forked from OVALProject/Sandbox
-
Notifications
You must be signed in to change notification settings - Fork 1
/
x-asa-acl.xsd
300 lines (300 loc) · 19.5 KB
/
x-asa-acl.xsd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
<?xml version="1.0" encoding="utf-8"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5" xmlns:asa-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#asa" xmlns:asa-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#asa" xmlns:x-asa-acl="http://oval.mitre.org/XMLSchema/x-asa-acl" xmlns:sch="http://purl.oclc.org/dsdl/schematron" targetNamespace="http://oval.mitre.org/XMLSchema/x-asa-acl" elementFormDefault="qualified" version="5.11">
<xsd:import namespace="http://oval.mitre.org/XMLSchema/oval-definitions-5" schemaLocation="oval-definitions-schema.xsd" />
<xsd:import namespace="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5" schemaLocation="oval-system-characteristics-schema.xsd" />
<xsd:annotation>
<xsd:documentation>The following is a proposal for the experimental asa-def:acl_test and asa-sc:acl_item that will support checking the output lines of access control lists (ACL) configurations on Cisco ASA 5500 Series Adaptive Security Appliances</xsd:documentation>
<xsd:documentation>Thanks to Omar Santos and Panos Kampanakis of Cisco for providing this test.</xsd:documentation>
<xsd:appinfo>
<schema>Experimental Schema for Cisco ASA 5500 Series Security Appliances access control list (ACL) Test</schema>
<version>5.11</version>
<date>10/15/2012 10:00:00 AM</date>
<terms_of_use>Copyright (c) 2002-2012, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at http://oval.mitre.org/oval/about/termsofuse.html. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.</terms_of_use>
<sch:ns prefix="oval-def" uri="http://oval.mitre.org/XMLSchema/oval-definitions-5" />
<sch:ns prefix="oval-sc" uri="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5" />
<sch:ns prefix="asa-def" uri="http://oval.mitre.org/XMLSchema/oval-definitions-5#asa" />
<sch:ns prefix="asa-sc" uri="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#asa" />
<sch:ns prefix="x-asa-acl" uri="http://oval.mitre.org/XMLSchema/x-asa-acl" />
<sch:ns prefix="xsi" uri="http://www.w3.org/2001/XMLSchema-instance" />
</xsd:appinfo>
</xsd:annotation>
<!-- =============================================================================== -->
<!-- ================================ ASA ACL TEST ================================ -->
<!-- =============================================================================== -->
<xsd:element name="acl_test" substitutionGroup="oval-def:test">
<xsd:annotation>
<xsd:documentation>The acl test is used to check the properties of specific output lines from an ACL configuration.</xsd:documentation>
<xsd:appinfo>
<oval:element_mapping>
<oval:test>acl_test</oval:test>
<oval:object>acl_object</oval:object>
<oval:state>acl_state</oval:state>
<oval:item target_namespace="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#x-asa-acl">acl_item</oval:item>
</oval:element_mapping>
</xsd:appinfo>
<xsd:appinfo>
<sch:pattern id="x-asa-acl_acltst">
<sch:rule context="x-asa-acl:acl_test/x-asa-acl:object">
<sch:assert test="@object_ref=ancestor::oval-def:oval_definitions/oval-def:objects/x-asa-acl:acl_object/@id">
<sch:value-of select="../@id" /> - the object child element of a acl_test must reference a acl_object</sch:assert>
</sch:rule>
<sch:rule context="x-asa-acl:acl_test/x-asa-acl:state">
<sch:assert test="@state_ref=ancestor::oval-def:oval_definitions/oval-def:states/x-asa-acl:acl_state/@id">
<sch:value-of select="../@id" /> - the state child element of a acl_test must reference a acl_state</sch:assert>
</sch:rule>
</sch:pattern>
</xsd:appinfo>
</xsd:annotation>
<xsd:complexType>
<xsd:complexContent>
<xsd:extension base="oval-def:TestType">
<xsd:sequence>
<xsd:element name="object" type="oval-def:ObjectRefType" />
<xsd:element name="state" type="oval-def:StateRefType" minOccurs="0" maxOccurs="unbounded" />
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
</xsd:element>
<xsd:element name="acl_object" substitutionGroup="oval-def:object">
<xsd:annotation>
<xsd:documentation>The acl_object element is used by an acl_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.</xsd:documentation>
<xsd:documentation>An acl object consists of a an acl name and an IP version entity that is the name and the IP protocol version of the access-list to be tested.</xsd:documentation>
<xsd:appinfo>
<sch:pattern id="x-asa-acl_acl_object_verify_filter_state">
<sch:rule context="x-asa-acl:acl_object//oval-def:filter">
<sch:let name="parent_object" value="ancestor::x-asa-acl:acl_object" />
<sch:let name="parent_object_id" value="$parent_object/@id" />
<sch:let name="state_ref" value="." />
<sch:let name="reffed_state" value="ancestor::oval-def:oval_definitions/oval-def:states/*[@id=$state_ref]" />
<sch:let name="state_name" value="local-name($reffed_state)" />
<sch:let name="state_namespace" value="namespace-uri($reffed_state)" />
<sch:assert test="(($state_namespace='http://oval.mitre.org/XMLSchema/oval-definitions-5#x-asa-acl') and ($state_name='acl_state'))">State referenced in filter for <sch:value-of select="name($parent_object)" /> '<sch:value-of select="$parent_object_id" />' is of the wrong type.</sch:assert>
</sch:rule>
</sch:pattern>
</xsd:appinfo>
