AnsweredAssumed Answered

Updated OVAL Support?

Question asked by Robert Sloan on Jun 17, 2019
Latest reply on Jul 10, 2019 by Robert Dell'Immagine

This question/commentary is going to be multi-part, largely because any question about OVAL definition support tends to die in the forums, and partly because I feel that any support needs to be all-in.

 

1: I'll repeat the general question that so few tend to get answers to - Does anyone here successfully use OVAL definitions with Qualys? I suspect this question gets so little traction because OVAL is largely defunct (with the latest commit to the "official" release being ~3 years ago), but there is a simplicity to the idea of being able to write your own definition files that spans all of the predecessors to the modern assessment engines.

My own question is actually more around finding if a file doesn't exist - you'd think it'd be as easy as flipping "check="at least one"" to "check="none exist"" in the file_test... but it doesn't look like that support was adopted in the schema until a later version. So flagging assets where, say, a vulnerability mitigation is missing that involves a 0-byte file in a key folder becomes impossible, but I can see assets where the file exists... which isn't the point. 

 

2: Simplicity stops at the idea of crafting OVAL definitions in Qualys because of the ancient version that is supported - 4.2. Even if I were to devote more cycles to learning the ins and outs of OVAL, it would be worthless in this context. As I stated before, v5.11.2 is the current version - with a tease of v6.0 being shown on the MITRE website. So, this means that finding any actual support for the 2005 version of the schema (4.2) is pretty much a shot in the dark with a near-zero chance at getting a useful response. The best authoring tool I have found (also defunct) is eSCAPe 1.2.2 from G2, which has a wizard mode that doesn't require me to be a self-proclaimed l33t to understand. However, the support for this STARTS at v5.3 and ends at 5.10 - but none of the files output from this tool are compatible with the supported schema in Qualys.

 

3: Finally, I'd ask that Qualys do one of two things here; 1) Provide support for newer versions of the OVAL schema so your user base can use authoring tools like eSCAPe, or 2) Build your own (included with VM) authoring tool for 4.2 and release it either as a stand-alone solution (maybe not ideal, but also not unlike the QBR), or in the Knowledgebase as a wizard when you click New -> OVAL Vulnerability (streamlined and ideal).

 

rdellimmagine, if there is currently a SME for this at Qualys, can you please loop them in? 
oval vm definitions

Outcomes