OVAL Board Minutes
2008-01-14
Attendees
Jon Baker – MITRE (Moderator)
Bryan Worrell - MITRE
Steve Boczenowski - MITRE
Bob Martin - MITRE
Matthew Wojcik - MITRE
Rob Hollis - ThreatGuard, Inc.
Melissa McAvoy - DoD
Tim Keanini - nCircle Network Security, Inc
Jay Graver - nCircle Network Security, Inc
Alex Quilter - Hewlett-Packard
Nick Hansen - Hewlett-Packard
Kent Landfield - McAfee
Carl Banzhof - McAfee
William McVey - Cisco Systems
Mark Cox – Red Hat
Dave Waltermire - Booz Allen Hamilton
Andrew Bove - Secure Elements
Jim Hensen - BigFix, Inc.
Nils Puhlmann
Nick Connor - Assuria Limited
Meeting Summary
Agenda
Welcome
Recent oval-board-list Conversations
- Funding
- Compatibility Transition
OVAL Interpreter
2008 RSA Conference Planning
2008 OVAL Developer Days
External Repository Guidelines
Where to Next?
New Areas of Content Growth
Questions & Concerns
Welcome
After a quick welcome the planned agenda was modified to first address any comments, questions, or concerns over recent oval-board-list conversations.
Recent oval-board-list Conversations
Two topics have been discussed in the past week on the oval-board-list that need to be brought to everyone's attention: funding and compatibility transition.
Funding Update:
In July of 2007 MITRE announced that DHS had reduced the funding of OVAL and several other projects. In preparation for this quarterly call an OVAL Board member asked about the current funding status of the OVAL project at MITRE. The following response was sent to the oval-board-list and reiterated during the conference call:
“For FY08, we have seen a slight increase in funding for the OVAL project from DHS. While we are not back at the funding level of a couple years ago, we feel comfortable that we can continue to support and advance OVAL with our current funding. One of the factors that will enable this is the fact that NIST is developing a validation program for OVAL. This will allow NIST to apply its resources and experience in running validation programs to ultimately benefit the success of OVAL.”
Compatibility Transition:
An OVAL Board member asked for clarification about the plans for any transition to a NIST-run OVAL validation program and what role, if any, MITRE and the OVAL Board would play in such a transition. The following response was sent to the oval-board-list and summarized during the conference call:
“MITRE would like to rely on the OVAL Board for guidance when it comes to making the decision to stop running the OVAL Compatibility testing here at MITRE and defer to the NIST-run program. As I previously stated MITRE will continue to run the OVAL Compatibility program until NIST has developed a program capable of testing the standard, not just the SCAP usage of the standard. After any transition occurs MITRE will work with NIST and the OVAL Board to ensure that the NIST run program remains true to the standard as it evolves independent of SCAP.”
Kent Landfield: The compatibility tests currently defined at NIST are not as strict as the OVAL Compatibility program’s requirements.
Dave Waltermire: What is currently being developed at NIST is focused on the FDCC scanning capability. From a SCAP perspective the requirements for OVAL validation are less stringent.
Kent Landfield: This is a problem because there seems to be a notion that if you are SCAP compliant, then you are compliant with the individual models that compose SCAP. Having one less strict than another is going to cause issues.
Dave Waltermire: There has always been a need for a standalone OVAL evaluation and that is planned for the future at NIST.
Jon Baker: The OVAL Compatibility program will continue to run at MITRE until NIST has created a program that is true to the OVAL Language, not just the use cases that are needed for SCAP. Once such a program is ready MITRE and the OVAL Board will work together with NIST to determine when it is appropriate to stop running OVAL Compatibility testing at MITRE and defer to the NIST run program.
OVAL Version 5.4
The first draft of OVAL Version 5.4 was posted on Friday, January 11, 2008. Please take a moment and review the “New In Version 5.4” section of the OVAL 5.4 release page. Note that the recent posts from Hewlett-Packard related to the VMware ESX Server Schema and HP-UX Schema are not yet included in the DRAFT of version 5.4.
