MRL WikiMain Page | About | Help | FAQ | Special pages | Log in

Printable version | Disclaimers | Privacy policy


From MRL Wiki

Open Vulnerability and Assessment Language (OVAL) is an XML language standard introduced by MITRE and OVAL Community (Sponsored by US-CERT at the U.S Department of Homeland Security). It was designed to provide structured means for network and system administrators to detect vulnerabilities and configuration problems on their systems. As one of its missions, OVAL sets out to bring a standard assessment approach that can be used by assessment tools.


[edit] OVAL Language

OVAL is split into three schemas corresponding to three stages of evaluation and assessment process: COllecting Information from Systems, Standardized Tests, and Reporting of Results.

[edit] OVAL System Characteristics Schema

OVAL System Characteristics Schema is used for collecting system characteristics and configuration information. The schema provides a database of opearting system parameters, installed applications, application settings, and other security relevant attributes.

Below is an example of Windows operatings system minimum password length parameter:

<xsd:element name="min_passwd_len" type="oval-sc:EntityItemIntType" minOccurs="0" maxOccurs="1">
  <xsd:documentation>Specifies the minimum allowable password length. Valid values for 
   this element are zero through PWLEN.</xsd:documentation>
    <sch:pattern id="ppitemmin_passwd_len">
     <sch:rule context="win-sc:passwordpolicy_item/win-sc:min_passwd_len">
      <sch:assert test="not(@datatype) or @datatype='int'">item <value-of select="../@id"/> - 
       datatype attribute for the min_passwd_len entity of a passwordpolicy_item should be 'int'</sch:assert>

[edit] OVAL Definition Schema

OVAL Definition Schema is used for writing definitions that test for known vulnerabilities, configuration issues, and patch level. Definitions Schemas are organizaed into Repositories and released by a number of vendors to support their products. There are three classes of OVAL definitions:

Here is an example of vulnerability definition portion of MITRE's OVAL Repository:

<definition id="oval:org.mitre.oval:def:965" version="1" class="vulnerability">
  <title>IE6 Script Execution Vulnerability (Win2K/XP,SP1)</title>
   <affected family="windows">
    <platform>Microsoft Windows 2000</platform>
    <platform>Microsoft Windows XP</platform>
    <product>Microsoft Internet Explorer</product>
   <reference source="CVE" ref_id="CVE-2006-1190" ref_url=""/>
   <description>Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information 
   when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security 
   context or zone, and allow remote attackers to execute arbitrary code.</description>

Followed by the definition of the vulnerability, OVAL provides criterion to determine whether the evaluated system is vulnerable. Here is an example of criterion to determine if the machine is vulnerable to IE6 Script Execution Vulnerability:

<criteria comment="Software section" operator="AND">
 <criteria operator="OR" comment="Win2K or XP,SP1 is installed">
  <criterion comment="Windows 2000 is installed" negate="false" test_ref="oval:org.mitre.oval:tst:3085"/>
   <criteria operator="AND" comment="Windows XP 32-bit SP1 is installed">
    <criteria operator="AND" comment="Windows XP 32-bit edition is installed">
     <criterion comment="Windows XP is installed" negate="false" test_ref="oval:org.mitre.oval:tst:2838"/>
     <criterion comment="32-Bit version of Windows is installed" negate="false" test_ref="oval:org.mitre.oval:tst:2748"/>
     <criterion comment="Win2K/XP/2003 service pack 1 is installed" negate="false" test_ref="oval:org.mitre.oval:tst:2843"/>
  <criterion comment="Internet Explorer 6 (any patch level) is installed" negate="false" test_ref="oval:org.mitre.oval:tst:2333"/>
 <criterion comment="the version of mshtml.dll is less than 6.0.2800.1543" negate="false" test_ref="oval:org.mitre.oval:tst:2332"/>

[edit] OVAL Results Schema

OVAL Results Schema is used for presenting results of the tests from the evaluated systems. The results data contains the current state of a system's configuration as compared against a set of OVAL vulnerability, compliance, or patch definitions. The schema defines a standard exchange format that can be incorporated into a variety of tools.

[edit] OVAL Repositories

A number of vendors released OVAL Repositories; however, the largest definition repository is provided by MITRE which is based on MITRE's own CVE (Common Vulnerabilities and Exposures List). The repository can be obtained here:

Other repositories of OVAL definitions:

[edit] OVAL Interpreter

To complement its OVAL Repository and Language, MITRE developed a reference implementation of the language and its definitions: OVAL Interpreter. It is available for a variety of UNIX and Windows platforms and capable of conducting of all levels of security assessment.

[edit] See Also

[edit] External Links

Retrieved from ""

This page has been accessed 2,482 times. This page was last modified on 21 June 2007, at 21:22.


Main Page
Community portal
Current events
Recent changes
Random page
Edit this page
Editing help
This page
Discuss this page
New section
Printable version
Page history
What links here
Related changes
My pages
Log in / create account
Special pages
New pages
File list