
Red Hat and OVAL compatibility

Q: What is the OVAL project?

The Open Vulnerability and Assessment Language (OVAL) project, maintained by the MITRE Corporation, is an international information-security effort that promotes open and publicly available security content, and seeks to standardize the transfer of this information across the entire spectrum of security tools and services. See oval.mitre.org for more information.

Q: What is Red Hat doing with the OVAL project?

The Red Hat Security Response team helps customers evaluate and manage risk by tracking and investigating all security issues affecting Red Hat customers and providing timely and concise patches and security advisories via Red Hat® Network®.

Red Hat will be creating and supporting OVAL patch definitions, providing machine-readable versions of our security advisories. This will allow OVAL-compatible tools to test for the presence of the described vulnerabilities.

Red Hat was a founding board member of OVAL in 2002, and made a declaration of OVAL compatibility in May 2006.

Q: What Red Hat products will be OVAL compatible?

Red Hat is currently producing OVAL patch definitions for security updates to Red Hat Enterprise Linux® 3, 4, and 5.

Q: How do I obtain the OVAL definitions?

The OVAL definitions are available individually and as a complete package, and are updated within an hour of a new security advisory being made available via Red Hat Network. Red Hat's OVAL definitions are available at:

http://www.redhat.com/security/data/oval/

Q: Will Red Hat provide tools to parse these definitions?

At this time Red Hat does not ship an OVAL definition interpreter. Many third parties are creating both open source and commercial definition parsers that are OVAL compatible.

Q: How is OVAL different from Red Hat Network?

Red Hat Network is an enterprise system management tool that keeps Red Hat Enterprise Linux systems up to date with the latest errata and reports which machines need which updates. Red Hat support for OVAL provides an alternative machine-readable view of Red Hat security advisories, allowing administrators to use OVAL-compatible tools to determine the patch state of software across heterogeneous networks.

Q: Why are you using an OVAL patch definition rather than a vulnerability definition?

Each of our OVAL definitions is designed to directly correspond one-to-one with a Red Hat Security Advisory. An advisory may contain fixes for more than one vulnerability, so each fix is listed separately by its CVE name, and has a link to its entry in our public bug database.

Q: Why are tests that check the RPM signature included?

Our OVAL definitions include tests that check to make sure the RPM is signed by the appropriate Red Hat package signing key. This test is necessary to avoid false positives and negatives caused by users who may rebuild packages themselves or use packages from upstream. The signature check is necessary to maintain backwards compatibility and does not check a system's integrity or detect other deficiencies.

Q: What level of detail do the tests cover?

The Red Hat OVAL patch definitions are designed to check for vulnerable versions of RPM packages installed on a system. It is possible to extend these definitions to include further checks - for instance, to see if the packages are being used in a vulnerable configuration. These definitions are designed to cover software and updates shipped by Red Hat. Additional definitions are required to detect the patch status of third party software.
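To show what one of these patch definitions looks like and how an OVAL-compatible tool combines the "earlier than" version test with the signing-key test described above, here is an added Python example (not Red Hat's code, and not a Red Hat tool): it parses a constructed definition in the shape of a Red Hat patch definition and evaluates it against a sample package inventory. Every id, the package name, advisory, CVE and key id are placeholders, and `evr_key` is an approximation of rpm's version ordering, not rpm's own code.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like a Red Hat OVAL patch definition; ids, package, advisory, CVE and key id are placeholders.
OVAL_XML = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
 xmlns:lin="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"><definitions>
<definition class="patch" id="oval:com.example:def:1" version="1"><metadata>
<title>RHSA-0000:0000: example-pkg security update</title><reference source="CVE" ref_id="CVE-0000-0000"/></metadata>
<criteria operator="AND"><criterion test_ref="oval:com.example:tst:1" comment="example-pkg is earlier than 0:1.2-3.el5"/>
<criterion test_ref="oval:com.example:tst:2" comment="example-pkg is signed with the vendor key"/></criteria></definition></definitions>
<tests><lin:rpminfo_test id="oval:com.example:tst:1" version="1" check="at least one" comment="evr"><lin:object object_ref="oval:com.example:obj:1"/><lin:state state_ref="oval:com.example:ste:1"/></lin:rpminfo_test>
<lin:rpminfo_test id="oval:com.example:tst:2" version="1" check="at least one" comment="key"><lin:object object_ref="oval:com.example:obj:1"/><lin:state state_ref="oval:com.example:ste:2"/></lin:rpminfo_test></tests>
<objects><lin:rpminfo_object id="oval:com.example:obj:1" version="1"><lin:name>example-pkg</lin:name></lin:rpminfo_object></objects>
<states><lin:rpminfo_state id="oval:com.example:ste:1" version="1"><lin:evr datatype="evr_string" operation="less than">0:1.2-3.el5</lin:evr></lin:rpminfo_state>
<lin:rpminfo_state id="oval:com.example:ste:2" version="1"><lin:signature_keyid operation="equals">0000000000000000</lin:signature_keyid></lin:rpminfo_state></states></oval_definitions>"""
NS = {"o": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "lin": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"}

def evr_key(evr):
    """Sort key approximating rpm's ordering of 'epoch:version-release' (missing epoch = 0):
    digit runs compare as integers and outrank alpha runs, alpha runs compare as strings, extra segments win."""
    epoch, sep, rest = evr.partition(":")
    ver, _, rel = (rest if sep else evr).partition("-")
    seg = lambda s: [(1, int(t)) if t.isdigit() else (0, t) for t in re.findall(r"\d+|[A-Za-z]+", s)]
    return int(epoch) if sep else 0, seg(ver), seg(rel)

def evaluate(xml_text, installed):
    """installed: rpm name -> (evr, signing key id). Returns {definition id: True if the patch is still missing}."""
    root = ET.fromstring(xml_text)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}

    def run_test(test):  # one rpminfo_test: the object names the package, the state holds the conditions
        name = by_id[test.find("lin:object", NS).get("object_ref")].findtext("lin:name", namespaces=NS)
        if name not in installed:
            return False  # package absent, so the advisory cannot apply
        evr, keyid = installed[name]
        for ent in by_id[test.find("lin:state", NS).get("state_ref")]:
            tag, op = ent.tag.split("}")[1], ent.get("operation")
            if tag == "evr" and op == "less than" and evr_key(evr) >= evr_key(ent.text):
                return False  # already at or beyond the fixed build
            if tag == "signature_keyid" and op == "equals" and keyid != ent.text:
                return False  # rebuilt or upstream package: the version test alone would be a false positive
        return True

    # Red Hat criteria AND the version test with the signature test; nested OR blocks are not modelled here
    return {d.get("id"): all(run_test(by_id[c.get("test_ref")]) for c in d.iter("{%s}criterion" % NS["o"]))
            for d in root.iterfind("o:definitions/o:definition", NS)}

if __name__ == "__main__":
    print(evaluate(OVAL_XML, {"example-pkg": ("0:1.2-2.el5", "0000000000000000")}))
```

A real inventory would come from `rpm -qa` with a query format that prints the epoch, version, release and signing key id of each package.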

Q: Where can I go for more information?

The MITRE OVAL website contains an FAQ and more detailed information, including the full schema. If you wish to submit corrections, ask questions, or get more information about the Red Hat implementation of OVAL, contact the Security Response Team at secalert@redhat.com.
