Network Vulnerability Assessment – OVAL Test
Last time I briefly introduced the OVAL Definition; this time I'll continue with the OVAL Test. Note that both definitions and tests are defined in the same XML file. An OVAL test is a subroutine of the criteria defined in the definition section. Here is an example of the criteria for JScript 5.7 on Microsoft Windows XP SP3.
<criteria operator="AND" comment="JScript 5.7 on Microsoft Windows XP SP3">
<criterion comment="jscript.dll version is less than 5.7.6002.22145" test_ref="oval:com.vendor.oval:tst:102792"/>
</criteria>
We can see that the criterion refers to a test, oval:com.vendor.oval:tst:102792. So what is the definition of that test? It is shown below. There are two parts: one is the object, the other is the state. The basic idea is to verify whether the object has the state. If it does, the OVAL test passes. Otherwise, the OVAL test fails.
<test id="oval:com.vendor.oval:tst:102792">
<object object_ref="oval:org.mitre.oval:obj:564"/>
<state state_ref="oval:com.vendor.oval:ste:102792"/>
</test>
The object and state are defined as:
<file_object id="oval:org.mitre.oval:obj:564">
<path var_ref="oval:org.mitre.oval:var:200" var_check="all"/>
<filename>jscript.dll</filename>
</file_object>
…
…
<file_state id="oval:com.vendor.oval:ste:102792">
<version datatype="version" operation="less than">5.7.6002.22145</version>
</file_state>
It basically says that if the version of jscript.dll in the specified path is less than 5.7.6002.22145, then this is a vulnerability.
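The lookup chain above (criterion, test, object, state) can be walked in a few lines of Python; this is an added example, not part of the original post or of any OVAL tool. The `<oval>` wrapper element, the helper names and the observed version passed in are assumptions for illustration, the path variable is not resolved, and padding shorter versions with zeros is this example's choice.

```python
import xml.etree.ElementTree as ET

# The page's snippets inside a hypothetical <oval> wrapper (real OVAL files use namespaces).
OVAL_XML = """<oval>
<criteria operator="AND" comment="JScript 5.7 on Microsoft Windows XP SP3">
<criterion comment="jscript.dll version is less than 5.7.6002.22145" test_ref="oval:com.vendor.oval:tst:102792"/>
</criteria>
<test id="oval:com.vendor.oval:tst:102792">
<object object_ref="oval:org.mitre.oval:obj:564"/>
<state state_ref="oval:com.vendor.oval:ste:102792"/>
</test>
<file_object id="oval:org.mitre.oval:obj:564">
<path var_ref="oval:org.mitre.oval:var:200" var_check="all"/>
<filename>jscript.dll</filename>
</file_object>
<file_state id="oval:com.vendor.oval:ste:102792">
<version datatype="version" operation="less than">5.7.6002.22145</version>
</file_state>
</oval>"""

def version_less_than(observed, limit):
    """Compare dotted versions component by component as integers, not as strings."""
    a = [int(p) for p in observed.strip().split(".")]
    b = [int(p) for p in limit.strip().split(".")]
    width = max(len(a), len(b))
    a += [0] * (width - len(a))  # assumption: missing components count as 0
    b += [0] * (width - len(b))
    return a < b

def by_id(root, oval_id):
    """Find the element (test, object or state) carrying the given OVAL id."""
    for el in root.iter():
        if el.get("id") == oval_id:
            return el
    raise KeyError(oval_id)

def evaluate(observed_versions):
    """observed_versions maps filename -> version found on the host (constructed input)."""
    root = ET.fromstring(OVAL_XML)
    results = {}
    for crit in root.iter("criterion"):
        test = by_id(root, crit.get("test_ref"))
        obj = by_id(root, test.find("object").get("object_ref"))
        state = by_id(root, test.find("state").get("state_ref"))
        ver = state.find("version")
        if ver.get("operation") != "less than":
            raise NotImplementedError(ver.get("operation"))
        observed = observed_versions[obj.findtext("filename")]
        results[crit.get("test_ref")] = version_less_than(observed, ver.text)
    return results
```

A plain string comparison would rank 5.7.6002.9999 above 5.7.6002.22145 and miss the vulnerable file, which is why each component is compared as an integer.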
By now we can see that OVAL is a language that uses XML to define vulnerabilities and how to test for them. Obviously, the repository needs people to maintain it and to add more released/observed vulnerabilities. Thanks,