Task: OVAL SC

The Open Vulnerability and Assessment Language (OVAL) is an approach for a standardized description of the (security) state of an IT system. OVAL files describe a vulnerability and define tests to identify the state in which a system is vulnerable. They usually refer to specific versions of software products for which a known vulnerability exists.

This means that in order to check for vulnerabilities described in an OVAL definition, information about the current state of the system is needed. This information is collected in a standardized format as well — the OVAL System Characteristics (SC).

There are a number of solutions which perform checks based on OVAL definitions and SC files. OVAL definitions are provided by various vendors. MITRE provides the OVAL Repository with more than 13,000 entries.

OVAL Adoption Program

Greenbone is an official OVAL Adopter and Greenbone Security Manager is registered as a "Systems Characteristics Producer".

See also: OVAL Adoption Program

OVAL versions 5.3 to 5.10 are supported. Should any wrong, missing or incomplete OVAL element be found, users are encouraged to provide feedback to the Greenbone support team. The OVAL-SC implementation of the Greenbone solution allows updates to be activated within a single day and therefore provides timely improvements for users.

Collecting Scan Results as OVAL SCs


During a scan the Greenbone Security Manager collects large amounts of data about the target system. This information is managed in an optimized data pool. Parts of this information are usable as a component of an OVAL System Characteristics.

The creation of OVAL SC files is disabled by default and has to be enabled explicitly. The following scan configuration can be used to achieve this: collect-oval-sc-v2.xml

Import the scan configuration in the GSM:

The new scan configuration is now shown in the list:

The most comprehensive results for a target system can be collected using authenticated scans. For this you need to create an account on the target system. Ensure that the account has the necessary privileges. For Unix-like systems an account with low privileges is usually sufficient; for Windows systems administrative privileges are required.

The following example shows the creation of a Linux target. For a Windows target the credential must be set in the SMB field instead of SSH.

Now create the task, which you can start immediately.

The scan itself is quite fast because the scan configuration is optimized to collect only the specific data needed for generating the System Characteristics file.

The results are returned as log information. If you adjust your filter, you can see the OVAL System Characteristics as XML, formatted for easy readability:

Please note: If you have collected data from a large number of target systems this view may become hard to read.

Exporting OVAL SCs


OVAL SC files are defined in a way that one file can contain only information about one system. Using the Greenbone Security Manager you can collect a large number of System Characteristics from many different systems in one single step.

Because of this we provide two Report Format Plugins:

  • OVAL System Characteristics: Produces a single SC file in the XML format.

  • OVAL System Characteristics Archive: Can be used for an arbitrary number of System Characteristics, which will be collected in a ZIP file. The names of the individual SC files will contain the IP address of the target system.

Both plugins are available for download on the Report Formats page.

Import the report format plugins, verify the signature and activate them. For detailed information about this process, please refer to: Feature: Report Formats

You can now download the results in the format you require for further processing. Select the format "OVAL-SC" or "OVAL-SC archive" in the "Full report" line:

The ZIP archives look as follows:

Example: Using OVAL SCs with ovaldi


The MITRE organization not only provides the OVAL standard but also provides a reference implementation for local OVAL checks. The OVAL Interpreter ovaldi is available under an Open Source license.

By using the Greenbone Security Manager to provide OVAL System Characteristics it is easy to use ovaldi on Linux to check a Windows system — or the other way round.

For example, if the target system you tested above was a Debian Linux system, you can now download the official Debian OVAL definitions 2010 and execute the test ("false" means that a condition was not met, i.e. a vulnerability does not exist on the target).

Ovaldi automatically creates an HTML and XML version of the plain text output as shown below: oval-sc-debian-squeeze-sample-ovaldi-results.html (102 KByte) and oval-sc-debian-squeeze-sample-ovaldi-results.xml (4.2 MByte).

$ cd /tmp
$ ovaldi -m -o /tmp/oval-definitions-2010.xml \
    -i /tmp/oval-sc-debian-squeeze-sample.xml \
    -a /usr/share/ovaldi/xml/

----------------------------------------------------
OVAL Definition Interpreter
Version: 5.10.1 Build: 2
Build date: Sep 11 2012 07:49:59
Copyright (c) 2002-2012 - The MITRE Corporation
----------------------------------------------------

Start Time: Tue Sep 11 12:12:52 2012

 ** parsing /tmp/oval-definitions-2010.xml file.
    - validating xml schema.
 ** checking schema version
     - Schema version - 5.3
 ** skipping Schematron validation
 ** parsing /tmp/oval-sc-debian-lenny-sample.xml for analysis.
    - validating xml schema.
 ** running the OVAL Definition analysis.
      Analyzing definition:  FINISHED
 ** applying directives to OVAL results.
 ** OVAL definition results.

    OVAL Id                                 Result
    -------------------------------------------------------
    oval:org.debian:def:1965                false
    oval:org.debian:def:1966                false
    oval:org.debian:def:1967                false
    oval:org.debian:def:1968                false
    oval:org.debian:def:1969                false
    oval:org.debian:def:1970                false
    oval:org.debian:def:1971                false
    oval:org.debian:def:1972                false
    oval:org.debian:def:1973                false
    oval:org.debian:def:1974                false
    ...
    oval:org.debian:def:2124                false
    oval:org.debian:def:2125                false
    oval:org.debian:def:2126                false
    oval:org.debian:def:2127                false
    oval:org.debian:def:2128                false
    oval:org.debian:def:2129                false
    oval:org.debian:def:2130                false
    oval:org.debian:def:2131                false
    oval:org.debian:def:2132                false
    oval:org.debian:def:2133                false
    -------------------------------------------------------


 ** finished evaluating OVAL definitions.

 ** saving OVAL results to results.xml.
 ** running OVAL Results xsl: /usr/share/ovaldi/xml//results_to_html.xsl.

----------------------------------------------------

If the target system was a Microsoft Windows system, you can use the definitions provided by MITRE and execute the test ("false" means that a condition was not met, i.e. a vulnerability does not exist on the target).

Ovaldi automatically creates an HTML and XML version of the plain text output as shown below: oval-sc-windows-xp-sample-ovaldi-results.html (23 KByte) and oval-sc-windows-xp-sample-ovaldi-results.xml (159 KByte).

$ cd /tmp
$ ovaldi -m -o /tmp/windows.xml \
    -i /tmp/oval-sc-windows-xp-sample.xml \
    -a /usr/share/ovaldi/xml/

----------------------------------------------------
OVAL Definition Interpreter
Version: 5.10.1 Build: 2
Build date: Sep 11 2012 07:49:59
Copyright (c) 2002-2012 - The MITRE Corporation
----------------------------------------------------

Start Time: Tue Sep 11 15:57:55 2012

 ** parsing /tmp/windows.xml file.
    - validating xml schema.
 ** checking schema version
     - Schema version - 5.10
 ** skipping Schematron validation
 ** parsing /tmp/oval-sc-windows-xp-sample.xml for analysis.
    - validating xml schema.
 ** running the OVAL Definition analysis.
      Analyzing definition:  FINISHED
 ** applying directives to OVAL results.
 ** OVAL definition results.

    OVAL Id                                 Result
    -------------------------------------------------------
    oval:org.mitre.oval:def:754             true
    oval:org.mitre.oval:def:15339           false
    oval:org.mitre.oval:def:15465           false
    oval:org.mitre.oval:def:15452           false
    oval:org.mitre.oval:def:15377           false
    oval:org.mitre.oval:def:15346           false
    oval:org.mitre.oval:def:15173           false
    oval:org.mitre.oval:def:15057           false
    oval:org.mitre.oval:def:15546           false
    oval:org.mitre.oval:def:14566           false
    oval:org.mitre.oval:def:720             false
    oval:org.mitre.oval:def:627             false
    oval:org.mitre.oval:def:286             false
    oval:org.mitre.oval:def:748             false
    oval:org.mitre.oval:def:684             false
    oval:org.mitre.oval:def:396             false
    oval:org.mitre.oval:def:1205            false
    oval:org.mitre.oval:def:679             false
    oval:org.mitre.oval:def:165             false
    oval:org.mitre.oval:def:565             false
    oval:org.mitre.oval:def:289             false
    oval:org.mitre.oval:def:730             false
    oval:org.mitre.oval:def:1162            false
    oval:org.mitre.oval:def:2041            false
    oval:org.mitre.oval:def:1946            false
    oval:org.mitre.oval:def:1815            false
    oval:org.mitre.oval:def:1282            false
    oval:org.mitre.oval:def:1804            false
    oval:org.mitre.oval:def:1469            false
    oval:org.mitre.oval:def:718             false
    oval:org.mitre.oval:def:347             false
    oval:org.mitre.oval:def:283             false
    oval:org.mitre.oval:def:282             false
    -------------------------------------------------------


 ** finished evaluating OVAL definitions.

 ** saving OVAL results to results.xml.
 ** running OVAL Results xsl: /usr/share/ovaldi/xml/results_to_html.xsl.

----------------------------------------------------
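
When the "OVAL-SC archive" format is used, each SC file in the ZIP has to be passed to ovaldi separately and the result tables have to be triaged per host. The following script is an added example, not part of the original page and not Greenbone or MITRE code: it runs ovaldi with the same options as above for every SC file in an unpacked archive and lists only the definitions that need attention. The function names, the ovaldi-out directory and the sample rows are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Greenbone or MITRE code.
# Rows of the "OVAL Id / Result" table start with a definition id.
OVAL_ID_RE='^oval:[^:]+:def:[0-9]+$'

# Ids whose result is "true" (the definition's condition was met).
oval_true_ids() {
    awk -v re="$OVAL_ID_RE" '$1 ~ re && $2 == "true" { print $1 }'
}

# Ids with a result other than true/false (e.g. error, unknown):
# these need review and must not be read as "not vulnerable".
oval_unresolved_ids() {
    awk -v re="$OVAL_ID_RE" \
        '$1 ~ re && $2 != "true" && $2 != "false" { print $1, $2 }'
}

# Number of result rows; 0 means no results table was printed.
oval_row_count() {
    awk -v re="$OVAL_ID_RE" '$1 ~ re { n++ } END { print n + 0 }'
}

# Run ovaldi once per SC file of an unpacked "OVAL-SC archive".
# Assumptions: the three arguments are absolute paths; ovaldi writes
# results.xml to the current directory, so each host gets its own.
scan_sc_dir() {
    defs=$1; sc_dir=$2; schema_dir=$3
    for sc in "$sc_dir"/*.xml; do
        [ -f "$sc" ] || continue
        host=$(basename "$sc" .xml)   # file name contains the target IP
        work="$sc_dir/ovaldi-out/$host"
        mkdir -p "$work"
        ( cd "$work" && ovaldi -m -o "$defs" -i "$sc" -a "$schema_dir" ) \
            > "$work/ovaldi.log" 2>&1
        if [ "$(oval_row_count < "$work/ovaldi.log")" -eq 0 ]; then
            echo "$host no-results (see $work/ovaldi.log)"
            continue
        fi
        oval_true_ids < "$work/ovaldi.log" | awk -v h="$host" '{ print h, "true", $0 }'
        oval_unresolved_ids < "$work/ovaldi.log" | awk -v h="$host" '{ print h, "review", $0 }'
    done
}

# Constructed sample rows in the format ovaldi prints.
SAMPLE='    OVAL Id                                 Result
    -------------------------------------------------------
    oval:org.mitre.oval:def:754             true
    oval:org.mitre.oval:def:15339           false
    oval:org.example:def:1                  error
    -------------------------------------------------------'

if [ "$#" -eq 3 ]; then scan_sc_dir "$@"; else printf '%s\n' "$SAMPLE" | oval_true_ids; fi
```

Called with three arguments (definitions file, directory of SC files, ovaldi schema directory) the script scans the whole archive; without arguments it only parses the constructed sample.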