N00b Question about OVAL/SCAP files #241
Replies: 6 comments 3 replies
-
Rich, thanks for your question. As I've already provided my knowledge on this topic (that to my knowledge there isn't any current & comprehensive, public/open-source OVAL vulnerability content for RHEL or Windows), I'll ping the rest of the @OVAL-Community/oval-board-members to see if anyone else has anything to add to this conversation.
-
If you're required to follow DoD guidance, then https://public.cyber.mil/stigs/downloads/ is where you should look. Or https://cyber.mil/stigs/scap/ if you have a CAC, as the public view of Cyber Exchange seems to be unresponsive.
-
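@odermatt-rich if you mean the old cveproject legacy data, there was an announcement about it last year:
https://www.cve.org/Media/News/item/blog/2024/07/02/Legacy-CVE-Download-Formats-No-Longer-Supported
Regarding RHEL, do note that they are also moving away from OVAL for vulnerability data:
https://www.redhat.com/en/blog/red-hat-vex-files-cves-are-now-generally-available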
-
Sorry, but I did not get the original mail from Rich. What is the question about CVE data?
Thank you, Gracias, Grazie, Mahalo, Merci, Obrigado, Σας ευχαριστώ, Bedankt, Danke, ありがとう, धन्यवाद! , شكرا!
--
Kent Landfield
***@***.***
… On Feb 14, 2025, at 9:09 AM, Eduardo Barretto ***@***.***> wrote:
@odermatt-rich <https://github.com/odermatt-rich> if you mean the old cveproject legacy data, there was an announcement about it last year:
https://www.cve.org/Media/News/item/blog/2024/07/02/Legacy-CVE-Download-Formats-No-Longer-Supported
Regarding RHEL, do note that they are also moving away from OVAL for vulnerability data
https://www.redhat.com/en/blog/red-hat-vex-files-cves-are-now-generally-available
-
Never mind. I found it and no question on CVE data seems to be asked. MITRE removed OVAL updates years ago from their site.
Thank you, Gracias, Grazie, Mahalo, Merci, Obrigado, Σας ευχαριστώ, Bedankt, Danke, ありがとう, धन्यवाद! , شكرا!
--
Kent Landfield
***@***.***
-
I work mostly in the private sector with small orgs and I was also hoping that OVAL would be helpful for Windows. At this point Nessus Pro is the leading solution for those of us who need a non-cloud solution, but it has become increasingly expensive. I can only justify the cost by spreading it across multiple clients.

Tenable has "Nessus Essentials" for free, which allows you to scan up to 16 IPs. You'll need to review their licence to determine whether you can use it in your environment. I'll just say it's pretty popular for small networks. Some people install it on a VM so that they can quickly revert it to a clean state.

Another option is OpenVAS/Greenbone. It evolved from a Nessus fork back when Nessus was open source. The web-ui is, to be polite, quirky, and the formatting of the report it produces is of a quality that I wouldn't want to show to a customer. But the information it contains is useful. The free feed is pretty reasonable. They also have a commercial feed that is about half the price of Nessus Pro, but unfortunately they haven't figured out that if they dropped the price to something more reasonable they'd get a lot more customers.

From experience I can tell you that 98%+ of findings when I run a vulnerability scan are related to missing patches/updates, many of which can be observed by simply asking the OS. So for technical users, OpenVAS with the (free) community feed plus checking for outstanding OS patches is a pretty reasonable approach.
-
I do not know if this is the proper place to ask this, but I am getting desperate to find a solution.
I work in a 'closed' lab at a government.
We run mostly RHEL systems but have a few Windows 10 systems for data analysis.
I need to run vulnerability scans for all systems.
RHEL is easy as Red Hat posts constant OVAL updates that I can run with openscap to get my checks.
For Windows systems I used to grab OVAL updates from the MITRE site and add it to my SCAP tool.
MITRE doesn't have that site anymore, that I can find.
Can anyone point to a place I can get monthly (quarterly?) OVAL updates I can use?
I have been trying to get scans with ACAS, but it is not working yet, and I have been told it is overkill for 3 Windows systems, plus one Server 2016 system (for authentication).
Thank you in advance, and sorry if this is the wrong place to ask this.
--rich