The Open Vulnerability and Assessment Language (OVAL) is an international community standard maintained by MITRE to promote open and publicly available security content, and to standardize the transfer of this information in security tools and services. OVAL's goal is to assist security administrators by accelerating the process of analyzing a system for the presence of a vulnerability and recommend best practices for security configurations. MITRE's OVAL website encompasses a detailed overview at the following link: http://oval.mitre.org/about/index.html
On September 26, 2012, Cisco released OVAL content for Cisco IOS vulnerabilities that are disclosed in security advisories. This document contains frequently asked questions (FAQs) about Cisco OVAL content for security vulnerabilities.
A: Cisco is committed to protect customers by sharing critical security-related information in different formats. OVAL accelerates information exchange and consumption of security-related information. Utilizing OVAL, security administrators and other users can accelerate the process of determining the existence of software vulnerabilities, configuration issues, programs, and patches in Cisco IOS Software.
A: OVAL definitions are XML files containing the following information: checking a system for vulnerabilities, determining configuration issues, missing patches, ascertaining installed applications, and other security related information pertinent to the system. In respect to vulnerability checks, definitions are written to check for the presence of vulnerabilities in a system. OVAL definitions must comply with the OVAL definition schemata and data model, and should be written in accordance with the Authoring Style Guide defined by MITRE. Please visit MITRE's website at the following link for a detailed description of the OVAL definition process: http://oval.mitre.org/repository/about/stages.html
A: The OVAL community has developed three types of schemas, written in Extensible Markup Language (XML), to serve as the framework and vocabulary of the OVAL Language. These schemas correspond to the three steps of the assessment process: an OVAL System Characteristics schema for representing system information, an OVAL Definition schema for expressing a specific machine state, and an OVAL Results schema for reporting the results of an assessment.
The OVAL schemas are created by MITRE, members of the OVAL Developer's Forum, and approved by the OVAL Board. Visit MITRE's OVAL Language Releases website to review or download the schemas: http://oval.mitre.org/language/index.html
A: As a proactive measure, OVAL definitions can be used to determine which vulnerabilities or configuration issues exist on your Cisco IOS device. The information can be utilized to obtain appropriate software patches and fixes to remediate known vulnerabilities and evaluate if a device is configured as recommended according to industry best practices.
A: OVAL definitions can be downloaded directly from the Cisco IOS security advisories. Each Cisco IOS security advisory includes a link to the corresponding OVAL definition(s).
A: OVAL enables interoperability between security and network management products from different vendors in diverse vertical markets. This permits OVAL to automatically perform vulnerability and compliance assessments of network infrastructure and networking devices. All organizations participating in the OVAL Adoption Program are listed in MITRE's website at: http://oval.mitre.org/adoption/participants.html
Many vendors are working on integrating Cisco IOS schemas to support their products. The open source tool, jOVAL, supports Cisco IOS schemas. For more information concerning jOVAL, visit: http://joval.org
The following document provides step-by-step instructions on how to use OVAL content with available open source tools: http://www.cisco.com/web/about/security/intelligence/oval_scty_automation.html
A: Cisco is currently authoring OVAL definitions for Cisco IOS Software. However, Cisco is working with MITRE and the OVAL community to enhance and develop new schemas to enhance support for Cisco IOS Software and associated products.
A: Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks. More information about PSIRT and Cisco's Security Vulnerability Policy can be found at:
A: Customers can remain current with a variety of Cisco publications, including Cisco Security Advisories, Applied Mitigation Bulletins, Event Responses, and Threat Outbreak Alerts, by receiving a short message service (SMS) text message when new content is posted. This information can be obtained from Cisco's Security Center at: http://cisco.com/security
This document is part of Cisco Security Intelligence Operations.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.