Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

8.2.2. The OVAL File Format

The Open Vulnerability Assessment Language (OVAL) is the essential and oldest component of SCAP. The main goal of the OVAL standard is to enable interoperability among security products. That is achieved by standardization of the following three domains:
  1. Representation of the target system configuration.
  2. Analysis of the target system for the presence of a particular machine state.
  3. Reporting the results of the comparison between the specified machine state and the observed machine state.
Unlike other tools or custom scripts, the OVAL language describes a desired state of resources in a declarative manner. The OVAL language code is never executed directly, but by means of an OVAL interpreter tool called scanner. The declarative nature of OVAL ensures that the state of the assessed system is not accidentally modified, which is important because security scanners are often run with the highest possible privileges.
OVAL specification is open for public comments and contribution and various IT companies collaborate with the MITRE Corporation, federally funded not-for-profit organization. The OVAL specification is continuously evolving and different editions are distinguished by a version number. The current version 5.10.1 was released in January 2012.
Like all other SCAP components, OVAL is based on XML. The OVAL standard defines several document formats. Each of them includes different kind of information and serves a different purpose.

The OVAL Document Formats

  • The OVAL Definitions format is the most common OVAL file format that is used directly for system scans. The OVAL Definitions document describes the desired state of the target system.
  • The OVAL Variables format defines variables used to amend the OVAL Definitions document. The OVAL Variables document is typically used in conjunction with the OVAL Definitions document to tailor the security content for the target system at runtime.
  • The OVAL System Characteristics format holds information about the assessed system. The OVAL System Characteristics document is typically used to compare the actual state of the system against the expected state defined by an OVAL Definitions document.
  • The OVAL Results is the most comprehensive OVAL format that is used to report results of the system evaluation. The OVAL Results document typically contains copy of the evaluated OVAL definitions, bound OVAL variables, OVAL system characteristics, and results of tests that are computed based on comparison of the system characteristics and the definitions.
  • The OVAL Directives format is used to tailor verbosity of an OVAL Result document by either including or excluding certain details.
  • The OVAL Common Model format contains definitions of constructs and enumerations used in several other OVAL schemes. It is used to reuse OVAL definitions in order to avoid duplications across multiple documents.
The OVAL Definitions document consists of a set of configuration requirements where each requirement is defined in the following five basic sections: definitions, tests, objects, states, and variables. The elements within the definitions section describe which of the tests shall be fulfilled to satisfy the given definition. The test elements link objects and states together. During the system evaluation, a test is considered passed when a resource of the assessed system that is denoted by the given object element corresponds with the given state element. The variables section defines external variables which may be used to adjust elements from the states section. Besides these sections, the OVAL Definitions document typically contains also the generator and signature sections. The generator section holds information about the document origin and various additional information related to its content.
Each element from the OVAL document basic sections is unambiguously identified by an identifier in the following form:
oval:namespace:type:ID
where namespace is a name space defining the identifier, type is either def for definitions elements, tst for tests elements, obj for objects element, ste for states elements, and var for variables elements, and ID is an integer value of the identifier.

Example 8.2. An Example of an OVAL Definitions Document

          
<?xml version="1.0" encoding="utf-8"?>
<oval_definitions
    xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <generator>
    <oval:product_name>vim</oval:product_name>
    <oval:schema_version>5.10.1</oval:schema_version>
    <oval:timestamp>2012-11-22T15:00:00+01:00</oval:timestamp>
  </generator>
  <definitions>
    <definition class="inventory" 
        id="oval:org.open-scap.cpe.rhel:def:6" 
        version="1">
      <metadata>
        <title>Red Hat Enterprise Linux 6</title>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 6</platform>
        </affected>
        <reference ref_id="cpe:/o:redhat:enterprise_linux:6" 
            source="CPE"/>
        <description>
          The operating system installed on the system is Red Hat Enterprise Linux 6
        </description>
      </metadata>
      <criteria>
        <criterion comment="Red Hat Enterprise Linux 6 is installed" 
            test_ref="oval:org.open-scap.cpe.rhel:tst:6"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <lin-def:rpminfo_test check_existence="at_least_one_exists" 
        id="oval:org.open-scap.cpe.rhel:tst:6" 
        version="1" 
        check="at least one" 
        comment="redhat-release is version 6">
      <lin-def:object object_ref="oval:org.open-scap.cpe.redhat-release:obj:1"/>
      <lin-def:state state_ref="oval:org.open-scap.cpe.rhel:ste:6"/>
    </lin-def:rpminfo_test>
  </tests>
  <objects>
    <lin-def:rpmverifyfile_object id="oval:org.open-scap.cpe.redhat-release:obj:1" 
        version="1">
      <!-- This object represents rpm package which owns /etc/redhat-release file -->
      <lin-def:behaviors nolinkto='true' 
          nomd5='true' 
          nosize='true' 
          nouser='true' 
          nogroup='true' 
          nomtime='true' 
          nomode='true' 
          nordev='true' 
          noconfigfiles='true' 
          noghostfiles='true' />
      <lin-def:name operation="pattern match"/>
      <lin-def:epoch operation="pattern match"/>
      <lin-def:version operation="pattern match"/>
      <lin-def:release operation="pattern match"/>
      <lin-def:arch operation="pattern match"/>
      <lin-def:filepath>/etc/redhat-release</lin-def:filepath>
    </lin-def:rpmverifyfile_object>
  </objects>
  <states>
    <lin-def:rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:6" 
        version="1">
      <lin-def:name operation="pattern match">^redhat-release</lin-def:name>
      <lin-def:version operation="pattern match">^6[^\d]</lin-def:version>
    </lin-def:rpminfo_state>
  </states>
</oval_definitions>