Frequently Asked Questions




A. OVAL

A1. What is OVAL?

Open Vulnerability and Assessment Language (OVAL®) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language. See About OVAL for additional information.

A2. Why OVAL? Is there a lot of support for something like this?

Until OVAL there was no common or structured means for system administrators and other end users to determine the existence of software vulnerabilities, configuration issues, programs, and/or patches in local systems. Much of the information was available as text-based descriptions from vulnerability and other knowledge sources such as software vendors, government agencies, tool vendors, and security consulting firms, however, it remained a labor-intensive and error-prone process for system administrators to read and interpret this unstructured information and make a determination of whether a particular vulnerability or configuration issue existed on a local system.

For operating system and application software vendors, the precise definitions of how to detect vulnerabilities or configuration issues found in OVAL definitions eliminate the need for exploit code as an assessment tool. And tool vendors who implemented closed and proprietary tests to check for the vulnerabilities implemented them in procedural code that could not be easily read and understood by a wide audience, if they made that code available at all.

OVAL solves these problems. The widespread availability of OVAL definitions will promote standardized vulnerability and configuration assessment and will provide consistent and reproducible information assurance metrics. Tools for collecting configuration information can be combined with OVAL content to provide for standardized assessment, resulting in more accurate determinations of existence and fewer false positives than what currently exists today. In addition, since OVAL definitions express security problems in a language familiar to system administrators, they will have a concrete and actionable impact on the specific group directly involved in security remediation efforts.

An integral component of OVAL is community involvement and support. OVAL definitions are based on a common XML definition schema approved by the OVAL Board, which includes members from major operating systems vendors, commercial information security tool vendors, academia, government agencies, and research institutions. Broad community participation in the OVAL effort comes from system administrators, software vendors, security analysts, and other members of the information security community reviewing and commenting on the OVAL schemas on the Developer’s Forum and/or reviewing each draft definition and discussing and debating it on the Community Forum, both of which are hosted on the OVAL Web site. This means the OVAL Language schema and definitions will reflect the insights and combined expertise of the broadest possible collection of security and system administration professionals.

Back to top

A3. What operating system platforms are supported?

Refer to the Language Releases page, and the OVAL Repository, for the specific OS versions supported.

A4. How is OVAL different from commercial vulnerability scanners?

OVAL itself is not a vulnerability scanner. Rather, it is an open language to express checks for determining whether software vulnerabilities—and configuration issues, programs, and patches—exist on a system. OVAL allows the sharing of technical details regarding how to identify the presence or absence of vulnerabilities on a computer system. The public nature of OVAL provides computer security researchers, software vendors, and system administrators with the means to collaborate to develop OVAL definitions. The end user of an OVAL-compliant tool benefits from this collaboration because of increased quality from the number of experts participating in the development of definitions, and now has the option of personally reviewing the individual definitions to see exactly how the vulnerability determination was made. This is in direct contrast to closed, proprietary methods of vulnerability assessment.

MITRE’s freely available OVAL Interpreter demonstrates the evaluation of OVAL Definitions. Based on a set of Definitions the interpreter collects system information, evaluates it, and generates a detailed OVAL Results file. It demonstrates OVAL in action, but has a limited user interface. (See F1. What is the OVAL Interpreter? Is it free to use?).

A5. Can’t hackers use this to break into my system?

Any public discussion or availability of vulnerability and configuration information may help a hacker. However, there are several reasons why the benefits of OVAL outweigh its risks:

A6. Can OVAL help me protect my system?

Yes, but only as a preventative measure. Once you have used OVAL definitions or OVAL-compatible information security products and services to determine which vulnerabilities or configuration issues exist on your system, you may then use this information to obtain appropriate software patches and fix information for remediation from your vendors or from vulnerability research databases and Web sites.

A7. Does OVAL tell me how to fix my system?

No. OVAL can only help you determine if there are vulnerabilities or configuration issues on your system. You must obtain all instructions, software patches, or remediation information from your vendors or information security advisories in order to address your system vulnerabilities or configuration issues.