</xsd:annotation>
<xsd:complexType>
<xsd:complexContent>
<xsd:extension base="oval-def:ObjectType">
<xsd:sequence>
<xsd:choice>
<xsd:element ref="oval-def:set" />
<xsd:sequence>
<xsd:element name="name" type="oval-def:EntityObjectStringType">
<xsd:annotation>
<xsd:documentation>The name of the ACL.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="ip_version" type="x-asa-acl:EntityObjectAccessListIPVersionType">
<xsd:annotation>
<xsd:documentation>The IP version of the ACL.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element ref="oval-def:filter" minOccurs="0" maxOccurs="unbounded" />
</xsd:sequence>
</xsd:choice>
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
</xsd:element>
<xsd:element name="acl_state" substitutionGroup="oval-def:state">
<xsd:annotation>
<xsd:documentation>The acl_state element defines the different information that can be used to evaluate the result of a specific ACL configuration. This includes the name of ths ACL and the corresponding config lines. Please refer to the individual elements in the schema for more details about what each represents.</xsd:documentation>
</xsd:annotation>
<xsd:complexType>
<xsd:complexContent>
<xsd:extension base="oval-def:StateType">
<xsd:sequence>
<xsd:element name="name" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>The name of the ACL.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="ip_version" type="x-asa-acl:EntityStateAccessListIPVersionType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>The IP version of the ACL (i.e. IPv4 or IPv6 or both for UACLs).</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="use" type="x-asa-acl:EntityStateAccessListUseType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>The feature where the ACL is used.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="used_in" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>The name of where the ACL is used. For example if use is 'INTERFACE', use_in will be the name of the interface.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="interface_direction" type="x-asa-acl:EntityStateAccessListInterfaceDirectionType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>The direction the ACL is applied by using the access-group command. Inbound access lists apply to traffic as it enters an interface.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="acl_config_lines" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>The value returned with all config lines of the ACL.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="config_line" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>The value returned with one ACL config line at a time.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
</xsd:element>
<!-- =============================================================================== -->
<!-- ============================ ASA ACL OBJECT TYPES =============================== -->
<!-- =============================================================================== -->
<xsd:complexType name="EntityObjectAccessListIPVersionType">
<xsd:annotation>
<xsd:documentation>The EntityObjectRoutingProtocolType complex type restricts a string value to a specific set of values: IPV4, IPV6 or IPV4_V6 (both). These values describe if an ACL is for IPv4 or IPv6 or both for UACLs in a Cisco ASA configuration.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:restriction base="oval-def:EntityObjectStringType">
<xsd:enumeration value="IPV4" />
<xsd:enumeration value="IPV6" />
<xsd:enumeration value="IPV4_V6" />
</xsd:restriction>
</xsd:simpleContent>
</xsd:complexType>
<!-- =============================================================================== -->
<!-- ============================= ASA ACL STATE TYPES =============================== -->
<!-- =============================================================================== -->
<xsd:complexType name="EntityStateAccessListIPVersionType">
<xsd:annotation>
<xsd:documentation>The EntityStateIPVersionType complex type restricts a string value to a specific set of values: IPV4, IPV6 or IPV4_V6 (both). These values describe if an ACL is for IPv4 or IPv6 or both for UACLs in a Cisco ASA configuration.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:restriction base="oval-def:EntityStateStringType">
<xsd:enumeration value="IPV4" />
<xsd:enumeration value="IPV6" />
<xsd:enumeration value="IPV4_V6" />
</xsd:restriction>
</xsd:simpleContent>
</xsd:complexType>
<xsd:complexType name="EntityStateAccessListUseType">
<xsd:annotation>
<xsd:documentation>The EntityStateAccessListUseType complex type restricts a string value to a specific set of values: INTERFACE, INTERFACE_CP (control plane interface ACL), CRYPTO_MAP_MATCH, CLASS_MAP_MATCH, ROUTE_MAP_MATCH, IGMP_FILTER, NONE. These values describe the ACL use in a Cisco ASA configuration.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:restriction base="oval-def:EntityStateStringType">
<xsd:enumeration value="INTERFACE" />
<xsd:enumeration value="INTERFACE_CP" />
<xsd:enumeration value="CRYPTO_MAP_MATCH" />
<xsd:enumeration value="CLASS_MAP_MATCH" />
<xsd:enumeration value="ROUTE_MAP_MATCH" />
<xsd:enumeration value="IGMP_FILTER" />
<xsd:enumeration value="NONE" />
</xsd:restriction>
</xsd:simpleContent>
</xsd:complexType>
<xsd:complexType name="EntityStateAccessListInterfaceDirectionType">
