Red Hat Security Advisories Now OVAL Compatible
Published: June 27, 2006
by Timothy Prickett Morgan
Commercial Linux distributor Red Hat announced last week that it has rejiggered the security advisory format for its Red Hat Enterprise Linux 3 and 4 versions so these advisories now conform to the format specified by the Open Vulnerability Assessment Language, or OVAL.
Computers have automated many business processes in the world--ranging from billing and accounting decades ago to the distribution of information through the Internet--but the one thing that computers still do not do well is manage themselves. One of the holy grails of the system administration field is to automate, to the extent possible, how computers are managed, such that a policy-based program should be able to figure out what to do when an event, such as a security patch to a Linux operating system, occurs.
Such automation is particularly important in heavily computerized systems, such as those built by the armies, navies, and air forces of the world. And to that end, defense contractor Mitre has for a number of years been putting forth OVAL as an open source format in which security alerts can be formatted; in fact, Mitre hosts a repository of OVAL alerts. The interesting thing about OVAL, which is one of the many variants of XML, is that it not only encodes information about security vulnerabilities and their patches, but also encodes the means to check if a particular system has the software features or system state that relates to a security vulnerability, and therefore can assess whether or not a patch should be applied. Changing a system as little as possible enhances stability. Red Hat, Microsoft, IBM, and the Debian community are the only operating system vendors on the OVAL board so far, and they all see the need to automate security patching, which is a labor-intensive and error-prone process. Getting security alerts into a common format, which means tools can be used to filter data contained in the alerts, is the first step.
"As a founding member of the OVAL board, we've been working with the Mitre Corporation on OVAL for many years," explained Mark Cox, Red Hat's security response team lead. "Just as the Mitre CVE project has become common for dealing with vulnerability patches, we expect the same rapid adoption for the OVAL project. This initiative forms part of our commitment to make the deployment of security ubiquitous through the use of industry-wide standards."