OVAL - OVAL Repository Overview

OVAL Repository Overview

Introduction | OVAL Definitions | How the Community Participates

Introduction

The OVAL Repository is the central meeting place for the OVAL Community to discuss, analyze, store, and disseminate "OVAL Definitions." OVAL Definitions are standardized, machine-readable tests written in the Open Vulnerability and Assessment Language (OVAL®) that check computer systems for the presence of software vulnerabilities, configuration issues, programs, and patches. OVAL Definitions, which are free to use and implement in information security products and services, are available for most major platforms.

Members of the community contribute definitions by posting them to the OVAL Repository Forum email discussion list, where the OVAL Team and other members of the community review and discuss them. See the OVAL Repository main page to review or download all OVAL Definitions posted to date.

The OVAL Repository is registered as "Officially CVE-Compatible" by the Common Vulnerabilities and Exposures (CVE®) project. For detailed information, see our Statement of CVE Compatibility.

OVAL Definitions

OVAL Definitions, which are written in Extensible Mark-up Language (XML), detect the presence of software vulnerabilities, configuration issues, programs, and patches in terms of system characteristics and configuration information, without requiring software exploit code.

By specifying logical conditions on the values of system characteristics and configuration attributes, OVAL Definitions characterize exactly which systems are susceptible to or have a given vulnerability, whether the configuration settings of a system meets security policies, and whether particular patches are appropriate for a system. System characteristics include operating system (OS) installed, settings in the OS, software applications installed, and settings in applications, while configuration attributes include registry key settings, file system attributes, and configuration files.

There are four main classes of OVAL Definitions:

OVAL Vulnerability Definitions	Tests that determine the presence of vulnerabilities on systems.
OVAL Compliance Definitions	Tests that determine whether the configuration settings of a system meets a security policy.
OVAL Inventory Definitions	Tests that whether a specific piece of software is installed on the system.
OVAL Patch Definitions	Tests that determine whether a particular patch is appropriate for a system.

A "Miscellaneous" class is also available for definitions that do not fall into any of the four main classes. OVAL Vulnerability Definitions are based primarily on Common Vulnerabilities and Exposures (CVE®), a dictionary of standardized identifiers and descriptions for publicly known information security vulnerabilities and exposures developed by The MITRE Corporation in cooperation with the international security community.

Each definition is distinguished by a unique OVAL Identifier (OVAL-ID). OVAL-IDs use the format "oval:Organization DNS Name:ID Type:ID Value" where organization DNS Name is of the form ‘org.mitre.oval’; ID Type denotes the entity to which the ID is being applied (and can be one of the following values: def - Definition, obj - Object, ste - State, tst - Test, or var - Variable); and ID Value is an integer that is unique to the DNS name and ID Type pair that precedes it. For example, oval:org.mitre.oval:def:1115. (Note that the OVAL-ID format extends across all of the globally reusable components in the OVAL Language — definitions, objects, states, tests, and variables.)

OVAL definitions are free to review or download from the OVAL Repository on the OVAL Web site.

Information Included in an OVAL Definition

Each OVAL Definition includes metadata, a high-level summary, and the detailed test. Definition metadata provides the OVAL-ID, status of the definition (Draft, Interim, or Accepted), the CVE Identifier or other reference on which the definition (or definitions) is based, version of the OVAL Definition Schema that the definition works with, a brief description of the security issue covered in the definition, the main author, and a list of the significant contributors to the development of the definition.

The high-level summary includes the following: "Vulnerable software exists," which states the specific OS, the name of the file with the vulnerability in it, application version, and patch status; and "Vulnerable configuration," which indicates if the service is running or not, specific configuration settings, and workarounds. The detailed portion of definitions provides the logic for checking for the system characteristics (OS installed, settings in the OS, software applications installed, and settings in applications) to indicate that vulnerable software exists, and the configuration attributes (registry key values, file system attributes, and configuration files) to indicate that a vulnerable configuration exists.

Writing and Submitting OVAL Definitions

The OVAL Definition Schema is the language framework for writing OVAL Definitions. Any member of the OVAL Community may submit OVAL Definitions. See the Submission Guidelines for instructions on how to write and submit OVAL Definitions.

How the Community Participates

OVAL Definitions are written by members of the OVAL Community, which includes the OVAL Board, organizations with OVAL-Compatible information security products and services, and members of the OVAL Repository Forum email list.

The Repository Forum is a lightly moderated public discussion list for those interested in writing, submitting, and discussing new and previously posted definitions, as well as the vulnerabilities and configuration issues themselves that affect definition writing. See Stages of an OVAL Definition for a complete description of how definitions are created by the community and added to the Repository.