions.||",
+TBD,,mibObjectValueBits,octetArray,current,"An IPFIX Information Element which denotes that a set of Enumerated flags or bits from a MIB object will be exported. The MIB Object Identifier (""mibObjectIdentifier"") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of BITS. The flags or bits are encoded as per the standard IPFIX Abstract Data Type of octetArray, with sufficient length to accommodate the required number of bits. If the number of bits is not an integer multiple of octets then the most significant bits at end of the octetArray MUST be set to zero.",,
+TBD,,layer2NetworkLocation,string,current,"The location of a layer-2 interface on the network (e.g. link-layer neighborhood, shared broadcast domain).",,
+TBD,,enabled,boolean,current,"Represents whether the particular user is enabled or not.",,
+TBD,,locationName,string,current,"A value that represents a named region of physical space.",,
+TBD,,sharedresourceeffectiverights,list,current,"Stores the effective rights of a shared resource that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL.","list(netname,trusteeSid,standardDelete,standardReadControl,standardWriteDac,standardWriteOwner,standardSynchronize,accessSystemSecurity,genericRead,genericWrite,genericExecute,genericAll)",
+TBD,,symlinkFilepath,string,current,"Specifies the filepath to the subject symbolic link file.",,
+TBD,,confidence,string,current,"A representation of the subjective probability that the assessed value is correct. If no confidence value is given, it is assumed that the confidence is 1. Acceptable values are between 0 and 1.",,
+TBD,,bytesReceived,string,current,"A value that represents a number of octets received on a network interface.",,
+TBD,,trusteeSid,string,current,"Specifies the SID that is associated with a user, group, system, or program (such as a Windows service).",,
+TBD,,birthdate,string,current,"A label for the registered day of birth of a natural person (e.g. the date of birth of a person as an ISO date string).",,http://rs.tdwg.org/ontology/voc/Person#birthdate
+TBD,,auditStandardDelete,enumeration,current,"The right to delete the object.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,dependencies,string,current,"Specifies the dependencies of this service on other services.",,
+TBD,,lockoutDuration,unsigned32,current,"Specifies, in seconds, how long a locked account remains locked before it is automatically unlocked.",,
+TBD,,displayName,string,current,"Specifies the name of the service as specified in administrative tools.",,
+TBD,,auditFileWriteData,enumeration,current,"Grants the right to write data to the file.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,keyEnumerateSubKeys,boolean,current,"Specifies whether or not permission is granted to list the subkeys associated with key.",,
+TBD,,hostName,string,current,"A label typically associated with an endpoint, but, not always intended to be unique given scope.",,
+TBD,,serviceQueryConf,boolean,current,"Specifies whether or not permission is granted to query the service configuration.",,
+TBD,,auditStandardReadControl,enumeration,current,"The right to read the information in the object's security descriptor, not including the information in the SACL.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,startTime,string,current,"The time of day the process started.",,
+TBD,,noAccess,string,current,"Specifies the remote hosts to which the service is unavailable.",,
+TBD,,softwareClass,enumeration,current,"The class of the software instance.","Unknown;0x1;The class is not known.||Other;0x2;The class is known, but, something other than a value listed in the enumeration.||Driver;0x3;The class is a device driver.||Configuration Software;0x4;The class is configuration software.||Application Software;0x5;The class is application software.||Instrumentation;0x6;The class is instrumentation.||Diagnostic Software;0x8;The class is diagnostic software.||Operating System;0x9;The class is operating system.||Middleware;0xA;The class is middleware.||Firmware;0xB;The class is firmware.||BIOS/FCode;0xC;The class is BIOS or FCode.||Support/Service Pack;0xD;The class is a support or service pack.||Software Bundle;0xE;The class is a software bundle. References: See Classifications of the DMTF CIM_SoftwareIdentity schema.||",
