Tuesday, October 25, 2011

Installing and testing ovaldi on Windows 7...

When you are dealing with a single computer with a particular operating system, it is relatively easy to keep it safe. But, as the number of machines grows and becomes more heterogeneous, keeping them safe becomes very donating task. You may have automated updates and such, but they have to be checked from time to time in order to see if they function correctly. Still, if those computers are used (and by definition they are, more or less frequently), then they are like living organisms, they change. No matter if you are tweaking particular installation because user requested some new functionality or he requested removal of something that annoys him, or you are trying to diagnose why something worked and now it doesn't work, you will change something. After you are finished, you might think that changes you've made won't influence anything and leave for some later time to reverse them, and eventually you'll forget about them. But, any unintended change might bring system into a risk. So, it is important to perform regular checks in order to spot changes. Since such checks are time consuming and error prone, it is a good practice to use some tool that will do it for you. That tool could be OVAL.

But even if you are not an system administrator, but e.g. auditor, you can also benefit from OVAL since checks that you have to perform could be in some way prescribed and automated. In that way you can check larger sample of systems and achieve better accuracy and confidence in obtained results than by manual checks.

OVAL is basically a language that describes checks to be made, more concretely, it's an application of XML. Those checks could be conditional (i.e. depend on a system under audit, or if a particular component is installed or not), and they can be grouped with operators like AND, OR and NOT. There are many existing checks defined, for example, here are latest additions and updates, while here are complete databases for download. The tests are provided by some vendors (like RedHat) and also by community. Finally, you can add your own checks customized to your particular environment.

In themselves, those checks are worthless without a proper tool that will execute them. And here we have open source reference implementation, Ovaldi. Some security vendors have their own versions, which of course cost money. Ovaldi, on the other hand, is free, but you are forced to use command line. Ovaldi interprets (in a way) given database and produces reports, in XML and HTML formats. HTML is great for viewing results, while XML for parsing and automating scans.

I was testing ovaldi on Linux before with mixed success, but now I decided to try it on Windows 7. The reason that I believe that its use on workstations and servers on a periodic basis will make those computers more secure, and, by extension, the whole system more secure. In the text that follows I'm going to describe a process of installing, manually running the tool and analyzing the results. Automated testings I'll leave for some future post.

Download and install Ovaldi

Download page for Ovaldi is here. Note that this will take you to the latest version at the time this post was written, i.e. 5.10.1. So, before downloading check if there is a newer version, and if is, use that one. Don't forget to change all the references from version 5.10.1 to your version in the text that follows.

Anyway, you'll find there EXE versions for Windows, so select one that suits your environment. In my case that was 32-bit version, but if you have 64-bit version of Windows, download that one instead.

The file you've downloaded isn't regular installation file, so to install it you have to follow a bit different procedure. After download finishes, left click on file you downloaded and select option Run as administrator. Winzip dialog will appear which will ask you where to unzip (i.e. install) the files. Enter C:\Program Files\OVAL, or anything you wish but don't forget to change reference to that directory in later text to the one you've entered. Click Unzip button, and that's it. Ovaldi is installed.

Environment setup

To be able to run ovaldi without typing the whole path to it, add it to the PATH environment variable. To do that, click on Windows menu (left bottom corner) and then do left click on Computer item. Select Properties item and in window that appears select Advanced System Settings (option on the left). New window appears and there you'll notice Environment Variables... button on the right bottom. Click on it and new window appears. In this window there is System variables pane. Find there variable PATH and click on Edit. At the end of the line add the following text:
;C:\Program Files\OVAL\ovaldi-5.10.1\
Be carefull not to erase existing values! Close all the windows by clicking on OK, and close final window (the one opened with Properties on Computer) by clicking on X in upper right corner. Now, open command prompt and enter ovaldi followed by return. If you get help message then everything is OK and you can proceed to the next step. Otherwise, review previous steps.

