Frequently Asked Questions

A. OVAL

A1. What is OVAL?

Open Vulnerability and Assessment Language (OVAL®) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language. See About OVAL for additional information.

A2. Why OVAL? Is there a lot of support for something like this?

Until OVAL there was no common or structured means for system administrators and other end users to determine the existence of software vulnerabilities, configuration issues, programs, and/or patches in local systems. Much of the information was available as text-based descriptions from vulnerability and other knowledge sources such as software vendors, government agencies, tool vendors, and security consulting firms, however, it remained a labor-intensive and error-prone process for system administrators to read and interpret this unstructured information and make a determination of whether a particular vulnerability or configuration issue existed on a local system.

For operating system and application software vendors, the precise definitions of how to detect vulnerabilities or configuration issues found in OVAL definitions eliminate the need for exploit code as an assessment tool. And tool vendors who implemented closed and proprietary tests to check for the vulnerabilities implemented them in procedural code that could not be easily read and understood by a wide audience, if they made that code available at all.

OVAL solves these problems. The widespread availability of OVAL definitions will promote standardized vulnerability and configuration assessment and will provide consistent and reproducible information assurance metrics. Tools for collecting configuration information can be combined with OVAL content to provide for standardized assessment, resulting in more accurate determinations of existence and fewer false positives than what currently exists today. In addition, since OVAL definitions express security problems in a language familiar to system administrators, they will have a concrete and actionable impact on the specific group directly involved in security remediation efforts.

An integral component of OVAL is community involvement and support. OVAL definitions are based on a common XML definition schema approved by the OVAL Board, which includes members from major operating systems vendors, commercial information security tool vendors, academia, government agencies, and research institutions. Broad community participation in the OVAL effort comes from system administrators, software vendors, security analysts, and other members of the information security community reviewing and commenting on the OVAL schemas on the Developer's List and/or reviewing each draft definition and discussing and debating it on the Community Forum, both of which are hosted on the OVAL Web site. This means the OVAL Language schema and definitions will reflect the insights and combined expertise of the broadest possible collection of security and system administration professionals.

A3. What operating system platforms are supported?

Refer to the Language Releases page, and the Definitions Repository, for the specific OS versions supported.

A4. How is OVAL different from commercial vulnerability scanners?

OVAL itself is not a vulnerability scanner. Rather, it is an open language to express checks for determining whether software vulnerabilities—and configuration issues, programs, and patches—exist on a system. OVAL allows the sharing of technical details regarding how to identify the presence or absence of vulnerabilities on a computer system. The public nature of OVAL provides computer security researchers, software vendors, and system administrators with the means to collaborate to develop OVAL definitions. The end user of an OVAL-compliant tool benefits from this collaboration because of increased quality from the number of experts participating in the development of definitions, and now has the option of personally reviewing the individual definitions to see exactly how the vulnerability determination was made. This is in direct contrast to closed, proprietary methods of vulnerability assessment.

MITRE's freely available OVAL Interpreter shows how the three schemas work and interprets OVAL definitions, producing a list of OVAL-IDs and the CVE names of vulnerabilities found. It demonstrates OVAL in action, but has a limited user interface. (See F1. What is the OVAL Interpreter?).

A5. Can't hackers use this to break into my system?

Any public discussion or availability of vulnerability and configuration information may help a hacker. However, there are several reasons why the benefits of OVAL outweigh its risks:

• OVAL is restricted to publicly known configuration issues and vulnerabilities.
• OVAL definitions help users determine the presence of vulnerabilities or configuration issues on systems before they can be exploited.
• You must have root-level or system administrator access to employ the vulnerability information in an OVAL definition.
• The availability of the detailed technical information about vulnerabilities or configuration issues in OVAL definitions reduces the need for releasing exploit code to the public.
• There is a shift in community opinion towards sharing information, as reflected in the success of the collaborative nature of MITRE's CVE Initiative, and the fact that the OVAL Board includes key organizations in information security.

A6. Can OVAL help me protect my system?

