Scanning OVAL Vulnerabilities

You can scan OVAL vulnerabilities you have created using the OVAL standard and view the scan results within your account.

Note: The creation of the QIDs using the OVAL standard is subscription-based. These QIDs will not be visible in the VMDR -Vulnerabilities, Prioritization & Dashboard. 

Tell me about OVALTell me about OVAL

Open Vulnerability and Assessment Language (OVAL) is an international information security community baseline standard, designed to check for the presence of vulnerabilities and configuration issues on computer systems. Want to learn more? Visit http://oval.mitre.org/

What OVAL versions are supported?What OVAL versions are supported?

OVAL versions 4.0, 4.1 and 4.2 are supported.

What OVAL schemas are supported?What OVAL schemas are supported?

We support the OVAL Definition Schema and the Platform Schema for Windows. These schemas define the structure and vocabulary of the OVAL vulnerability definitions.

Windows OVAL checks are supportedWindows OVAL checks are supported

Only Windows is supported for OVAL based checks. Specifically the wrt test type (Windows Registry test), wft test type (Windows File tests) and cmp test type (Compound test) tests are supported.

 

Go to VM/VMDR > KnowledgeBase and select New > OVAL Vulnerability. Enter the OVAL vulnerability settings and click Save.

Make these settings: 1) Be sure to provide text for the Impact and Solution fields (these appear in vulnerability details in reports), and 2) In the OVAL section, paste in XML for an OVAL vulnerability definition. Show me samples

What happens next? We'll validate the OVAL XML and then the new vulnerability will be added to the KnowledgeBase. We'll automatically assign it a unique QID starting at 130000. Subsequent QIDs are incremented by one, as in 130001, 130002, 130003, etc.

Windows host authentication is required for scanning OVAL vulnerabilities. Be sure you have a Windows authentication record for the hosts you want to scan. If not, go to Scans > Authentication and configure one now. Learn more

In your option profile: 1) enable Windows authentication, and 2) add a custom search list under Vulnerability Detections as described below.

To scan all OVAL vulnerabilities: add a search list that has QID 105186, and select the check box "OVAL checks" in the Include section.

To scan select OVAL vulnerabilities: add a search list that has the specific OVAL QIDs you want to test plus QID 105186.

Tell me about QID 105186Tell me about QID 105186

QID 105186 "Errors During Execution of User-Provided Detections" is a diagnostic QID that will provide important information about OVAL detections like errors reported and will help you if OVAL detection fails.

Can I use the Complete option?Can I use the Complete option?

Yes you can use this option along with the "OVAL checks" option to scan for all OVAL vulnerabilities but QID 105186 will not be included in the scan. This is why we suggest you use search lists.

 

 

OVAL vulnerabilities appear in scan results just like any other vulnerability. You'll notice CVSS Base and Temporal scores for an OVAL vulnerability are displayed with vulnerability details in reports.

Yes you can easily create a report showing your OVAL vulnerabilities: 1) Create a vulnerability search list including the OVAL QIDs as well as the diagnostic QID 105186, 2) Add the search list to a scan report template, and 3) Run the scan template.