OVAL Study Notes
OVAL (Open Vulnerability and Assessment Language), developed by MITRE, is a declarative language for describing technical details such as check items and vulnerabilities. Its content is organized in standard XML. It is flexible enough to describe the system state, vulnerabilities, configuration, patches and similar conditions on Windows, Linux, Unix and various embedded operating systems, and it can also describe the results of an assessment. OVAL states security checkpoints precisely and in a machine-readable form, so they can be fed directly to automated security scanners. The core of OVAL is "Open": anyone can contribute to its development and share knowledge and experience, which avoids duplicated effort. XCCDF was designed to work with a variety of underlying configuration-checking technologies, and MITRE's OVAL is the recommended default. In practical SCAP use, XCCDF and OVAL usually appear as a pair: XCCDF defines the checklist, and OVAL defines the concrete implementation of each check.
OVAL consists of three XML schemas: the OVAL Definition Schema, the OVAL System Characteristics Schema and the OVAL Results Schema. The System Characteristics format describes a snapshot of the system's state; an OVAL definition file is evaluated against that snapshot to produce the assessment result. The Results format describes that assessment result.
Of the three, the Definition format plays the central role. It provides a machine-readable guide for assessing system security: it describes which configuration to examine, how to judge the security state, and how to report the evaluation result. A typical OVAL Definition document is made up of Definitions, Tests, Objects, States and Variables. Its structure is fairly simple, essentially an enumeration of these element groups, as shown in the accompanying figure.
The Definition is the most important component. It references one or more Tests and derives its overall result from their results; a Test uses an Object and a State to interact with the system and obtain the check result; a State can carry a fixed value or reference a value held in a Variable. The logical relationship between these components is shown in the accompanying figure, in which Definition1 contains two Tests, Test1 and Test2. Assume the criteria operator is AND: if both Tests are true, the result of Definition1 is true; if Test1 is true and Test2 is false, the condition Test1 = true AND Test2 = true is not met, so Definition1 is false.
OVAL Definition
A Definition describes how to check for a specific security issue; an OVAL document usually contains many Definitions. There are four main definition classes. Vulnerability describes how to determine from the system state whether a specific vulnerability is present. Patch is similar, but focuses on whether a specific patch is installed. Inventory describes how to determine whether a specific piece of software is installed. Compliance describes how to determine whether the system meets a specific configuration requirement. Table 1 shows sample data for a Definition.

Table 1. Sample Definition data

| Field | Meaning | Sample data |
|---|---|---|
| id | Definition ID; must be globally unique | oval:gov.nist.usgcb.winseven:def:7 |
| version | Definition version | 2 |
| class | Definition category (vulnerability, patch, inventory, compliance) | compliance |
| metadata | | |
| title | Definition title | Minimum Password Length |
| affected | Name and version of the affected operating system or application | Microsoft Windows 7 |
| reference | Links from this Definition to other checklists or documents | NIST SP 800-68 Appendix A, 1.4b; http://cce.mitre.org CCE-9357-5 |
| description | Definition description | Minimum Password Length |
| criteria | | |
| extend_definition definition_ref | Identifier of another Definition whose result this one depends on | oval:gov.nist.cpe.oval:def:1 |
| extend_definition comment | Human-readable reason for extending that Definition; here, confirming that the target runs the expected operating system | Windows 7 is installed |
| criterion test_ref | ID of a Test used by this Definition | oval:gov.nist.usgcb.winseven:tst:36 |
| criterion comment | Human-readable description of what the Test checks | Minimum Password Length is greater than or equal to the prescribed value |
OVAL test
A Test is carried out by pairing an OVAL Object with an OVAL State. Table 2 shows the data structure of an OVAL Test, and Figure 2 shows how the Object and the State cooperate within the Test. Besides check_existence, a Test carries a check attribute (all, at least one, none satisfy, only one) that says how many of the items that do exist must satisfy the State; the existence check is decided first, and the State is only consulted when it passes.

Table 2. Sample Test data

| Field | Meaning | Sample data |
|---|---|---|
| test type | The element name expresses the test type: file, registry, policy and so on | passwordpolicy_test |
| id | Unique ID of this Test | oval:gov.nist.usgcb.winseven:tst:36 |
| version | Test version | 2 |
| check_existence | How many of the collected items must exist (for a registry test, whether the value must be present) before the State is applied | at_least_one_exists |
| object_ref | ID of the Object used by this Test | oval:gov.nist.usgcb.winseven:obj:27 |
| state_ref | ID of the State used by this Test | oval:gov.nist.usgcb.winseven:ste:33 |
OVAL object
An Object describes the test subject. Because subjects come in many kinds (registry entries, group policy, files, software packages and so on), there are just as many Object types, each with its own data structure. A passwordpolicy_object, for instance, needs nothing beyond an id for the interpreter to recognize it: the policy it refers to is implied by the Object type itself.
A registry_object, by contrast, must specify the registry hive, the key and the value name, through its hive, key and name child elements:
hive: HKEY_LOCAL_MACHINE
key: SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\DW
name: DWAllowHeadless
OVAL state
A State describes the reference value the test subject is compared against. Like Objects, States come in many types with different data structures; a passwordpolicy_state, for example, carries entities such as the minimum password length.
A value may be a regular expression, which matches strings more flexibly than a literal equals. The following registry_state value (operation "pattern match") accepts a registry string that contains "Windows 7" surrounded only by letters, digits, parentheses and whitespace:
^[a-zA-Z0-9\(\)\s]*[Ww][Ii][Nn][Dd][Oo][Ww][Ss] 7[a-zA-Z0-9\(\)\s]*$
As these samples show, a State entity either takes its value from an OVAL Variable through var_ref or carries the value directly as the element's text.
OVAL variable
A Variable supplies the values a State needs while a test runs. There are three types: constant_variable, local_variable and external_variable. A constant variable holds values that cannot change at run time; a local variable is computed within OVAL from literals, other variables and functions such as concat; an external variable is the usual way to pass an XCCDF Value into OVAL. An external_variable therefore declares only its id, datatype and comment (optionally a list of permitted values); the value itself is bound when the check runs, so an external variable that was never bound yields an error result rather than a pass or a fail.
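The State and Variable behaviour described in the two sections above, as a worked example: one State entity carries a literal pattern-match value (the registry regex quoted above), another takes its value through var_ref, and all three variable types are resolved, with the external variable bound from outside the way an XCCDF Value export would bind it. This is added code, not from the page and not a real OVAL interpreter; the ids of the form oval:example:*, the item values and the XML document are constructed, and the comparison operations are limited to the ones the page's samples use plus the basic ordering ones.

```python
"""State evaluation with variable resolution (added example: not the page's code,
not a real OVAL interpreter).  A literal-valued entity beside a var_ref entity;
constant_variable, local_variable (concat) and external_variable resolved, the
last bound from outside as check-export does for an XCCDF Value.  Ids and item
values are constructed; the regex is the registry_state one quoted above."""
import re
import xml.etree.ElementTree as ET

DEF = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
WIN = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#windows}"

class VariableError(Exception):
    """An unresolvable var_ref makes the State evaluate to 'error', not 'false'."""

def resolve_variable(var_id, variables, externals):
    """Return the value list of a variable (OVAL variables are multi-valued)."""
    node = variables.get(var_id)
    if node is None:
        raise VariableError(f"undefined variable {var_id}")
    kind = node.tag.replace(DEF, "")
    if kind == "constant_variable":
        return [v.text for v in node.findall(DEF + "value")]
    if kind == "external_variable":
        if var_id not in externals:          # the benchmark never exported it
            raise VariableError(f"external variable {var_id} not bound")
        return [externals[var_id]]
    if kind == "local_variable":             # exactly one component child
        return [component_value(node[0], variables, externals)]
    raise VariableError(f"unsupported variable type {kind}")

def component_value(comp, variables, externals):
    """Single-valued subset of the local_variable component functions."""
    tag = comp.tag.replace(DEF, "")
    if tag == "literal_component":
        return comp.text
    if tag == "variable_component":
        return resolve_variable(comp.get("var_ref"), variables, externals)[0]
    if tag == "concat":
        return "".join(component_value(c, variables, externals) for c in comp)
    raise VariableError(f"unsupported component {tag}")

def compare(item_value, operation, state_value, datatype):
    """One entity comparison: values arrive as strings, datatype='int' orders
    them numerically, and 'pattern match' is a regex search as in OVAL."""
    if operation == "pattern match":
        return re.search(state_value, item_value) is not None
    a, b = (int(item_value), int(state_value)) if datatype == "int" else (item_value, state_value)
    ops = {"equals": a == b, "not equal": a != b, "greater than": a > b,
           "greater than or equal": a >= b, "less than": a < b, "less than or equal": a <= b}
    if operation not in ops:
        raise ValueError(f"unsupported operation {operation!r}")
    return ops[operation]

def state_matches(state, item, variables, externals):
    """Entities of a State are ANDed.  With var_ref, var_check ('all' by default,
    or 'at least one') says how many of the variable's values must satisfy it."""
    for entity in state:
        name, op = entity.tag.replace(WIN, ""), entity.get("operation", "equals")
        datatype = entity.get("datatype", "string")
        if entity.get("var_ref"):
            values = resolve_variable(entity.get("var_ref"), variables, externals)
            hits = [compare(item[name], op, v, datatype) for v in values]
            ok = all(hits) if entity.get("var_check", "all") == "all" else any(hits)
        else:
            ok = compare(item[name], op, entity.text, datatype)
        if not ok:
            return False
    return True

def load(xml_text):
    root = ET.fromstring(xml_text)
    return ({s.get("id"): s for s in root.find(DEF + "states")},
            {v.get("id"): v for v in root.find(DEF + "variables")})

def evaluate_state(xml_text, state_id, item, externals):
    """OVAL result string for one collected item against one State."""
    states, variables = load(xml_text)
    try:
        return "true" if state_matches(states[state_id], item, variables, externals) else "false"
    except VariableError:
        return "error"

DOCUMENT = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:win="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
  <states>
    <win:passwordpolicy_state id="oval:example:ste:1" version="1">
      <win:min_passwd_len datatype="int" operation="greater than or equal" var_ref="oval:example:var:1"/>
    </win:passwordpolicy_state>
    <win:registry_state id="oval:example:ste:2" version="1">
      <win:value operation="pattern match">^[a-zA-Z0-9\(\)\s]*[Ww][Ii][Nn][Dd][Oo][Ww][Ss] 7[a-zA-Z0-9\(\)\s]*$</win:value>
    </win:registry_state>
  </states>
  <variables>
    <external_variable id="oval:example:var:1" version="1" datatype="int" comment="min password length from XCCDF"/>
    <constant_variable id="oval:example:var:2" version="1" datatype="string"><value>Windows 7</value></constant_variable>
    <local_variable id="oval:example:var:3" version="1" datatype="string" comment="expected product name">
      <concat><variable_component var_ref="oval:example:var:2"/><literal_component> Professional</literal_component></concat>
    </local_variable>
  </variables>
</oval_definitions>"""

if __name__ == "__main__":
    exports = {"oval:example:var:1": "14"}   # what XCCDF check-export would hand over
    print(evaluate_state(DOCUMENT, "oval:example:ste:1", {"min_passwd_len": "8"}, exports))  # false
```

The datatype attribute matters: without datatype="int" the comparison falls back to string ordering, where "8" sorts after "14", and a weak password policy would pass. The error path is the other caveat: running a benchmark without its XCCDF Value bindings turns every check that depends on an external variable into an error, which is easy to mistake for a tool failure rather than a configuration gap.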
Below is the OVAL I wrote to check whether the system is Windows 10:
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd"
                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
                  xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <generator>
    <oval:product_name>The OVAL Repository</oval:product_name>
    <oval:schema_version>5.10.1</oval:schema_version>
    <oval:timestamp>2015-07-24T02:18:25.200-04:00</oval:timestamp>
  </generator>
  <definitions>
    <definition xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" class="inventory" version="3" id="oval:org.mitre.oval:def:28779">
      <metadata>
        <title>Microsoft Windows 10 Insider Preview is installed</title>
        <affected family="windows">
          <platform>Microsoft Windows 10 Insider Preview</platform>
        </affected>
        <reference ref_id="microsoft_windows_10_insider_preview" source="ICM"/>
        <description>The operating system installed on the system is Microsoft Windows 10 Insider Preview.</description>
        <oval_repository>
          <dates>
            <submitted date="2015-05-07T08:31:03">
              <contributor organization="ALTX-SOFT">Maria Mikhno</contributor>
            </submitted>
            <status_change date="2015-05-12T14:33:42.950-04:00">DRAFT</status_change>
            <status_change date="2015-06-01T04:00:20.683-04:00">INTERIM</status_change>
            <status_change date="2015-06-22T04:00:44.312-04:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria>
        <criterion test_ref="oval:org.mitre.oval:tst:99" comment="the installed operating system is part of the Microsoft Windows family"/>
        <criterion test_ref="oval:org.mitre.oval:tst:138532" comment="Check if Microsoft Windows 10 Insider Preview is installed"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <family_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" version="1" id="oval:org.mitre.oval:tst:99" comment="the installed operating system is part of the Microsoft Windows family" check="only one" check_existence="at_least_one_exists">
      <object object_ref="oval:org.mitre.oval:obj:99"/>
      <state state_ref="oval:org.mitre.oval:ste:99"/>
    </family_test>
    <registry_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" version="1" id="oval:org.mitre.oval:tst:138532" comment="Check if Microsoft Windows 10 Insider Preview is installed" check="all" check_existence="at_least_one_exists">
      <object object_ref="oval:org.mitre.oval:obj:5590"/>
      <state state_ref="oval:org.mitre.oval:ste:38384"/>
    </registry_test>
  </tests>
  <objects>
    <family_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" version="1" id="oval:org.mitre.oval:obj:99" comment="This is the default family object. Only one family object should exist."/>
    <registry_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" version="1" id="oval:org.mitre.oval:obj:5590" comment="This registry key identifies the Windows ProductName">
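A structural check over a document shaped like the listing above: walk definitions, tests, objects and states, follow every test_ref, object_ref and state_ref, and report references with no matching id. This is an added example, not code from the page or from the OVAL Repository. The sample document is a constructed, trimmed copy of the listing, which breaks off before its <states> section, so both state references come back dangling; the hive, key and name of the registry object are assumed (the usual location of ProductName), since the listing stops before showing them.

```python
"""Cross-reference check for an OVAL Definitions document (added example, not the
page's code).  Follows definition -> criterion test_ref -> object_ref / state_ref
and reports ids that are referenced but never defined.  The sample below is a
constructed, trimmed copy of the listing above, which stops before <states>, so
its two state references are dangling.  Registry hive/key/name are assumed."""
import xml.etree.ElementTree as ET

DEF = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
SECTIONS = ("definitions", "tests", "objects", "states", "variables")
REF_ATTRS = ("definition_ref", "test_ref", "object_ref", "state_ref", "var_ref")

def index_ids(root):
    """Map every id declared under the five top-level sections to its element."""
    ids = {}
    for section in SECTIONS:
        container = root.find(DEF + section)
        for el in ([] if container is None else container):
            ids[el.get("id")] = el
    return ids

def references(root):
    """Yield (owner id, attribute, target id) for every cross-reference."""
    for owner in index_ids(root).values():
        for node in owner.iter():
            for attr in REF_ATTRS:
                if node.get(attr):
                    yield owner.get("id"), attr, node.get(attr)

def dangling(xml_text):
    """Sorted list of references whose target id is not defined in the document."""
    root = ET.fromstring(xml_text)
    defined = index_ids(root)
    return sorted({ref for ref in references(root) if ref[2] not in defined})

def outline(xml_text):
    """For each definition: the tests it uses and each test's element type."""
    root = ET.fromstring(xml_text)
    ids = index_ids(root)
    result = {}
    for d in root.find(DEF + "definitions"):
        tests = []
        for c in d.iter(DEF + "criterion"):
            t = ids.get(c.get("test_ref"))
            tests.append((c.get("test_ref"), t.tag.split("}")[1] if t is not None else None))
        result[d.get("id")] = tests
    return result

# Constructed: same ids and structure as the listing above, states omitted.
DOCUMENT = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
    xmlns:win="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
  <definitions>
    <definition class="inventory" version="3" id="oval:org.mitre.oval:def:28779">
      <metadata><title>Microsoft Windows 10 Insider Preview is installed</title>
        <description>Trimmed copy of the definition shown above.</description></metadata>
      <criteria>
        <criterion test_ref="oval:org.mitre.oval:tst:99" comment="Windows family"/>
        <criterion test_ref="oval:org.mitre.oval:tst:138532" comment="Windows 10 Insider Preview"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <ind:family_test version="1" id="oval:org.mitre.oval:tst:99" comment="family" check="only one" check_existence="at_least_one_exists">
      <ind:object object_ref="oval:org.mitre.oval:obj:99"/>
      <ind:state state_ref="oval:org.mitre.oval:ste:99"/>
    </ind:family_test>
    <win:registry_test version="1" id="oval:org.mitre.oval:tst:138532" comment="ProductName" check="all" check_existence="at_least_one_exists">
      <win:object object_ref="oval:org.mitre.oval:obj:5590"/>
      <win:state state_ref="oval:org.mitre.oval:ste:38384"/>
    </win:registry_test>
  </tests>
  <objects>
    <ind:family_object version="1" id="oval:org.mitre.oval:obj:99"/>
    <win:registry_object version="1" id="oval:org.mitre.oval:obj:5590">
      <!-- hive/key/name assumed: the usual location of ProductName -->
      <win:hive>HKEY_LOCAL_MACHINE</win:hive>
      <win:key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</win:key>
      <win:name>ProductName</win:name>
    </win:registry_object>
  </objects>
</oval_definitions>"""

if __name__ == "__main__":
    for owner, attr, target in dangling(DOCUMENT):
        print(f"{owner}: {attr} -> {target} is not defined")
```

Schema validation alone does not catch this: every element here is valid against the OVAL schemas, yet an interpreter fed this file can only return an error for both tests because the states they reference do not exist. Running a reference check before importing hand-edited or truncated content is cheaper than debugging the resulting error results.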