1、 International Telecommunication Union ITU-T X.1526TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (01/2014) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cybersecurity information exchange Vulnerability/state exchange Language for the open definition of vulnerabilities and for th
2、e assessment of a system state Recommendation ITU-T X.1526 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTOR
3、Y X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.
4、1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV secur
5、ity X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersec
6、urity X.1500X.1519 Vulnerability/state exchange X.1520X.1539Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 CLOUD COMPUTING SECURITY Overview of c
7、loud computing security X.1600X.1601 Cloud computing security design X.1602X.1639 Cloud computing security best practices and guidelines X.1640X.1659 Cloud computing security implementation X.1660X.1679 Other cloud computing security X.1680X.1699 For further details, please refer to the list of ITU-
8、T Recommendations. Rec. ITU-T X.1526 (01/2014) i Recommendation ITU-T X.1526 Language for the open definition of vulnerabilities and for the assessment of a system state Summary Recommendation ITU-T X.1526 on the language for the open definition of vulnerabilities and for the assessment of a system
9、state (also known as, open vulnerability and assessment language, (OVAL) includes the three main steps of the assessment process: representing configuration information of endpoints for testing; analysing the endpoint for the presence of the specified machine state (vulnerability, configuration, pat
10、ch state, etc.) and reporting the results of this assessment. The purpose of OVAL is to provide an international, information security, community standard to promote open and publicly available security content and to standardize the transfer of this information across the entire spectrum of securit
11、y tools and services. OVAL is a language used to encode endpoint details, and an assortment of content repositories held throughout the community.History Edition Recommendation Approval Study Group Unique ID*1.0 ITU-T X.1526 2013-04-26 17 11.1002/1000/11752 2.0 ITU-T X.1526 2014-01-24 17 11.1002/100
12、0/12039 _ *To access the Recommendation, type the URL http:/handle.itu.int/ in the address field of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/11830-en. ii Rec. ITU-T X.1526 (01/2014) FOREWORD The International Telecommunication Union
13、(ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and
14、issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these
15、 topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expres
16、sion “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicabil
17、ity) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Re
18、commendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability
19、 of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement thi
20、s Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2014 All rights reserved. No part of this publication may be reproduced, by any means what
21、soever, without the prior written permission of ITU. Rec. ITU-T X.1526 (01/2014) iii Table of Contents Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 1 4 Abbreviations and acronyms 2 5 Conventions 2 6 High-level requirements .
22、2 7 Correctness . 3 8 Documentation 4 9 Validity . 4 10 Specific capability requirements. 4 11 Review authority requirements . 7 12 Revocation 8 Bibliography. 9 iv Rec. ITU-T X.1526 (01/2014) Introduction Recommendation ITU-T X.1526 describes the use of the language for the open definition of vulner
23、abilities and for the assessment of a system state (also known as open vulnerability and assessment language (OVAL), an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the enti
24、re spectrum of security tools and services. OVAL includes a language used to encode endpoint details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of endpoints
25、 for testing; analysing the endpoint for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language. The OVAL community
26、has developed three schemas written in extensible markup language (XML) to serve as the framework and vocabulary of the OVAL language. These schemas correspond to the three steps of the assessment process: an OVAL System Characteristics schema for representing endpoint information, an OVAL Definitio
27、n schema for expressing a specific machine state, and an OVAL Results schema for reporting the results of an assessment. Content written in the OVAL Language is located in one of the many repositories found within the community. One such repository is known as the OVAL repository. It is the central
28、meeting place for the OVAL community to discuss, analyse, store, and disseminate OVAL Definitions. Each definition in the OVAL repository determines whether a specified software vulnerability, configuration issue, program, or patch is present on an endpoint. The information security community contri
29、butes to the development of OVAL by participating in the creation of the OVAL Language on the OVAL developers forum and by writing definitions for the OVAL repository through the OVAL community forum. An OVAL board consisting of representatives from a broad spectrum of industry, academia, and govern
30、ment organizations from around the world, oversees and approves the OVAL Language and monitors the posting of the definitions hosted on the OVAL website. This means that OVAL reflects the insights and combined expertise of the broadest possible collection of security and system administration profes
