6.10 Running an OVAL Auditing Scan

Oracle provides OVAL definitions for all errata on ULN. You can use these definitions to ensure that all applicable errata are installed on an Oracle Linux system. For example, Spacewalk allows you to schedule regular auditing scans.

The following OVAL definition files are available:

com.oracle.elsa-cve.xml

OVAL definition file for a single ELSA security patch. For example, com.oracle.elsa-20150377.xml relates to ELSA-2015-0377.

com.oracle.elsa-year.xml.bz2

Compressed archive of OVAL definition files for all ELSA patches released in a given year.

com.oracle.elsa-all.xml.bz2

Compressed archive of all applicable OVAL definition files for all available ELSA patches.

To download an OVAL definitions file and perform an audit on a system:

  1. Use wget or a similar command to download a definitions file from https://linux.oracle.com/security, for example:

    # wget https://linux.oracle.com/security/oval/com.oracle.elsa-2017.xml.bz2
  2. If the definitions file is a compressed bz2 archive, use bzip2 to extract the OVAL definitions file:

    # bzip2 -d com.oracle.elsa-2017.xml.bz2
  3. Use oscap oval eval to audit a system using an OVAL definitions file, for example:

    # oscap oval eval --results /tmp/elsa-results-oval.xml \
      --report /var/www/html/elsa-report-oval.html \
      /tmp/com.oracle.elsa-2017.xml 
    Definition oval:com.oracle.elsa:def:20173580: false
    Definition oval:com.oracle.elsa:def:20173579: true
    Definition oval:com.oracle.elsa:def:20173576: false
    Definition oval:com.oracle.elsa:def:20173575: false
    Definition oval:com.oracle.elsa:def:20173574: true
    Definition oval:com.oracle.elsa:def:20173567: false
    Definition oval:com.oracle.elsa:def:20173566: false
    Definition oval:com.oracle.elsa:def:20173565: true
    Definition oval:com.oracle.elsa:def:20173539: true
    Definition oval:com.oracle.elsa:def:20173538: false
    Definition oval:com.oracle.elsa:def:20173537: false
    Definition oval:com.oracle.elsa:def:20173535: false
    
    ...
    Evaluation done.

    This example scan uses the OVAL definitions in com.oracle.elsa-2017.xml and outputs the XML results and HTML report files to /tmp and /var/www/html respectively. A result of true for a patch means that it has not been applied to a system; a result of false means that it has been applied.

    If you generate an XML results file but not the HTML report, you can use oscap oval generate report to convert the results file to an HTML report, for example:

    # oscap oval generate report /tmp/elsa-results-oval.xml \
      > /var/www/html/elsa-report-oval.html

You can view the HTML report in a browser as shown in Figure 6.3.

Figure 6.3 Sample OVAL Report
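
The following added example, which is not part of the Oracle documentation, post-processes the output of oscap oval eval shown in step 3: it maps each definition ID to its ELSA identifier (following the com.oracle.elsa-20150377.xml / ELSA-2015-0377 naming), lists the errata that are not applied, and returns an exit status suitable for a scheduled job. The function names, the exit codes, and the treatment of results other than true or false are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation.

# sample_scan: lines in the format of the scan output shown in step 3; the
# def:20179999 "error" line is constructed for this example.
sample_scan() {
    cat <<'EOF'
Definition oval:com.oracle.elsa:def:20173580: false
Definition oval:com.oracle.elsa:def:20173579: true
Definition oval:com.oracle.elsa:def:20173576: false
Definition oval:com.oracle.elsa:def:20173574: true
Definition oval:com.oracle.elsa:def:20179999: error
Evaluation done.
EOF
}

# classify: read scan output on stdin, print "<STATUS> <ELSA id>" per definition.
# true = patch not applied, false = applied; anything else needs a human look.
classify() {
    awk '
        $1 == "Definition" && $2 ~ /^oval:com\.oracle\.elsa:def:[0-9]+:$/ {
            split($2, part, ":")                 # part[4] is the numeric id
            elsa = "ELSA-" substr(part[4], 1, 4) "-" substr(part[4], 5)
            if ($3 == "true")       print "MISSING", elsa
            else if ($3 == "false") print "APPLIED", elsa
            else                    print "REVIEW", elsa
        }'
}

# missing_elsa: sorted, de-duplicated ELSA ids that are not applied.
missing_elsa() { classify | awk '$1 == "MISSING" { print $2 }' | sort -u; }

# audit_gate: exit status for cron or CI use.
# 0 = nothing missing or unclear, 1 = errata missing, 2 = only REVIEW results.
audit_gate() {
    classify | awk '
        $1 == "MISSING" { m = 1 }
        $1 == "REVIEW"  { r = 1 }
        END { exit (m ? 1 : (r ? 2 : 0)) }'
}

# Real use: oscap oval eval /tmp/com.oracle.elsa-2017.xml | missing_elsa
sample_scan | missing_elsa
```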