OVALdi, also named the OVAL Interpreter, is an open-source tool developed by MITRE to demonstrate how the OVAL language may be used to scan a computer for vulnerabilities. This article provides a few hints about how to use this tool.
For now OVALdi is only a command-line tool with very limited documentation.
Download and install
- Download the ovaldi package or installer from: http://sourceforge.net/projects/ovaldi/
- On Windows, the installer is a simple self-extracting archive: just click "unzip" and the files should be copied into a folder such as "c:\Program Files\OVAL\ovaldi-5.x.x\".
Update vulnerability definitions
It is recommended to update the XML file containing vulnerability check definitions every time you run the tool:
- Download the XML definitions for your system: http://oval.mitre.org/rep-data/org.mitre.oval/v/index.html
- For example, pick this file for Windows: http://oval.mitre.org/rep-data/org.mitre.oval/v/family/windows.xml
- Then copy the XML file into the same directory as ovaldi. For example, on Windows it should be similar to "c:\Program Files\OVAL\ovaldi-5.x.x\".
Scan
Open a shell or CMD window, go to the ovaldi folder, then run the following command (using the XML file name you have just downloaded):
ovaldi.exe -m -o windows.xml
The scanner will first validate the XML data against the OVAL language schema. This can take a long time, so be patient. At this stage it may stop with an error message; this is usually because the definitions file uses a newer version of the OVAL language than the installed ovaldi version supports. In that case, download a newer ovaldi version to upgrade it.
At the end of the scanning process (which may take 5-10 minutes), several result files will be produced. Open the file results.html to view the results.
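Besides results.html, it is often useful to process the scan results programmatically, for example to list only the definitions that evaluated true or to spot definitions that could not be evaluated. The script below is an added example and is not part of the original article or of the ovaldi project. It assumes that ovaldi also writes its results as an OVAL 5.x results XML document (the file name results.xml is an assumption) in which the evaluated definitions are embedded under an oval_definitions element, so each result can be joined with its title and CVE references. The sample document, its definition ids, titles and CVE references are constructed placeholders, not real identifiers.

```python
"""Summarize an OVAL 5.x results document written by an OVAL interpreter.

Added example, not code from the original article or from the ovaldi project.
Assumption: the results file (results.xml is an assumed name) embeds the
definitions it evaluated, so metadata can be joined with each result.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# OVAL 5.x namespaces for definitions and results documents.
NS = {
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
}

# Constructed sample results document. Definition ids, titles and CVE
# references are placeholders; the structure mirrors an OVAL results file.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <def:oval_definitions>
    <def:definitions>
      <def:definition id="oval:example:def:1" version="1" class="vulnerability">
        <def:metadata>
          <def:title>Placeholder vulnerability A</def:title>
          <def:reference source="CVE" ref_id="CVE-0000-0001"/>
        </def:metadata>
      </def:definition>
      <def:definition id="oval:example:def:2" version="1" class="vulnerability">
        <def:metadata>
          <def:title>Placeholder vulnerability B</def:title>
          <def:reference source="CVE" ref_id="CVE-0000-0002"/>
          <def:reference source="CVE" ref_id="CVE-0000-0003"/>
        </def:metadata>
      </def:definition>
      <def:definition id="oval:example:def:3" version="1" class="inventory">
        <def:metadata>
          <def:title>Placeholder OS inventory check</def:title>
        </def:metadata>
      </def:definition>
    </def:definitions>
  </def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example:def:1" version="1" result="true"/>
        <definition definition_id="oval:example:def:2" version="1" result="false"/>
        <definition definition_id="oval:example:def:3" version="1" result="true"/>
        <definition definition_id="oval:example:def:4" version="1" result="error"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def load_definition_metadata(root):
    """Map definition id -> (class, title, [CVE ids]) from the embedded definitions."""
    meta = {}
    for d in root.iterfind("def:oval_definitions/def:definitions/def:definition", NS):
        title_el = d.find("def:metadata/def:title", NS)
        title = title_el.text.strip() if title_el is not None and title_el.text else ""
        cves = [r.get("ref_id") for r in d.iterfind("def:metadata/def:reference", NS)
                if r.get("source") == "CVE"]
        meta[d.get("id")] = (d.get("class", ""), title, cves)
    return meta


def summarize_results(xml_text):
    """Return (counts_by_result, findings, unresolved).

    findings: vulnerability-class definitions whose result is "true".
    unresolved: definitions whose result is "error" or "unknown", i.e. checks
    the scanner could not evaluate and which need a manual look.
    """
    root = ET.fromstring(xml_text)
    meta = load_definition_metadata(root)
    counts = Counter()
    findings, unresolved = [], []
    for r in root.iterfind("res:results/res:system/res:definitions/res:definition", NS):
        def_id = r.get("definition_id")
        result = r.get("result", "unknown")
        counts[result] += 1
        cls, title, cves = meta.get(def_id, ("", "(definition not found in file)", []))
        if result == "true" and cls == "vulnerability":
            findings.append({"id": def_id, "title": title, "cves": cves})
        elif result in ("error", "unknown"):
            unresolved.append({"id": def_id, "title": title, "result": result})
    return counts, findings, unresolved


if __name__ == "__main__":
    # Usage: python oval_summary.py results.xml   (no argument: built-in sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    counts, findings, unresolved = summarize_results(text)
    print("Results by outcome:", dict(counts))
    for f in findings:
        print("VULNERABLE", f["id"], f["title"], ",".join(f["cves"]))
    for u in unresolved:
        print("CHECK", u["result"].upper(), u["id"], u["title"])
```

A result of "true" only means the definition's tests matched the system state; as noted under "Known limitations", on non-English Windows versions this can include false positives, so findings should be confirmed against the installed patches before being acted on. Definitions reported as "error" or "unknown" are not safe to treat as "not vulnerable": they usually indicate a test the interpreter could not run on this system.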
Known limitations
OVALdi is open-source and still under heavy development, so the results may not always be accurate:
- The repository of OVAL definitions is not complete yet: Not all vulnerabilities will be detected.
- Non-English versions of Windows do not seem to be supported as well as English versions: in practice you may encounter more false positives (vulnerabilities reported even though the patch is already installed).
- Potential bugs.
Additional resources
- Overview presentation: http://nvd.nist.gov/scap/docs/conference%20presentations/workshops/OVAL%20Tutorial%201%20-%20Overview.pdf