Download file definitions

Now you have interpreter and you need definitions that will be run by interpreter. Go to the following page. There you'll see section Downloads by Version and Namespace. You need to select class to download based on the version of oval interpreter you have. The following classes are available:
  • compliance - checks that the installation is compliant with good security practices.
  • inventory - checks that produce results of what is installed.
  • miscellaneous
  • patch
  • vulnerability - test that verify if there is a vulnerability present on the machine.
When you click on one of those classes you are presented with a new page that gives you a list of available definitions grouped by different criteria. For example, by clicking on vulnerability class (probably the largest one) you can select download by platform, family or all. There are pros and cons of each one. If you select by family (or all) you don't have to think which platform you have, you get everything and oval interpreter will not be confused that, e.g. there are Windows XP specific checks and you are running on Windows 7. But, this commodity goes at the expense of the execution time.

For the purpose of initial testing of oval, I went to download by platform/vulnerabilities, and there I downloaded file microsoft.windows.7.xml which I renamed into microsoft.windows.7.vulnerabilities.xml. I also downloaded equivalent files from compliance and inventory classes naming them microsoft.windows.compliance.xml and microsoft.windows.inventory.xml, respectively. All those files I placed into working directory that, from now on, I'll reference by WORK_DIR identifier. So, whenever you see that string, replace it with the full directory path of your working directory.

Running Ovaldi and viewing results

Ok, lets do the first scan to see what we are going to get. To start scan, open terminal windows, go to your working directory, and run the following command (this is a single line!):
ovaldi -m -a "c:\program files\oval\ovaldi-5.10.1\xml" -o microsoft.windows.7.vulnerability.xml -r 20111025-result.xml -x 20111025-result.html -d 20111025-system-characteristics.xml
This command will check vulnerabilities that are present on the system it runs on. Of course, only vulnerabilities defined in the database (microsoft.windows.7.vulnerability.xml) will checked. If the tool reports that there are no vulnerabilities, it only means there are no known vulnerabilities! The other options are:
  • Option -m. Don't check md5 sum of oval definitions file (in this case that is microsoft.windows.7.vulnerability.xml).
  • Option -a specifies where all the auxiliary files necessary for interpreter are. For example, default style sheet file is there, also, XML definitions and tests are also there. The default value of this option assumes that you are running ovaldi in its base directory (i.e. where it is installed) so it has to be specified in order for everything to work.
  • Option -o specifies oval definition file to use. 
  • Option -r specifies XML result file. The default value is results.xml and in the case of multiple runs, default file name will be overwritten. So, using this option prevents that from happening.
  • Option -x specifies HTML result file. This file is generated from XML result file by applying style sheet (XSL) file. Default file is used if none is specified on the command line.
  • Option -d specifies in which file will be saved system characteristics, i.e. installed options, existing files, etc. used during interpreter run of oval definition file.
After this command finishes you'll have three new files in the directory in which you run it (provided no errors occured). All of the files can be viewed by Web browser (e.g. Mozilla Firefox) but only the file specified as the argument to -x option is specifically meant to be viewed in such way. XML files are primarily used for automated processing.

When you open results file (20111025-results.html if you used the command given above) then you'll see four section named OVAL Results Generator Information, System Information, OVAL System Characteristics Generator Information and OVAL Definition Results.

The largest one will be OVAL Definition Results, which is a table with 5 columns. This first column is ID of a test performed, the second is result of a test, either it is positive (true) or negative (false). Then there is a class of a test, either inventory (i.e. something is installed or not), vulnerability checked, reference ID that links you to the description of that particular item on the Internet, and finally title that gives a short description of item.

1 comment:

Kamlesh Mallick said...

Thank you for this post.
I could understand how to use OVALDI.
Much appreciated.

Do you know if OVALDI supports the latest version of OVAL language?

For example OVAL definitions in SCAP 1.0 is supported by OVALDI.
But for some reason, for SCAP 1.2 spec, OVALDI throws an error.

About Me

scientist, consultant, security specialist, networking guy, system administrator, philosopher ;)

Blog Archive