31、sionals worldwide. Recommendation ITU-T X.1526 has been developed bearing in mind the importance of maintaining, to the extent possible, technical compatibility between Recommendation ITU-T X.1526 and b-MITRE Adoption. Rec. ITU-T X.1526 (01/2014) 1 Recommendation ITU-T X.1526 Language for the open d
32、efinition of vulnerabilities and for the assessment of a system state 1 Scope Recommendation ITU-T X.1526 provides a structured means for the global exchange of publicly available security content and for the standardization of the transfer of this information across the entire spectrum of security
33、tools and services. The language for the open definition of vulnerabilities and for the assessment of a system state (also known as open vulnerability and assessment language (OVAL) includes a language used to encode endpoint details, and an assortment of content repositories held throughout the com
34、munity. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to
35、 revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within
36、 this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ISO/IEC 19757-3 ISO/IEC 19757-3:2006, Information technology Document Schema Definition Language (DSDL) Part 3: Rule-based validation Schematron. 3 Definitions 3.1 Terms defined elsewhere This Recommend
37、ation uses the following terms defined elsewhere: 3.1.1 review authority b-ITU-T X.1520: Any entity that performs a review. NOTE MITRE is the only review authority at this time. 3.1.2 user b-ITU-T X.1520: A consumer or potential consumer of the capability. 3.2 Terms defined in this Recommendation Th
38、is Recommendation defines the following terms: 3.2.1 authoring tool: A product that aids in the process of creating new open vulnerability and assessment language (OVAL) files (including products that consolidate existing OVAL Definitions into a single file). 3.2.2 assessment method: A specific meth
39、od that a product or service uses to evaluate an open vulnerability and assessment language (OVAL) Definition. OVAL supports assessment through: 1) query to a database of an endpoints current configuration settings, 2) an assessment of state by a host-based sensor, or 3) an assessment of state by a
40、remote-scanning sensor. 3.2.3 capability: A specific function or functions of a product, service, or repository. 3.2.4 correctness testing: The process of determining whether a product, service, or repository has correctly adopted open vulnerability and assessment language (OVAL). 2 Rec. ITU-T X.152
41、6 (01/2014) 3.2.5 definition evaluator: A product that uses an open vulnerability and assessment language (OVAL) Definition to guide evaluation and produces OVAL Results (full results) as output. 3.2.6 definition repository: A repository of open vulnerability and assessment language (OVAL) Definitio
42、ns made available to the community (free of charge or upon payment). 3.2.7 endpoint (based on the definition given in b-IETF RFC 5209): Any computing device that can be connected to a network such as a computer system, server, network appliance, mobile device, etc. “Such devices normally are associa
43、ted with a particular link layer address before joining the network and potentially an IP address once on the network.“. 3.2.8 owner (based on the definition given in b-ITU-T X.1520): The custodian (real person or company) having responsibility for the capability (as defined in this Recommendation).
44、 3.2.9 product: A security application, appliance, or security database that has one or more capabilities. 3.2.10 repository (based on the definition given in b-ITU-T X.1520): An implicit or explicit collection of security elements that supports a capability (as defined in this Recommendation), e.g.
45、, a vulnerability database, advisory archive, the set of signatures in an intrusion detection system (IDS), or website. 3.2.11 results consumer: A product that accepts open vulnerability and assessment language (OVAL) results as input and either displays those results to the user, or uses the result
46、s to perform some action (e.g., remediation, security information management (SIM). 3.2.12 system characteristics producer: A product that generates a valid open vulnerability and assessment language (OVAL) system characteristics document based on the details of a system. 3.2.13 test results: Data r
47、epresenting the outcome of correctness testing. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: CCE Common Configuration Enumeration CPE Common Platform Enumeration CVE Common Vulnerabilities and Exposures ID Identifier IDS Intrusion Detection System O
48、VAL Open Vulnerability and Assessment Language SIM Security Information Management XML Extensible Markup Language 5 Conventions The keywords “required“, “shall“, “shall not“, “should“, “should not“, “recommended“, “may“, and “optional“ in this Recommendation are interpreted in accordance with the IT
49、U-T Authors Guide. 6 High-level requirements The following items define the concepts, roles, and responsibilities related to the five different capabilities, each targeting a different usage of the OVAL Language, that comprise the proper use of the OVAL Language. These capabilities enable members of the OVAL community to easily understand how a given product is using the OVAL Language and how it might suit their needs. Rec. ITU-T X.1526 (01/2014) 3 The following requirements apply to all capa