+TBD,,protocolIdentifier,unsigned8,current,"The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry.|| In Internet Protocol version 4 (IPv4), this is carried in the Protocol field. In Internet Protocol version 6 (IPv6), this is carried in the Next Header field in the last extension header of the packet.",,
+TBD,,expWarn,unsigned32,current,"Describes how long before password expiration the system begins warning the user.",,
+TBD,,publicKey,string,current,"The value of a public key (regardless of its method of creation, crypto-system, or signature scheme) that can be collected from a target endpoint.",,
+TBD,,runlevelInfo,list,current,"Information about the start or kill state of a specified service at a given runlevel.","list(serviceName,runlevel,start,kill)",
+TBD,,patchId,string,current,"A label the uniquely identifies a specific software patch.",,
+TBD,,printereffectiverights,list,current,"Stores the effective rights of a printer that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL.","list(printerName,trusteeSid,standardDelete,standardReadControl,standardWriteDac,standardWriteOwner,standardSynchronize,accessSystemSecurity,genericRead,genericWrite,genericExecute,genericAll,printerAccessAdminister,printerAccessUse,jobAccessAdminister,jobAccessRead)",
+TBD,,mibObjectValueRow,orderedList,current,"An IPFIX Information Element which denotes that a single row of a conceptual table will be exported. The MIB Object Identifier (""mibObjectIdentifier"") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with a SYNTAX of SEQUENCE. This is encoded as a subTemplateList of mibObjectValue Information Elements. The subTemplateList exported MUST contain exactly one row (i.e., one instance of the subtemplate). The template specified in the subTemplateList MUST be an Options Template and MUST include all the Objects listed in the INDEX clause as Scope Fields.","orderedList(mibObjectValue+)",
+TBD,,fileDeleteChild,boolean,current,"Right to delete a directory and all the files it contains (its children), even if the files are read-only.",,
+TBD,,softwareLastUpdated,dateTimeSeconds,current,"The date and time when the software instance was last updated on the system (e.g., new version instlalled or patch applied)",,
+TBD,,collectorIPv6Address,ipv6Address,current,"An IPv6 address to which the Exporting Process sends Flow information.",,
+TBD,,kill,boolean,current,"Specifies whether the service is scheduled to be killed at the runlevel.",,
+TBD,,interfaceName,string,current,"A short name uniquely describing an interface, eg ""Eth1/0"". See [RFC2863] for the definition of the ifName object.",,
+TBD,,execAsUser,string,current,"The user id of the user the server program should run under.",,
+TBD,,accessPrivilegeType,string,current,"A set of types that represent access privileges (read, write, none, etc.).",,
+TBD,,passwordComplexity,boolean,current,"Indicates whether passwords must meet the complexity requirements put forth by the operating system.",,
+TBD,,exporterIPv4Address,ipv4Address,current,"The IPv4 address used by the Exporting Process. This is used by the Collector to identify the Exporter in cases where the identity of the Exporter may have been obscured by the use of a proxy.",,
+TBD,,passwordpolicy,list,current,"Specifies policy information associated with passwords.","list(maxPasswdAge,minPasswdAge,minPasswdLen,passwordHistLen,passwordComplexity,reversibleEncryption)",
+TBD,,privilegeValue,string,current,"The value content of the privilege represented as an AVP.",,
+TBD,,WGS84Longitude,float64,current,"a label that represents WGS 84 rev 2004 longitude.",,
+TBD,,mTime,dateTimeSeconds,current,"The time of the last change to the file's contents.",,
+TBD,,ipv6AddressValue,ipv6Address,current,"An IPv6 subnet bitmask in CIDR notation. a network interface.",,
+TBD,,standardWriteDac,boolean,current,"The right to modify the DACL in the object's security descriptor.",,
+TBD,,startName,string,current,"Specifies the account under which the process should run.",,
+TBD,,expInact,unsigned32,current,"Describes how many days of account inactivity the system will wait after a password expires before locking the account.",,
+TBD,,applicationDescription,string,current,"Specifies the description of an application.",,
