About the OVAL Language

Introduction

The OVAL Language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment.

How OVAL Works

The OVAL Language is organized around three main categories, each with its own XML schema:
Collecting Information from Systems

The OVAL System Characteristics schema defines a standard XML format for representing system configuration information, including operating system parameters, installed software application settings, and other security-relevant configuration values. The schema provides a "database" of system characteristics against which OVAL Definitions can be compared in order to analyze a system for the presence of a particular machine state. The schema can also be used as an exchange format that can be incorporated into a variety of tools: given an OVAL System Characteristics file, another application need not perform its own data collection, but can use the provided information to perform analysis. MITRE's reference OVAL Interpreter is an example of an application that generates data in the OVAL System Characteristics schema format and makes it available to other applications. Other information security products and services that incorporate the OVAL System Characteristics schema are listed on the OVAL-Compatible Products and Services page.

Standardized Tests

The OVAL Definition schema is the language framework for writing OVAL Definitions in XML. OVAL Definitions encode the details of a specific machine state (when a system is vulnerable, in compliance, etc.), enabling the testing of a system to be automated. The OVAL Language's standardized schemas also allow a wide range of computer security professionals to discuss the technical details of determining whether a vulnerability is present on a system, whether the configuration settings of a system meet a security policy, and/or whether a patch is present on a system. There are two parts to the schema for writing OVAL Definitions: a core schema that describes the basics of the format, and individual component schemas for tests that are specific to individual OS platforms or applications. For example, there is a UNIX schema containing tests written for UNIX platforms, and a Windows schema for tests written for Windows platforms. MITRE's reference OVAL Interpreter is an example of an application that interprets OVAL Definitions written against the OVAL Definition schema. Other information security products and services that incorporate OVAL Definitions are listed on the OVAL-Compatible Products and Services page.

Results of the Tests

The OVAL Results schema defines a standard XML format for reporting the results of an evaluation of a system. The results data contains the current state of a system's configuration as compared against a set of OVAL Definitions. The OVAL Results schema allows applications to consume this data, interpret it, and take the necessary actions to mitigate the vulnerabilities and configuration conflicts, for example by installing patches, altering system configuration settings, and/or taking external precautions to limit access to the affected systems. This schema also defines a standard exchange format that can be incorporated into a variety of tools. MITRE's reference OVAL Interpreter is an example of an application that generates data in the OVAL Results schema format and makes it available to other applications. Other information security products and services that incorporate the OVAL Results schema are listed on the OVAL-Compatible Products and Services page.

Review Process

The purpose of the OVAL Language Review Process is to ensure that all members of the OVAL Community have an opportunity to provide input into the development and direction of the OVAL Language. It also provides OVAL tool developers with a set of milestones to assist them in planning their own development schedules to maintain compatibility with the OVAL Language.
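To make the three categories under How OVAL Works concrete, the following is an added example (not code from the OVAL project or the OVAL Interpreter) of how a definition, a system characteristics document and a results document fit together. It is a deliberately small evaluator written for this page: the two embedded XML documents are constructed, follow the overall shape of OVAL 5.x documents (definition, criteria, criterion, test, object, state; collected objects and items) but omit XML namespaces, metadata, datatypes and most entities, and the ids, paths and values in them are made up. The one-definition compliance check it evaluates asks whether /etc/shadow is root-owned and not world-readable; the constructed host data has it root-owned but world-readable.

```python
# Added illustrative evaluator: OVAL-style definition + system characteristics -> results.
# Simplified subset of the OVAL 5.x document shapes; no namespaces, no datatypes,
# only the default "equals" operation and check="all". All ids and values are constructed.
import xml.etree.ElementTree as ET

DEFINITIONS_XML = """<oval_definitions>
 <definitions>
  <definition id="oval:example:def:1" class="compliance" version="1">
   <criteria operator="AND">
    <criterion test_ref="oval:example:tst:1" comment="/etc/shadow owned by root"/>
    <criterion test_ref="oval:example:tst:2" comment="/etc/shadow not world-readable"/>
   </criteria>
  </definition>
 </definitions>
 <tests>
  <file_test id="oval:example:tst:1" check="all" check_existence="all_exist">
   <object object_ref="oval:example:obj:1"/><state state_ref="oval:example:ste:1"/></file_test>
  <file_test id="oval:example:tst:2" check="all" check_existence="all_exist">
   <object object_ref="oval:example:obj:1"/><state state_ref="oval:example:ste:2"/></file_test>
 </tests>
 <objects><file_object id="oval:example:obj:1"><path>/etc</path><filename>shadow</filename></file_object></objects>
 <states>
  <file_state id="oval:example:ste:1"><uid>0</uid></file_state>
  <file_state id="oval:example:ste:2"><oread>false</oread></file_state>
 </states>
</oval_definitions>"""

# Constructed output of a collector: /etc/shadow is root-owned but world-readable.
SYSTEM_CHARACTERISTICS_XML = """<oval_system_characteristics>
 <collected_objects>
  <object id="oval:example:obj:1" flag="complete"><reference item_ref="1"/></object>
 </collected_objects>
 <system_data>
  <file_item id="1"><path>/etc</path><filename>shadow</filename>
   <uid>0</uid><gid>42</gid><uread>true</uread><oread>true</oread></file_item>
 </system_data>
</oval_system_characteristics>"""


def evaluate_test(test, collected, items, states):
    """Result of one test with check="all": 'true', 'false' or 'unknown'."""
    obj = collected.get(test.find("object").get("object_ref"))
    # A collector that could not fully enumerate the object gives no basis for a verdict.
    if obj is None or obj.get("flag") != "complete":
        return "unknown"
    item_ids = [r.get("item_ref") for r in obj.findall("reference")]
    if not item_ids:          # check_existence="all_exist": nothing matched, so it fails
        return "false"
    state = states[test.find("state").get("state_ref")]
    for item_id in item_ids:  # check="all": every item must satisfy every state entity
        item = items[item_id]
        for entity in state:  # default operation "equals", compared as strings
            field = item.find(entity.tag)
            if field is None or field.text != entity.text:
                return "false"
    return "true"


def combine(operator, results):
    """Three-valued AND/OR over 'true' / 'false' / 'unknown', as OVAL criteria use."""
    if operator == "AND":
        return "false" if "false" in results else "unknown" if "unknown" in results else "true"
    if operator == "OR":
        return "true" if "true" in results else "unknown" if "unknown" in results else "false"
    raise ValueError("unsupported operator %r" % operator)


def evaluate_criteria(node, test_results):
    """Recursively evaluate a <criteria> tree (criterion may carry negate="true")."""
    results = []
    for child in node:
        if child.tag == "criterion":
            r = test_results[child.get("test_ref")]
            if child.get("negate") == "true":
                r = {"true": "false", "false": "true"}.get(r, r)
            results.append(r)
        elif child.tag == "criteria":
            results.append(evaluate_criteria(child, test_results))
    return combine(node.get("operator", "AND"), results)


def evaluate(definitions_xml, sc_xml):
    """Return ({definition_id: result}, {test_id: result})."""
    defs, sc = ET.fromstring(definitions_xml), ET.fromstring(sc_xml)
    tests = {e.get("id"): e for e in defs.find("tests")}
    states = {e.get("id"): e for e in defs.find("states")}
    collected = {e.get("id"): e for e in sc.find("collected_objects")}
    items = {e.get("id"): e for e in sc.find("system_data")}
    test_results = {tid: evaluate_test(t, collected, items, states) for tid, t in tests.items()}
    def_results = {d.get("id"): evaluate_criteria(d.find("criteria"), test_results)
                   for d in defs.find("definitions")}
    return def_results, test_results


def results_xml(def_results, test_results):
    """Serialize in the shape of an OVAL Results document (namespaces omitted)."""
    root = ET.Element("oval_results")
    system = ET.SubElement(ET.SubElement(root, "results"), "system")
    defs = ET.SubElement(system, "definitions")
    for did, r in def_results.items():
        ET.SubElement(defs, "definition", definition_id=did, result=r)
    tests = ET.SubElement(system, "tests")
    for tid, r in test_results.items():
        ET.SubElement(tests, "test", test_id=tid, result=r)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    d, t = evaluate(DEFINITIONS_XML, SYSTEM_CHARACTERISTICS_XML)
    print(results_xml(d, t))
```

Running it yields a results document in which test oval:example:tst:1 is true, oval:example:tst:2 is false and the definition is therefore false; because the definition's class is compliance, false means the host does not meet the policy (for a vulnerability-class definition, true would mean the host is vulnerable). The three-valued logic matters in practice: if the collector reports the object with a flag other than complete, both tests and the definition become unknown rather than silently passing, which is the behaviour a consumer of OVAL Results should expect before deciding to patch or reconfigure.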
The entire process is managed by the OVAL Moderator, an individual or organization that maintains OVAL and provides impartial technical guidance to the OVAL Board on all matters related to the ongoing development of OVAL. A representative from The MITRE Corporation currently serves as the OVAL Moderator. The timeline associated with the review process varies depending upon whether the planned modifications will result in a major or minor language version change. A major version change requires more effort in each stage of the process than a minor version change, so the overall time it takes to move from the planning stage to the release stage will be longer (see OVAL Language Versioning).

Planning

The OVAL Moderator begins the process of gathering suggestions and comments from the OVAL Community for evolving the existing OVAL Language. The OVAL Board reviews the suggestions and determines which ones should be considered for the new version of the OVAL Language. The length of this period depends upon the number, extent, and urgency of the proposed changes.

Draft/Internal Review

A new version of the OVAL Language is officially proposed to the OVAL Community for consideration as the next version. The OVAL Community is expected to review the schema and to propose additions, deletions, and modifications, all of which are further reviewed by the community. During this period the OVAL Moderator coordinates the testing of the draft language and updates to any OVAL-maintained tools, in order to ensure that the proposed changes to the language are valid and usable.

Release Candidate

The OVAL Board has determined that the proposed OVAL Language has reached a level of consensus within the OVAL Community, and the OVAL Moderator has verified that the language is valid. In the release candidate stage, the language remains frozen for a period of time determined by the OVAL Board. It is during this stage that vendors and tool developers can update their tools with the knowledge that the schema will remain stable. Subsequent release candidates may be released if a serious problem is discovered in the proposed language.

Official

The OVAL Web Site is updated to comply with the new version of the OVAL Language, including all OVAL Definitions and the OVAL Interpreter. The previous schema files and their associated elements are then archived on the OVAL Web Site.

Additional Information

For additional information about the OVAL Language see Structure of the Language, Use Cases, and Versioning. For the current version of OVAL see the Releases page.

Page Last Updated: July 12, 2006