Yes, but only as a preventative measure. Once you have used OVAL definitions or OVAL-compatible information security products and services to determine which vulnerabilities or configuration issues exist on your system, you may then use this information to obtain appropriate software patches and fix information for remediation from your vendors or from vulnerability research databases and Web sites.

A7. Does OVAL tell me how to fix my system?

No. OVAL can only help you determine if there are vulnerabilities or configuration issues on your system. You must obtain all instructions, software patches, or remediation information from your vendors or information security advisories in order to address your system vulnerabilities or configuration issues.

A8. Isn't the vulnerability information included in OVAL also in vulnerability databases?

Vulnerability databases include information about vulnerabilities that OVAL does not, such as the severity of the problem, whether it is locally or remotely exploitable, remediation information, and so on. Instead, OVAL definitions provide a detailed method for checking low-level configuration parameters on a computer to determine the presence or absence of software vulnerabilities. Vulnerability databases rarely have this kind of technical detail available.

A9. How can OVAL help me?

Use OVAL definitions or OVAL-compatible information security products and services as they become available to determine which, if any, software vulnerabilities, configuration issues, programs, or patches exist on your system (See F1. What is the OVAL Interpreter?). Obtain appropriate fix information and software patches from your vendors and make the repairs. See A2. Why OVAL? and the About OVAL page for additional information.

A10. Who owns OVAL?

The content of OVAL is a result of the collaborative efforts of MITRE and the OVAL Board, along with broad participation from the information security community. The Board includes representatives from numerous organizations such as operating system and security tool vendors, academic institutions, and government. MITRE maintains OVAL and moderates Board discussions and the Community Forum and Developer's List email discussion lists. OVAL is sponsored by the US-CERT at the U.S. Department of Homeland Security.

A11. How can my organization and I be involved?

An integral component of the OVAL effort is broad community participation. System administrators, software vendors, security analysts, and other members of the information security community are encouraged to join the OVAL Community Forum email list to submit new definitions as well as to discuss and debate the definitions currently on the OVAL Web site. Definition authors and major contributors will be acknowledged in each posted definition. In addition, anyone interested in discussing the OVAL Language or OVAL implementation issues is encouraged to join the "OVAL Developer's List." Visit How to Participate for additional information.

A12. Is someone from OVAL available to speak or participate on panel discussions at industry-related events, meetings, etc.?

Yes, members of the OVAL, Common Vulnerabilities and Exposures (CVE), Common Malware Enumeration (CME) and projects are available to present or participate in panel discussions about OVAL, CVE, CME, and/or other vulnerability management topics. Contact oval@mitre.org for more information and availability.

A13. What is the relationship between OVAL and US-CERT/DHS?

OVAL is sponsored by the National Cyber Security Division (NCSD) at the U.S. Department of Homeland Security. US-CERT is the operational arm of the NCSD. OVAL provides its vulnerability content to US-CERT and US-CERT uses this information and the CVE names upon which OVAL vulnerability definitions are based to incorporate into its security advisories when possible.

A14. Does OVAL participate in link exchange arrangements?

No, OVAL does not exchange links with other Web sites. Only authorized links are allowed on the OVAL Web site such as references for OVAL definitions in the OVAL Repository and those for OVAL-Compatible Products and Services, OVAL Board Members, and News about OVAL.

A15. Does OVAL offer RSS feeds?

See OVAL RSS Feeds.

A16. What are OVAL-IDs?

OVAL identifiers (OVAL-IDs) are assigned to all globally reusable components in the OVAL Language including OVAL definitions, objects, states, tests, and variables. OVAL-IDs use the format "oval:Organization DNS Name:ID Type:ID Value" where organization DNS Name is of the form 'org.mitre.oval'; ID Type denotes the entity to which the ID is being applied (and can be one of the following values: def - Definition, obj - Object, ste - State, tst - Test, or var - Variable); and ID Value is an integer that is unique to the DNS name and ID Type pair that precedes it. For example, oval:org.mitre.oval:def:1115 or oval:com.redhat.rhsa:def:20060742.

