Red Hat and OVAL compatibility
Q: What is the OVAL project?
The Open Vulnerability and Assessment Language (OVAL) project, maintained by The MITRE Corporation, is an international information security effort that promotes open and publicly available security content, and seeks to standardize the transfer of this information across the entire spectrum of security tools and services. Refer to http://oval.mitre.org/ for further information.
Q: What is Red Hat doing with the OVAL project?
The Red Hat Security Response team helps customers evaluate and manage risk by tracking and investigating all security issues affecting Red Hat customers and providing timely and concise patches and security advisories via Red Hat® Network®.
Red Hat will be creating and supporting OVAL patch definitions, providing machine-readable versions of our security advisories. This will allow OVAL-compatible tools to test for the presence of the described vulnerabilities.
Red Hat was a founding board member of OVAL in 2002, and made a declaration of OVAL compatibility in May 2006.
Q: What Red Hat products will be OVAL compatible?
Red Hat currently provides OVAL patch definitions for security updates to Red Hat Enterprise Linux 3, 4, 5, and 6.
Q: How do I obtain the OVAL patch definitions?
The OVAL patch definitions are available individually and as a complete package, and are updated within an hour of a new security advisory being made available via the Red Hat Network:
http://www.redhat.com/security/data/oval/
Q: Will Red Hat provide tools to parse these definitions?
At this time Red Hat does not ship an OVAL definition interpreter. Many third-parties are creating both open source and commercial definition parsers that are OVAL compatible.
Q: How is OVAL different from Red Hat Network?
The Red Hat Network is an enterprise system management tool that keeps Red Hat Enterprise Linux systems up-to-date with the latest errata, and reports which systems need which updates. Red Hat support for OVAL provides an alternative machine-readable view of Red Hat security advisories, allowing administrators to use OVAL compatible tools to determine the patch state of software across heterogeneous networks.
Q: Why are you using an OVAL patch definition rather than a vulnerability definition?
Each OVAL patch definition maps one-to-one to a Red Hat Security Advisory (RHSA). Since an RHSA can contain fixes for multiple vulnerabilities, each vulnerability is listed separately by its CVE name, and has a link to its entry in our public bug database.
Q: Why are tests that check the RPM signature included?
Our OVAL patch definitions include a test to check if an RPM is signed by the appropriate Red Hat package signing key. This test is necessary to avoid false positives and negatives caused by users who may rebuild packages themselves or use packages from upstream. The signature check is necessary to maintain backwards compatibility and does not check a system's integrity or detect other deficiencies.
Q: What level of detail do the tests cover?
The Red Hat OVAL patch definitions are designed to check for vulnerable versions of RPM packages installed on a system. It is possible to extend these definitions to include further checks - for instance, to find out if the packages are being used in a vulnerable configuration. These definitions are designed to cover software and updates shipped by Red Hat. Additional definitions are required to detect the patch status of third-party software.
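The two answers above (the RPM signature test and the version-only level of detail) can be seen by walking through how an OVAL-compatible tool evaluates a patch definition. The following is an added example in Python, not Red Hat's code and not an OVAL interpreter Red Hat ships: the embedded XML is a constructed sample shaped like the rpminfo-based definitions, with placeholder ids, a placeholder package name (foo) and a placeholder signing key id, and the "installed" inventory is a constructed dictionary standing in for what a tool would read from the RPM database. The version comparison is a simplified form of rpm's rpmvercmp that omits its tilde and caret rules.

```python
# Added example (not Red Hat's code): evaluate an OVAL patch definition against
# an RPM inventory. The XML is a constructed sample shaped like Red Hat's
# rpminfo-based definitions; ids, package name and key id are placeholders.
import re
import xml.etree.ElementTree as ET

NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "lin": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"}
REDHAT_KEYID = "PLACEHOLDER-REDHAT-KEYID"  # a real file carries the real key id

SAMPLE_OVAL = f"""<oval_definitions xmlns="{NS['oval']}" xmlns:lin="{NS['lin']}">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="patch">
      <metadata><title>RHSA-YYYY:NNNN (placeholder): foo security update</title></metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:example:tst:1" comment="foo is earlier than 0:1.2-3.el5"/>
        <criterion test_ref="oval:example:tst:2" comment="foo is signed with the Red Hat key"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <lin:rpminfo_test id="oval:example:tst:1" version="1" check="at least one" comment="evr">
      <lin:object object_ref="oval:example:obj:1"/><lin:state state_ref="oval:example:ste:1"/>
    </lin:rpminfo_test>
    <lin:rpminfo_test id="oval:example:tst:2" version="1" check="at least one" comment="sig">
      <lin:object object_ref="oval:example:obj:1"/><lin:state state_ref="oval:example:ste:2"/>
    </lin:rpminfo_test>
  </tests>
  <objects>
    <lin:rpminfo_object id="oval:example:obj:1" version="1"><lin:name>foo</lin:name></lin:rpminfo_object>
  </objects>
  <states>
    <lin:rpminfo_state id="oval:example:ste:1" version="1">
      <lin:evr datatype="evr_string" operation="less than">0:1.2-3.el5</lin:evr>
    </lin:rpminfo_state>
    <lin:rpminfo_state id="oval:example:ste:2" version="1">
      <lin:signature_keyid operation="equals">{REDHAT_KEYID}</lin:signature_keyid>
    </lin:rpminfo_state>
  </states>
</oval_definitions>"""

_SEG = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpmvercmp: digit runs compare numerically, alpha runs lexically,
    a digit segment outranks an alpha segment, leftover segments win.
    (rpm's tilde/caret rules are omitted.)"""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
            if kx != ky:
                return 1 if kx > ky else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_evr(evr):
    """'epoch:version-release' -> (int epoch, version, release); epoch defaults to 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return int(epoch), version, release

def evrcmp(a, b):
    """Order two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    return (ea > eb) - (ea < eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def evaluate(xml_text, installed):
    """installed: {name: {"evr": str, "keyid": str|None}} (from the RPM db in practice).
    Returns {definition id: True if the system still lacks that patch}."""
    root = ET.fromstring(xml_text)
    def by_id(section):
        return {e.get("id"): e for e in root.find("oval:" + section, NS)}
    tests, objects, states = by_id("tests"), by_id("objects"), by_id("states")

    def run_test(test_id):
        t = tests[test_id]
        name = objects[t.find("lin:object", NS).get("object_ref")].findtext("lin:name", namespaces=NS)
        st = states[t.find("lin:state", NS).get("state_ref")]
        pkg = installed.get(name)
        if pkg is None:                      # package not installed: cannot match
            return False
        evr = st.find("lin:evr", NS)
        if evr is not None:
            if evr.get("operation") != "less than":
                raise ValueError("only 'less than' is handled in this example")
            return evrcmp(pkg["evr"], evr.text) < 0
        key = st.find("lin:signature_keyid", NS)
        return pkg["keyid"] == key.text      # rebuilt or unsigned package: False

    def run_criteria(node):
        results = [run_test(c.get("test_ref")) if c.tag.endswith("criterion")
                   else run_criteria(c) for c in node]
        return all(results) if node.get("operator", "AND") == "AND" else any(results)

    return {d.get("id"): run_criteria(d.find("oval:criteria", NS))
            for d in root.find("oval:definitions", NS)}
```

Running `evaluate` with an old, Red Hat-signed foo reports the patch as missing; with the updated EVR it does not; and with the old version rebuilt locally (no Red Hat key id) it also does not, which is the false-positive case the signature test exists to suppress. Nothing here inspects how foo is configured, only which RPM is installed, which is the level of detail the definitions cover.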
Q: Where can I go for more information?
The MITRE OVAL website contains an FAQ and more detailed information, including the full schema. If you wish to submit corrections, ask questions, or get more information about the Red Hat implementation of OVAL, contact the Security Response Team at secalert@redhat.com.