Open Vulnerability and Assessment Language (OVAL) is an international information security community baseline standard, designed to check for the presence of vulnerabilities and configuration issues on computer systems.
The service supports the OVAL Definition Schema and the Platform Schema for Windows. These schemas define the structure and vocabulary of the OVAL vulnerability definitions. OVAL versions 4.0, 4.1 and 4.2 are supported. To learn more about OVAL, go to: http://oval.mitre.org
Managers have permission to add OVAL vulnerability definitions to the KnowledgeBase making them available for scanning. The service supports OVAL vulnerability definitions for Windows registry tests, Windows file tests and compound tests, which are Boolean combinations of other tests.
Trusted scanning for Windows must be configured and enabled to scan OVAL vulnerabilities. When this feature is enabled in an option profile, the service automatically attempts authentication to target hosts, based on user-supplied credentials, for all scans using the profile. To learn more, see About Trusted Scanning.
The steps below describe how to get started with scanning OVAL vulnerabilities.
The first step is to add new vulnerabilities to the KnowledgeBase. When creating a new vulnerability, you paste in XML for an OVAL vulnerability definition. OVAL vulnerability definitions are free to review and download from the OVAL Web site: http://oval.mitre.org/
For reporting purposes, you must provide text for the Impact and Solution fields. These will appear in vulnerability details whenever the vulnerability is referenced. The Threat field will be automatically populated with text from the <DESCRIPTION> tag in the OVAL XML. Optionally, you may also provide a vendor reference, Bugtraq ID, as well as CVSS Base and Temporal scores.
When saved, the OVAL XML is validated and the new vulnerability is added to the KnowledgeBase. Note that an OVAL ID can be defined for only one vulnerability. When the vulnerability is added, the service automatically assigns it a unique QID starting at 130000. Subsequent QIDs are incremented by one, as in 130001, 130002, 130003, etc.
See Adding OVAL Vulnerabilities for step-by-step instructions.
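Before pasting a definition, it helps to check it against the constraints described above (one definition per OVAL ID, a description that will become the Threat text, and only registry, file or compound tests). The following linter is an added example, not part of this documentation or the service; it assumes the definition/description/*_test element names are matched by local name regardless of OVAL namespace, and the sample XML is constructed and simplified.

```python
import xml.etree.ElementTree as ET

# Test types the page says the service accepts; compound tests are Boolean
# combinations of these, expressed in the definition's <criteria>.
SUPPORTED_TESTS = {"registry_test", "file_test"}

def _local(tag):
    # Drop the namespace so the check works across OVAL 4.0/4.1/4.2 namespaces.
    return tag.rsplit("}", 1)[-1]

def lint_oval_definition(xml_text):
    """Sanity-check one pasted OVAL definition before adding it.

    Assumed layout (local element names, namespace ignored): one
    <definition id=...> with a <description>, and tests named <*_test>.
    'problems' is empty when the XML meets the constraints on this page.
    """
    problems = []
    root = ET.fromstring(xml_text)
    defs = [e for e in root.iter() if _local(e.tag) == "definition"]
    if len(defs) != 1:  # one OVAL ID maps to one vulnerability
        problems.append("expected exactly one <definition>, found %d" % len(defs))
    oval_id = defs[0].get("id") if defs else None
    desc = next((e for e in root.iter() if _local(e.tag) == "description"), None)
    threat = (desc.text or "").strip() if desc is not None else ""
    if not threat:  # this text is what populates the Threat field
        problems.append("no <description> text; the Threat field would be empty")
    tests = {_local(e.tag) for e in root.iter() if _local(e.tag).endswith("_test")}
    unsupported = sorted(tests - SUPPORTED_TESTS)
    if unsupported:
        problems.append("unsupported test types: " + ", ".join(unsupported))
    return {"oval_id": oval_id, "threat": threat, "tests": sorted(tests),
            "unsupported": unsupported, "problems": problems}

# Constructed, simplified sample (not a real OVAL definition): a compound
# check over a registry test and a file test, plus one unsupported test.
SAMPLE_XML = """<oval xmlns="urn:example:oval-sample">
  <definitions><definition id="OVAL-SAMPLE-1">
    <description>Sample: hotfix missing when key and file version match.</description>
    <criteria operator="AND">
      <criterion test_ref="t1"/><criterion test_ref="t2"/>
    </criteria>
  </definition></definitions>
  <tests>
    <registry_test id="t1"/><file_test id="t2"/><process_test id="t3"/>
  </tests>
</oval>"""
```

Running `lint_oval_definition(SAMPLE_XML)` flags `process_test` as unsupported; removing that element yields an empty problem list.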
Trusted scanning through Windows authentication must be configured and enabled in order to scan OVAL vulnerabilities.
If Windows authentication is already set up for your account, continue to Step 3.
To set up Windows authentication, see Getting Started with Trusted Scanning.
Create or edit an option profile that will be applied to the scan. See Managing Option Profiles.
The Vulnerability Detection section on the Scan tab of the option profile is where you specify the vulnerabilities to scan for. For an OVAL scan, it's best practice to select Custom and add a custom search list which identifies this important diagnostic QID:
QID 105186 Errors During Execution of User-Provided Detections
Including this QID provides important information about OVAL detections, such as information about errors reported and why an OVAL detection failed.
Depending on your scan, select the vulnerabilities to include as follows:
To scan for all OVAL vulnerabilities in the KnowledgeBase: 1) Select Custom, 2) add a search list that includes QID 105186, and 3) select OVAL checks in the Include section.
To scan for one or more selected OVAL vulnerabilities: 1) Select Custom, and 2) add one or more search lists that include the OVAL vulnerabilities you want to scan for and QID 105186.
Note: If you select Complete and select OVAL checks in the Include section, all OVAL vulnerabilities that have been added to the KnowledgeBase are included; the diagnostic QID 105186, however, is not.
The Authentication section on the Scan tab of the option profile is where you enable authenticated scanning. You must select Windows to enable Windows authentication in order to successfully scan OVAL vulnerabilities.
After creating or editing the option profile to be used, you are ready to scan. You may launch an on-demand scan or define a scheduled scan.
When detected, OVAL vulnerabilities appear in scan results just like any other vulnerability. Saved scan results show whether authentication was successful. It is recommended that you resolve authentication failures before the next scan. See Verifying Authentication for Scans.
User-provided CVSS Base and Temporal scores for an OVAL vulnerability are displayed with vulnerability details in reports and online views. Final CVSS scores for OVAL vulnerabilities appear in Auto scan reports when asset groups are included in the report target.
Tip: If you only want to report on OVAL vulnerabilities, create a vulnerability search list that includes the OVAL QIDs as well as the diagnostic QID 105186. Note that all OVAL vulnerabilities are assigned to the OVAL category in the KnowledgeBase. Then add that search list to the scan report template.