B. OVAL Language

B1. What is the OVAL Language?

The OVAL Language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment.

The OVAL community has developed three schemas written in Extensible Markup Language (XML) to serve as the framework and vocabulary of the OVAL Language. These schemas correspond to the three steps of the assessment process: an OVAL System Characteristics schema for representing system information, an OVAL Definition schema for expressing a specific machine state, and an OVAL Results schema for reporting the results of an assessment.

See About the OVAL Language and Structure of the Language for more information.

B2. Why XML?

Every OVAL definition on the OVAL Web site is posted in Extensible Markup Language (XML) under a single OVAL-ID. XML is used as the framework for OVAL Definitions because XML's data centric approach makes it easier to extract the logical criteria of a definition and allows it to be combined with other XML data in order to extend the usefulness of OVAL.

Because they are written in XML, OVAL definitions are machine readable and can be used as part of information security products and services, or the pseudocode can be read in hardcopy or electronic form by information security professionals such as system administrators, security analysts, etc. For tool vendors, XML are specifications and not implementation requirements. The XML information in OVAL can be converted into whatever implementation structure or format necessary for your tool or service.

Information about XML and programming in XML can be found in numerous locations on the Internet, including the World Wide Web Consortium Web site, through search engines such as Google, Yahoo, etc., in bookstores, or at your local library.

B3. Who created the OVAL schemas?

The OVAL schemas are created by MITRE and members of the OVAL Developer's List and approved by the OVAL Board. Visit the OVAL Language Releases page to review or download the schemas.

B4. Is there technical documentation that explains the XML elements, types, and attributes that comprise the OVAL Schemas?

Yes, OVAL Element Dictionaries for the latest version of OVAL are available as documentation downloads in the OVAL Language section.

C. OVAL Repository

C1. What is the OVAL Repository?

The OVAL Repository is the central meeting place for the OVAL Community to discuss, analyze, store, and disseminate OVAL definitions. OVAL definitions are standardized, machine-readable tests written in the Open Vulnerability and Assessment Language that check computer systems for the presence of software vulnerabilities, configuration issues, programs, and patches.

OVAL definitions, which are free to use and implement in information security products and services, are written in Extensible Mark-up Language (XML) and are available for most major platforms. See the OVAL Repository main page to review or download all OVAL definitions posted to date.

C2. What is OVAL content?

OVAL content includes any XML document written in the OVAL Language. For example, OVAL Definitions, OVAL System Characteristics files, and OVAL Results files.

C3. What information is included in an OVAL definition?

"OVAL definitions" are machine-readable, gold standard tests that definitively determine whether the specified software vulnerability, configuration issue, program, or patch is present on a system. There are four main classes of OVAL definitions:

• OVAL Vulnerability Definitions — Tests that determine the presence of vulnerabilities on systems.
• OVAL Compliance Definitions — Tests that determine whether the configuration settings of a system meets a security policy.
• OVAL Inventory Definitions — Tests that whether a specific piece of software is installed on the system.
• OVAL Patch Definitions — Tests that determine whether a particular patch is appropriate for a system.

A "Miscellaneous" class is also available for definitions that do not fall into any of the four main classes. Each OVAL definition includes metadata, a high-level summary, and the detailed definition. Definition metadata provides the OVAL-ID, status of the definition (Draft, Interim, or Accepted), the CVE name or other reference on which the definition (or definitions) is based, the version of the official OVAL Definition Schema the definition works with, a brief description of the security issue covered in the definition, the main author, and a list of the significant contributors to the development of the definition.

The high-level summary includes the following: "Vulnerable software exists," which states the specific operating system (OS), the name of the file with the vulnerability in it, application version, and patch status; and "Vulnerable configuration," which indicates if the service is running or not, specific configuration settings, and workarounds. The detailed portion of definitions provides the logic for checking for the system characteristics (OS installed, settings in the OS, software applications installed, and settings in applications) to indicate that vulnerable software exists, and configuration attributes (registry key values, file system attributes, and configuration files) to indicate that a vulnerable configuration exists.