+TBD,,addressType,string,current,"A set of types that specifies the type of address that is expressed in an address subject (e.g. ethernet, modbus, zigbee).",,
+TBD,,rawlowCategory,string,current,"Specifies the set of categories associated with the low sensitivity but in its raw context.",,
+TBD,,auditKeyWow64Res,enumeration,current,"","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,addressValue,string,current,"A value that expresses a generic network address.",,
+TBD,,creationTimestamp,dateTimeSeconds,current,"The date and time when the posture information was created by a SACM Component.",,
+TBD,,aTime,dateTimeSeconds,current,"The time that the file was last accessed.",,
+TBD,,userId,unsigned32,current,"The numeric user id.",,
+TBD,,waitStatus,enumeration,current,"Specifies whether the server that is invoked by inetd will take over the listening socket associated with the service, and whether once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests. The legal values are ""wait"" or ""nowait"".","wait;0x1;The value of 'wait' specifies that the server that is invoked by inetd will take over the listening socket associated with the service, and once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests.||nowait;0x2;The value of 'nowait' specifies that the server that is invoked by inetd will not wait for any existing server to finish before taking over the listening socket associated with the service.||;0x3;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,registryHive,enumeration,current,"The hive that the registry key belongs to.","HKEY_CLASSES_ROOT;0x1;This registry subtree contains information that associates file types with programs and configuration data for automation (e.g. COM objects and Visual Basic Programs).||HKEY_CURRENT_CONFIG;0x2;This registry subtree contains configuration data for the current hardware profile.||HKEY_CURRENT_USER;0x3;This registry subtree contains the user profile of the user that is currently logged into the system.||HKEY_LOCAL_MACHINE;0x4;This registry subtree contains information about the local system.||HKEY_USERS;0x5;This registry subtree contains user-specific data.||;0x6;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,ipVersion,unsigned8,current,"The IP version field in the IP packet header.",,
+TBD,,serviceStart,boolean,current,"Specifies whether or not permission is granted to start the service.",,
+TBD,,lockoutObservationWindow,unsigned32,current,"Specifies the maximum time, in seconds, that can elapse between any two failed logon attempts before lockout occurs.",,
+TBD,,auditFileDeleteChild,enumeration,current,"Right to delete a directory and all the files it contains (its children), even if the files are read-only.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,auditKeyQueryValue,enumeration,current,"","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,osRelease,string,current,"Specifies the build version.",,
+TBD,,commandLine,string,current,"The string used to start the process. This includes any parameters that are part of the command line.",,
+TBD,,fileeffectiverights,list,current,"Stores the effective rights of a file that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL.","list(filepath,path,filename,trusteeSid,trusteeName,standardDelete,standardReadControl,standardWriteDac,standardWriteOwner,standardSynchronize,accessSystemSecurity,genericRead,genericWrite,genericExecute,genericAll,fileReadData,fileWriteData,fileAppendData,fileReadEa,fileWriteEa,fileExecute,fileDeleteChild,fileReadAttributes,fileWriteAttributes,windowsView)",
+TBD,,minPasswdAge,unsigned32,current,"Specifies the minimum number of seconds that can elapse between the time a password changes and when it can be changed again. A value of zero indicates that no delay is required between password updates.",,
+TBD,,type,enumeration,current,"The type of data model use to represent some set of endpoint information. The following table lists the set of data models supported by SACM.","TBD;;||",
+TBD,,mibContextName,string,current,"This Information Element denotes that a MIB Context Name is specified for a MIB field being exported over IPFIX. Reference [RFC3411] section 3.3.",,
+TBD,,priority,unsigned32,current,"The scheduling priority with which the process runs.",,