A8. Isn’t the vulnerability information included in OVAL also in vulnerability databases?

Vulnerability databases include information about vulnerabilities that OVAL does not, such as the severity of the problem, whether it is locally or remotely exploitable, remediation information, and so on. Instead, OVAL definitions provide a detailed method for checking low-level configuration parameters on a computer to determine the presence or absence of software vulnerabilities. Vulnerability databases rarely have this kind of technical detail available.

A9. How can OVAL help me?

Use OVAL definitions or OVAL-compatible information security products and services as they become available to determine which, if any, software vulnerabilities, configuration issues, programs, or patches exist on your system (See F1. What is the OVAL Interpreter? Is it free to use?). Obtain appropriate fix information and software patches from your vendors and make the repairs. See A2. Why OVAL? and the About OVAL page for additional information.

A10. Who owns OVAL?

OVAL is an open community effort and is sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Operating as DHS’s Federally Funded Research and Development Center (FFRDC), MITRE has copyrighted the OVAL Language for the benefit of the community in order to ensure it remains a free and open standard, as well as to legally protect the ongoing use of it and any resulting content by government, vendors, and/or users. In addition, MITRE has trademarked ® the OVAL acronym and the OVAL logo to protect their sole and ongoing use by the OVAL effort within the information security arena.

The content of OVAL is a result of the collaborative efforts of MITRE and the OVAL Board, along with broad participation from the information security community. The Board includes representatives from numerous organizations such as operating system and security tool vendors, academic institutions, and government.

A11. How can my organization and I be involved?

An integral component of the OVAL effort is broad community participation. Visit the OVAL Community page for additional information.

A12. Is someone from OVAL available to speak or participate on panel discussions at industry-related events, meetings, etc.?

Yes, contact oval@cisecurity.org to have MITRE present a briefing or participate in a panel discussion about OVAL or Making Security Measurable, security automation, and/or related topics at your event.

A13. What is the relationship between OVAL and DHS?

OVAL is sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. MITRE, operating as DHS’s Federally Funded Research and Development Center (FFRDC), manages this OVAL Web site, community engagement, and discussion lists to enable open and public collaboration with all stakeholders.

A14. Does OVAL participate in link exchange arrangements?

No, OVAL does not exchange links with other Web sites. Only authorized links are allowed on the OVAL Web site such as references for OVAL content in the OVAL Repository and those for the OVAL Adoption Program, OVAL Board Members, and News about OVAL.

A15. Does OVAL offer RSS feeds?

See OVAL RSS Feeds.

A16. What are OVAL-IDs?

OVAL identifiers (OVAL-IDs) are assigned to all globally reusable components in the OVAL Language including OVAL definitions, objects, states, tests, and variables. OVAL-IDs use the format "oval:Organization DNS Name:ID Type:ID Value" where organization DNS Name is of the form ‘org.mitre.oval’; ID Type denotes the entity to which the ID is being applied (and can be one of the following values: def - Definition, obj - Object, ste - State, tst - Test, or var - Variable); and ID Value is an integer that is unique to the DNS name and ID Type pair that precedes it. For example, oval:org.mitre.oval:def:1115 or oval:com.redhat.rhsa:def:20060742.

A17. How do I use OVAL on my system?

To evaluate a set of OVAL Definitions on a single Windows 7 system, download and install the free OVAL Interpreter. The Interpreter is a reference implementation of the OVAL Language and demonstrates how OVAL Definitions, which are community-developed tests that check for the presence of software vulnerabilities, configuration issues, programs, and patches, can be evaluated on a single computer system. Next, get the latest set of OVAL Definitions hosted in the OVAL Repository — for example, get the latest set of vulnerability definitions for Windows 7 from https://oval.mitre.org/rep-data/5.10/org.mitre.oval/v/platform/microsoft.windows.7.xml — and run them against your system with the Interpreter. You may then review the results that are produced in the default Simple HTML View (see "results.html" in the same directory as the OVAL Interpreter).

A18. Is OVAL free for public use?

