Red Hat and OVAL compatibility

Updated -

Q: What is the OVAL project?

The Open Vulnerability and Assessment Language (OVAL) project, maintained by The MITRE Corporation, is an international, information security effort that promotes open and publicly available security content, and seeks to standardize the transfer of this information across the entire spectrum of security tools and services. Refer to http://oval.mitre.org/ for further information.

Q: What is Red Hat doing with the OVAL project?

Red Hat Product Security helps customers evaluate and manage risk by tracking and investigating all security issues affecting Red Hat customers and providing timely and concise patches and security advisories via the Red Hat Customer Portal.

Red Hat creates and supports OVAL patch definitions, providing a machine-readable versions of our security advisories. This allows OVAL-compatible tools to test for the presence of vulnerabilities for which Red Hat has released security updates that could be applied to the system.

Red Hat was a founding board member of OVAL in 2002, and made a declaration of OVAL compatibility in May 2006.

Q: What Red Hat products are OVAL compatible?

Red Hat provides OVAL patch definitions for security updates to supported base1 repositories/channels in Red Hat Enterprise Linux 4, 5, 6, and 7. The first OVAL-compatible version was Red Hat Enterprise Linux 3, for which OVAL patch definitions continue to be available for download.

Q: How do I obtain the OVAL patch definitions?

The OVAL patch definitions are available individually and as a complete package, and are updated within an hour of a new security advisory being made available via the Red Hat Customer Portal.

https://www.redhat.com/security/data/oval/

Q: When does Red Hat update OVAL definitions?

Red Hat updates OVAL definitions each time a Red Hat Security Advisory (RHSA) for an OVAL-compatible product (see above) is released. OVAL content provided by Red Hat can be used to detect security updates which have been released by Red Hat, but not applied to a particular system. Red Hat OVAL content cannot be used to detect vulnerabilities in a system for which no security update has been released by Red Hat.

Q: Does Red Hat provide tools to parse these definitions?

Red Hat ships the OpenSCAP vulnerability scanner as a part of Red Hat Enterprise Linux. The following command can be used to assess a system using OVAL patch definitions:

oscap oval eval --results results.xml --report report.html com.redhat.rhsa-all.xml

Q: How is OVAL different from Red Hat Network?

The Red Hat Network is an enterprise system management tool that keeps Red Hat Enterprise Linux systems up-to-date with the latest errata, and reports which systems need which updates. Red Hat support for OVAL provides an alternative machine-readable view of Red Hat security advisories, allowing administrators to use OVAL compatible tools to determine the patch state of software across heterogeneous networks.

Q: Why is Red Hat using an OVAL patch definition rather than a vulnerability definition?

Each OVAL patch definition maps one-to-one to a Red Hat Security Advisory (RHSA). Since an RHSA can contain fixes for multiple vulnerabilities, each vulnerability is listed separately by its CVE name, and has a link to its entry in our public bug database.

Q: Why are tests that check the RPM signature included?

Our OVAL patch definitions include a test to check if an RPM is signed by the appropriate Red Hat package signing key. This test is necessary to avoid false positives and negatives caused by users who may rebuild packages themselves or use packages from upstream. The signature check is necessary to maintain backwards compatibility and does not check a system's integrity or detect other deficiencies.

Q: What level of detail do the tests cover?

The Red Hat OVAL patch definitions are designed to check for vulnerable versions of RPM packages installed on a system. It is possible to extend these definitions to include further checks - for instance, to find out if the packages are being used in a vulnerable configuration. These definitions are designed to cover software and updates shipped by Red Hat. Additional definitions are required to detect the patch status of third-party software.

Q: Where can I go for more information?

The MITRE OVAL website contains an FAQ and more detailed information, including the full schema. If you wish to submit corrections, ask questions, or get more information about the Red Hat implementation of OVAL, contact Red Hat Product Security at secalert@redhat.com.


  1. A base repository consists of packages based on a specific architecture and Red Hat Enterprise Linux release. A child repository is a repository associated with a base repository that contains extra packages. 

Was this helpful?

We appreciate your feedback. Leave a comment if you would like to provide more detail.
It looks like we have some work to do. Leave a comment to let us know how we could improve.