+TBD,,globallyUniqueIdentifier,unsigned8,current,"TODO.",,
+TBD,,sourceMacAddress,macAddress,current,"The IEEE 802 source MAC address field.",,
+TBD,,user,list,current,"Specifies the groups to which a user belongs.","list(username,enabled,group,lastLogon)",
+TBD,,informationElementId,unsigned16,current,"This Information Element contains the ID of another Information Element.",,
+TBD,,auditKeyNotify,enumeration,current,"","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,administrativeDomainType,string,current,"A label the is supposed to uniquely identify an administrative domain.",,
+TBD,,dataOrigin,string,current,"A label that uniquely identifies a SACM component in and across SACM domains.",,
+TBD,,description,string,current,"Specifies the description of the service.",,
+TBD,,localAddress,ipAddress,current,"This is the IP address being listened to. Note that the IP address can be IPv4 or IPv6.",,
+TBD,,groupSidInfo,list,current,"Specifies the different users and subgroups, that directly belong to specific groups (identified by SID).","list(groupSid,userSid,subgroupSid)",
+TBD,,flags,string,current,"Specifies miscellaneous settings associated with the service with executing a program.",,
+TBD,,jobAccessAdminister,boolean,current,"",,
+TBD,,interfaceFlags,unsigned16,current,"This information element specifies the flags associated with a network interface. Possible values include:",,
+TBD,,onlyFrom,ipAddress,current,"Specifies the remote hosts to which the service is available.",,
+TBD,,softwareIdentifier,string,current,"A globally unique identifier for a particular software application.",,
+TBD,,systemdunitdependency,list,current,"Stores the dependencies of the systemd unit.","list(unit,dependency)",
+TBD,,auditGenericWrite,enumeration,current,"Write access.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,keyNotify,boolean,current,"",,
+TBD,,applicationType,string,current,"A set of types (FIXME maybe a finite set is not realistic here - value not enumerator?) that identifies the type of (user-space) application (e.g. text-editor, policy-editor, service-client, service-server, calender, rouge-like RPG).",,
+TBD,,port,unsigned32,current,"The port entity specifies the port used by the service.",,
+TBD,,homeDir,string,current,"The user's home directory.",,
+TBD,,targetEndpoint,category,current,"Information that identifies a target endpoint on the network. This may be a set of attributes that can be used to identify an endpoint on the network or a label that is unique to a SACM domain.","category(targetEndpointIdentifier |targetEndpointLabel)",
+TBD,,property,string,current,"The property associated with a systemd unit.",,
+TBD,,auditFileReadAttributes,enumeration,current,"Grants the right to read file attributes.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,auditFileWriteAttributes,enumeration,current,"Grants the right to change file attributes.","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,layer2InterfaceType,string,current,"A set of types referenced by IANA ifType.",,
+TBD,,registeredServiceType,enumeration,current,"Specifies the type of internet service.","INTERNAL;0x1;The INTERNAL type is used to describe services like echo, chargen, and others whose functionality is supplied by xinetd itself.||RPC;0x2;The RPC type is used to describe services that use remote procedure call ala NFS.||UNLISTED;0x3;The UNLISTED type is used to describe services that aren't listed in /etc/protocols or /etc/rpc.||TCPMUX;0x4;The TCPMUX type is used to describe services that conform to RFC 1078. This type indiciates that the service is responsible for handling the protocol handshake.||TCPMUXPLUS;0x5;The TCPMUXPLUS type is used to describe services that conform to RFC 1078. This type indicates that xinetd is responsible for handling the protocol handshake.||;0x6;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,networkInterfaceName,string,current,"A label that uniquely identifies an interface associated with a distinguishable endpoint.",,
+TBD,,auditAccessSystemSecurity,enumeration,current,"Indicates access to a system access control list (SACL).","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,addressMaskValue,string,current,"A value that expresses a generic address subnetting bitmask.",,