<xsd:annotation>
<xsd:documentation>The EntityStateAccessListInterfaceDirectionType complex type restricts a string value to a specific set of values: IN, OUT. These values describe the inbound or outbound ACL direction on an interface in a Cisco ASA configuration. These values are defined with the access-group command.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:restriction base="oval-def:EntityStateStringType">
<xsd:enumeration value="IN" />
<xsd:enumeration value="OUT" />
</xsd:restriction>
</xsd:simpleContent>
</xsd:complexType>
<!-- =============================================================================== -->
<!-- ========================= ASA ACL ITEM ================================= -->
<!-- =============================================================================== -->
<xsd:element name="acl_item" substitutionGroup="oval-sc:item">
<xsd:annotation>
<xsd:documentation>Stores command that are part of a asa configuration section. For example all configuration lines under an interface. It should not store configurations for configs that already have a separate item. For example OSPF has a router item and should not also be stored in a acl_item. </xsd:documentation>
</xsd:annotation>
<xsd:complexType>
<xsd:complexContent>
<xsd:extension base="oval-sc:ItemType">
<xsd:sequence>
<xsd:element name="name" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>Element with the name of the ACL.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="ip_version" type="x-asa-acl:EntityItemAccessListIPVersionType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>Element with the IP version of the ACL.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="use" type="x-asa-acl:EntityItemAccessListUseType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>Element with the feature where the ACL is used. If the same ACL is applied in more than one feature (i.e interface and crypto map), multiple items needs to be created.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="used_in" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>Element with the name of where the ACL is used. For example if use is 'INTERFACE', use_in will be the name of the interface. If the same ACL is applied in more than one feature (i.e interface and crypto map), multiple items needs to be created.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="interface_direction" type="x-asa-acl:EntityItemAccessListInterfaceDirectionType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>Element with the direction the ACL is applied to an interface using the access-group command.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="acl_config_lines" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>Element with the value returned with all config lines of the ACL.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="config_line" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>Element with the value returned with one ACL config line at a time.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
</xsd:element>
<!-- =============================================================================== -->
<!-- =============================== ASA ACL ITEM TYPES ============================== -->
<!-- =============================================================================== -->
<xsd:complexType name="EntityItemAccessListIPVersionType">
<xsd:annotation>
<xsd:documentation>The EntityItemRoutingProtocolType complex type restricts a string value to a specific set of values: IPV4, IPV6 or IPV4_V6 (both). These values describe if an ACL is for IPv4 or both for UACLs or IPv6 in a Cisco asa configuration.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:restriction base="oval-sc:EntityItemStringType">
<xsd:enumeration value="IPV4" />
<xsd:enumeration value="IPV6" />
<xsd:enumeration value="IPV4_V6" />
</xsd:restriction>
</xsd:simpleContent>
</xsd:complexType>
<xsd:complexType name="EntityItemAccessListUseType">
<xsd:annotation>
<xsd:documentation>The EntityItemAccessListUseType complex type restricts a string value to a specific set of values: INTERFACE, INTERFACE_CP (control plane interface ACL), CRYPTO_MAP_MATCH, CLASS_MAP_MATCH, ROUTE_MAP_MATCH, IGMP_FILTER, NONE. These values describe the ACL use in a Cisco asa configuration.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:restriction base="oval-sc:EntityItemStringType">
<xsd:enumeration value="INTERFACE" />
<xsd:enumeration value="INTERFACE_CP" />
<xsd:enumeration value="CRYPTO_MAP_MATCH" />
<xsd:enumeration value="CLASS_MAP_MATCH" />
<xsd:enumeration value="ROUTE_MAP_MATCH" />
<xsd:enumeration value="IGMP_FILTER" />
<xsd:enumeration value="NONE" />
</xsd:restriction>
</xsd:simpleContent>
</xsd:complexType>
<xsd:complexType name="EntityItemAccessListInterfaceDirectionType">
<xsd:annotation>
<xsd:documentation>The EntityItemAccessListInterfaceDirectionType complex type restricts a string value to a specific set of values: IN, OUT. These values describe the inbound or outbound ACL direction on an interface in a Cisco ASA configuration.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:restriction base="oval-sc:EntityItemStringType">
<xsd:enumeration value="IN" />
<xsd:enumeration value="OUT" />
</xsd:restriction>
</xsd:simpleContent>
</xsd:complexType>
</xsd:schema>