Name of Your Organization:

Greenbone Networks GmbH

Web Site:

http://www.greenbone.net

Adopting Capability:

Greenbone Security Manager

Capability home page:

http://www.greenbone.net/solutions/gsm.html

General Capability Questions

Adoption Capabilities

If the functionality is available now, indicate "Yes." If it has been implemented but not released, indicate "Beta". If planned but not currently available, indicate "Planned". If there are no plans for a specific category, that section(s) is not included as part of the questionnaire below.

OVAL Systems Characteristics Producer — Yes

Product Accessibility <AR_1.9>

Provide a short description of how and where your capability is made available to your customers and the public.

This functionality is a free service for Greenbone customers. The Greenbone Learning Center describes how to use the OVAL functionality. The Learning Center is publicly accessible at the Greenbone website and offers supporting downloads for free. See: http://www.greenbone.net/learningcenter/oval_sc.html

Language Version Indication <AR_1.10>

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content.

The product supports OVAL Versions 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, and 5.9.

Capability Correctness Questions

Error Reporting <AR_2.1>

Indicate how a user who discovers an error in the capability’s use of OVAL can report the error.

Any reports on potential errors, missing elements or other questions can be submitted via the usual Greenbone customer support channels.

Responding to Error Reports <AR_2.2>

Describe the approach to responding to the above error reports and how applicable fixes will be applied.

When a defect has been detected and fixed, the updates are activated automatically via the Greenbone Security Feed in less than 24 hours. A shortcut in the web interface allows an immediate update to be triggered.

Documentation Questions

Adoption Documentation <AR_3.1>

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Adoption for any customers.

The Greenbone Learning Center describes how to use the OVAL functionality. A sample guide for creating and retrieving an OVAL System Characteristics document is available here: http://www.greenbone.net/learningcenter/oval_sc.html This page also gives an example of how to run ovaldi using the provided OVAL System Characteristics.

Language Support <AR_3.2>

List each supported component schema and specific OVAL Tests in those component schemas that are supported. (AR_3.2)

The provided System Characteristics are continuously improved and extended. It is not required to update the Greenbone Security Manager product for this. The updated OVAL System Characteristics support is delivered and activated automatically within a maximum of 24 hours after the update has been published.

It is important to understand that the Greenbone product acts as a remote scanner that is optionally provided with credentials for authenticated analysis. Depending on the access granted to the scanner, the collected System Characteristics may cover only what is obtainable from a remote network perspective, or they may cover all levels of detail if the scanner was permitted to access the target host systems with suitable permissions.

OVAL Content Error Reporting <AR_3.3>

Provide a copy, or directions to the location, of where the documentation describes the procedure by which errors in OVAL content may be reported for any OVAL content that is produced by the product.

Any user feedback regarding OVAL System Characteristics, including error reports as well as feature requests, is handled via the standard Greenbone customer support.

Content Validity Questions

Syntax Error Detection and Reporting <AR_4.1> <AR_4.2> <AR_4.3> <AR_4.4>

Indicate how the product or repository detects and reports syntax errors in any OVAL content that is consumed by the product or repository.

For producing OVAL System Characteristics, the Greenbone product does not consume any OVAL content. Should errors occur while producing the System Characteristics, users are informed via the standard product methods for problem reporting.

Type-Specific Capability Questions

Systems Characteristics Producer Capability Questions

Collecting System Data <AR_5.2> <AR_5.3>

Explain the criteria used to collect system data that is included in an OVAL System Characteristics document.

While scanning target systems, the Greenbone product collects a wide range of information. After the security scan of a target has finished, the host information is used to create an OVAL System Characteristics object. The coverage of the System Characteristics depends on the access grants that were provided for the scan. For example, a remote authenticated scan will deliver far more comprehensive System Characteristics than a remote unauthenticated scan.

The collected information includes, for example, rpm or dpkg package databases. In general, the collection routine is maintained manually to cover the most useful host data while keeping the System Characteristics at a manageable size. An automated process makes timely updates of this collection routine available.

The OVAL SC objects are then stored as part of the regular scan results. This means they can be handled like any other scan result with regard to analysis, searching, filtering, annotating, alerting and exporting.

Content Export <AR_5.2> <AR_5.3>

Indicate how the product allows users to export OVAL System Characteristics documents.

The Greenbone product uses a plugin framework for reporting. Two report plugins for OVAL System Characteristics are publicly available for download: one that exports a single OVAL SC as an XML file, and one that creates a zip archive containing all the OVAL SC XML files, each with the target IP address as its base name.

Adoption Signature

Questions for Signature

Statement of Adoption <AR_1.2>

"As an authorized representative of my organization I agree that we will abide by all of the mandatory adoption requirements as well as all of the additional mandatory adoption requirements that are appropriate for our specific type of capability."

NAME: Dr. Jan-Oliver Wagner
TITLE: Managing Director

Statement of Accuracy <AR_1.2>

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability’s use of the OVAL Language and the interpretation of the logic."

NAME: Dr. Jan-Oliver Wagner
TITLE: Managing Director

Statement on Follow-On Correctness Testing Support <AR_1.7>

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

NAME: Dr. Jan-Oliver Wagner
TITLE: Managing Director

Page Last Updated: January 05, 2012