OVAL Remediation Proposal

OVAL Remediation Proposal

Zhou, Yuzheng
All,

We would like to submit the attached proposal to extend OVAL to support vulnerability remediation. This proposal describes the OVAL remediation framework with sample OVALs and outlines HP's efforts on OVAL remediation standardization process.

Background
---------------------------
OVAL has been widely accepted and referenced by major operating system and application software vendors. However, the current OVAL schema can only audit vulnerabilities and does not satisfy the existing strong market need for automated remediation of vulnerabilities. This OVAL remediation schema proposal is HP's contribution to the OVAL remediation standardization process.

Proposal
---------------------------
1.) Propose a detailed framework for extending OVAL to support vulnerability remediation.
2.) Submit a set of new OVAL elements based on the remediation framework.
3.) Provide several sample OVALs with remediation supplement to show how the remediation framework works.

We look forward to comments and questions.

Thanks,
Yuzheng


Yuzheng Zhou
HP Software
2000 Regency Parkway Suite 500, Cary, NC 27511
www.hp.com/go/software



OVAL_Remediation_Proposal_v1.2.pdf (599K)

Re: OVAL Remediation Proposal

Jon Baker
Administrator
Yuzheng,

We are currently reviewing your proposal. Your team has done a great
job of clearly defining a remediation proposal that would fit smoothly
into OVAL without a major impact on existing compatible products.

Your proposal is focused on vulnerability remediation, which is
understandable given the product line that your team supports. That
said, I think that this proposal could easily be extended to other
types of remediation too (compliance) by adding in new types of
<xxx_remedy>s.

I will reply with more concrete comments after OVAL Developer Days. I
plan to discuss this proposal at OVAL Developer Days next week.

Thanks for the great contribution,

Jon

============================================
Jonathan O. Baker
The MITRE Corporation
Email: [hidden email]



>-----Original Message-----
>From: Zhou, Yuzheng [mailto:[hidden email]]
>Sent: Monday, April 07, 2008 12:47 PM
>To: oval-remediation-discussion-list Open Remediation Language Commu
>Subject: [OVAL-REMEDIATION-DISCUSSION-LIST] OVAL Remediation Proposal
>
>All,
>
>We would like to submit the attached proposal to extend OVAL to support
>vulnerability remediation. This
>proposal describes the OVAL remediation framework with sample OVALs and
>outlines HP's efforts on OVAL remediation standardization process.
>
>Background
>---------------------------
>OVAL has been widely accepted and referenced by major
>operating system and application software vendors. However, the current
>OVAL schema can only audit vulnerabilities and does not satisfy the
>existing strong market need for automated remediation of
>vulnerabilities. This OVAL remediation schema proposal is HP's
>contribution to the OVAL remediation standardization process.
>
>Proposal
>---------------------------
>1.) Propose a detailed framework for extending OVAL to support
>vulnerability remediation.
>2.) Submit a set of new OVAL elements based on the remediation
>framework.
>3.) Provide several sample OVALs with remediation supplement to show how
>the remediation framework works.
>
>We look forward to comments and questions.
>
>Thanks,
>Yuzheng
>
>
>Yuzheng Zhou
>HP Software
>2000 Regency Parkway Suite 500, Cary, NC 27511
>www.hp.com/go/software
>