Task: OVAL SC
The Open Vulnerability and Assessment Language (OVAL) is an approach for a standardized description of the (security) state of an IT system. OVAL files describe a vulnerability and define tests to identify the state in which a system is vulnerable. They usually refer to specific versions of software products for which a known vulnerability exists.
This means that in order to check for vulnerabilities described in an OVAL definition, information about the current state of the system is needed. This information is collected in a standardized format as well — the OVAL System Characteristics (SC).
There are a number of solutions which perform checks based on OVAL definitions and SC files. OVAL definitions are provided by various vendors. MITRE provides the OVAL Repository with more than 13,000 entries.
OVAL Adoption Program
Greenbone is an official OVAL Adopter and Greenbone Security Manager is registered as a "Systems Characteristics Producer".
See also: OVAL Adoption Program
OVAL versions 5.3 to 5.10 are supported. Should any wrong, missing or incomplete OVAL element be found, users are encouraged to provide feedback to the Greenbone support team. The OVAL-SC implementation of the Greenbone solution allows updates to be activated within a single day and therefore provides timely improvements for users.
Collecting Scan Results as OVAL SCs
During a scan the Greenbone Security Manager collects large amounts of data about the target system. This information is managed in an optimized data pool. Parts of this information are usable as a component of an OVAL System Characteristics.
The creation of OVAL SC files is not enabled by default but has to be explicitly enabled. The following scan configuration can be used to achieve this: collect-oval-sc-v2.xml
Import the scan configuration in the GSM:
The new scan configuration is now shown in the list:
The most comprehensive results for a target system can be collected using authenticated scans. For this you need to create an account on the target system. Ensure that the account has the necessary privileges. For unixoid systems an account with low privileges is usually sufficient; for Windows systems administrative privileges are required.
The following example shows the creation of a Linux target. For a Windows target the credential must be set in the SMB field instead of SSH.
Now create the task, which you can start immediately.
The scan itself is quite fast because the scan configuration is optimized to collect only the specific data needed for generating the System Characteristics file.
The results are returned as log information. If you adjust your filter, you can see the OVAL System Characteristics as XML, formatted for easy readability:
Please note: If you have collected data from a large number of target systems this view may become hard to read.
Exporting OVAL SCs
OVAL SC files are defined in a way that one file can contain only information about one system. Using the Greenbone Security Manager you can collect a large number of System Characteristics from many different systems in one single step.
Because of this we provide two Report Format Plugins:
- OVAL System Characteristics: Produces a single SC file in the XML format.
- OVAL System Characteristics Archive: Can be used for an arbitrary number of System Characteristics, which will be collected in a ZIP file. The names of the individual SC files will contain the IP address of the target system.
Both plugins are available for download on the Report Formats page.
Import the report format plugins, verify the signature and activate them. For detailed information about this process, please refer to: Feature: Report Formats
You can now download the results in the format you require for further processing. Select the format "OVAL-SC" or "OVAL-SC archive" in the "Full report" line:
The ZIP archives look as follows:
Example: Using OVAL SCs with ovaldi
The MITRE organization not only provides the OVAL standard but also provides a reference implementation for local OVAL checks. The OVAL Interpreter ovaldi is available under an Open Source license.
By using the Greenbone Security Manager to provide OVAL System Characteristics it is easy to use ovaldi on Linux to check a Windows system — or the other way round.
For example, if the target system you tested above was a Debian Linux system, you can now download the official Debian OVAL definitions 2010 and execute the test ("false" means that a condition was not met, i.e. a vulnerability does not exist on the target).
Ovaldi automatically creates an HTML and an XML version of the plain text output shown below: oval-sc-debian-squeeze-sample-ovaldi-results.html (102 KByte) and oval-sc-debian-squeeze-sample-ovaldi-results.xml (4.2 MByte).
```
$ cd /tmp
$ ovaldi -m -o /tmp/oval-definitions-2010.xml \
    -i /tmp/oval-sc-debian-squeeze-sample.xml \
    -a /usr/share/ovaldi/xml/

----------------------------------------------------
OVAL Definition Interpreter
Version: 5.10.1 Build: 2
Build date: Sep 11 2012 07:49:59
Copyright (c) 2002-2012 - The MITRE Corporation
----------------------------------------------------

Start Time: Tue Sep 11 12:12:52 2012

 ** parsing /tmp/oval-definitions-2010.xml file.
    - validating xml schema.
 ** checking schema version
    - Schema version - 5.3
 ** skipping Schematron validation
 ** parsing /tmp/oval-sc-debian-lenny-sample.xml for analysis.
    - validating xml schema.
 ** running the OVAL Definition analysis.
    Analyzing definition: FINISHED
 ** applying directives to OVAL results.
 ** OVAL definition results.

    OVAL Id                                 Result
    -------------------------------------------------------
    oval:org.debian:def:1965                false
    oval:org.debian:def:1966                false
    oval:org.debian:def:1967                false
    oval:org.debian:def:1968                false
    oval:org.debian:def:1969                false
    oval:org.debian:def:1970                false
    oval:org.debian:def:1971                false
    oval:org.debian:def:1972                false
    oval:org.debian:def:1973                false
    oval:org.debian:def:1974                false
    ...
    oval:org.debian:def:2124                false
    oval:org.debian:def:2125                false
    oval:org.debian:def:2126                false
    oval:org.debian:def:2127                false
    oval:org.debian:def:2128                false
    oval:org.debian:def:2129                false
    oval:org.debian:def:2130                false
    oval:org.debian:def:2131                false
    oval:org.debian:def:2132                false
    oval:org.debian:def:2133                false
    -------------------------------------------------------

 ** finished evaluating OVAL definitions.
 ** saving OVAL results to results.xml.
 ** running OVAL Results xsl: /usr/share/ovaldi/xml//results_to_html.xsl.

----------------------------------------------------
```
If the target system was a Microsoft Windows system, you can use the definitions provided by MITRE and execute the test ("false" means that a condition was not met, i.e. a vulnerability does not exist on the target).
Ovaldi automatically creates an HTML and an XML version of the plain text output shown below: oval-sc-windows-xp-sample-ovaldi-results.html (23 KByte) and oval-sc-windows-xp-sample-ovaldi-results.xml (159 KByte).
```
$ cd /tmp
$ ovaldi -m -o /tmp/windows.xml \
    -i /tmp/oval-sc-windows-xp-sample.xml \
    -a /usr/share/ovaldi/xml/

----------------------------------------------------
OVAL Definition Interpreter
Version: 5.10.1 Build: 2
Build date: Sep 11 2012 07:49:59
Copyright (c) 2002-2012 - The MITRE Corporation
----------------------------------------------------

Start Time: Tue Sep 11 15:57:55 2012

 ** parsing /tmp/windows.xml file.
    - validating xml schema.
 ** checking schema version
    - Schema version - 5.10
 ** skipping Schematron validation
 ** parsing /tmp/oval-sc-windows-xp-sample.xml for analysis.
    - validating xml schema.
 ** running the OVAL Definition analysis.
    Analyzing definition: FINISHED
 ** applying directives to OVAL results.
 ** OVAL definition results.

    OVAL Id                                 Result
    -------------------------------------------------------
    oval:org.mitre.oval:def:754             true
    oval:org.mitre.oval:def:15339           false
    oval:org.mitre.oval:def:15465           false
    oval:org.mitre.oval:def:15452           false
    oval:org.mitre.oval:def:15377           false
    oval:org.mitre.oval:def:15346           false
    oval:org.mitre.oval:def:15173           false
    oval:org.mitre.oval:def:15057           false
    oval:org.mitre.oval:def:15546           false
    oval:org.mitre.oval:def:14566           false
    oval:org.mitre.oval:def:720             false
    oval:org.mitre.oval:def:627             false
    oval:org.mitre.oval:def:286             false
    oval:org.mitre.oval:def:748             false
    oval:org.mitre.oval:def:684             false
    oval:org.mitre.oval:def:396             false
    oval:org.mitre.oval:def:1205            false
    oval:org.mitre.oval:def:679             false
    oval:org.mitre.oval:def:165             false
    oval:org.mitre.oval:def:565             false
    oval:org.mitre.oval:def:289             false
    oval:org.mitre.oval:def:730             false
    oval:org.mitre.oval:def:1162            false
    oval:org.mitre.oval:def:2041            false
    oval:org.mitre.oval:def:1946            false
    oval:org.mitre.oval:def:1815            false
    oval:org.mitre.oval:def:1282            false
    oval:org.mitre.oval:def:1804            false
    oval:org.mitre.oval:def:1469            false
    oval:org.mitre.oval:def:718             false
    oval:org.mitre.oval:def:347             false
    oval:org.mitre.oval:def:283             false
    oval:org.mitre.oval:def:282             false
    -------------------------------------------------------

 ** finished evaluating OVAL definitions.
 ** saving OVAL results to results.xml.
 ** running OVAL Results xsl: /usr/share/ovaldi/xml/results_to_html.xsl.

----------------------------------------------------
```
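Added example (not part of the original page, and not Greenbone's or MITRE's code): shell functions that run the ovaldi call shown above over every SC file unpacked from an "OVAL-SC archive" and list, per target, the definitions that evaluated to true. The function names, the directory layout and the sample output are assumptions; `-r` and `-x` are ovaldi's options for naming the results XML and HTML files.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the
# directory layout are assumptions made for illustration.

# Read ovaldi console output on stdin; print ids whose result is "true".
oval_true_ids() {
    awk '$1 ~ /^oval:[^:]+:def:[0-9]+$/ && $2 == "true" { print $1 }'
}

# scan_sc_dir DEFINITIONS SC_DIR OUT_DIR
# Evaluate each SC file unpacked from the ZIP archive (one file per
# target) and print "<file name without .xml> <definition id>" per hit.
scan_sc_dir() {
    defs=$1; sc_dir=$2; out_dir=$3
    mkdir -p "$out_dir" || return 1
    for sc in "$sc_dir"/*.xml; do
        [ -f "$sc" ] || continue      # empty directory: glob stays literal
        name=$(basename "$sc" .xml)
        # -r and -x name the result files per target; the defaults
        # (results.xml, results.html) would be overwritten on every run.
        if ! ovaldi -m -o "$defs" -i "$sc" -a /usr/share/ovaldi/xml/ \
                -r "$out_dir/$name-results.xml" \
                -x "$out_dir/$name-results.html" \
                > "$out_dir/$name.log" 2>&1; then
            echo "ovaldi failed for $name, see $out_dir/$name.log" >&2
            continue
        fi
        oval_true_ids < "$out_dir/$name.log" |
            while read -r id; do printf '%s %s\n' "$name" "$id"; done
    done
}

# Constructed sample: a few result lines in the format shown above.
SAMPLE_OUTPUT='    OVAL Id                                 Result
    -------------------------------------------------------
    oval:org.mitre.oval:def:754             true
    oval:org.mitre.oval:def:15339           false
    oval:org.mitre.oval:def:15465           false'

# Demo on the sample only; no scanner or ovaldi installation is needed.
printf '%s\n' "$SAMPLE_OUTPUT" | oval_true_ids
```

OVAL definitions carry a class (for example vulnerability or inventory); for an inventory definition, true means the product is present, so check the class of each hit before treating it as a finding.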








