Red Hat and OVAL compatibility

Q: What is the OVAL project?

The Open Vulnerability and Assessment Language (OVAL) project, maintained by Center for Internet Security (CIS), is an international, information security effort that promotes open and publicly available security content, and seeks to standardize the transfer of this information across the entire spectrum of security tools and services. Refer to https://oval.cisecurity.org/ for further information.

Q: What is Red Hat doing with the OVAL project?

Red Hat Product Security helps customers evaluate and manage risk by tracking and investigating all security issues affecting Red Hat customers and providing timely and concise patches and security advisories via the Red Hat Customer Portal.

Red Hat creates and supports OVAL patch definitions, providing a machine-readable versions of our security advisories. This allows OVAL-compatible tools to test for the presence of vulnerabilities for which Red Hat has released security updates that could be applied to the system.

Red Hat was a founding board member of OVAL in 2002, and made a declaration of OVAL compatibility in May 2006.

Q: What Red Hat products are OVAL compatible?

Red Hat provides OVAL patch definitions for security updates to supported base¹ repositories/channels in Red Hat Enterprise Linux 4, 5, 6, 7, and 8, and select other products. The first OVAL-compatible version was Red Hat Enterprise Linux 3.

Q: How do I obtain the OVAL patch definitions?

The OVAL patch definitions are available as a "stream" for a particular product and version, and are updated within an hour of a new security advisory being made available via the Red Hat Customer Portal.

https://access.redhat.com/security/data/oval/v2

Q: When does Red Hat update OVAL definitions?

Red Hat updates OVAL definitions each time a Red Hat Security Advisory (RHSA) for an OVAL-compatible product (see above) is released. OVAL content provided by Red Hat can be used to detect security updates which have been released by Red Hat, but not applied to a particular system. Red Hat OVAL content cannot be used to detect vulnerabilities in a system for which no security update has been released by Red Hat.

Q: Does Red Hat provide tools to parse these definitions?

Red Hat ships the OpenSCAP vulnerability scanner as a part of Red Hat Enterprise Linux. The following command can be used to assess a system using OVAL patch definitions:

oscap oval eval --results results.xml --report report.html rhel-9.oval.xml

Q: What is an OVAL "Stream" (or "v2" OVAL file) and why are they necessary?

Because RPM versions are not comparable between different repositories that are not designed to be enabled simultaneously (for example: an RPM released in Red Hat Enterprise Linux 7.2 will have a higher version but may be at a lower patch level than another RPM released later for Red Hat Enterprise Linux 7.1 EUS), the OVAL definitions are divided into "Streams" by product and version. To completely evaluate your system you will need to evaluate it against the streams for all products installed on that system.

The difference between the product-version "streams" and the previously-published RHEL-only individual OVAL files (or "-all" stream) is merely one of organization, not format. It is the organization of the OVAL definitions into product-version streams that allows us to support OVAL definitions for products other than RHEL, as the OVAL definitions in a particular stream will only contain tests that are relevant to that product-version.

Q: Why is Red Hat using an OVAL patch definition rather than a vulnerability definition?

Each OVAL patch definition maps one-to-one to a Red Hat Security Advisory (RHSA). Since an RHSA can contain fixes for multiple vulnerabilities, each vulnerability is listed separately by its CVE name, and has a link to its entry in our public bug database.

Q: Why are tests that check the RPM signature included?

Our OVAL patch definitions include a test to check if an RPM is signed by the appropriate Red Hat package signing key. This test is necessary to avoid false positives and negatives caused by users who may rebuild packages themselves or use packages from upstream. The signature check is necessary to maintain backwards compatibility and does not check a system's integrity or detect other deficiencies.

Q: What level of detail do the tests cover?

The Red Hat OVAL patch definitions are designed to check for vulnerable versions of RPM packages installed on a system. It is possible to extend these definitions to include further checks - for instance, to find out if the packages are being used in a vulnerable configuration. These definitions are designed to cover software and updates shipped by Red Hat. Additional definitions are required to detect the patch status of third-party software.

Q: Where can I go for more information?

The OVAL Community Guidelines contains additional information, including the full schema. If you wish to submit corrections, ask questions, or get more information about the Red Hat implementation of OVAL, contact Red Hat Product Security at secalert@redhat.com or file a Jira issue in the public SECDATA project.