Name of Your Organization:

Red Hat, Inc.

Web Site:

http://www.redhat.com

Adopting Capability:

Red Hat Security Advisories

Capability home page:

http://www.redhat.com/security/transparent/oval/

General Capability Questions

Adoption Capabilities

If the functionality is available now, indicate "Yes." If it has been implemented but not released, indicate "Beta". If planned but not currently available, indicate "Planned". If there are no plans for a specific category, that section is not included as part of the questionnaire below.

OVAL Definition Repository — Yes

Product Accessibility <AR_1.9>

Provide a short description of how and where your capability is made available to your customers and the public.

OVAL Definitions for Red Hat Enterprise Linux errata are available individually and as a complete archive, updated within an hour of each new security advisory being made available on the Red Hat Network.

Language Version Indication <AR_1.10>

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content.

The FAQ explains the OVAL version. This is available from http://www.redhat.com/security/transparent/oval/

Capability Correctness Questions

Error Reporting <AR_2.1>

Indicate how a user who discovers an error in the capability’s use of OVAL can report the error.

Email to secalert@redhat.com

Responding to Error Reports <AR_2.2>

Describe the approach to responding to the above error reports and how applicable fixes will be applied.

Policy at https://access.redhat.com/security/team/contact/

Documentation Questions

Adoption Documentation <AR_3.1>

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Adoption for any customers.

http://www.redhat.com/security/transparent/oval/

OVAL Content Error Reporting <AR_3.3>

Provide a copy, or directions to the location, of where the documentation describes the procedure by which errors in OVAL content may be reported for any OVAL content that is produced by the product.

http://www.redhat.com/security/transparent/oval/

Definition Repository Capability Questions

Unique IDs <AR_6.1> <AR_6.2> <AR_6.3>

Describe the process by which IDs are assigned and managed in the repository and how global uniqueness of IDs is ensured.

Each OVAL-ID maps directly to a Red Hat Security Advisory. For example, the Red Hat Security Advisory RHSA-2006:0425 has the OVAL-ID oval:com.redhat.rhsa:def:20060425 and hence the filename com.redhat.rhsa-20060425.xml.

Content Versioning <AR_6.4>

Describe the process by which the versions of Definitions, Tests, Objects, States, and Variables are managed in the repository.

The version numbers used are based on the push count of the advisory (each time the advisory is altered this number increments) as well as a version number of the definition creation tool (so changes to the creation tool will cause the version numbers to change).

Standard References <AR_6.6> <AR_6.7> <AR_6.8>

Indicate how and when CVE-IDs, CCE-IDs, and CPE-IDs are used as references on OVAL Definitions in the repository.

Each OVAL Definition includes an ‘affected_cpe_list’ section containing the list of associated CPE names. Each OVAL Definition contains a list of associated CVE references.
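As an added illustration of the ID scheme described under Unique IDs and of the CVE/CPE references described above (example code written for this page, not Red Hat's tooling): it converts between RHSA IDs, OVAL definition IDs and per-advisory filenames, rejecting malformed input, and summarizes a constructed sample definition. The sample XML, its CVE IDs and version value are placeholders, and its element layout is an assumption based on the OVAL 5 definitions schema.

```python
import re
import xml.etree.ElementTree as ET

# ID scheme from the page: RHSA-2006:0425 <-> oval:com.redhat.rhsa:def:20060425
RHSA_RE = re.compile(r"^RHSA-(\d{4}):(\d{4,})$")
OVAL_RE = re.compile(r"^oval:com\.redhat\.rhsa:def:(\d{4})(\d{4,})$")

def rhsa_to_oval(rhsa_id: str) -> str:  # advisory ID -> OVAL definition ID
    m = RHSA_RE.match(rhsa_id)
    if not m:
        raise ValueError(f"not a well-formed RHSA ID: {rhsa_id!r}")  # refuse to guess
    return f"oval:com.redhat.rhsa:def:{m[1]}{m[2]}"

def oval_to_rhsa(oval_id: str) -> str:  # inverse mapping
    m = OVAL_RE.match(oval_id)
    if not m:
        raise ValueError(f"not a Red Hat RHSA definition ID: {oval_id!r}")
    return f"RHSA-{m[1]}:{m[2]}"

def oval_filename(rhsa_id: str) -> str:  # e.g. com.redhat.rhsa-20060425.xml
    return f"com.redhat.rhsa-{rhsa_to_oval(rhsa_id).rsplit(':', 1)[1]}.xml"

# Constructed sample (not real Red Hat content): the CVE IDs and version are
# placeholders, and the element layout is an assumption based on the OVAL 5 schema.
SAMPLE_XML = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions>
  <definition id="oval:com.redhat.rhsa:def:20060425" version="301" class="patch">
   <metadata>
    <title>RHSA-2006:0425: constructed sample advisory</title>
    <reference source="CVE" ref_id="CVE-2006-0000"/>
    <reference source="CVE" ref_id="CVE-2006-0001"/>
    <advisory from="secalert@redhat.com">
     <affected_cpe_list><cpe>cpe:/o:redhat:enterprise_linux:4</cpe></affected_cpe_list>
    </advisory>
   </metadata>
  </definition>
 </definitions>
</oval_definitions>"""

def summarize(xml_text: str) -> list:
    """Per definition: OVAL ID, derived RHSA ID, content version, CVE refs and CPE list."""
    local = lambda tag: tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix
    out = []
    for d in ET.fromstring(xml_text).iter():
        if local(d.tag) != "definition":
            continue
        cves = [r.get("ref_id") for r in d.iter() if local(r.tag) == "reference" and r.get("source") == "CVE"]
        cpes = [c.text for c in d.iter() if local(c.tag) == "cpe"]
        out.append({"oval_id": d.get("id"), "rhsa": oval_to_rhsa(d.get("id")),
                    "version": d.get("version"), "cves": cves, "cpes": cpes})
    return out
```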

Content Updates <AR_6.9>

Describe the process by which users can retrieve content updates.

Updates are published to the same URL.

Adoption Signature

Questions for Signature

Statement of Adoption <AR_1.2>

"As an authorized representative of my organization I agree that we will abide by all of the mandatory adoption requirements as well as all of the additional mandatory adoption requirements that are appropriate for our specific type of capability."

NAME: Mark Cox
TITLE: Director, Security Response Team

Statement of Accuracy <AR_1.2>

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability’s use of the OVAL Language and the interpretation of the logic."

NAME: Mark Cox
TITLE: Director, Security Response Team

Statement on Follow-On Correctness Testing Support <AR_1.7>

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

NAME: Mark Cox
TITLE: Director, Security Response Team

Page Last Updated: April 13, 2011