Each definition is distinguished by a unique identifier (OVAL-ID). OVAL-IDs use the format "oval:Organization DNS Name:ID Type:ID Value" where organization DNS Name is of the form 'org.mitre.oval'; ID Type denotes the entity to which the ID is being applied (and can be one of the following values: def - Definition, obj - Object, ste - State, tst - Test, or var - Variable); and ID Value is an integer that is unique to the DNS name and ID Type pair that precedes it. For example, oval:org.mitre.oval:def:1115. (Note that the OVAL-ID format extends across all of the globally reusable components in the OVAL Language - definitions, objects, states, tests, and variables.)

(Important: OVAL deprecated the use of the SQL format in November 2004. Any SQL versions of OVAL definitions should be considered to be for informational purposes only.)

C4. Who decides what goes in the OVAL definitions?

The OVAL Repository Moderator evaluates and reviews definitions for publication in the OVAL Repository. Once new definitions are published the OVAL Repository they are subject to community review. This community review takes place on the Discussion List, an email list hosted on the OVAL Web site.

C5. How does a vulnerability or exposure become an OVAL definition?

The OVAL Repository uses the publicly known vulnerabilities identified in the CVE List as the basis for its vulnerability definitions. Draft definitions against these vulnerabilities, configuration issues, and patches are written by members of the OVAL Repository community and submitted to the OVAL Repository Moderator for public comment and review. Public comments on new definitions are made on the Discussion List, a lightly moderated public forum for discussing the definitions in the OVAL Repository. After discussion has subsided, any modifications to new definitions are published in the OVAL Repository. Definitions are posted with "DRAFT," "INTERIM," or "ACCEPTED" status. (See "Stages of an OVAL Definition" for a detailed description of this process.)

C6. Where does OVAL find out about the vulnerabilities used in the Vulnerability Definitions?

Most OVAL vulnerability definitions are based on the publicly known vulnerabilities identified in MITRE's CVE List (see C7). This information comes from a variety of public sources including the application and operating system vendors themselves, security tool vendors, public vulnerability databases, and as a direct result of the open discussions on OVAL's Community Forum email list.

On occasion, discussions on the community discussion list may bring to light new potential security vulnerabilities (see C12). In these instances, the relevant information will be forwarded to the CVE Initiative and if accepted, the issue will be assigned a CVE name with candidate status. Any subsequent OVAL definitions developed for this newly identified problem will include this CVE name.

C7. Do the OVAL Definitions address all vulnerabilities and exposures?

No. The intention of OVAL is to be comprehensive with respect to the most recent vulnerabilities identified on the CVE List for the platforms supported (see A3).

C8. What is CVE? What is the relationship between CVE and OVAL?

Common Vulnerabilities and Exposures (CVE®) is a list or dictionary that provides common names for publicly known information security vulnerabilities and exposures. CVE common names make it easier to share data across separate network security databases and tools that are CVE-compatible. CVE also provides a baseline for evaluating the coverage of an organization's security tools. CVE content is determined by the CVE Editorial Board, which is composed of experts from the international information security community. The MITRE Corporation maintains CVE and manages the CVE Editorial Board. See http://cve.mitre.org.

OVAL uses the publicly known vulnerabilities identified in CVE List as the basis for most of the OVAL vulnerability definitions (see C5). If discussions in the Community Forum result in information about new and previously unreported vulnerabilities, this information and any supporting references will be forwarded to the CVE Initiative for possible addition to the list. MITRE manages both CVE and OVAL and the two teams work closely together.

C9. Are the OVAL definitions intended for public use?

OVAL's definitions and Language schemas are all free to download, use, reference, and implement, per the Terms of Use. Members of the community are welcome to comment on OVAL's definitions and schemas on the Community Forum and Developer's List.

C10. How can I get the latest copies of the OVAL definitions? What do they cost, and are there any licensing fees?

