OVAL - OVAL Board Minutes: Teleconference 2005-06-16, 13:00

OVAL Board Minutes

Teleconference 2005-06-16, 13:00 - 14:00 EST

Attendees

Chris Andrew - Patchlink Corporation
Carl Banzhof - Citadel Security Software
Jay Beale - Bastille Linux
Andrew Buttner - MITRE Corp.
Anton Chuvakin - netForensics, Inc.
Mark Cox - Red Hat, Inc.
Rob Hollis - ThreatGuard, Inc.
Kent Landfield - Citadel Security Software
Bob Martin - MITRE Corp.
Raffael Marty - ArcSight, Inc.
National Security Agency
David Proulx - MITRE Corp.
Patrick Ravenel - Preventsys, Inc.
Ingrid Skoog - MITRE Corp.
Eric Voskil - DesktopStandard Corporation

Agenda

OVAL Status Update
OVAL Compatibility Program
"An Introduction to the OVAL Schema" Document
Proposed Minor Version Change - OVAL Schema Version 4.1
OVAL Developer Days

Welcome to new OVAL Board members

Jim Alderson - GuardedNet, Inc.
Chris Andrew - PatchLink Corporation
Robert Hollis - ThreatGuard, Inc.
Varugis Kurien - Microsoft Corporation
National Security Agency
Nils Puhlmann - Adobe Systems Incorporated
Patrick Ravenel - Preventsys, Inc.
Robert Stull - eEye Digital Security
Eric Voskuil - DesktopStandard Corporation
John Wilson - Microsoft Corporation

Meeting Summary

OVAL Status Update

Patch Definitions

MITRE has been working with DesktopStandard to come up with a format for the patching class of definitions. This work is still in its early stages. The hope is to make enough progress so that there can be some good talk on this subject at OVAL Developer Days.
Raffy M. asked if the Board could see what has been worked on and review the proposed patch definitions

Dave P. stated that the OVAL Team will try to get something out to Board list next week

Unauthenticated Tests
- The working group for Unauthenticated OVAL tests has been moving along slowly. Mike Murray, who is heading this working group, is not on the call. Maybe an update can be sent out over e-mail next week?
  
  Drew B. defined unauthenticated tests - they will provide an ability to generate definitions against information gathered over the network, as opposed to gathering it directly off of an end host. He also explained the reasoning behind the name unauthenticated tests vs. network tests - due to the fact that tests can currently be run over the network, as long as the tool has authenticated access to the host, the use of the term network tests would be a misnomer.
Web Services
- Dave P. stated that MITRE is currently in the process of standing up a Web Application Server, and how it is intended to be used. The initial motivation for this was to support the Center for Internet Security (CIS) in their generation of definitions to correspond with their Benchmarks. The Web Service was created to coordinate OVAL IDs with definitions being produced at MITRE. As development evolved, it became apparent that the Web Services could be used to support a number of functions, both internally and externally.
  
  The Web Application Server will be a topic at Developer Days. MITRE will present what services they intend to offer, and to solicit feedback from the attendees on additional functionality.
  
  Rob H. asked if this server is available now, and if so, what services does it offer.
  
  Dave P. explained that they have only been on line within the last two weeks, and the functionality is primarily limited to supporting MITRE's Definition Writer. The next stage is intended to support the OVAL Web Site, and the final stage would be functions to support external tools. If the demand is great enough, we could move up the development of the tool-based services.
  
  Melissa M. asked if there was a means for submitting OVAL content online.
  
  Dave P. explained that this is something have had in mind for quite some time, but due to priorities and man-power issues, it remains as a future goal.

OVAL Compatibility Program

Bob M. explained where the compatibility program stands right now, with respect to vendor involvement. There have been 19 OVAL Compatibility declarations.
By Developer Days, MITRE hopes to have a draft Compatibility Requirements document for the Board to review.
Some important questions that must be addressed:
- What makes an OVAL creator?
- If one is an OVAL consumer, must this go hand-in-hand with being a result producer?
Raffy M is not so much concerned with how the OVAL results were generated, as he is with having the OVAL Results format available as a standard exchange medium.

Bob M. replied that you then do not know if there are false positives? How can you trust the results? The purpose of the OVAL Results file is to state that these results were generated using OVAL Definitions, which we view to be of a very high quality.

Patrick R. and Melissa M. backed up Raffy's opinion to allow compatibility separately for tests and results.

Drew B. offered the solution that we include an optional 'source' attribute with the results to provide consumers with an indicator of how the results were generated. This proposal was met with agreement.
Kent L. noted that he'd like to see at least a draft copy of the Compatibility Requirements document before Developer Days, so that the Board could possibly get through a round of comments, and be able to speak intelligibly about the requirements.

"An Introduction to the OVAL Schema" Document

This document is currently available on the website for download/reading.
Drew B. provided a brief overview on what the document covers and why it was written.
The document is always open for comment, and can be discussed on the Board or Discussion lists.
Drew encouraged those who haven't had time yet, to please read it over.
Major vs. Minor Schema Versions
- MITRE has gone back and forth on the issue of whether to have a single version number that increments with each Schema change, or a major/minor version numbering scheme, and a set of guidelines for when the version numbers change.
  
  The drawback of incrementing minor revisions independently on each of the Component Schemas is trying to keep track of the version numbers on the various schemas.
  
  The drawback of having a single version number is rate at which the number would change. For every Schema modification, the value would need to be incremented, and this could have a significant effect on tools that implement OVAL.

Proposed Minor Version Change - OVAL Schema Version 4.1

OVAL Schema version 4.1 will come out within the next couple of months. A full schedule is available on the OVAL web site. The proposed changes are minor and will not invalidate any existing content. Mostly, these changes involve adding new Component Schemas and family names.
A full description of the changes will be sent out to the developer list and feedback is encouraged - keeping in mind that these are only minor revisions.
Raffy M. asked for the return of a single result flag on the criteria element. It used to be there but was removed.

Drew B. replied that will look into this and will start some conversation over e-mail. The flag had been removed in a previous version, as it is unknown whether a user wants the results of the Software section AND the Configuration section, or just the results of the Software or Configuration sections.
Carl B expressed a desire for aggregated results for when multiple assessments/hosts are scanned.
Many voiced an opinion on results being 'too verbose' and 'overly repetitious' with some information.
Drew B. pointed out that these are obviously issues that need to be addressed, and proposed to add discussion of the Result Schema to the agenda for OVAL Developer Days.

OVAL Developer Days

When: MITRE was planning for Tuesday and Wednesday, July 19th and 20th (Note: Due to scheduling constraints on conference rooms at MITRE, Developer Days will be Monday and Tuesday, July 18th and 19th. Details on the agenda and travel details will soon be forwarded to the Board list.)
Times: There was some debate, but the consensus seems to be a 9 or 10 AM start
What: Technical meeting to resolve such issues as Schema Version 5, OVAL variables, OVAL ID generation, Web Services, definition/content ownership, compatibility and more
Who: Those who have started implementing OVAL in their tools, Board members and their technical staff
Limits to who can come: None. The one possible restriction would be if the list of attendees becomes too large to ensure productive dialog. For the moment this is not a concern.