6 Auditing for Vulnerabilities By Using OVAL Definitions

You can use OVAL definition files to audit a system for known vulnerabilities and configuration issues. By performing an OVAL auditing scan, you can see whether a system has had the appropriate security patches applied.

OVAL definition entries included in a SCAP data stream file can automatically download and apply remote OVAL definitions, such as the ones provided by Oracle at https://linux.oracle.com/security.

If you're working in a disconnected environment, you can manually download OVAL definition files and make them available to systems within the environment. Scans can then be performed against these local definition files by using the --local-files option.

Downloading OVAL Files

Oracle provides OVAL definitions for all errata on ULN. Use these definitions to ensure that all applicable errata are installed on an Oracle Linux system.

  1. Download the definition files.

    Download the file from https://linux.oracle.com/security.

    The following file types are available:

    Individual OVAL definition files

    These files contain the definitions for specific security patches. For example, com.oracle.elsa-20205535.xml relates to ELSA-2020-5535.

    Consolidated OVAL definition files

    These files are compressed using the bzip2 algorithm and contain all OVAL definitions represented either by year or platform. For example, com.oracle.elsa-2024.xml.bz2 contains all the definitions for the year 2024. A complete archive of all the OVAL definitions for every ELSA patch is available in com.oracle.elsa-all.xml.bz2. Consolidated OVAL definitions are also provided for each Oracle Linux release in files named using the format com.oracle.elsa-olrelease.xml.bz2.

    For example, to download the consolidated OVAL definitions for all ELSA patches for Oracle Linux 9, run:

    wget https://linux.oracle.com/security/oval/com.oracle.elsa-ol9.xml.bz2
  2. Extract the consolidated definition files, if required.

    If you downloaded a compressed file, extract the OVAL definition file:

    bzip2 -d com.oracle.elsa-ol9.xml.bz2
  3. Run a scan.

    To run a scan, see Running an OVAL Auditing Scan.

Displaying Information About an OVAL File

You can display information about an OVAL file using the oscap info command.

The command syntax is as follows:

oscap info path/OVAL file

For example:

oscap info com.oracle.elsa-2024.xml

The output shows the OVAL version and when the file was generated and imported:

Document type: OVAL Definitions
OVAL version: 5.11
Generated: date and time
Imported: date and time

Validating OVAL Files

You can validate an OVAL file against its schema using the oscap oval validate command.

Run oscap oval validate and examine the exit code to validate an OVAL file against its schema. A zero exit code confirms that the file is correctly formatted.

For example, to validate the com.oracle.elsa-2024.xml OVAL file, run the following command:

oscap oval validate com.oracle.elsa-2024.xml \
  && echo "ok" || echo "exit code = $? not ok"
ok

Running an OVAL Auditing Scan

Scan an Oracle Linux system against an OVAL definition file to verify that all applicable errata have been installed.

  1. Obtain the OVAL definition file.

    If you need to manually download and install particular OVAL definitions, follow the instructions in Downloading OVAL Files.

  2. Perform a system audit using the OVAL definition file.

    Run the following command if you have manually downloaded an OVAL definition file and you want to audit a system against it:

    sudo oscap oval eval --results path/results-file-name.xml \
    --report path/report-file-name.html path/OVAL-definition-file-name.xml

    For example:

    sudo oscap oval eval --results /tmp/elsa-results-oval.xml \
    --report /var/www/html/elsa-report-oval.html com.oracle.elsa-all.xml

    The output appears as follows:

    ...
    Definition oval:com.oracle.elsa:def:20259978: false
    Definition oval:com.oracle.elsa:def:20259940: false
    Definition oval:com.oracle.elsa:def:20259896: true
    Definition oval:com.oracle.elsa:def:20259880: false
    Definition oval:com.oracle.elsa:def:20259878: false
    Definition oval:com.oracle.elsa:def:20259877: false
    Definition oval:com.oracle.elsa:def:20259845: false
    Definition oval:com.oracle.elsa:def:20259844: false
    Definition oval:com.oracle.elsa:def:20259741: false
    Definition oval:com.oracle.elsa:def:20259740: false
    Definition oval:com.oracle.elsa:def:20259635: false
    Definition oval:com.oracle.elsa:def:20259634: false
    Definition oval:com.oracle.elsa:def:20259623: false
    Definition oval:com.oracle.elsa:def:20259605: false
    Definition oval:com.oracle.elsa:def:20259580: false
    ...
    Evaluation done.

    Important:

    The true flag means that the patch has not been applied to a system, while the false flag means that the patch has been applied.

  3. View the HTML report.

    Open the report in a browser to view it. Sample HTML report:


    The image shows a partial view of the HTML version of an OVAL report generated by oscap. The top of the report contains general information about the scan report, as well as information about the definition generator. The information is presented in tabular format. The rest of the report shows detailed information (also in tabular format) about the system, as a result of the scan.

    Note:

    If you omitted the --report option in the command to audit the system, you can still create the report later from the results file, for example:

    sudo oscap oval generate report /tmp/elsa-results-oval.xml \
    /var/www/html/elsa-report-oval.html
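The interpretation rule in the Important note above (a true result means the patch is missing) is easy to apply by eye for a few lines, but not for a full com.oracle.elsa-all.xml run. The following Python script, added here and not part of the Oracle documentation, reads the --results file that oscap oval eval writes, maps every definition that evaluated true to its ELSA advisory, and keeps error/unknown results separate so they are not mistaken for "patched". It assumes the oval-results-5 structure shown in the constructed sample below and that the digits in a definition id follow the year-plus-number pattern the page describes for file names (20205535 relates to ELSA-2020-5535).

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the <results> section that oscap oval eval --results writes.
RES_NS = "{http://oval.mitre.org/XMLSchema/oval-results-5}"
# oval:com.oracle.elsa:def:YYYYNNNN -> ELSA-YYYY-NNNN (pattern assumed from the
# file naming described in the documentation, e.g. 20205535 -> ELSA-2020-5535).
DEF_ID_RE = re.compile(r"^oval:com\.oracle\.elsa:def:(\d{4})(\d+)$")

# Constructed sample results file, trimmed to the elements this parser reads.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results><system><definitions>
    <definition definition_id="oval:com.oracle.elsa:def:20259978" result="false" version="1"/>
    <definition definition_id="oval:com.oracle.elsa:def:20259896" result="true" version="1"/>
    <definition definition_id="oval:com.oracle.elsa:def:20259741" result="error" version="1"/>
    <definition definition_id="oval:com.oracle.elsa:def:20205535" result="true" version="1"/>
  </definitions></system></results>
</oval_results>"""


def advisory_from_def_id(def_id):
    """Return the ELSA advisory name for a definition id, or None if it does not match."""
    m = DEF_ID_RE.match(def_id)
    return f"ELSA-{m.group(1)}-{m.group(2)}" if m else None


def summarize_results(xml_text):
    """Split evaluated definitions into (missing, inconclusive).

    missing: advisories whose definition evaluated true, i.e. patch NOT applied.
    inconclusive: (definition id, result) pairs that were neither true nor false
    (error, unknown, not evaluated, not applicable) and need a second look.
    """
    root = ET.fromstring(xml_text)
    missing, inconclusive = [], []
    # Only <definition> elements in the results namespace carry definition_id
    # and result; the embedded <oval_definitions> copy uses another namespace.
    for d in root.iter(f"{RES_NS}definition"):
        def_id, result = d.get("definition_id", ""), d.get("result")
        if result == "true":
            missing.append(advisory_from_def_id(def_id) or def_id)
        elif result != "false":
            inconclusive.append((def_id, result))
    return missing, inconclusive


if __name__ == "__main__":
    missing, inconclusive = summarize_results(SAMPLE_RESULTS)
    print("Errata not applied:", missing)
    print("Inconclusive results:", inconclusive)
```

To run it against a real scan, pass the contents of the file given to --results (for example /tmp/elsa-results-oval.xml) to summarize_results instead of the sample.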