We currently plan to have a release candidate of version 5.4 posted on January 30, 2008. If all goes well the release date will be February 20, 2008.
OVAL Interpreter
An update to the OVAL Interpreter is on the way for this month. This update will include:
• Minor bug fixes.
• Linux code contributions from Debian and Red Hat.
• Linux build updates developed with the support of Debian, Red Hat, and Maitreya Security.
• NIST Feature requests to support SCAP Compliance Testing.
Jon Baker: Are we getting to a point where we need to advance the OVAL Interpreter to be a more complete reference implementation? To date we have limited the scope of the OVAL Interpreter to simply cover the language constructs in use in the OVAL Repository. As we are seeing an increase in OVAL adoption we are seeing more frequent implementation questions on our mailing lists and there is now a greater diversity of content written in the OVAL Language.
Kent Landfield: NIST is going to be using the interpreter for validation and comparisons against the vendor tools. The reference implementation needs to be complete, even if it isn't elegantly written or efficient--it just needs to work.
Dave Waltermire: Because the interpreter is not complete it is hard to trust the results from the labs which will use the interpreter for testing.
Dave Waltermire: Having a complete interpreter can be helpful when trying to understand what a less-than-intuitive test is attempting to accomplish.
Jon Baker: We don't want to release a tool that could be considered to rival a commercial tool. If we provide a complete reference implementation are we going too far?
Kent Landfield: We need a tool that can be used for testing purposes as an A-B comparison tool against ours to make sure we are following the correct OVAL validation conventions.
Rob Hollis: If the scope of the interpreter is going to be expanded can the BSD License be changed to something else that is a little less open, like something that states free for non-commercial use?
Jon Baker: The interpreter is being bundled with a couple of OSes, which is a big win for the OVAL Language and adoption of the standard. Changing the license would likely prevent this sort of promotion of OVAL.
Tim Keanini: Changing the license of the interpreter will likely cause problems for OVAL and the community and will likely not further the standard.
Kent Landfield: We want to move the language forward. Placing restrictions on the license may hinder progress within the community.
Jon Baker: The OVAL Interpreter is written to demonstrate how to evaluate an OVAL Definition. When considering new features and enhancements for the OVAL Interpreter we try to keep this goal in mind and avoid unneeded capabilities.
Jon Baker: Based on the current community feedback it seems clear that we need to extend the interpreter to implement more of the tests defined in the OVAL Language. MITRE has been working with NIST to support their validation program with the interpreter. Our focus will be to ensure that the content produced for the FDCC is supported. Are there other content streams that we should ensure coverage for?
Jon Baker: Providing a more complete reference implementation will help us avoid errors in new tests and other language features moving forward and should result in a better language that is easier to understand and adopt.
2008 RSA Conference Planning
This year the RSA Conference will be April 7-11, 2008. MITRE will once again be hosting the “Making Security Measurable” booth and providing co-promotion signs to other booths supporting OVAL, CVE, and CWE. We do not have any sort of OVAL Compatibility demo planned for this year’s expo. We are just now starting the planning for our booth and are looking for suggestions.
Kent Landfield: With SCAP being the unifying theme, would it make sense to see if we could get NIST to cooperate and participate in the MITRE booth?
Dave Waltermire: NIST isn't really planning on doing much at RSA.
Melissa McAvoy: There will be an NSA booth.
Bob Martin: Is it possible to make sure that the NSA booth has some SCAP documents in it?
Melissa McAvoy: It is not clear that there will be someone in the NSA booth who is knowledgeable enough to speak about SCAP.
Group: We can/should coordinate to make sure that there are flyers in the NSA booth that mention SCAP and possibly point people to the MITRE booth.
2008 OVAL Developer Days
We are looking to host OVAL Developer Days the week of May 5, 2008 here in Bedford, MA. The primary focus of this year’s OVAL Developer Days will be to define the requirements for Version 6.0 of OVAL. As much as possible we would like to keep the event focused on OVAL 6.0.
In the near future we will start working on version 6.0. Expect to see emails on the oval-developer-list shortly after the 5.4 release is official. Be thinking of requirements for version 6.0.