You may review or download OVAL definitions from the main page of the OVAL Repository. All OVAL definitions—as well as all schemas and downloads on the OVAL Web site—are free to the public to use, download, reference, and implement with no licensing fees or restrictions as to their use. See the full Terms of Use statement for details.

C11. Can my organization or I submit OVAL definitions?

Yes. Members of the information security community may submit definitions to the OVAL Editor for review. Definitions must be based upon the OVAL Definition schema and the "Submission Guidelines." See Submit an OVAL Definition for the specific steps and requirements.

C12. Can I include OVAL definition information in my product/security advisory/etc.?

Yes. OVAL definition information is free to use.

C13. I discovered a new security problem, how can I get it added to the OVAL Repository?

Except for software configuration issues, programs, and patches, OVAL definitions are based on vulnerability information from CVE entries. If new vulnerabilities come to light in discussions on OVAL's public discussion email list, the information will be forwarded to the CVE Initiative.

Alternatively, after first contacting the vendor, you could post information to mailing lists such as Bugtraq or NTBugtraq. Or, you could contact a vulnerability analysis team, an emergency response team such as CERT, or other organizations that are specifically designed to handle such new information. Once the information has been verified through these other mechanisms, the new entries will make it into CVE and then be available to OVAL.

C14. How do I search the Repository by OVAL-ID?

“Search by OVAL-ID” feature is located on the OVAL Repository’s home page that allows users to search for any component in the OVAL Language that has been assigned an OVAL-ID including OVAL definitions, objects, states, tests, and variables (See A16. What is an OVAL-ID?).

You may “Search by OVAL-ID” by entering any of the following:

Definition ID – Searches the OVAL Repository for the single definition with the specified ID, for example searching for “oval:com.example:def:123” would return a url for that definition.

Definition Type & Integer – Searches the OVAL Repository for all definitions regardless of namespace that have the specified integer component. For example, searching for “def:123” would return the following results: oval:com.example:def:123, oval:org.mitre.oval:def:123, oval:com.abc:def:123, etc.

Integer-only – Searches the OVAL Repository for all OVAL Definitions whose Definition ID has the specified integer component. For example, searching for “123” would return the following results: oval:com.example:def:123, oval:org.mitre.oval:def:123, oval:com.abc:def:123, etc.

ID Type & Integer – Searches the OVAL Repository for all definitions that use any OVAL-ID of the specified ID Type with the specified integer components. For example, searching for “tst:123” returns all definitions that use any test with the specified type and integer components. See the example above for how to search for 'def' type.

Compete ID Other than Definition ID – Searches the OVAL Repository for any definitions that use the specified ID, for example, “oval:com.example:obj:123”. See above for how to search by “Definition ID,” which is handled differently.

C15. How do I search the Repository by OVAL Metadata?

The OVAL Repository’s Advanced Search page allows users to search OVAL Definitions by any combination of the following: title, description, platform, product, contributor, organization, class, family, status, reference source, and/or reference number. You may also search by OVAL-ID (see C14. How do I search the Repository by OVAL-ID?).

OVAL Tests, Objects, States, and Varaibles may also be searched on by their metadata.

D. OVAL Compatibility

D1. What does it mean to be "OVAL-compatible"?

"OVAL-compatible" means that a tool, service, Web site, database, or advisory/alert incorporates OVAL in a pre-defined and standard way. A product or service is considered OVAL-compatible if it uses OVAL as appropriate for communicating details of vulnerabilities, patches, security configuration settings, and other machine states.

To be OVAL-Compatible a product or service must:

1. Comply with one or more of the OVAL Language schemas:
   • OVAL System Characteristics
   • OVAL Definition
   • OVAL Results
2. Use OVAL as one or both of the following:
   • "Producer" that generates data that conforms to a specific schema
   • "Consumer" that utilizes an existing data set for some purpose

Specifically, a product/service must adhere to the Requirements and Recommendations for OVAL Compatibility. For more information see About OVAL Compatibility, Benefits of OVAL Compatibility, Compatible Products and Services, and Declarations to Be OVAL-Compatible.