+TBD,,sourceIPv4Prefix,ipv4Address,current,"IPv4 source address prefix.",,
+TBD,,mibSubIdentifier,unsigned32,current,"A non-negative sub-identifier of an Object Identifier (OID).",,
+TBD,,username,string,current,"The name of the user.",,
+TBD,,standardWriteOwner,boolean,current,"The right to change the owner in the object's security descriptor.",,
+TBD,,keyQueryValue,boolean,current,"Specifies whether or not permission is granted to query the key's value.",,
+TBD,,standardReadControl,boolean,current,"The right to read the information in the object's security descriptor, not including the information in the SACL.",,
+TBD,,process,list,current,"Information about a process running on an endpoint.","list(commandLine,pid,ppid,priority,startTime)",
+TBD,,statementType,string,current,"A set of types that define the type of content that is included in a SACM statement (e.g. Observation, DirectoryContent, Correlation, Assessment, Guidance, Event).",,
+TBD,,userSid,string,current,"Represents the SID of a particular user.",,
+TBD,,emailAddress,string,current,"A value that expresses an email-address.",,
+TBD,,mibObjectDescription,string,current,"The value of the DESCRIPTION clause of an MIB object type definition.",,
+TBD,,discoverer,string,current,"A label that refers to the SACM component that discovered a target endpoint (can be used in a target-endpoint subject to express, for example, that the target endpoint was authenticated by that SACM component).",,
+TBD,,lowCategory,string,current,"Specifies the set of categories associated with the low sensitivity.",,
+TBD,,networkZoneLocation,string,current,"The zone location of an endpoint on the network (e.g. internet, enterprise DMZ, enterprise WAN, enclave DMZ, enclave).",,
+TBD,,superInterfaceLabel,string,current,"a unique label a super network interface (e.g. a physical interface a tunnel interface terminates on) can be referenced with.",,
+TBD,,webSite,string,current,"a URI that references a web-site.",,
+TBD,,exporterIPv6Address,ipv6Address,current,"The IPv6 address used by the Exporting Process. This is used by the Collector to identify the Exporter in cases where the identity of the Exporter may have been obscured by the use of a proxy.",,
+TBD,,minPasswdLen,unsigned32,current,"Specifies the minimum allowable password length. Valid values for this element are zero through PWLEN.",,
+TBD,,printerAccessAdminister,boolean,current,"",,
+TBD,,ipv6AddressSubnetMaskCidrNotation,string,current,"An IPv6 subnet bitmask in CIDR notation.",,
+TBD,,auditKeyWow6464Key,enumeration,current,"","AUDIT_FAILURE;0x1;The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.||AUDIT_NONE;0x2;The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.||AUDIT_SUCCESS;0x3;The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.||AUDIT_SUCCESS_FAILURE;0x4;The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.||;0x5;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,mibObjectSyntax,string,current,"The value of the SYNTAX clause of an MIB object type definition, which may include a Textual Convention or Subtyping. See [RFC2578].",,
+TBD,,sharedresourceauditedpermissions,list,current,"Stores the audited access rights of a shared resource that a system access control list (SACL) structure grants to a specified trustee. The trustee's audited access rights are determined checking all access control entries (ACEs) in the SACL.","list(netname,trusteeSid,standardDelete,standardReadControl,standardWriteDac,standardWriteOwner,standardSynchronize,accessSystemSecurity,genericRead,genericWrite,genericExecute,genericAll)",
+TBD,,inetlisteningserver,list,current,"Stores the results of checking for network servers currently active on a system. It holds information pertaining to a specific protocol-address-port combination.","list(transportProtocol,localAddress,localPort,localFullAddress,programName,foreignAddress,foreignPort,foreignFullAddress,pid,userId)",
+TBD,,chgReq,unsigned32,current,"Describes how long a user can keep a password before the system forces her to change it.",,
+TBD,,sgid,boolean,current,"Indicates whether the program runs with the gid (thus privileges) of the file's group owner, rather than the calling user's group.",,
