Scoping and Work Goals document and Agenda for SCAP v2 OVAL subgroup telecon Friday, August 2


Sain, Joe

Jul 30, 2019, 3:19:16 PM
to scap-d...@list.nist.gov

Greetings -

 

Please find attached and below the scoping document for the OVAL working group and the agenda for the OVAL telecon, which will be held Friday, August 2, at 11:00 AM EDT. The charter is intended to encapsulate initial thoughts regarding the direction of the working group's effort. These topics may be discussed in more detail at the telecon on Friday.

 

Please let us know if you have any questions or comments.

 

Regards,

Joe Sain

MITRE SCAP v2 Team

 

===

 

Scoping and Work Goals for SCAP v2 OVAL and Checking Languages Working Group

The SCAP v2 Community has created several targeted working groups to approach different sections of the SCAP v2 effort.

This working group, titled the OVAL and Checking Languages Working Group, is focusing on a few core topics:

  • Simplify the OVAL language for authors. This includes taming the complexity of the heavily relational structure of OVAL and making it simpler to reuse existing content in new checks. It also includes considering how to make common checks (e.g., "if running software X, then vulnerable") easy to write in the OVAL language.
  • Make it easier to apply OVAL to new contexts. Currently, this requires development of new schemas, which can create a significant time lag between a need and the creation of tools that can support content that addresses that need.
  • Make OVAL results easier to use. This includes improving the human readability of the results, clearer tracking of parameterization choices, and easier tracing of the causation of a result (e.g., what specific sub-checks caused the overall check to succeed or fail).
  • Better support for searches of OVAL repositories, making it easier to identify checks of interest to a user.

One of the first questions the group will need to address will be the magnitude of change being proposed to the language. Some proposals from prior discussions involved an almost complete rewrite of the OVAL language using different structures (e.g., YAML or a programmatic language, rather than XML). This decision will drive all plans to address the challenges above.

It is acknowledged that this workgroup does not control the OVAL standard and that any changes to the language identified would need to be presented to the official OVAL Board for their consideration.

 

===

 

AGENDA - OVAL and Checking Languages Telecon – August 2, 2019

1. Discuss Scope and Work Goals

   a. Any disagreement or additions?

   b. Is there a prioritization of the identified topics (either due to criticality of need or group interest)?

   c. Which of the following issues should be the focus of the group's effort?

      • Ability to parameterize OVAL definitions.
      • Proposal of a script-based language to simplify aspects of OVAL.
      • Methods to locate and usefully extract OVAL definitions and definition components.

2. Work shaping

   a. What would an initial product look like? (Ideally, one that we could have a draft of by September 16 and the next SCAP workshop.)

   b. What do early milestones look like?

   c. Who can help contribute to those milestones?

3. Resource identification

   a. Do we need a GitHub or similar service?

   b. Do we need to hold additional teleconferences?

 

 

Scoping and Work Goals for SCAP v2 OVAL and Checking Languages Working Group.docx
OVAL_WG_Telecon_Agenda-2_August_2019.docx