Before diving into the OVAL, we shall quickly brief the project from where it has evolved.
Overview of SCAP
Security Content Automation Protocol (SCAP), a project from NIST is widely adopted by many software and hardware manufacturers as a sophisticated framework of specifications for management and governance programs that can fall into the scope of automation such as configuration management, vulnerability management, system inventory identification, auditing and so on.
An organization can adopt SCAP standards by generating or consuming SCAP content which would be in an XML format where each of the SCAP components will have its own XML namespaces.
This framework of interoperable specifications encompassed several standards otherwise called SCAP Components. As we are unable to elucidate all of the components in this series of blog posts, we will be mainly focusing on “OVAL”, hence this brief.
SCAP components include many standards such as:
Supporting these components, there are several tools available which we can leverage to automate the derived definitions. One of them would be “OpenSCAP (oscap)” which we would be using later to perform the scan in this series of blogs posts.
Introduction of OVAL
OVAL (Open Vulnerability Assessment Language), a community standard from MITRE can be used to define the expected configuration aspects of the system under tests and report the actual state of the systems. The flexibility of using logical assertions on a state of an endpoint makes OVAL much more powerful and significant.
The OVAL not only enables interoperability between security products but also sets a standard for turning the information into an actionable format.
The use cases of OVAL capabilities help different verticals to achieve different tasks and some of those are as follows:
OVAL is not only limited to these but also a myriad other use cases. We would be sharing our research and another interesting avenue where we can fully leverage OVAL and its capabilities in upcoming blog posts.
Who is using OVAL
Through OVAL Adoption Program, many organizations and security products adopted OVAL complying interoperability between a wide variety of products and services which helps to secure the enterprise. You can find the organizations using OVAL in this list.
Since the OVAL community engagement and maintenance transitioned to CIS security, any individual or an organization could leverage CIS- security repository to find the updated OVAL content.
Anatomy of OVAL
The OVAL language is a pre-defined standard that can be used to describe the expected state of resources such that the tools function as OVAL interpreter could understand and scan the desired targets (there are a few OVAL interpreters such as “OpenSCAP (oscap)”, “jOVAL” which we would be discussing further). These expected states are a set of instructions defined in a standard XML schema called “OVAL Definitions” and the file be called an OVAL Definitions file.
A file can comprise one or more OVAL definitions and each of these definitions can have one or more tests describing desired configuration of a system by using logical assertions as shown in Fig-1.
Primarily there are four types of OVAL Definitions denoted in an attribute ‘Class’ while writing the definitions, as follows:
Based on these classes the OVAL interpreter collects the details of a system and compares the defined instructions with the collected system characteristics of a targeted system.
Writing an OVAL definition can be tricky if the standard XML schema and various parts of the definition is not understood. This following section will review the elements of a definition using an example
We will be using one of the definitions from the OVAL Definitions file produced by Canonical Security Team. For ease of understanding, we will breakdown the OVAL definition into the parts
Objective: Check if the Ubuntu system is vulnerable to CVE-2021-23971
<definition class="vulnerability" deprecated="false" id="oval:com.ubuntu.focal:def:2021239710000000" version="1">
<metadata>
<title>CVE-2021-23971 on Ubuntu 20.04 (focal) - medium.</title>
<affected family="unix">
<platform>Ubuntu 20.04</platform>
</affected>
<reference ref_id="CVE-2021-23971" ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23971" source="CVE"/>
<description>When processing a redirect with a conflicting Referrer-Policy, Firefox would have adopted the redirect's Referrer-Policy. This would have potentially resulted in more information than intended by the original origin being provided to the destination of the redirect. This vulnerability affects Firefox < 86.</description>
<advisory xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<severity>Medium</severity>
<ref>https://bugzilla.mozilla.org/show_bug.cgi?id=1678545</ref>