+TBD,,softwareCreator,string,current,"The software developer (e.g., vendor or author).",,
+TBD,,collectionTaskType,string,current,"A set of types that defines how collected SACM content was acquired (e.g. network-observation, remote-acquisition, self-reported, derived, authority, verified).",,
+TBD,,servicePause,boolean,current,"Specifies whether or not permission is granted to pause or continue the service.",,
+TBD,,fileReadData,boolean,current,"Grants the right to read data from the file",,
+TBD,,regkeyeffectiverights,list,current,"Stores the effective rights of a registry key that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL.","list(registryHive,registryKey,trusteeSid,trusteeName,standardDelete,standardReadControl,standardWriteDac,standardWriteOwner,standardSynchronize,accessSystemSecurity,genericRead,genericWrite,genericExecute,genericAll,keyQueryValue,keySetValue,keyCreateSubKey,keyEnumerateSubKeys,keyNotify,keyCreateLink,keyWow6464Key,keyWow6432Key,keyWow64Res,windowsView)",
+TBD,,registryKeyType,enumeration,current," Specifies the type of data stored by the registry key.","reg_binary;0x1;The reg_binary type is used by registry keys that specify binary data in any form.||reg_dword;0x2;The reg_dword type is used by registry keys that specify an unsigned 32-bit integer.||reg_dword_little_endian;0x3;The reg_dword_little_endian type is used by registry keys that specify an unsigned 32-bit little-endian integer. It is designed to run on little-endian computer architectures.||reg_dword_big_endian;0x4;The reg_dword_big_endian type is used by registry keys that specify an unsigned 32-bit big-endian integer. It is designed to run on big-endian computer architectures.||reg_expand_sz;0x5;The reg_expand_sz type is used by registry keys to specify a null-terminated string that contains unexpanded references to environment variables (for example, ""%PATH%"").||reg_link;0x6;The reg_link type is used by the registry keys for null-terminated unicode strings. It is related to target path of a symbolic link created by the RegCreateKeyEx function.||reg_multi_sz;0x7;The reg_multi_sz type is used by registry keys that specify an array of null-terminated strings, terminated by two null characters.||reg_none;0x8;The reg_none type is used by registry keys that have no defined value type.||reg_qword;0x9;The reg_qword type is used by registry keys that specify an unsigned 64-bit integer.||reg_qword_little_endian;0xA;The reg_qword_little_endian type is used by registry keys that specify an unsigned 64-bit integer in little-endian computer architectures.||reg_sz;0xB;The reg_sz type is used by registry keys that specify a single null-terminated string.||reg_resource_list;0xC;The reg_resource_list type is used by registry keys that specify a resource list.||reg_full_resource_descriptor;0xD;The reg_full_resource_descriptor type is used by registry keys that specify a full resource descriptor.||reg_resource_requirements_list;0xE;The reg_resource_requirements_list type is used by registry keys that specify a resource requirements list.||;0xF;The empty string value is permitted here to allow for detailed error reporting.||",
+TBD,,simpleSoftwareVersion,string,current,"The version string for a software application that conforms to the format of a list of hierarchical non-negative integers separated by a single character delimiter format.",,
+TBD,,sessionStateType,string,current,"A set of types a discernible session (an ongoing network interaction) can be in (e.g. Authenticating, Authenticated, Postured, Started, Disconnected).",,
+TBD,,role,string,current,"Specifies the types that a process may transition to (domain transitions).",,
+TBD,,storageTimestamp,dateTimeSeconds,current,"The date and time when the posture information was stored in a Repository.",,