Dave Waltermire: Maybe we can talk about how to better couple OVAL and XCCDF?
Rob Hollis: Maybe start with OVAL and then work into the other standards towards the end of the week.
Unknown: Later in the week we could focus on the other efforts including CRF.
Jon Baker: Common Result Format (CRF) aims to facilitate data aggregation across varying tools with different focuses by leveraging the work of CPE, CCE, and CVE. If you are interested in CRF please see: http://crf.mitre.org. A draft specification is posted there for community review. CRF is not currently funded but we'd love to see it move forward.
MITRE will work with the community over the oval-developer-list to establish an agenda for this year’s Developer Days.
External Repository Guidelines
On December 27, 2007 an initial email was sent to the oval-discussion-list to start a conversation about establishing a set of guidelines for repositories of OVAL Definitions. We would like to use this conversation to drive creation of a guidelines document that will be available on the OVAL Web site.
The purpose of a set of guidelines is to provide consistency among repositories of OVAL Definitions and give suggestions to repository hosts. We do not want to create a set of requirements that will discourage existing or potential repository hosts.
Where to Next?
Where should we be looking next?
Kent Landfield: Integration issues. It is great that OVAL has grown as much as it has, but now it is becoming something larger and its success depends on how it interacts with the larger suite.
Kent Landfield: Something has to drive OVAL forward on the commercial side, not just government/educational side. OVAL has the ability to take on additional features that haven’t been addressed yet. Specifically, remediation and not just detection.
Jon Baker: We would love to do that work but we feel that we don't have the funding under OVAL to tackle that project. There is a lot of experience that could be leveraged on the OVAL Board.
Kent Landfield: Vendors may be able to collaborate and provide a draft specification for an open remediation language.
Kent Landfield: We've talked about this before and want it to happen. We want it community driven instead of having several vendors each setting up their own forum.
Jon Baker: Under the OVAL project we will create a list to facilitate community discussion aimed at defining a standardized remediation language. The list will be introduced to the oval-developer-list and links will be added to it from the OVAL Web site.
Matthew Wojcik: The people on the government side pushing OVAL/FDCC/SCAP clearly have their hands full. The community could pick this up instead of loading more work on to the government. The community could also help us keep OVAL from becoming a government standard by helping us keep it alive in the commercial sector.
Matthew Wojcik: If there are people out there that feel this is becoming a government-only standard, we need to know about it.
Kent Landfield: FDCC is only one use case of SCAP. I will be using and promoting the SCAP standards for FDCC and other use cases.
Dave Waltermire: There are some foreign governments using SCAP, not just the U.S.
Rob Hollis: MITRE is custodian over most of the moving parts of SCAP, but two parts are managed elsewhere (XCCDF and CVSS). SCAP may have limitations on a global scale if the Federal Government controls part of it. Is it possible to bring all of the SCAP related standards together under one roof?
Kent Landfield: This is not likely. The best we can do is keep working with OVAL and MITRE while pushing governance of the standards out of NIST/NSA/Government and into a third party like MITRE or some other non-profit organization.
Melissa McAvoy: This is a difficult situation because these standards are all funded by the government. There are not currently any volunteers offering to take over XCCDF and fund its development.
Jon Baker: Agreed.
Dave Waltermire: We all want to make sure that these standards succeed and achieve their broader goals.
Kent Landfield: We need to think about how to transition these standards and their governance into the community from the government. We need to figure out how to get around these funding/management/control issues.
New Areas of Content Growth
Are there areas where we should be focusing our outreach efforts to establish new types of content streams?
Alex Quilter: We'd like to see OVAL Definitions being published by networking vendors like Cisco.
William McVey: We should coordinate our efforts.
Questions & Concerns
Rob Hollis: Did the transition to a new format of OVAL Repository Downloads happen? The old downloads continue to work.
Jon Baker: Yes, the transition occurred. There are no longer any references to the old format downloads on the site. We left behind the actual files though. Our plan is to remove them and put in a redirect to the new format downloads in the next few weeks.
Page Last Updated: February 07, 2008