Red Hat and OVAL

The details around Red Hat’s use of OVAL have been publicly documented for years; to cite the OVAL FAQ:

The OVAL project

The Open Vulnerability and Assessment Language (OVAL) project, maintained by the Center for Internet Security (CIS), is an international information security effort that promotes open and publicly available security content, and seeks to standardize the transfer of this information across the entire spectrum of security tools and services. Refer to https://oval.cisecurity.org/ for further information.

Red Hat and the OVAL project

Red Hat Product Security helps customers evaluate and manage risk by tracking and investigating all security issues affecting Red Hat customers and providing timely and concise patches and security advisories via the Red Hat Customer Portal.

Red Hat creates and supports OVAL patch definitions, providing machine-readable versions of our security advisories. This allows OVAL-compatible tools to test for the presence of vulnerabilities for which Red Hat has released security updates that could be applied to the system.

Red Hat was a founding board member of OVAL in 2002, and made a declaration of OVAL compatibility in May 2006.

The OVAL patch definitions

The OVAL patch definitions are available as a "stream" for a particular product and version, and are updated within an hour of a new security advisory being made available via the Red Hat Customer Portal.

Each OVAL patch definition maps one-to-one to a Red Hat Security Advisory (RHSA). Since an RHSA can contain fixes for multiple vulnerabilities, each vulnerability is listed separately by its CVE name, and has a link to its entry in our public bug database.

The OVAL streams

Because RPM package versions are not comparable between repositories that are not designed to be enabled simultaneously (for example, an RPM package released in Red Hat Enterprise Linux 7.2 will have a higher version but may be at a lower patch level than another RPM package released later for Red Hat Enterprise Linux 7.1 EUS), the OVAL definitions are divided into "streams" by product and version. To evaluate a system completely, it must be evaluated against the streams for every product installed on that system.
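The following is an added example, not code from Red Hat or the OVAL project, showing the shape of what the two preceding sections describe: one `patch`-class definition per advisory, several CVE references under it, and rpminfo tests whose `evr` state is compared against the installed package with RPM's epoch:version-release ordering. The OVAL document, the advisory and CVE identifiers (`RHSA-0000:0000`, `CVE-0000-0001`, `CVE-0000-0002`), the package names and the installed inventory are all constructed placeholders, and `rpmvercmp` is a simplified reimplementation of the RPM version-segment comparison (no tilde or caret handling), not the real librpm routine.

```python
import re
import xml.etree.ElementTree as ET

# Real OVAL 5 namespaces; everything else in SAMPLE_OVAL is constructed.
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
LINUX_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
NS = {"oval": OVAL_NS, "lin": LINUX_NS}

# Constructed, heavily simplified stream: one definition for a placeholder
# advisory that fixes two placeholder CVEs across two packages.
SAMPLE_OVAL = f"""<?xml version="1.0"?>
<oval_definitions xmlns="{OVAL_NS}" xmlns:lin="{LINUX_NS}">
  <definitions>
    <definition id="oval:com.example:def:1" class="patch" version="1">
      <metadata>
        <title>RHSA-0000:0000: examplepkg security update (placeholder)</title>
        <reference source="RHSA" ref_id="RHSA-0000:0000"/>
        <reference source="CVE" ref_id="CVE-0000-0001"/>
        <reference source="CVE" ref_id="CVE-0000-0002"/>
      </metadata>
      <criteria operator="OR">
        <criterion test_ref="oval:com.example:tst:1" comment="examplepkg is earlier than 0:1.2.3-4.el7"/>
        <criterion test_ref="oval:com.example:tst:2" comment="examplepkg-libs is earlier than 0:1.2.3-4.el7"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <lin:rpminfo_test id="oval:com.example:tst:1" version="1" check="at least one">
      <lin:object object_ref="oval:com.example:obj:1"/><lin:state state_ref="oval:com.example:ste:1"/>
    </lin:rpminfo_test>
    <lin:rpminfo_test id="oval:com.example:tst:2" version="1" check="at least one">
      <lin:object object_ref="oval:com.example:obj:2"/><lin:state state_ref="oval:com.example:ste:1"/>
    </lin:rpminfo_test>
  </tests>
  <objects>
    <lin:rpminfo_object id="oval:com.example:obj:1" version="1"><lin:name>examplepkg</lin:name></lin:rpminfo_object>
    <lin:rpminfo_object id="oval:com.example:obj:2" version="1"><lin:name>examplepkg-libs</lin:name></lin:rpminfo_object>
  </objects>
  <states>
    <lin:rpminfo_state id="oval:com.example:ste:1" version="1">
      <lin:evr datatype="evr_string" operation="less than">0:1.2.3-4.el7</lin:evr>
    </lin:rpminfo_state>
  </states>
</oval_definitions>
"""


def rpmvercmp(a, b):
    """Simplified RPM segment comparison: split into digit runs and letter runs;
    digits compare numerically, letters lexically, digits beat letters, and when
    one string is a prefix of the other the longer one is newer."""
    if a == b:
        return 0
    sa, sb = re.findall(r"\d+|[a-zA-Z]+", a), re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            ix, iy = int(x), int(y)
            if ix != iy:
                return (ix > iy) - (ix < iy)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_evr(evr):
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return int(epoch), version, release


def evrcmp(a, b):
    """Order two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def load_definitions(xml_text):
    """Resolve each definition to (advisory, CVE list, [(package, fixed EVR), ...])."""
    root = ET.fromstring(xml_text)
    objects = {o.get("id"): o.find("lin:name", NS).text for o in root.iterfind(".//lin:rpminfo_object", NS)}
    states = {}
    for s in root.iterfind(".//lin:rpminfo_state", NS):
        evr = s.find("lin:evr", NS)
        assert evr.get("operation") == "less than"  # the only operation this toy evaluator supports
        states[s.get("id")] = evr.text
    tests = {}
    for t in root.iterfind(".//lin:rpminfo_test", NS):
        tests[t.get("id")] = (objects[t.find("lin:object", NS).get("object_ref")],
                              states[t.find("lin:state", NS).get("state_ref")])
    defs = []
    for d in root.iterfind(".//oval:definition", NS):
        refs = d.findall("oval:metadata/oval:reference", NS)
        rhsa = next(r.get("ref_id") for r in refs if r.get("source") == "RHSA")
        cves = [r.get("ref_id") for r in refs if r.get("source") == "CVE"]
        checks = [tests[c.get("test_ref")] for c in d.iterfind(".//oval:criterion", NS)]
        defs.append({"rhsa": rhsa, "cves": cves, "tests": checks})
    return defs


def evaluate(defs, installed):
    """installed maps package name -> installed EVR. A definition matches when any
    listed package is present at an EVR below the fixed one (OR criteria)."""
    findings = []
    for d in defs:
        hit = [name for name, fixed in d["tests"] if name in installed and evrcmp(installed[name], fixed) < 0]
        if hit:
            findings.append((d["rhsa"], d["cves"], hit))
    return findings


if __name__ == "__main__":
    # Constructed inventory: examplepkg is one release behind, examplepkg-libs is fixed.
    inventory = {"examplepkg": "0:1.2.3-3.el7", "examplepkg-libs": "0:1.2.3-4.el7"}
    for rhsa, cves, pkgs in evaluate(load_definitions(SAMPLE_OVAL), inventory):
        print(f"{rhsa} applies ({', '.join(cves)}): {', '.join(pkgs)}")
```

The inventory passed to `evaluate` is the reason streams matter: the fixed EVR in a definition is only meaningful relative to the product repository the installed package came from, so a scanner has to pair each installed package with the stream of its own product and version rather than compare against every stream at once.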