+TBD,,controlsAccepted,enumeration,current,"Specifies the control codes that a service will accept and process.","SERVICE_ACCEPT_NETBINDCHANGE;0x1;The SERVICE_ACCEPT_NETBINDCHANGE type means that the service is a network component and can accept changes in its binding without being stopped or restarted. The DWORD value that this corresponds to is 0x00000010.||SERVICE_ACCEPT_PARAMCHANGE;0x2;The SERVICE_ACCEPT_PARAMCHANGE type means that the service can re-read its startup parameters without being stopped or restarted. The DWORD value that this corresponds to is 0x00000008.||SERVICE_ACCEPT_PAUSE_CONTINUE;0x3;The SERVICE_ACCEPT_PAUSE_CONTINUE type means that the service can be paused or continued. The DWORD value that this corresponds to is 0x00000002.||SERVICE_ACCEPT_PRESHUTDOWN;0x4;The SERVICE_ACCEPT_PRESHUTDOWN type means that the service can receive pre-shutdown notifications. The DWORD value that this corresponds to is 0x00000100.||SERVICE_ACCEPT_SHUTDOWN;0x5;The SERVICE_ACCEPT_SHUTDOWN type means that the service can receive shutdown notifications. The DWORD value that this corresponds to is 0x00000004.||SERVICE_ACCEPT_STOP;0x6;The SERVICE_ACCEPT_STOP type means that the service can be stopped. The DWORD value that this corresponds to is 0x00000001.||SERVICE_ACCEPT_HARDWAREPROFILECHANGE;0x7;The SERVICE_ACCEPT_HARDWAREPROFILECHANGE type means that the service can receive notifications when the system's hardware profile changes. The DWORD value that this corresponds to is 0x00000020.||SERVICE_ACCEPT_POWEREVENT;0x8;The SERVICE_ACCEPT_POWEREVENT type means that the service can receive notifications when the system's power status has changed. The DWORD value that this corresponds to is 0x00000040.||SERVICE_ACCEPT_SESSIONCHANGE;0x9;The SERVICE_ACCEPT_SESSIONCHANGE type means that the service can receive notifications when the system's session status has changed. The DWORD value that this corresponds to is 0x00000080.||SERVICE_ACCEPT_TIMECHANGE;0xA;The SERVICE_ACCEPT_TIMECHANGE type means that the service can receive notifications when the system time changes. The DWORD value that this corresponds to is 0x00000200.||SERVICE_ACCEPT_TRIGGEREVENT;0xB;The SERVICE_ACCEPT_TRIGGEREVENT type means that the service can receive notifications when an event that the service has registered for occurs on the system. The DWORD value that this corresponds to is 0x00000400.||;0xC;The empty string value is permitted here to allow for empty elements associated with error conditions.||",
+TBD,,default-depth,string,current,"A value that expresses how often a circular reference of subject is allowed to repeat, or how deep a recursive nesting may occur, respectively.",,
+TBD,,accountName,string,current,"A label that uniquely identifies an account that can require some form of (user) authentication to access.",,
+TBD,,firmwareId,string,current,"A label that represents the BIOS or firmware ID of a specific target endpoint.",,
+TBD,,registryKey,string,current,"Describes the registry key. Note that the hive portion of the string should not be included, as this data can be found under the hive element.",,
+TBD,,addressAssociationType,string,current,"A label the is supposed to uniquely identify an administrative domain.",,
+TBD,,groupId,unsigned32,current,"The group owner of the file, by group number.",,
+TBD,,informationElementRangeEnd,unsigned64,current,"Contains the inclusive high end of the range of acceptable values for an Information Element.",,
+TBD,,layer4Protocol,string,current,"A set of types that express a layer 4 protocol (e.g. UDP or TCP).",,
+TBD,,osName,string,current,"Specifies the operating system name.",,
+TBD,,suid,boolean,current,"Indicates whether the program runs with the uid (thus privileges) of the file's owner, rather than the calling user.",,
+TBD,,lockoutThreshold,unsigned32,current,"Specifies the number of invalid password authentications that can occur before an account is marked ""locked out.""",,
+TBD,,userDirectory,string,current,"a label that identifies a specific type of user-directory (e.g. ldap, active-directory, local-user).",,
+TBD,,registry,list,current,"Specifies information that can be collected about a particular registry key.","list(registryHive,registryKey,registryKeyName,lastWriteTime,registryKeyType,registryKeyValue,windowsView)",
+TBD,,personLastName,string,current,"The last name of a natural person.",,
+TBD,,networkAccessLevelType,string,current,"A set of types that expresses categories of network access-levels (e.g. block, quarantine, etc.).",,
+TBD,,rawlowSensitivity,string,current,"Specifies the current sensitivity of a file or process but in its raw context.",,
+TBD,,macAddressValue,string,current,"A value that expresses an Ethernet address.",,