D2. I don't understand the compatibility categories for OVAL compatibility. What are OVAL "producers" and "consumers"?

When talking about OVAL compatibility it is necessary to consider each of the OVAL Schemas and how they will be used-that is, by information security products and services that are producers and/or consumers of the of one or more of the three types of OVAL Language schemas. "Producers" generate data that conforms to a specific schema (for example, a software inventory tool that gathers OVAL Systems Characteristics information, a software vendor who creates draft definitions in their security bulletins, and vulnerability assessment tool that outputs its test findings in accordance to the OVAL Results schema), while "consumers" utilize an existing data set for some purpose (for example, a vulnerability assessment tool that draws in the OVAL System Characteristics file and then runs OVAL tests against the information rather than directly gathering the information at run-time, a remediation tool that imports the OVAL Results, and an organizational status reporting tool that uses the OVAL Results to provide information on conformance with policy).

A product or service may be a producer and/or consumer of information from one schema or multiple schemas.

D3. How can my product or service be made OVAL-compatible? Are there specific requirements that must be met?

See About OVAL Compatibility and Requirements and Recommendations for OVAL Compatibility for more information.

D4. How can OVAL-compatible products and services help me?

See Benefits of OVAL Compatibility.

D5. Can my organization register our product or service as OVAL-compatible?

To make a declaration of OVAL compatibility, send an email to oval@mitre.org with your company name and contact information, the type of product, the name of the product(s) or service(s), and the way in which your product is or will be OVAL-compatible.

D6. Can my organization be listed for supporting OVAL?

Yes, organizations with capabilities that support the use of OVAL can be listed on the OVAL Supporters page. Send an email to oval@mitre.org to request that your capability be added to the list.

E. OVAL Community Forum & OVAL Board

E1. What is the role of the OVAL Community Forum email list and how can I join?

The OVAL Community Forum email discussion list is a lightly moderated public forum for new and previously posted OVAL vulnerability, compliance, and patch definitions, as well as the vulnerabilities and configuration issues themselves that affect definition writing.

Active participation is an important part of the OVAL effort. System administrators, software vendors, security analysts, developers, and other members of the information security community are all invited to participate. A confirmation will be sent to you verifying your addition to the list(s). View our Privacy Policy.

E2. What is the role of the OVAL Developer's List and how can I join?

The OVAL Developer's List is a public email discussion forum for discussing the OVAL Language schemas as well as specific topics for developers such as addressing OVAL implementation issues and for assisting other developers in incorporating OVAL information into their tools and services.

Active participation is an important part of the OVAL effort. System administrators, software vendors, security analysts, developers, and other members of the information security community are all invited to participate. A confirmation will be sent to you verifying your addition to the list(s). View our Privacy Policy.

E3. Who is the OVAL Board?

The OVAL Board includes members from major operating systems vendors, commercial information security tool vendors, academia, government agencies, and research institutions. Other information security experts will be invited to participate on the Board on an as-needed basis based upon recommendations from Board members. Archives of Board meetings and discussions are available for review and comment in the OVAL Board section of the OVAL Web site.

E4. What is MITRE?

In partnership with government clients, The MITRE Corporation (MITRE) is a not-for-profit corporation working in the public interest. It addresses issues of critical national importance, combining systems engineering and information technology to develop innovative solutions that make a difference.

MITRE's work is focused within three Federally Funded Research and Development Centers (FFRDCs). One FFRDC performs systems engineering and integration work for Department of Defense C3I. A second performs systems research and development work for the Federal Aviation Administration and other civil aviation authorities. The third FFRDC provides strategic, technical and program management advice to the Internal Revenue Service and the Treasury Department.

An example of another FFRDC that plays a role in the security community is the Software Engineering Institute (SEI) at Carnegie Mellon University, of which the CERT Coordination Center is a part.

E5. What is MITRE's role in OVAL?

