5 Auditing for Vulnerabilities By Using OVAL Definitions

You can use OVAL definition files to audit your system for known vulnerabilities and configuration issues. By performing an OVAL auditing scan, you are able to determine whether available security patches have been properly applied to a system.

Additionally, OVAL definition entries within a SCAP data stream file can be leveraged to run audits and to automatically download and use remote OVAL definitions, such as those provided by Oracle at https://linux.oracle.com/security.

If you have a disconnected environment, you can manually download OVAL definition files and make them available to systems within your environment. Scans can then be performed using the --local-files option, which uses the pre-downloaded definitions instead of fetching them remotely.

Downloading OVAL Files

Oracle provides OVAL definitions for all errata on ULN. Use these definitions to ensure that all applicable errata are installed on an Oracle Linux system.

  1. Download the file from https://linux.oracle.com/security.

    The following file types are available:

    Individual OVAL definition files
    These files contain the definitions for specific security patches. For example, com.oracle.elsa-20205535.xml relates to ELSA-2020-5535.
    Consolidated OVAL definition files
    These files are compressed using the bzip2 algorithm and contain all of the OVAL definitions represented either by year or platform. For example, com.oracle.elsa-2022.xml.bz2 contains all of the definitions for the year 2022. A complete archive of all of the OVAL definitions for every ELSA patch is available in com.oracle.elsa-all.xml.bz2. Consolidated OVAL definitions are also provided for each Oracle Linux release in files named in the format com.oracle.elsa-ol<x>.xml.bz2.

    For example, to download the consolidated OVAL definitions for all ELSA patches for Oracle Linux 8, run:

    wget https://linux.oracle.com/security/oval/com.oracle.elsa-ol8.xml.bz2
  2. If you downloaded a compressed file, extract the OVAL definitions file:

    bzip2 -d com.oracle.elsa-ol8.xml.bz2
  3. To run a scan, see Running an OVAL Auditing Scan.

Displaying Information About an OVAL File

Use oscap info to display information about an OVAL file.

oscap info <path>/<OVAL-file>

For example:

oscap info com.oracle.elsa-2019.xml

Sample output:

Document type: OVAL Definitions
OVAL version: 5.3
Generated: 2019-12-20T00:00:00
Imported: 2020-02-14T17:29:37

Note:

You can download OVAL definition files (such as com.oracle.elsa-2019.xml) from https://linux.oracle.com/security/.

Validating OVAL Files

Use oscap oval validate and examine the exit code to validate an OVAL file against its schema. This confirms that the file is properly structured before you scan with it.

For example, to validate an OVAL file you can run:

oscap oval validate com.oracle.elsa-2019.xml \
  && echo "ok" || echo "exit code = $? not ok"
ok

Running an OVAL Auditing Scan

Scan an Oracle Linux system against an OVAL definition file to verify that all applicable errata have been installed.

  1. If you need to manually download and install particular OVAL definitions, follow the instructions in Downloading OVAL Files.

  2. Perform a system audit using a specific OVAL definition file.

    Run the following command if you have manually downloaded an OVAL definition file and you wish to audit your system against it:

    sudo oscap oval eval --results <path>/<results-name>.xml \
    --report <path>/<report-name>.html <path>/<OVAL-definition-file>.xml

    For example:

    sudo oscap oval eval --results /tmp/elsa-results-oval.xml \
    --report /var/www/html/elsa-report-oval.html com.oracle.elsa-all.xml

    The output appears as follows:

    ...
    Definition oval:com.oracle.elsa:def:20229690: false
    Definition oval:com.oracle.elsa:def:20229689: true
    Definition oval:com.oracle.elsa:def:20229683: false
    Definition oval:com.oracle.elsa:def:20229682: false
    Definition oval:com.oracle.elsa:def:20229680: false
    Definition oval:com.oracle.elsa:def:20229676: false
    Definition oval:com.oracle.elsa:def:20229675: false
    Definition oval:com.oracle.elsa:def:20229670: false
    Definition oval:com.oracle.elsa:def:20229669: false
    Definition oval:com.oracle.elsa:def:20229668: false
    Definition oval:com.oracle.elsa:def:20229667: false
    Definition oval:com.oracle.elsa:def:20229612: false
    Definition oval:com.oracle.elsa:def:20229609: false
    Definition oval:com.oracle.elsa:def:20229602: false
    Definition oval:com.oracle.elsa:def:20229601: true
    ...
    Evaluation done.

    A result of true means that the definition's criteria were met, that is, the patch has not been applied to the system; a result of false means that the patch has been applied.

  3. View the HTML report in a browser, as shown in the following figure.

Note:

If you omitted the --report option in the command to audit the system, you can still create the report later from the results file, for example:
sudo oscap oval generate report /tmp/elsa-results-oval.xml \
/var/www/html/elsa-report-oval.html

The image shows a partial view of the HTML version of an OVAL report generated by oscap. The top of the report contains general information about the scan report, as well as information about the definition generator. The information is presented in tabular format. The rest of the report shows detailed information (also in tabular format) about the system, as a result of the scan.
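The results file written by --results can also be processed without the HTML report, for example to feed a patch-compliance check. The following script is an added example and is not part of the Oracle documentation or the oscap tool: it reads the definition results from an OVAL results file, lists the definitions that evaluated true (patch not applied), and separately lists results that were neither true nor false. The embedded results file is a constructed sample with placeholder titles, and the mapping from the definition id to an ELSA id follows the naming pattern shown by the file names on this page.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used by the file written by oscap oval eval --results.
NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample results file, trimmed to the elements read below; titles are placeholders.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
  xmlns:d="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <d:oval_definitions><d:definitions>
    <d:definition id="oval:com.oracle.elsa:def:20229690" version="501" class="patch"><d:metadata><d:title>ELSA-2022-9690: placeholder title</d:title></d:metadata></d:definition>
    <d:definition id="oval:com.oracle.elsa:def:20229689" version="501" class="patch"><d:metadata><d:title>ELSA-2022-9689: placeholder title</d:title></d:metadata></d:definition>
    <d:definition id="oval:com.oracle.elsa:def:20229601" version="501" class="patch"><d:metadata><d:title>ELSA-2022-9601: placeholder title</d:title></d:metadata></d:definition>
  </d:definitions></d:oval_definitions>
  <results><system><definitions>
    <definition definition_id="oval:com.oracle.elsa:def:20229690" version="501" result="false"/>
    <definition definition_id="oval:com.oracle.elsa:def:20229689" version="501" result="true"/>
    <definition definition_id="oval:com.oracle.elsa:def:20229601" version="501" result="true"/>
    <definition definition_id="oval:com.oracle.elsa:def:20229680" version="501" result="error"/>
  </definitions></system></results>
</oval_results>"""

def elsa_id(definition_id):
    """Map oval:com.oracle.elsa:def:YYYYNNNN to ELSA-YYYY-NNNN (pattern assumed from the file names on this page)."""
    m = re.fullmatch(r"oval:com\.oracle\.elsa:def:(\d{4})(\d+)", definition_id)
    if not m:
        raise ValueError(f"unexpected definition id: {definition_id}")
    return f"ELSA-{m.group(1)}-{m.group(2)}"

def parse_results(xml_text):
    """Return {definition_id: (result, title)} in the order the definitions were evaluated."""
    root = ET.fromstring(xml_text)
    titles = {}
    for d in root.iterfind("def:oval_definitions/def:definitions/def:definition", NS):
        t = d.find("def:metadata/def:title", NS)
        titles[d.get("id")] = t.text if t is not None else ""
    out = {}
    for r in root.iterfind("res:results/res:system/res:definitions/res:definition", NS):
        out[r.get("definition_id")] = (r.get("result"), titles.get(r.get("definition_id"), ""))
    return out

def missing_patches(xml_text):
    """ELSA ids whose definition evaluated true, which this page reads as 'patch not applied'."""
    return [elsa_id(i) for i, (r, _) in parse_results(xml_text).items() if r == "true"]

def inconclusive(xml_text):
    """Definitions that were neither true nor false (error, unknown, not evaluated); do not read these as patched."""
    return [i for i, (r, _) in parse_results(xml_text).items() if r not in ("true", "false")]
```

To use it on a real scan, load /tmp/elsa-results-oval.xml from the example above in place of SAMPLE_RESULTS; any ids returned by inconclusive() need investigation rather than being counted as compliant.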