Volume 3, Number 24 -- June 27, 2006

Red Hat Security Advisories Now OVAL Compatible

Published: June 27, 2006

by Timothy Prickett Morgan

Commercial Linux distributor Red Hat announced last week that it has rejiggered the security advisory format for its Red Hat Enterprise Linux 3 and 4 versions so these advisories now conform to the format specified by the Open Vulnerability Assessment Language, or OVAL.

Computers have automated many business processes in the world--ranging from billing and accounting in decades ago to the distribution of information through the Internet--but the one thing that computers still do not do well is manage themselves. One of the holy grails of the system administration field is to automate, to the extent possible, how computers are managed, such that a policy-based program should be able to figure out what to do when an event, such as a security patch to a Linux operating system, occurs.

Such automation is particularly important in heavily computerized systems, such as those built by the armies, navies, and air forces of the world. And to that end, defense contractor Mitre has for a number of years been putting forth OVAL as an open source format in which security alerts can be formatted; in fact, Mitre hosts a repository of OVAL alerts. The interesting thing about OVAL, which is one of the many variants of XML, is that it not only encodes information about security vulnerabilities and their patches, but also encodes the means to check if a particular system has the software features or system state that relates to a security vulnerability, and therefore can assess whether or not a patch should be applied. Changing a system as little as possible enhances stability. Red Hat, Microsoft, IBM, and the Debian community are the only operating system vendors on the OVAL board so far, and they all see the need to automate security patching, which is a labor-intensive and error-prone process. Getting security alerts into a common format, which means tools can be used to filter data contained in the alerts, is the first step.

"As a founding member of the OVAL board, we've been working with the Mitre Corporation on OVAL for many years," explained Mark Cox, Red Hat's security response team lead. "Just as the Mitre CVE project has become common for dealing with vulnerability patches, we expect the same rapid adoption for the OVAL project. This initiative forms part of our commitment to make the deployment of security ubiquitous through the use of industry-wide standards."

Sponsored By

Now you can go direct to Micro Focus...

Announcing direct sales, service and support
for HP and Micro Focus customers!

All versions of Micro Focus products previously sold through HP or an HP reseller are now sold, serviced and supported directly by Micro Focus.

For more information, or to talk to a dedicated HP conversion specialist:
1-800-632-6265 Option 2

Editor: Timothy Prickett Morgan
Contributing Editors: Dan Burger, Joe Hertvik, Kevin Vandever,
Shannon O'Donnell, Victor Rozek, Hesh Wiener, Alex Woodie
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.

Sponsored Links

Linux Networx:  Clusterworx streamlines and simplifies cluster management
ANSYS:  Engineering simulation solutions for more than 30 years
Scalix:  Advanced email and calendaring for power users in the enterprise


Subscription Information:
You can unsubscribe, change your email address, or sign up for any of IT Jungle's free e-newsletters through our Web site at

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034

Privacy Statement