OVAL is an open standard. The OVAL Language and any resulting OVAL content based upon the language that is stored in the OVAL Repository are free to use by any organization or individual for any research, development, and/or commercial purposes, per the OVAL Terms of Use.

MITRE has copyrighted the OVAL Language for the benefit of the community in order to ensure it remains a free and open standard, as well as to legally protect the ongoing use of it and any resulting content by government, vendors, and/or users. MITRE has trademarked ® the OVAL acronym and the OVAL logo to protect their sole and ongoing use by the OVAL effort within the information security arena.

Please contact oval@cisecurity.org if you require further clarification on this issue.

Back to top

B. OVAL Language

B1. What is the OVAL Language?

The OVAL Language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment.

The OVAL community has developed three schemas written in Extensible Markup Language (XML) to serve as the framework and vocabulary of the OVAL Language. These schemas correspond to the three steps of the assessment process: an OVAL System Characteristics schema for representing system information, an OVAL Definition schema for expressing a specific machine state, and an OVAL Results schema for reporting the results of an assessment.

See About the OVAL Language for more information.

B2. Why XML?

Every OVAL definition on the OVAL Web site is posted in Extensible Markup Language (XML) under a single OVAL-ID. XML is used as the framework for OVAL Definitions because XML’s data centric approach makes it easier to extract the logical criteria of a definition and allows it to be combined with other XML data in order to extend the usefulness of OVAL.

Because they are written in XML, OVAL definitions are machine readable and can be used as part of information security products and services, or the pseudocode can be read in hardcopy or electronic form by information security professionals such as system administrators, security analysts, etc. For tool vendors, XML are specifications and not implementation requirements. The XML information in OVAL can be converted into whatever implementation structure or format necessary for your tool or service.

Information about XML and programming in XML can be found in numerous locations on the Internet, including the World Wide Web Consortium Web site, through search engines such as Google, Yahoo, etc., in bookstores, or at your local library.

B3. Who created the OVAL schemas?

The OVAL schemas are created by MITRE and members of the OVAL Developer’s Forum and approved by the OVAL Board. Visit the OVAL Language Releases page to review or download the schemas. The schemas are also hosted on the OVALProject Language page on GitHub.com.

B4. Is there technical documentation that explains the XML elements, types, and attributes that comprise the OVAL Schemas?

Yes, OVAL Element Dictionaries for the latest version of OVAL are available in the OVAL Language section.

B5. Is there an OVAL Language "Sandbox"?

Yes, the OVAL Language Sandbox, hosted on GitHub.com, provides a collaborative environment for the community to propose and develop experimental capabilities for the OVAL Language. It allows the community to fully investigate and implement new capabilities before including them in an official release ensuring that only mature and implementable constructs are added to the OVAL Language. It also allows the OVAL effort to evolve and keep up with new and emerging technologies.

Back to top

C. OVAL Repository

C1. What is the OVAL Repository?

The OVAL Repository is the central meeting place for the OVAL Community to discuss, analyze, store, and disseminate OVAL definitions. OVAL definitions are standardized, machine-readable tests written in the Open Vulnerability and Assessment Language that check computer systems for the presence of software vulnerabilities, configuration issues, programs, and patches.

OVAL definitions, which are free to use and implement in information security products and services, are written in Extensible Mark-up Language (XML) and are available for most major platforms. See the OVAL Repository main page to review or download all OVAL definitions posted to date.

C2. What is OVAL content?

OVAL content includes any XML document written in the OVAL Language. For example, OVAL Definitions, OVAL System Characteristics files, and OVAL Results files.

C3. What information is included in an OVAL definition?

"OVAL definitions" are machine-readable, gold standard tests that definitively determine whether the specified software vulnerability, configuration issue, program, or patch is present on a system. There are four main classes of OVAL definitions:

A "Miscellaneous" class is also available for definitions that do not fall into any of the four main classes. Each OVAL definition includes metadata, a high-level summary, and the detailed definition. Definition metadata provides the OVAL-ID, status of the definition (Draft, Interim, or Accepted), the CVE name or other reference on which the definition (or definitions) is based, the version of the official OVAL Definition Schema the definition works with, a brief description of the security issue covered in the definition, the main author, and a list of the significant contributors to the development of the definition.

