OVAL
From MRL Wiki
Open Vulnerability and Assessment Language (OVAL) is an XML language standard introduced by MITRE and the OVAL Community (sponsored by US-CERT at the U.S. Department of Homeland Security). It was designed to provide a structured means for network and system administrators to detect vulnerabilities and configuration problems on their systems. As one of its missions, OVAL sets out to bring a standard assessment approach that can be used by assessment tools.
OVAL Language
OVAL is split into three schemas corresponding to the three stages of the evaluation and assessment process: collecting information from systems, standardized tests, and reporting of results.
OVAL System Characteristics Schema
The OVAL System Characteristics Schema is used for collecting system characteristics and configuration information. The schema provides a database of operating system parameters, installed applications, application settings, and other security-relevant attributes.
Below is an example of the Windows operating system minimum password length parameter:
<xsd:element name="min_passwd_len" type="oval-sc:EntityItemIntType" minOccurs="0" maxOccurs="1">
  <xsd:annotation>
    <xsd:documentation>Specifies the minimum allowable password length. Valid values for
    this element are zero through PWLEN.</xsd:documentation>
    <xsd:appinfo>
      <sch:pattern id="ppitemmin_passwd_len">
        <sch:rule context="win-sc:passwordpolicy_item/win-sc:min_passwd_len">
          <sch:assert test="not(@datatype) or @datatype='int'">item <value-of select="../@id"/> -
          datatype attribute for the min_passwd_len entity of a passwordpolicy_item should be 'int'</sch:assert>
        </sch:rule>
      </sch:pattern>
    </xsd:appinfo>
  </xsd:annotation>
</xsd:element>
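To show what the Schematron rule above actually enforces at evaluation time, here is an added Python example (not part of the wiki page, the OVAL schemas, or any OVAL tool). It applies the datatype assertion and the documented zero-through-PWLEN range to a constructed set of collected passwordpolicy_item elements, and then performs the kind of comparison a compliance definition would express against a required minimum. The namespace URIs and the PWLEN value of 256 (the lmcons.h constant) are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs assumed to be those of the OVAL 5 system-characteristics schema.
NS = {
    "oval-sc": "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5",
    "win-sc": "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows",
}
# Upper bound named by the schema documentation; 256 is the lmcons.h constant
# and is an assumption of this example.
PWLEN = 256

# Constructed sample of collected items (not real collector output).
SAMPLE_ITEMS = """<system_data
    xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"
    xmlns:win-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">
  <win-sc:passwordpolicy_item id="1">
    <win-sc:min_passwd_len datatype="int">8</win-sc:min_passwd_len>
  </win-sc:passwordpolicy_item>
  <win-sc:passwordpolicy_item id="2">
    <win-sc:min_passwd_len datatype="string">eight</win-sc:min_passwd_len>
  </win-sc:passwordpolicy_item>
  <win-sc:passwordpolicy_item id="3">
    <win-sc:min_passwd_len>0</win-sc:min_passwd_len>
  </win-sc:passwordpolicy_item>
  <win-sc:passwordpolicy_item id="4">
    <win-sc:min_passwd_len datatype="int">999</win-sc:min_passwd_len>
  </win-sc:passwordpolicy_item>
</system_data>"""


def check_password_policy_items(xml_text):
    """Apply the schema's rule for min_passwd_len to every passwordpolicy_item
    and return {item id: [problem, ...]}; an empty list means the item passed."""
    root = ET.fromstring(xml_text)
    report = {}
    for item in root.findall(".//win-sc:passwordpolicy_item", NS):
        problems = []
        entity = item.find("win-sc:min_passwd_len", NS)
        if entity is not None:  # minOccurs="0": the entity may be absent
            datatype = entity.get("datatype")
            # Schematron assert: not(@datatype) or @datatype='int'
            if datatype is not None and datatype != "int":
                problems.append(f"datatype attribute should be 'int', got {datatype!r}")
            else:
                try:
                    value = int((entity.text or "").strip())
                except ValueError:
                    problems.append(f"value {entity.text!r} is not an integer")
                else:
                    # Documentation: valid values are zero through PWLEN.
                    if not 0 <= value <= PWLEN:
                        problems.append(f"value {value} is outside 0..{PWLEN}")
        report[item.get("id")] = problems
    return report


def min_passwd_len_below(xml_text, required):
    """Ids of items whose collected minimum password length is below `required`,
    skipping items that would already fail the datatype rule."""
    root = ET.fromstring(xml_text)
    weak = []
    for item in root.findall(".//win-sc:passwordpolicy_item", NS):
        entity = item.find("win-sc:min_passwd_len", NS)
        if entity is None or entity.get("datatype", "int") != "int":
            continue
        try:
            if int((entity.text or "").strip()) < required:
                weak.append(item.get("id"))
        except ValueError:
            continue
    return weak


if __name__ == "__main__":
    for item_id, problems in check_password_policy_items(SAMPLE_ITEMS).items():
        print(item_id, problems or "ok")
    print("below policy minimum of 8:", min_passwd_len_below(SAMPLE_ITEMS, 8))
```

Items that fail the datatype assertion are reported rather than compared, which mirrors the schema's intent: a collected value whose type is wrong should not silently pass or fail a policy test.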
OVAL Definition Schema
The OVAL Definition Schema is used for writing definitions that test for known vulnerabilities, configuration issues, and patch level. Definitions are organized into repositories and released by a number of vendors to support their products. There are three classes of OVAL definitions:
- OVAL Vulnerability Definitions - tests for the presence of vulnerabilities
- OVAL Compliance Definitions - tests the configuration settings of a system and compares them with a security policy
- OVAL Patch Definitions - tests that determine whether a particular patch is appropriate for the system
Here is an example of the metadata portion of a vulnerability definition from MITRE's OVAL Repository:
<definition id="oval:org.mitre.oval:def:965" version="1" class="vulnerability">
  <metadata>
    <title>IE6 Script Execution Vulnerability (Win2K/XP,SP1)</title>
    <affected family="windows">
      <platform>Microsoft Windows 2000</platform>
      <platform>Microsoft Windows XP</platform>
      <product>Microsoft Internet Explorer</product>
    </affected>
    <reference source="CVE" ref_id="CVE-2006-1190" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1190"/>
    <description>Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information
    when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security
    context or zone, and allow remote attackers to execute arbitrary code.</description>
  ...
Following the metadata, the definition carries criteria that determine whether the evaluated system is vulnerable. Here is the criteria tree that determines whether a machine is vulnerable to the IE6 Script Execution Vulnerability above:
<criteria comment="Software section" operator="AND">
  <criteria operator="OR" comment="Win2K or XP,SP1 is installed">
    <criterion comment="Windows 2000 is installed" negate="false" test_ref="oval:org.mitre.oval:tst:3085"/>
    <criteria operator="AND" comment="Windows XP 32-bit SP1 is installed">
      <criteria operator="AND" comment="Windows XP 32-bit edition is installed">
        <criterion comment="Windows XP is installed" negate="false" test_ref="oval:org.mitre.oval:tst:2838"/>
        <criterion comment="32-Bit version of Windows is installed" negate="false" test_ref="oval:org.mitre.oval:tst:2748"/>
      </criteria>
      <criterion comment="Win2K/XP/2003 service pack 1 is installed" negate="false" test_ref="oval:org.mitre.oval:tst:2843"/>
    </criteria>
  </criteria>
  <criterion comment="Internet Explorer 6 (any patch level) is installed" negate="false" test_ref="oval:org.mitre.oval:tst:2333"/>
  <criterion comment="the version of mshtml.dll is less than 6.0.2800.1543" negate="false" test_ref="oval:org.mitre.oval:tst:2332"/>
</criteria>
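How an evaluator folds a criteria tree like this into a single definition result is not shown on the page. The following Python is an added example, not code from the wiki or from MITRE's OVAL Interpreter. It evaluates a constructed definition with placeholder test ids (oval:example:tst:N, shaped like the tree above but with an extra negated criterion) against per-test results, applying the AND/OR operators, the negate attribute, and a simplified propagation of "unknown" for tests that could not be evaluated. Real OVAL results distinguish further states (error, not evaluated, not applicable); this example collapses them into "unknown".

```python
import xml.etree.ElementTree as ET

# Constructed definition fragment that follows the shape of the page's example
# but uses placeholder test ids; it is not taken from the OVAL repository.
DEFINITION = """<definition id="oval:example:def:1" version="1" class="vulnerability">
  <criteria comment="Software section" operator="AND">
    <criteria operator="OR" comment="Win2K or XP SP1 is installed">
      <criterion comment="Windows 2000 is installed" test_ref="oval:example:tst:1"/>
      <criteria operator="AND" comment="Windows XP 32-bit SP1 is installed">
        <criterion comment="Windows XP is installed" test_ref="oval:example:tst:2"/>
        <criterion comment="32-bit Windows is installed" test_ref="oval:example:tst:3"/>
        <criterion comment="Service pack 1 is installed" test_ref="oval:example:tst:4"/>
      </criteria>
    </criteria>
    <criterion comment="Internet Explorer 6 is installed" test_ref="oval:example:tst:5"/>
    <criterion comment="mshtml.dll is older than the fixed build" test_ref="oval:example:tst:6"/>
    <criterion comment="the hotfix is NOT installed" negate="true" test_ref="oval:example:tst:7"/>
  </criteria>
</definition>"""

TRUE, FALSE, UNKNOWN = "true", "false", "unknown"


def combine(operator, values):
    """Fold child results with AND or OR. A single false decides AND and a
    single true decides OR; 'unknown' survives only when nothing decides it."""
    if operator == "AND":
        if FALSE in values:
            return FALSE
        return UNKNOWN if UNKNOWN in values else TRUE
    if operator == "OR":
        if TRUE in values:
            return TRUE
        return UNKNOWN if UNKNOWN in values else FALSE
    raise ValueError(f"unsupported operator {operator!r}")


def evaluate(node, test_results):
    """Recursively evaluate a <criteria>/<criterion> tree against a mapping of
    test_ref -> 'true' | 'false' | 'unknown'. Tests without a recorded result
    count as 'unknown'. Returns 'true', 'false' or 'unknown'."""
    if node.tag == "criterion":
        value = test_results.get(node.get("test_ref"), UNKNOWN)
    elif node.tag == "criteria":
        children = [evaluate(child, test_results) for child in node]
        value = combine(node.get("operator", "AND"), children)
    else:
        raise ValueError(f"unexpected element <{node.tag}>")
    # negate="true" flips a decided result; an unknown result stays unknown.
    if node.get("negate", "false") == "true" and value != UNKNOWN:
        value = FALSE if value == TRUE else TRUE
    return value


def evaluate_definition(definition_xml, test_results):
    """Return (definition id, result) for the <criteria> under a <definition>."""
    root = ET.fromstring(definition_xml)
    return root.get("id"), evaluate(root.find("criteria"), test_results)


if __name__ == "__main__":
    # Windows 2000 host with IE6, an old mshtml.dll and no hotfix: vulnerable.
    host_a = {"oval:example:tst:1": TRUE, "oval:example:tst:5": TRUE,
              "oval:example:tst:6": TRUE, "oval:example:tst:7": FALSE}
    # Same host after the hotfix: the negated criterion turns the AND false.
    host_b = dict(host_a, **{"oval:example:tst:7": TRUE})
    print(evaluate_definition(DEFINITION, host_a))  # ('oval:example:def:1', 'true')
    print(evaluate_definition(DEFINITION, host_b))  # ('oval:example:def:1', 'false')
```

The value returned per definition is what an OVAL results document records for that definition; note that in host_a the XP branch was never evaluated, yet the OR still resolves to true because the Windows 2000 criterion is decided.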
OVAL Results Schema
OVAL Results Schema is used for presenting results of the tests from the evaluated systems. The results data contains the current state of a system's configuration as compared against a set of OVAL vulnerability, compliance, or patch definitions. The schema defines a standard exchange format that can be incorporated into a variety of tools.
OVAL Repositories
A number of vendors have released OVAL repositories; however, the largest definition repository is provided by MITRE and is keyed to MITRE's own CVE (Common Vulnerabilities and Exposures) list. The repository can be obtained here: http://oval.mitre.org/repository/
Other repositories of OVAL definitions:
OVAL Interpreter
To complement its OVAL Repository and the language itself, MITRE developed a reference implementation of the language and its definitions: the OVAL Interpreter. It is available for a variety of UNIX and Windows platforms and is capable of conducting all levels of security assessment.