MITRE created the OVAL Board, maintains OVAL with assistance from the Board, moderates the OVAL Community Forum and OVAL Developer's email lists, and provides neutral guidance throughout the process to ensure that OVAL serves the public interest.

E6. Why is MITRE maintaining OVAL, and how long does MITRE plan to maintain it?

In accordance with its mission, MITRE has traditionally acted in the public interest. Its unique role allows it to provide an objective perspective to this effort. MITRE will maintain OVAL as long as it serves the community to do so.

F. OVAL Interpreter

F1. What is the OVAL Interpreter?

MITRE's reference OVAL Interpreter is a freely available implementation of OVAL created to show how information can be collected from a computer; how definitions can be used to test the system for software vulnerabilities, configuration issues, programs, and patches; and how results of these tests can be presented. You may download the Interpreter to any computer you wish, and as many computers as you wish.

Once installed, running the Interpreter will provide you with a list of OVAL-IDs and their references (e.g., CVE names) determined by OVAL to be present on the system. Definition writers may also use the Interpreter during development of draft definitions for correct syntax and adherence to the OVAL Schema. MITRE developed the OVAL Interpreter to demonstrate the usability of the OVAL Language schemas and OVAL Definitions. Refer to the Download the OVAL Interpreter page for the availability and most recent versions of the Interpreter.

NOTE: The OVAL Interpreter is only one example of the many uses of OVAL. Visit About OVAL Compatibility to learn more about the many ways information security products and services can be compatible with the OVAL.

F2. What are the OVAL Interpreter terms of use?

The Reference Interpreter and its source code are subject to the terms of the Berkeley Software Distribution License (BSD). You may download the OVAL Interpreter to any computer you wish, and as many computers as you wish. MITRE provides the OVAL Interpreter, OVAL definitions, and OVAL Language schema for free as a public service. Security remains the responsibility of the user.

F3. What's included in the OVAL Interpreter download? What platforms are supported?

The OVAL Interpreter download consist of the following:

• The Reference Interpreter
• OVAL XML Schemas for the selected operating system (OS)
• All "Accepted," "Interim," and "Draft" definitions for the selected OS
• OVAL System Characteristics schema (input schema) and OVAL Results schema (output schema)
• Read Me/Installation Instructions
• Berkeley Software Distribution License (BSD)

Visit the Download the OVAL Interpreter page for OS availability and the most recent version of the Interpreter.

F4. What are the "Data Files"? How often are they updated?

OVAL Data Files are intended for use with the reference OVAL Interpreter and include all Accepted, Interim, and Draft vulnerability, compliance, inventory, and patch definitions for a platform. The latest Data Files and MD5 hash/checksum may be downloaded from the Data Files page. MITRE uses MD5 hash/checksum verification (when applicable) to ensure that the data files and installation program for the OVAL Interpreter have not been modified in any manner, i.e., that the program components or that the OVAL definitions have not been tampered with or potentially malicious content added. A data file that has been tampered with may cause the Interpreter to generate misleading results.

Updates and revisions to the OVAL Interpreter are announced on the News page and in OVAL's free e-newsletter. Periodically refer to the Data Files page to ensure you are using most up-to-date file versions, or sign-up for our OVAL Repository RSS feed to receive notification of when the Repository and Data Files have been updated.

F5. After running the OVAL Interpreter, why do I receive the following message: "You must supply the MD5 hash for the data file or use the -m command to skip the MD5 check"?

The OVAL Interpreter is set up to validate that the Data Files have not been tampered with by checking the MD5 hash (or checksum) generated from the Data Files on your computer with an MD5 hash provided by MITRE on the OVAL Web site. In order to start the Interpreter you must provide this MD5 hash. From the command line, type the program name 'ovaldi.exe', then add a space and type the MD5 hash value from the OVAL Web site. For example:

ovaldi.exe 897237212305b2d7a4dd5fa6b4e226fc

If you want to use some of the advanced option flags, place them between the program name and the MD5 hash. For example:

ovaldi.exe -i myData.xml -s 897237212305b2d7a4dd5fa6b4e226fc

If you do not want to supply the MD5 hash and are confident that the Data Files on your computer have not been tampered with, you can supply the -m flag to skip the MD5 check. For example:

ovaldi.exe -m

NOTE: We suggest caution when using the -m option. A Data File that has been tampered with can cause misleading results to be generated. MITRE recommends that you always supply a valid MD5 hash from the OVAL Web site when using the Interpreter.