The high-level summary includes the following: "Vulnerable software exists," which states the specific operating system (OS), the name of the file with the vulnerability in it, application version, and patch status; and "Vulnerable configuration," which indicates if the service is running or not, specific configuration settings, and workarounds. The detailed portion of definitions provides the logic for checking for the system characteristics (OS installed, settings in the OS, software applications installed, and settings in applications) to indicate that vulnerable software exists, and configuration attributes (registry key values, file system attributes, and configuration files) to indicate that a vulnerable configuration exists.

Each definition is distinguished by a unique identifier (OVAL-ID). OVAL-IDs use the format "oval:Organization DNS Name:ID Type:ID Value" where organization DNS Name is of the form ‘org.mitre.oval’; ID Type denotes the entity to which the ID is being applied (and can be one of the following values: def - Definition, obj - Object, ste - State, tst - Test, or var - Variable); and ID Value is an integer that is unique to the DNS name and ID Type pair that precedes it. For example, oval:org.mitre.oval:def:1115. (Note that the OVAL-ID format extends across all of the globally reusable components in the OVAL Language - definitions, objects, states, tests, and variables.)

(Important: OVAL deprecated the use of the SQL format in November 2004. Any SQL versions of OVAL definitions should be considered to be for informational purposes only.)

C4. Who decides what goes in the OVAL definitions?

The OVAL Repository Moderator evaluates and reviews definitions for publication in the OVAL Repository. Once new definitions are published the OVAL Repository they are subject to community review. This community review takes place on the Community Forum Discussion List, an email list hosted on the OVAL Web site.

Back to top

C5. How does a vulnerability or exposure become an OVAL definition?

The OVAL Repository uses the publicly known vulnerabilities identified in the CVE List as the basis for its vulnerability definitions. Draft definitions against these vulnerabilities, configuration issues, and patches are written by members of the OVAL Repository community and submitted to the OVAL Repository Moderator for public comment and review. Public comments on new definitions are made on the Discussion List, a lightly moderated public forum for discussing the definitions in the OVAL Repository. After discussion has subsided, any modifications to new definitions are published in the OVAL Repository. Definitions are posted with "DRAFT," "INTERIM," or "ACCEPTED" status. (See "OVAL Definition Lifecycle " for a detailed description of this process.)

C6. Where does OVAL find out about the vulnerabilities used in the Vulnerability Definitions?

Most OVAL vulnerability definitions are based on the publicly known vulnerabilities identified in MITRE’s CVE List (see C7). This information comes from a variety of public sources including the application and operating system vendors themselves, security tool vendors, public vulnerability databases, and as a direct result of the open discussions on OVAL’s Community Forum email list.

On occasion, discussions on the community discussion list may bring to light new potential security vulnerabilities (see C12). In these instances, the relevant information will be forwarded to the CVE Initiative and if accepted, the issue will be assigned a CVE name with candidate status. Any subsequent OVAL definitions developed for this newly identified problem will include this CVE name.

C7. Do the OVAL Definitions address all vulnerabilities and exposures?

No. The intention of OVAL is to be comprehensive with respect to the most recent vulnerabilities identified on the CVE List for the platforms supported (see A3).

C8. What is CVE? What is the relationship between CVE and OVAL?

Common Vulnerabilities and Exposures (CVE®) is a list or dictionary that provides common names for publicly known information security vulnerabilities and exposures. CVE common names make it easier to share data across separate network security databases and tools that are CVE-compatible. CVE also provides a baseline for evaluating the coverage of an organization’s security tools. CVE content is determined by the CVE Editorial Board, which is composed of experts from the international information security community. The MITRE Corporation maintains CVE and manages the CVE Editorial Board. See http://cve.mitre.org.

OVAL uses the publicly known vulnerabilities identified in CVE List as the basis for most of the OVAL vulnerability definitions (see C5). If discussions in the Community Forum result in information about new and previously unreported vulnerabilities, this information and any supporting references will be forwarded to the CVE Initiative for possible addition to the list. MITRE manages both CVE and OVAL and the two teams work closely together.

