Red Hat OVAL v2 streams

The difference between Red Hat OVAL v1 and OVAL v2

The difference between Red Hat OVAL v1 and OVAL v2 is strictly structural: it is one of organization, not of format. In OVAL v2 the content is separated into per-product-version streams, whereas OVAL v1 shipped flat files or "everything" zip files.

It is the organization of the OVAL definitions into product-version streams that allows Red Hat to support OVAL definitions for Red Hat products other than Red Hat Enterprise Linux (RHEL), as the OVAL definitions in a particular stream will only contain tests that are relevant to that product-version.

The Red Hat OVAL v2 product-version specific streams are enhanced to provide insight into which vulnerabilities are addressed (patched, definition class="patch") as well as yet to be addressed (un-patched, definition class="vulnerability") by Red Hat.

Red Hat OVAL v1 files are now deprecated by Red Hat Product Security.

Background

The nature of RPM and open source repositories presents some unique challenges. RPM versions are not comparable outside of a given repository. As an example:

In RHEL Extended Update Support (EUS) the "base" version of the RPMs is frozen, and then as updates are backported, an additional versioning number is added. This means that if RHEL 7.3 contained "kernel-1.2.3-4.el7", RHEL 7.3 EUS might additionally contain "kernel-1.2.3-4.1.el7_3" and "kernel-1.2.3-4.2.el7_3" when things are backported, whereas RHEL 7.4 would contain "kernel-1.2.3-5.el7".

Most Red Hat products use a technique called backporting to ingest upstream fixes. The RPM versions in an OVAL file generated for RHEL 7.4 will therefore always return "vulnerable" results if applied against a RHEL 7.3 EUS system, since the installed kernel version will always be "a lower version than" the version in which the OVAL file says the CVE was fixed. The same can be true for other non-RHEL "layered products."
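As an added example (not from this Red Hat page or the rpm project), the following simplified Python port of rpm's version comparison reproduces the mismatch just described: a kernel from the RHEL 7.3 EUS example compared against the fix version in the RHEL 7.4 OVAL definition is reported vulnerable, while the same kernel compared against the EUS stream's own fix version is not. The EVR strings used in the test are the page's constructed kernel example, not real errata data.

```python
import re

# Simplified Python port of rpm's rpmvercmp(): each string is split into
# numeric and alphabetic segments (separators ignored) and compared segment by
# segment. '~' sorts before everything; the '^' marker is omitted for brevity.
def rpmvercmp(a: str, b: str) -> int:
    if a == b:
        return 0
    ta = re.findall(r"[0-9]+|[A-Za-z]+|~", a)
    tb = re.findall(r"[0-9]+|[A-Za-z]+|~", b)
    while ta or tb:
        x = ta[0] if ta else ""
        y = tb[0] if tb else ""
        if x == "~" or y == "~":            # pre-release marker: older than anything
            if x != y:
                return 1 if y == "~" else -1
            ta.pop(0); tb.pop(0)
            continue
        if not x or not y:                  # one side still has segments left
            return 1 if x else -1
        ta.pop(0); tb.pop(0)
        if x.isdigit() != y.isdigit():      # a numeric segment beats an alpha one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):            # more digits means a larger number
                return 1 if len(x) > len(y) else -1
        if x != y:                          # same type and length: plain strcmp
            return 1 if x > y else -1
    return 0

# Split "[epoch:]version-release" and compare epoch, version, then release,
# which is the order an OVAL rpminfo_test "evr" comparison uses.
def evr_cmp(evr1: str, evr2: str) -> int:
    def split(evr: str):
        epoch, _, rest = evr.rpartition(":")
        version, _, release = rest.rpartition("-")
        return epoch or "0", version, release
    for x, y in zip(split(evr1), split(evr2)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0

# A definition reports the package vulnerable when the installed EVR is lower
# than the EVR in which the stream says the CVE was fixed.
def is_vulnerable(installed_evr: str, fixed_evr: str) -> bool:
    return evr_cmp(installed_evr, fixed_evr) < 0
```

With the page's values, `is_vulnerable("1.2.3-4.2.el7_3", "1.2.3-5.el7")` is True (the RHEL 7.4 definition misfires on an EUS host) while `is_vulnerable("1.2.3-4.2.el7_3", "1.2.3-4.2.el7_3")` is False, which is why the matching product-version stream has to be used.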

Here's how the package version, as a result of backporting, breaks down [2]:

OVAL v2 streams

To support non-base-RHEL products Red Hat OVAL v2 provides OVAL "streams" by product-version. A system running RHEL 7 base and Red Hat Satellite 6.4, for example, would want to use both those streams, and those streams only, to make the applicable OVAL data available [1].

Red Hat Product Security strongly recommends that all third-party security solutions with vulnerability-scanning functionality migrate to the appropriate OVAL streams in the v2 directory instead of consuming the historical OVAL files in the directory one level higher (OVAL v1). The traditional v1 OVAL files are still accurate, but only for base RHEL, which is what they were designed and generated for.
