
Ovaldi (OVAL support in OpenVAS)

(by Michael Wiegand)

The Open Vulnerability and Assessment Language (OVAL) is a standard that can be used, among other things, to describe known vulnerabilities and the tests that assess whether a vulnerability is present on a target system. It uses XML documents, for example, to describe the components of a potentially vulnerable system and the state those components are in. Other XML documents, the so-called vulnerability definitions, describe the particular states in which these components should be considered vulnerable. In contrast to NASL, OVAL definitions only formally describe how a vulnerable system is expected to look; they are not in themselves programs that actively look for those vulnerabilities.

The OVAL community has created ovaldi, an open source reference implementation of an OVAL definition interpreter. Although ovaldi initially only supported checks of a local system, the OpenVAS project has created a patch that enables ovaldi to make use of the information collected by OpenVAS about remote systems.

Starting from OpenVAS 2.0.0, ovaldi support is present in OpenVAS. To enable ovaldi support, using ovaldi at SVN revision 138 is recommended. Please refer to the OpenVAS website for the patch needed for ovaldi and up-to-date information regarding ovaldi integration. The latest information is available at http://www.openvas.org/integrated-tools.html.

Using ovaldi, you will be able to access hundreds of additional security checks provided as definitions in the OVAL standard such as security announcements regarding the Red Hat Enterprise Linux distribution. Be aware that the ovaldi integration into OpenVAS only supports a limited subset of the tests available in OVAL. Support for OVAL tests will be extended as the ovaldi integration matures.

Once you have successfully enabled support for OVAL plugins, the plugins will show up in the OpenVAS-Client in the "OVAL definitions" family. Most plugins will return one of the following values: "true", "false" or "unknown". These values are defined as follows:

"true": The tests evaluated by ovaldi indicated that the vulnerability described in the definition is very likely to be present on the system.

"false": The tests evaluated by ovaldi indicated that the vulnerability described in the definition is not likely to be present on the system.

"unknown": The tests evaluated by ovaldi were inconclusive or ovaldi was unable to execute all tests required for this evaluation.

Note that a large number of tests will return "unknown" until extended OVAL support in OpenVAS has been established.

The results of the OVAL definitions will be shown in the same way as the results for other plugins, allowing you to assess the results conveniently from within OpenVAS-Client.
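
The following triage script is an added example, not part of the original guide and not OpenVAS or ovaldi code. It groups definitions by the result values described above, keeps "unknown" (and any other non-true/false value) out of the clean bucket, and reports how much of the run was conclusive. It assumes the results are available as XML in the OVAL 5 results layout; the sample document, its definition ids and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace of the OVAL 5 results schema (assumed input format).
NS = {"r": "http://oval.mitre.org/XMLSchema/oval-results-5"}

# Constructed sample; the definition ids are placeholders, not real advisories.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:org.example:def:1" version="1" result="true"/>
        <definition definition_id="oval:org.example:def:2" version="1" result="false"/>
        <definition definition_id="oval:org.example:def:3" version="2" result="unknown"/>
        <definition definition_id="oval:org.example:def:4" version="1" result="error"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""

def triage(results_xml):
    """Group definition ids into likely_vulnerable / likely_clean / needs_review."""
    root = ET.fromstring(results_xml)
    buckets = defaultdict(list)
    for d in root.iterfind("r:results/r:system/r:definitions/r:definition", NS):
        result = d.get("result", "unknown").strip().lower()
        if result == "true":
            bucket = "likely_vulnerable"
        elif result == "false":
            bucket = "likely_clean"
        else:
            # "unknown" and every other value are inconclusive: never count as clean.
            bucket = "needs_review"
        buckets[bucket].append(d.get("definition_id"))
    return dict(buckets)

def coverage(buckets):
    """Fraction of definitions that produced a conclusive true/false verdict."""
    total = sum(len(ids) for ids in buckets.values())
    conclusive = sum(len(buckets.get(k, [])) for k in ("likely_vulnerable", "likely_clean"))
    return conclusive / total if total else 0.0

if __name__ == "__main__":
    grouped = triage(SAMPLE_RESULTS)
    for name, ids in sorted(grouped.items()):
        print(name, ids)
    print("conclusive coverage: %.0f%%" % (coverage(grouped) * 100))
```

A low coverage figure means the scan says little about the target either way, so the definitions in `needs_review` have to be checked by other means before the system is treated as unaffected.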

You can find more information about the OVAL project and the OVAL language at http://oval.mitre.org/. The project page for ovaldi can be found at http://sourceforge.net/projects/ovaldi/.