+TBD,,currentState,enumeration,current,"Specifies the current state of the service.","SERVICE_CONTINUE_PENDING;0x1;The SERVICE_CONTINUE_PENDING type means that the service has been sent a command to continue, however, the command has not yet been executed. The DWORD value that this corresponds||to is 0x00000005. SERVICE_PAUSE_PENDING;0x2;The SERVICE_PAUSE_PENDING type means that the service has been sent a command to pause, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000006.||SERVICE_PAUSED;0x3;The SERVICE_PAUSED type means that the service is paused. The DWORD value that this corresponds to is 0x00000007.||SERVICE_RUNNING;0x4;The SERVICE_RUNNING type means that the service is running. The DWORD value that this corresponds to is 0x00000004.||SERVICE_START_PENDING;0x5;The SERVICE_START_PENDING type means that the service has been sent a command to start, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000002.||SERVICE_STOP_PENDING;0x6;The SERVICE_STOP_PENDING type means that the service has been sent a command to stop, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000003.||SERVICE_STOPPED;0x7;The SERVICE_STOPPED type means that the service is stopped. The DWORD value that this corresponds to is 0x00000001.||;0x8;The empty string value is permitted here to allow for empty elements associated with error conditions.||",
+TBD,,statementGuid,string,current,"A label that expresses a global unique ID referencing a specific SACM statement that was produced by a SACM component.",,
+TBD,,interfaceType,unsigned32,current,"The type of a network interface. The value matches the value of managed object 'ifType' as defined in [IANA registry ianaiftype-mib].",,
+TBD,,inetAddr,ipAddress,current,"The IP address of the specific interface. Note that the IP address can be IPv4 or IPv6.",,
+TBD,,networkName,string,current,"A label that is associated with a network. Some networks, for example, effective layer2-broadcast-domains are difficult to ""grasp"" and therefore quite difficult to name.",,
+TBD,,ingressInterface,unsigned32,current,"The index of the IP interface where packets of this Flow are being received. The value matches the value of managed object 'ifIndex' as defined in [RFC2863]. Note that ifIndex values are not assigned statically to an interface and that the interfaces may be renumbered every time the device's management system is re-initialized, as specified in [RFC2863].",,
+TBD,,jobAccessRead,boolean,current,"",,
+TBD,,countryCode,string,current,"A set of types according to ISO 3166-1.",,
+TBD,,subgroupSid,string,current,"Represents the SID of a particular subgroup.",,
+TBD,,mibObjectValueTimeTicks,unsigned32,current,"An IPFIX Information Element which denotes that the TimeTicks value of a MIB object will be exported. The MIB Object Identifier (""mibObjectIdentifier"") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of TimeTicks. The value is encoded as per the standard IPFIX Abstract Data Type of unsigned32.",,
+TBD,,sourceTransportPort,unsigned16,current,"The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header. This field MAY also be used for future transport protocols that have 16-bit source port identifiers.",,
+TBD,,groupInfo,list,current,"Specifies the different users and subgroups, that directly belong to specific groups.","list(group,username,subgroup)",
+TBD,,fileWriteData,boolean,current,"Grants the right to write data to the file.",,
+TBD,,unitsReceived,string,current,"a value that represents a number of units (e.g. frames, packets, cells or segments) received on a network interface.",,
+TBD,,mibObjectValueCounter,unsigned64,current,"An IPFIX Information Element which denotes that the counter value of a MIB object will be exported. The MIB Object Identifier (""mibObjectIdentifier"") for this field MUST be exported in a MIB Field Option or via another means. This Information Element is used for MIB objects with the Base Syntax of Counter32 or Counter64 with IPFIX Reduced Size Encoding used as required. The value is encoded as per the standard IPFIX Abstract Data Type of unsigned64.",,
+TBD,,keyWow64Res,boolean,current,"",,
diff --git a/lib b/lib
deleted file mode 160000
index 4e73a2f..0000000
--- a/lib
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 4e73a2f93295f8a8bef218b82a0741d73756ed14