<ref>https://www.mozilla.org/security/advisories/mfsa2021-07/</ref>
<ref>https://ubuntu.com/security/notices/USN-4756-1</ref>
</advisory>
</metadata>
<criteria negate="false" operator="AND">
<extend_definition applicability_check="true" comment="Ubuntu 20.04 (focal) is installed." definition_ref="oval:com.ubuntu.focal:def:100" negate="false"/>
<criteria negate="false" operator="OR">
<criterion comment="firefox package in focal was vulnerable but has been fixed (note: '86.0+build3-0ubuntu0.20.04.1')." negate="false" test_ref="oval:com.ubuntu.focal:tst:2021239680000000"/>
<criterion comment="mozjs52 package in focal is affected and may need fixing." negate="false" test_ref="oval:com.ubuntu.focal:tst:201699690000020"/>
<criterion comment="mozjs68 package in focal is affected and may need fixing." negate="false" test_ref="oval:com.ubuntu.focal:tst:2020123870000020"/>
</criteria>
</criteria>
</definition>
OVAL Definitions
The <definition> elements have to be enclosed with < definitions> as per the standard.</definitions></definition>
OVAL Tests, Objects and States
<tests>
<linux-def:dpkginfo_test check="at least one" check_existence="at_least_one_exists" comment="Does the 'firefox' package exist and is the version less than '86.0+build3-0ubuntu0.20.04.1'?" deprecated="false" id="oval:com.ubuntu.focal:tst:2021239680000000" state_operator="AND" version="1">
<linux-def:object object_ref="oval:com.ubuntu.focal:obj:201447150000000"/>
<linux-def:state state_ref="oval:com.ubuntu.focal:ste:2021239680000000"/>
</linux-def:dpkginfo_test>
</tests>
<objects>
<linux-def:dpkginfo_object comment="The 'firefox' package binaries." deprecated="false" id="oval:com.ubuntu.focal:obj:201447150000000" version="1">
<linux-def:name datatype="string" mask="false" operation="equals" var_check="at least one" var_ref="oval:com.ubuntu.focal:var:201447150000000"/>
</linux-def:dpkginfo_object>
</objects>
<states>
<linux-def:dpkginfo_state comment="The package version is less than '0:86.0+build3-0ubuntu0.20.04.1'." deprecated="false" id="oval:com.ubuntu.focal: ste:2021239680000000" operator="AND" version="1">
<linux-def:evr check_existence="at_least_one_exists" datatype="debian_evr_string" entity_check="all" mask="false" operation="less than">0:86.0+build3-0ubuntu0.20.04.1</linux-def:evr>
</linux-def:dpkginfo_state>
</states>
The OVAL states determine how a condition needs to be checked by the interpreter. As mentioned, any ‘state’ should have a reference mapped to a corresponding ‘object’ in a ‘test’. In this example, the ‘state’ determines the version of the package and it returns true when the version is less than ‘0:86.0+build3-0ubuntu0.20.04.1’.
Though we have a hardcoded value with the attribute, we can also make use of variables by referencing the variable “oval:com.ubuntu.focal:var:201447150000000” in an object or a state just like we saw in <objects> section. The <variables> elements can have one or more constant or local variables. As shown below, we have a constant variable with different values of Firefox and its components.</variables></objects>
<variables>
<constant_variable comment="'firefox' package binaries" datatype="string" deprecated="false" id="oval:com.ubuntu.focal:var:201447150000000" version="1">
<value>firefox</value>
<value>firefox-geckodriver</value>
<value>firefox-mozsymbols</value>
</constant_variable>
</variables>
The definition file which we used as an example can be downloaded from here
Using OpenSCAP (oscap) Scanner
In order to validate the written OVAL definition and scan against the target system, we require a utility called “oscap” a command-line scanner from OpenSCAP project, which is an open-source implementation of SCAP providing capabilities and potential features that are required for the organizations or software products that adopted OVAL definitions.
We will use ‘oscap’ scanner for our example which can be downloaded from the previous section. Though oscap have a great potential to perform other operations, we will be using it to evaluate the definition and scan the target system. More information on oscap can be read from their user manual.
This section demonstrates how to use different options of oscap command-line scanner.
Here, we finish part-1 of this series of post on OVAL.
Unlike OpenSCAP there are commercial tools such as ‘jOVAL’ (which is now part of ARCTIC WOLF) that can be used to scan the local or remote targets.
Contributing to the Community
Our threat research team is always happy to contribute to the community, hence we published the OVAL content for some of CVEs assigned to Atlassian Products like Jira Server. You can download the content from our public repository here.
References:
IN-HOUSE EXPERTISE
Get practical solutions to real-world challenges, straight from experts who conquered them.
View all our articles