F6. I ran the OVAL Interpreter with the -v flag and got errors, should I worry about them even though the Interpreter seemed to run fine?

Most of the messages produced when the -v flag is set are the result of registry keys and files not existing on your system. This kind of message is informational, rather than an error. An OVAL Definition may have tests to retrieve information about specified objects (files, registry keys, etc.). In some systems, these objects simply do not exist, perhaps because a particular application or software component is not installed.

For example, installed patches are determined by the existence of certain registry keys. If a patch is not installed, then the registry key will not exist. When the Interpreter evaluates an OVAL definition, it attempts to collect information about this registry key on the system. If the key is not found, the patch is not installed. Since these missing objects are not really errors, they are not normally reported to the user, but appear when the -v option is specified.

Scan through the list of messages produced by the -v flag and look for errors that are not common. These could signify that something is working incorrectly.

F7. How can I read the results of an OVAL analysis?

The results of an OVAL analysis are written in XML, which is difficult to read (this is why we also post pseudocode for OVAL Definitions). The OVAL Interpreter includes sample XML style sheets that will convert an OVAL Results file to a formatted HTML file for readability. The sample style sheets can be found in the XML directory of the OVAL Interpreter. See F8. How do I run an XML style sheet? for instructions on running an XML style sheet.

F8. How do I run an XML style sheet?

There are several ways to run an XML style sheet, including Web browsers. There are also other tools available that will run XML style sheets, and some excellent code libraries for programming. Numerous resources on this topic are available on the Web such as http://www.xml.com/pub/a/2003/11/26/learnXSLT.html on XML.com.

Running a style sheet with a Web browser

Most Web browsers are capable of running an XML style sheet. This is the simplest way to run a style sheet. Start by adding the following line to the top of the OVAL Results file after the initial XML tag:

<?xml-stylesheet href="myXmlStyleSheet.xsl" type="text/xsl"?>

The top of the file should look like:

<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<?xml-stylesheet href=" myXmlStyleSheet.xsl" type="text/xsl"?>

Next, open the file in a current browser and the browser will run the XML style sheet and generate the resulting HTML view of the XML.

XML Style Sheet Tools

netBeans is a free Java IDE that has a great deal of XML capabilities built into it and can be used to run any specified style sheet on an XML file and view the results. More information about netBeans can be found at http://netbeans.org.

Code Libraries

Xerces and Xalan are free XML libraries with versions available in several programming languages. More information about Xerces and Xalan is available at http://xml.apache.org.

F9. What can I do with the results of an OVAL analysis?

The results of an OVAL analysis are written to results.xml file in the working directory by default. Optionally the results can be written to any file by using the -r command when running the OVAL Definition Interpreter. The results file is written in XML according to the OVAL Results Schema.

Review the results

The results can be converted to html or another user-friendly form using an XML style sheet. See F8. How do I run an XML style sheet? for instructions on running an XML style sheet.

Use the results in another application

OVAL Results files can be consumed by other applications that understand the OVAL Results schema.

F10. Is source code available for the OVAL Interpreter?

Yes. MITRE has released the source code for the OVAL Interpreter to further assist developers in incorporating OVAL information into their tools and services, per the terms of the Berkeley Software Distribution License (BSD). For assistance in building the source, read the instructions appropriate to your platform contained in the 'docs' directory of the source code download.

NOTE: The Definition Interpreter is itself only one example of the many uses of OVAL. Visit About OVAL Compatibility to learn more about the many ways information security products and services can be OVAL-compatible.

Page Last Updated: March 06, 2008