Information security can often be a game of cat and mouse: The mouse is played by the vulnerabilities that are found throughout most enclaves, and the cat by security professionals that attempt to eliminate them from their territory.
Every vulnerability that is found and disclosed is researched and implemented by the dozens of proprietary vulnerability scanning software companies. Scanning your enclave with three or four different tools often yields different results. If you change vendors, customization needs to be developed for the new assessment tool. The need for open standardization is clear. MITRE, sponsored by the Department of Homeland Security, created the Open Vulnerability Assessment Language (OVAL), to address these needs.
What does the open vulnerability assessment language do?
It might be easier at this point to tell you what OVAL is not, and eliminate any misconceptions. OVAL is not a silver bullet to solve all your vulnerability and risk management problems. OVAL is not a complete scanning solution or a remediation tool. It is a standardized language. You will need an assessment tool to interpret OVAL content to perform assessments.
Through public scrutiny, direct vendor support, and community development, comes vulnerability content that is reliable and verifiable. OVAL utilizes the robustness of XML to create a standard language for defining, assessing, and reporting vulnerabilities and configurations. Creating a standard language enables the IT industry to share and collaborate on technical configuration information. For example, if a new vulnerability is discovered in VMware or Pidgin (both of which happened during the writing of this article), the maintainers can quickly release the vulnerability scanning content in the form of OVAL definitions, and the security community can use an assessment tool to immediately determine which systems may be vulnerable, and what the risks are. If there are any bugs, false positives or issues with the content, the community is quick to share fixes and results through the use of publicly accessible repositories.
The power of open standards
Those conducting assessments will reap the benefits of the open standards and collaboration, Because when an industry practice is standardized and opened up, we all benefit. Vendors are quick to adopt open standards and integrate them. This has never been more apparent than with OVAL. As of November 2009, there are 20 tools that have already been validated to consume OVAL content (to see the most up-to-date listing, view the Oval Compatibility list). As a security professional, you benefit from the broad vendor support with the portability of your content. No matter what tool you choose the content that you have identified and/or modified to fit your environment will work with it.
So where do you get this content? Most commercial tools will ship with a good set of vulnerability checks built in and receive regular content updates for the subscription period. If you are looking for customized content or content that is specific to a particular security guide or benchmark, one of the OVAL repositories can help. Community and vendor repositories house thousands of definitions that are developed by both the security industry and product developers and are free for all to use. Here are the repositories currently available:
|MITRE Repository||Any platform submitted||Open Community Based Support for configuration and vulnerability information|
|Red Hat Repository||Red Hat Enterprise Linux||Vulnerability content|
|NIST SCAP Repository||Any platform submitted||SCAP related|
As new repositories are created and verified, MITRE will list them on their other repositories webpage. If you are assessing systems for use with the U.S. Federal Government, you will be particularly interested in the NIST SCAP repository. It maintains content that has been developed for the assessing systems based on current federal and vendor guidance, such as the Federal Desktop Core Configuration (FDCC), DISA Security Technical Implementation Guides (STIG), and Microsoft Security guides. A lot of vendors and system maintainers are beginning to write their own content for specific systems. For example, Red Hat has developed the OVAL content to automate their Red Hat Security Guide, and Tresys Technology has developed OVAL content for validating the STIGs against their open source Certifiable Linux Integration Platform (CLIP).
Overview of the OVAL language
We cannot provide an in-depth analysis of OVAL or make you an expert on writing OVAL content here, but instead provide a brief overview. More information may be found at the references provided at the end of this section. An OVAL document defines configuration information through the use of tests, containing objects and associated states. As an example, see this definition for a Red Hat system (PDF) that will verify that SELinux is set to enforcing at boot-time. In this example, you are defining a definition that includes a single test. This test (oval:tresys:tst:1000)simply finds an object (in this case a line in the file /etc/selinux/config) and checks a state (that SELINUX=enforcing). Don't worry if you can't read the example line-by-line, it's meant to be read by machines, not people.
If you are thinking about writing custom checks for your environment, I would suggest checking one of the repositories listed above. Chances are the content you need is already written. The MITRE repository is a good place to start and there is a Firefox add-on for searching the MITRE repository. If you are interested in learning more about writing OVAL content you should check out the OVAL language site for more information. MITRE also offers a free 1-day course on creating custom benchmarks for your environment where you can learn to use the free tools and other standards that are available.
Conducting a vulnerability assessment with OVAL
In order to conduct an assessment with OVAL you need an interpreter. If you do not have an OVAL validated tool to provide the interpretation, MITRE provides an open-source interpreter that works with Windows, UNIX, and Linux: ovaldi. For enterprise level assessment, I recommend using one of the commercially available tools, but for learning and testing OVAL the ovaldi tool is sufficient. Because it is open source, ovaldi is utilized on the CLIP system to interpret the STIG checks Tresys Technology developed for it. By running the following command on CLIP you are conducting the assessment:
#ovaldi -a /usr/share/ovaldi/ -x Clip-Results.html -o /usr/share/clip/verification/clip-ovaldi.xml –m
This command basically tells the oval interpreter to run the clip assessment content (clip-ovaldi.xml) and output a webpage showing the results (Clip-Results.html). The default report Ovaldi outputs shows each test and whether they have passed or failed (true or false respectively). The report formatting is highly customizable, however it's outside the scope of this article to discuss such customization.
Figure 1: OVAL assessment process
Standardization and open collaboration benefits vendors and consumers and advances the industry as a whole. OVAL provides this standardization to the information security community. Security professionals benefit from the portability and easy customization of assessment content, as well as the broad vendor support that it offers. Whether you are assessing the impact of the latest vulnerability or checking for federal compliance, the already huge community of OVAL developers and users will have something to offer you.
ABOUT THE AUTHOR: Edward Sealing is a Linux Solutions Practice Engineer for Tresys Technology, a Columbia, Maryland based Linux security company. He provides testing and development on numerous projects, including his latest one incorporating OVAL into CLIP (Certifiable Linux Platform), an open source Linux security platform tool. Edward spent eight years in the United States Army where he specialized in SATCOM and Information Assurance. In 2006, he was awarded the Bronze Star for his Cyber-Security work while deployed to Kuwait and Iraq. Edward has an Associate's Degree in Computer Science, and has obtained the CISSP and CEH certifications. His specialties include computer network defense as well as auditing and assessing information systems and enclaves.