Back to top

C9. Are the OVAL definitions intended for public use?

OVAL’s definitions and Language schemas are all free to download, use, reference, and implement, per the Terms of Use. Members of the community are welcome to comment on OVAL’s definitions and schemas on the Community Forum and Developer’s Forum.

C10. How can I get the latest copies of the OVAL definitions? What do they cost, and are there any licensing fees?

You may review or download OVAL definitions from the main page of the OVAL Repository. All OVAL definitions—as well as all schemas and downloads on the OVAL Web site—are free to the public to use, download, reference, and implement with no licensing fees or restrictions as to their use. See the full Terms of Use statement for details.

C11. Can my organization or I submit OVAL definitions?

Yes. Members of the information security community may submit definitions to the OVAL Editor for review. Definitions must be based upon the OVAL Definition schema and the Submission Guidelines. See Submit Content for the specific steps and requirements.

C12. Can I include OVAL definition information in my product/security advisory/etc.?

Yes. OVAL definition information is free to use.

C13. I discovered a new security problem, how can I get it added to the OVAL Repository?

Except for software configuration issues, programs, and patches, OVAL definitions are based on vulnerability information from CVE entries. If new vulnerabilities come to light in discussions on OVAL’s public discussion email list, the information will be forwarded to the CVE Initiative.

Alternatively, after first contacting the vendor, you could post information to mailing lists such as Bugtraq or NTBugtraq. Or, you could contact a vulnerability analysis team, an emergency response team such as CERT, or other organizations that are specifically designed to handle such new information. Once the information has been verified through these other mechanisms, the new entries will make it into CVE and then be available to OVAL.

C14. How do I search the Repository by OVAL-ID?

The OVAL Repository’s Search page allows users to Search by OVAL-ID for any component in the OVAL Language that has been assigned an OVAL-ID including OVAL definitions, objects, states, tests, and variables (See A16. What is an OVAL-ID?).

You may “Search by OVAL-ID” by entering any of the following:

Definition ID – Searches the OVAL Repository for the single definition with the specified ID, for example searching for “oval:com.example:def:123” would return a url for that definition.

Definition Type & Integer – Searches the OVAL Repository for all definitions regardless of namespace that have the specified integer component. For example, searching for “def:123” would return the following results: oval:com.example:def:123, oval:org.mitre.oval:def:123, oval:com.abc:def:123, etc.

Integer-only – Searches the OVAL Repository for all OVAL Definitions whose Definition ID has the specified integer component. For example, searching for “123” would return the following results: oval:com.example:def:123, oval:org.mitre.oval:def:123, oval:com.abc:def:123, etc.

ID Type & Integer – Searches the OVAL Repository for all definitions that use any OVAL-ID of the specified ID Type with the specified integer components. For example, searching for “tst:123” returns all definitions that use any test with the specified type and integer components. See the example above for how to search for ‘def’ type.

Compete ID Other than Definition ID – Searches the OVAL Repository for any definitions that use the specified ID, for example, “oval:com.example:obj:123”. See above for how to search by “Definition ID,” which is handled differently.

C15. How do I search the Repository by OVAL Metadata?

The OVAL Repository’s Search page allows users to search OVAL Definitions by any combination of the following: title, description, platform, product, contributor, organization, class, family, status, reference source, and/or reference number. You may also search by OVAL-ID (see C14. How do I search the Repository by OVAL-ID?).

OVAL Tests, Objects, States, and Variables may also be searched on by their metadata.

Back to top

D. OVAL Adoption

D1. What does it mean to "adopt" OVAL?

For an information security product or service to be recognized as an official adopter of OVAL, it must provide one or more of the five high-level OVAL Capabilities, each of which targets a different usage of the OVAL Language:

These capabilities enable members of the OVAL community to easily understand how a given product is using the OVAL Language and how it might suit their needs. For additional information, please refer to the OVAL Adoption Program section.

D2. How can my product or service adopt OVAL? Are there specific requirements that must be met?

