OVAL Requirements and Recommendations for OVAL Compatibility - IPA - My JVN API

Name of Your Organization:

Information-technology Promotion Agency, Japan (IPA)

Web Site:

http://www.ipa.go.jp/index-e.html

Adopting Capability:

My JVN API

Capability home page:

http://jvndb.jvn.jp/en/apis/

General Capability Questions

Adoption Capabilities

If the functionality is available now, indicate "Yes." If it has been implemented but not released, indicate "Beta". If planned but not currently available, indicate "Planned". If there are no plans for a specific category, that section is not included as part of the questionnaire below.

OVAL Definition Repository — Yes

Product Accessibility <AR_1.9>

Provide a short description of how and where your capability is made available to your customers and the public.

MyJVN Version Checker is a free, OVAL- and XCCDF-based, easy-to-use on-line/off-line scanner that allows people to check whether the software installed on their PC is the latest version. MyJVN Security Configuration Checker is a free, OVAL- and XCCDF-based, easy-to-use on-line/off-line scanner which assesses Windows/Linux security configuration, including the password, lockout and other policies of CCE. These products download and use the OVAL and XCCDF content from MyJVN API, which is a software interface for accessing and utilizing the countermeasure information and the OVAL repository stored in JVN and JVN iPedia.

Language Version Indication <AR_1.10>

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content.

The products primarily support OVAL Version 5.8.

Capability Correctness Questions

Error Reporting <AR_2.1>

Indicate how a user who discovers an error in the capability’s use of OVAL can report the error.

Customers can contact a support helpdesk to report an error in the use of OVAL.

Responding to Error Reports <AR_2.2>

Describe the approach to responding to the above error reports and how applicable fixes will be applied.

All issues are investigated by the technical support team. If a defect is confirmed, it will be fixed by the development team. Upon release of the fix, the customer can use the latest version without any update operations.

Documentation Questions

Adoption Documentation <AR_3.1>

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Adoption for any customers. (AR_3.1)

The following documents describe our activities related to OVAL:

Language Support <AR_3.2>

List each supported component schema and specific OVAL Tests in those component schemas that are supported. (AR_3.2)

MyJVN API supports tests (registry_test, file_test, passwordpolicy_test and lockoutpolicy_test), objects (registry_object, file_object, passwordpolicy_object and lockoutpolicy_object), states (registry_state, file_state, passwordpolicy_state and lockoutpolicy_state) and variables (external_variable) for Microsoft Windows operating systems. It also supports tests (rpminfo_test), objects (rpminfo_object), states (rpminfo_state) and variables (external_variable) for Linux operating systems.

OVAL Assessment Method <AR_3.3>

List each supported assessment method if applicable.

Query to a database of an endpoint's current configuration settings. Assessment of state by a host-based sensor.

OVAL Content Error Reporting <AR_3.4>

Provide a copy, or directions to the location, of where the documentation describes the procedure by which errors in OVAL content may be reported for any OVAL content that is produced by the product.

Customers can contact a support helpdesk to report an error in OVAL content.

Content Validity Questions

Syntax Error Detection and Reporting <AR_4.1> <AR_4.2> <AR_4.3> <AR_4.4>

Indicate how the product or repository detects and reports syntax errors in any OVAL content that is consumed by the product or repository.

The OVAL content that MyJVN Version Checker and MyJVN Security Configuration Checker download from MyJVN API is tested and validated against the XML schema. Customers can contact a support helpdesk to report a syntax error in OVAL content.

Type-Specific Capability Questions

Definition Evaluator Capability Questions

Content Transparency <AR_8.1> <AR_8.2>

Indicate how the product allows users to determine which OVAL Definitions are being evaluated and examine the details of those definitions.

MyJVN Version Checker is an XCCDF- and OVAL-based on-line/off-line scanner that checks whether the software installed on the user's PC is the latest version. The results are shown as follows: "good (the latest version)", "poor (an older version)" or "N/A (not installed or non-supported version)". MyJVN Security Configuration Checker is an XCCDF- and OVAL-based on-line/off-line scanner that assesses Windows/Linux security configuration. Its results are judged as a "good" or "bad" condition. The customer can relate each OVAL definition to the assessment result of these products.

Content Import Process Explanation <AR_8.3>

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability.

MyJVN Version Checker and MyJVN Security Configuration Checker download the list of OVAL content and the definition data of OVAL content from MyJVN API automatically. Also, in these products, the OVAL content must be associated with an XCCDF benchmark file.

Content Evaluation <AR_8.4> <AR_8.5> <AR_8.6> <AR_8.7>

Indicate how users can review the detailed results of evaluating an OVAL Definition on a target system.

The results of MyJVN Version Checker are judged as "good", "poor" or "N/A", and the results of MyJVN Security Configuration Checker are judged as "good" or "bad". These products do not support output of an OVAL Results document, but the customer can relate the OVAL result to the assessment result of these products as follows: true (good); false (poor, N/A and bad).

Full OVAL Results <AR_8.8>

Indicate how users can review the full OVAL Results of the evaluation of an OVAL Definition on a target system.

The overview pane of MyJVN Version Checker shows the list of the scanning target software and the summary of the result, judged as "good", "poor" or "N/A". The detail pane shows the software version of the scanned target and the update website. The overview pane of MyJVN Security Configuration Checker shows the list of the scanning target configuration, the summary of the result ("good" or "bad") and the scanned target value. The detail pane shows the website describing how to change the configuration.

Definition Repository Capability Questions

The following questions apply to only Definition Repository capabilities.

Unique IDs <AR_6.1> <AR_6.2> <AR_6.3>

Describe the process by which IDs are assigned and managed in the repository and how global uniqueness of IDs is ensured.

All the definitions provided by MyJVN API are assigned IDs in the oval:jp.jvn.jvndb.v1.oval namespace. The repository management tool ensures that the assigned IDs are unique.
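As an added example (not IPA's code and not part of the MyJVN API or its checkers), the following Python script turns two statements in this questionnaire into a consumer-side check on a downloaded OVAL definitions document: every component ID must be well-formed, unique and in the oval:jp.jvn.jvndb.v1.oval namespace with a kind suffix matching its section (Unique IDs, AR_6.1 to AR_6.3), every test_ref/object_ref/state_ref/var_ref must resolve, and every test, object, state and variable element must belong to the supported component schemas listed under Language Support (AR_3.2). The sample document, its numeric ID suffixes and the unsupported service_test it deliberately contains are constructed; the CCE reference value is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# XML namespaces used by OVAL 5.x definition documents.
DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
WIN_NS = DEF_NS + "#windows"
LINUX_NS = DEF_NS + "#linux"

# ID namespace the questionnaire states MyJVN API uses for all its definitions.
MYJVN_ID_NAMESPACE = "jp.jvn.jvndb.v1.oval"

# Component schemas and elements the questionnaire lists as supported (AR_3.2).
SUPPORTED_COMPONENTS = {
    WIN_NS: {
        "registry_test", "file_test", "passwordpolicy_test", "lockoutpolicy_test",
        "registry_object", "file_object", "passwordpolicy_object", "lockoutpolicy_object",
        "registry_state", "file_state", "passwordpolicy_state", "lockoutpolicy_state",
    },
    LINUX_NS: {"rpminfo_test", "rpminfo_object", "rpminfo_state"},
    DEF_NS: {"external_variable"},
}

# OVAL identifier grammar: oval:<namespace>:<kind>:<positive integer>
ID_RE = re.compile(r"^oval:([A-Za-z0-9_.\-]+):(def|tst|obj|ste|var):[1-9][0-9]*$")

# Section element -> expected ID kind of the component elements inside it.
SECTION_KIND = {"definitions": "def", "tests": "tst", "objects": "obj",
                "states": "ste", "variables": "var"}
REF_ATTRS = ("test_ref", "object_ref", "state_ref", "var_ref")


def _split_tag(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def check_oval_document(xml_text, id_namespace=MYJVN_ID_NAMESPACE):
    """Return a list of problem strings for an OVAL definitions document (empty = clean)."""
    problems = []
    root = ET.fromstring(xml_text)
    seen = set()
    for section in root:
        sec_ns, sec_name = _split_tag(section.tag)
        kind = SECTION_KIND.get(sec_name)
        if kind is None:
            continue  # <generator> and anything else are not component sections
        for comp in section:
            comp_ns, comp_name = _split_tag(comp.tag)
            cid = comp.get("id", "")
            m = ID_RE.match(cid)
            if not m:
                problems.append(f"malformed id {cid!r} on <{comp_name}>")
            else:
                if m.group(1) != id_namespace:
                    problems.append(f"{cid}: namespace {m.group(1)!r} is not {id_namespace!r}")
                if m.group(2) != kind:
                    problems.append(f"{cid}: kind {m.group(2)!r} does not match section <{sec_name}>")
            if cid in seen:
                problems.append(f"duplicate id {cid}")
            seen.add(cid)
            # <definition> is generic; only tests/objects/states/variables are schema-specific.
            if kind != "def" and comp_name not in SUPPORTED_COMPONENTS.get(comp_ns, set()):
                problems.append(f"{cid}: <{comp_name}> ({comp_ns or 'no namespace'}) is not a supported component")
    # Second pass: every reference must point at a declared ID.
    for el in root.iter():
        for attr in REF_ATTRS:
            ref = el.get(attr)
            if ref is not None and ref not in seen:
                problems.append(f"dangling {attr}={ref}")
    return problems


# Constructed test that the checker should reject: an element outside the supported
# set, whose object_ref also points at an object that does not exist.
UNSUPPORTED_TEST = """
    <win-def:service_test id="oval:jp.jvn.jvndb.v1.oval:tst:2" version="1" check="all"
        comment="constructed: unsupported element with a dangling object_ref">
      <win-def:object object_ref="oval:jp.jvn.jvndb.v1.oval:obj:99"/>
    </win-def:service_test>"""

# Constructed sample document; {extra_tests} lets a clean and a faulty variant be built.
SAMPLE_TEMPLATE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
  <generator><oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2014-02-27T00:00:00</oval:timestamp></generator>
  <definitions>
    <definition id="oval:jp.jvn.jvndb.v1.oval:def:1" version="1" class="compliance">
      <metadata><title>Constructed sample: minimum password length</title>
        <reference source="CCE" ref_id="CCE-PLACEHOLDER"/></metadata>
      <criteria><criterion test_ref="oval:jp.jvn.jvndb.v1.oval:tst:1"/></criteria>
    </definition>
  </definitions>
  <tests>
    <win-def:passwordpolicy_test id="oval:jp.jvn.jvndb.v1.oval:tst:1" version="1" check="all"
        comment="constructed: password length policy">
      <win-def:object object_ref="oval:jp.jvn.jvndb.v1.oval:obj:1"/>
      <win-def:state state_ref="oval:jp.jvn.jvndb.v1.oval:ste:1"/>
    </win-def:passwordpolicy_test>{extra_tests}
  </tests>
  <objects><win-def:passwordpolicy_object id="oval:jp.jvn.jvndb.v1.oval:obj:1" version="1"/></objects>
  <states>
    <win-def:passwordpolicy_state id="oval:jp.jvn.jvndb.v1.oval:ste:1" version="1">
      <win-def:min_passwd_length datatype="int" operation="greater than or equal"
          var_ref="oval:jp.jvn.jvndb.v1.oval:var:1"/>
    </win-def:passwordpolicy_state>
  </states>
  <variables>
    <external_variable id="oval:jp.jvn.jvndb.v1.oval:var:1" version="1" datatype="int"
        comment="constructed: minimum length supplied by the XCCDF benchmark"/>
  </variables>
</oval_definitions>"""
SAMPLE_OVAL = SAMPLE_TEMPLATE.format(extra_tests=UNSUPPORTED_TEST)

if __name__ == "__main__":
    for problem in check_oval_document(SAMPLE_OVAL):
        print(problem)
```

Run on the faulty sample, the script reports the unsupported service_test and the dangling object_ref; with the extra test removed it reports nothing. The check is deliberately schema-free (no XSD download), so it complements rather than replaces the XML schema validation the checkers perform on downloaded content; an OVAL document that passes the XSD can still reference components a given evaluator does not implement, which is what the supported-component check catches.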

Content Versioning <AR_6.4>

Describe the process by which the versions of Definitions, Tests, Objects, States, and Variables are managed in the repository.

At each modification to Definitions, Tests, Objects, States or Variables, the timestamp of OVAL content provided by MyJVN API is updated.

Standard References <AR_6.6> <AR_6.7> <AR_6.8>

Indicate how and when CVE, CCE, and CPE IDs are used as references on OVAL Definitions in the repository.

All definitions of configuration provided by MyJVN API will include CCE ID as reference. Also, all definitions of version check include CPE name as reference.

Content Updates <AR_6.9>

Describe the process by which users can retrieve content updates.

The content can be retrieved through the following MyJVN API interfaces:

  • getOvalList: Acquires the filtered list of OVAL definitions in XML format.
  • getOvalData: Acquires an OVAL definition as an XML document that envelopes the OVAL content.

Adoption Signature

Questions for Signature

Statement of Adoption <AR_1.2>

"As an authorized representative of my organization I agree that we will abide by all of the mandatory adoption requirements as well as all of the additional mandatory adoption requirements that are appropriate for our specific type of capability."

NAME: Chisato Konno
TITLE: Laboratory Director, Security Engineering Laboratory, IT Security Center

Statement of Accuracy <AR_1.2>

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability’s use of the OVAL Language and the interpretation of the logic."

NAME: Chisato Konno
TITLE: Laboratory Director, Security Engineering Laboratory, IT Security Center

Statement on Follow-On Correctness Testing Support <AR_1.7>

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

NAME: Chisato Konno
TITLE: Laboratory Director, Security Engineering Laboratory, IT Security Center

Page Last Updated: February 27, 2014