False Vulnerability reports from OVAL Content


Product Name: CIS-CAT Pro Assessor

Product Version: All

Date: Nov 18, 2020




Problem

A false vulnerability is being reported by a CIS-CAT Pro assessment. This appears to be an error in the OVAL content rather than in the assessor.


Solution

CIS-CAT Pro Assessor CLI is designed primarily to assess CIS Benchmark configuration recommendations. However, it can also assess SCAP and OVAL content.

For Windows vulnerability reports, the OVAL files used in these assessments are downloaded from the official OVAL Repository, which is operated by CIS. It is important to note that the content in the official OVAL Repository is not authored by CIS; it is submitted by contributors from the OVAL community. CIS does perform structural QA on submitted content (schema validity and similar checks), but CIS does not validate the assessment logic embodied by the content.

Therefore, there can be issues with the assessment logic embodied by the OVAL content. The best way to address such issues is to have the creator of the content review and fix it. A GitHub issue can be opened in the OVAL Repository for this purpose; it should include the exact OVAL definition identifier and be labeled as a "bug" or "question".

Because OVAL content is maintained by the community in this way, its compatibility with and support in CIS-CAT differ from the CIS Benchmarks, which are built and updated specifically to run in CIS-CAT Pro Assessor.

Similarly, the Red Hat, SUSE and Ubuntu Linux vulnerability content is generated by the respective community or, in the SLES case, by Novell.

If an assessment produces false flags, the cause is more likely an issue in the community-generated OVAL content than in the CIS-CAT tool's ability to evaluate that content. Questions should therefore be directed to the appropriate community.
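Before opening an issue, the reporter needs the exact definition identifier behind each flagged finding. The script below is an added example (not part of this article and not CIS-CAT Pro code): it parses an OVAL Results document, the format CIS-CAT writes for OVAL assessments, and lists every vulnerability or patch definition that evaluated to "true" together with its title and external references from the embedded definitions block, so the identifier and the CVE it claims to cover can be quoted in the GitHub issue and checked against the vendor advisory. The XML sample, its definition ids and CVE numbers are constructed placeholders, not real repository content.

```python
"""List the OVAL definition ids behind flagged findings in an OVAL Results file.

Added example, not CIS-CAT Pro code. The OVAL Results layout used here
(an embedded oval_definitions block plus results/system/definitions) is
the standard OVAL 5.x results schema; the sample document and every id
and CVE number in it are constructed placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}

# Constructed sample: def:1 is a true vulnerability finding, def:2 evaluated
# false, def:3 is an inventory definition (true, but not a finding).
SAMPLE_RESULTS = """<?xml version="1.0"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <oval-def:oval_definitions>
    <oval-def:definitions>
      <oval-def:definition id="oval:example.placeholder:def:1" version="3" class="vulnerability">
        <oval-def:metadata>
          <oval-def:title>Placeholder vulnerability A</oval-def:title>
          <oval-def:reference source="CVE" ref_id="CVE-0000-0001"/>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:example.placeholder:def:2" version="1" class="vulnerability">
        <oval-def:metadata>
          <oval-def:title>Placeholder vulnerability B</oval-def:title>
          <oval-def:reference source="CVE" ref_id="CVE-0000-0002"/>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:example.placeholder:def:3" version="2" class="inventory">
        <oval-def:metadata>
          <oval-def:title>Placeholder inventory check</oval-def:title>
        </oval-def:metadata>
      </oval-def:definition>
    </oval-def:definitions>
  </oval-def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example.placeholder:def:1" version="3" result="true"/>
        <definition definition_id="oval:example.placeholder:def:2" version="1" result="false"/>
        <definition definition_id="oval:example.placeholder:def:3" version="2" result="true"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def load_definition_metadata(root):
    """Map definition id -> class, version, title and references from the embedded definitions."""
    meta = {}
    for d in root.findall(".//def:definitions/def:definition", NS):
        title_el = d.find("def:metadata/def:title", NS)
        refs = [f"{r.get('source')}:{r.get('ref_id')}"
                for r in d.findall("def:metadata/def:reference", NS)]
        meta[d.get("id")] = {
            "class": d.get("class"),
            "version": d.get("version"),
            "title": title_el.text if title_el is not None else "",
            "references": refs,
        }
    return meta


def flagged_definitions(xml_text, classes=("vulnerability", "patch")):
    """Return the definitions that evaluated true and belong to a finding class."""
    root = ET.fromstring(xml_text)
    meta = load_definition_metadata(root)
    flagged = []
    for r in root.findall(".//res:results/res:system/res:definitions/res:definition", NS):
        if r.get("result") != "true":
            continue
        did = r.get("definition_id")
        info = meta.get(did, {"class": "unknown", "version": r.get("version"),
                              "title": "", "references": []})
        if info["class"] not in classes:
            continue  # inventory/compliance definitions are not vulnerability findings
        flagged.append({"id": did, **info})
    return flagged


def issue_report(xml_text):
    """Render one line per flagged definition, ready to paste into a repository issue."""
    lines = []
    for f in flagged_definitions(xml_text):
        refs = ", ".join(f["references"]) or "none"
        lines.append(f"{f['id']} (v{f['version']}, {f['class']}): {f['title']} [{refs}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(issue_report(SAMPLE_RESULTS))
```

To use it on a real assessment, read the CIS-CAT OVAL results XML from disk and pass its text to `issue_report`. Each line carries the definition id and version to cite in the issue; comparing the referenced CVE against the vendor's own advisory for the installed package version is the quickest way to confirm whether the finding is a false positive before reporting it.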



Copyright © 2020

Center for Internet Security®