See OVAL Adoption Program Process and Requirements and Recommendations for OVAL Adoption for more information.

D3. How can products and services that have adopted OVAL help me?

See Benefits of OVAL Adoption.

D4. Can my organization register our product or service as an OVAL Adopter?

To make a declaration to adopt OVAL, send an email to oval@cisecurity.org with your company name and contact information, the type of product, the name of the product(s) or service(s), and the way in which your product is or will adopt OVAL.

D5. Can my organization be listed for supporting OVAL?

Yes, organizations with capabilities that support the use of OVAL can be listed on the OVAL Supporters page. Send an email to oval@cisecurity.org to request that your capability be added to the list.

Back to top

E. OVAL Community Forum & OVAL Board

E1. What is the role of the OVAL Community Forum email list and how can I join?

The OVAL Community Forum email discussion list is a lightly moderated public forum for new and previously posted OVAL Repository content, as well as the vulnerabilities and configuration issues themselves that affect definition writing.

Active participation is an important part of the OVAL effort. System administrators, software vendors, security analysts, developers, and other members of the information security community are all invited to participate. A confirmation will be sent to you verifying your addition to the list(s). View our Privacy Policy.

E2. What is the role of the OVAL Developer’s Forum email list and how can I join?

The OVAL Developer’s List is a lightly moderated public forum for discussing the OVAL Language as well as specific topics for developers such as addressing OVAL implementation issues and for assisting other developers in incorporating OVAL information into their tools and services.

Active participation is an important part of the OVAL effort. System administrators, software vendors, security analysts, developers, and other members of the information security community are all invited to participate. A confirmation will be sent to you verifying your addition to the list(s). View our Privacy Policy.

E3. Who is the OVAL Board?

The OVAL Board includes members from major operating systems vendors, commercial information security tool vendors, academia, government agencies, and research institutions. Other information security experts will be invited to participate on the Board on an as-needed basis based upon recommendations from Board members. Archives of Board meetings are available for review and comment in the OVAL Board section of the OVAL Web site.

E4. What is MITRE?

In partnership with government clients, The MITRE Corporation (MITRE) is a not-for-profit corporation working in the public interest. It addresses issues of critical national importance, combining systems engineering and information technology to develop innovative solutions that make a difference.

MITRE’s work is focused within Federally Funded Research and Development Centers (FFRDCs) for the: Department of Defense, Federal Aviation Administration, Internal Revenue Service and Department of Veterans Affairs, Department of Homeland Security, Administrative Office of the U.S. Courts, and the Centers for Medicare and Medicaid Services.

E5. What is MITRE’s role in OVAL?

MITRE created the OVAL Board, maintains OVAL with assistance from the Board, moderates the OVAL Community Forum and OVAL Developer’s email lists, and provides neutral guidance throughout the process to ensure that OVAL serves the public interest.

E6. Why is MITRE maintaining OVAL, and how long does MITRE plan to maintain it?

In accordance with its mission, MITRE has traditionally acted in the public interest. Its unique role allows it to provide an objective perspective to this effort. MITRE will maintain OVAL as long as it serves the community to do so.

E7. Is the OVAL effort represented on GitHub.com?

Yes, see the OVALProject page on GitHub.com.

Back to top

F. OVAL Interpreter

F1. What is the OVAL Interpreter? Is it free to use?

The OVAL Interpreter, which is hosted on SouceForge.net, is a freely available reference implementation that demonstrates the evaluation of OVAL Definitions. Based on a set of XML Definitions the Interpreter collects system information, evaluates it, and generates a detailed OVAL Results file. Developed to demonstrate the usability of OVAL Definitions and to ensure correct syntax and adherence to the OVAL Schemas by definition writers, it is not a fully functional scanning tool and has a simplistic user interface but running the Interpreter will provide a list of OVAL Definition IDs and their results on the system.

The OVAL Interpreter includes the following:

NOTE: The OVAL Interpreter is only one example of the many uses of OVAL. Visit the OVAL Adoption Program to learn more about the many ways information security products and services can incorporate OVAL.

Back to top