This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP OVAL Content Project"

m
m
Line 9: Line 9:
 
<br>  
 
<br>  
  
PHP Related Security Definitions.
+
==== PHP Security Settings<br>  ====
  
Below is a sample OVAL definition file which detects if Apache web server is running
+
'''PHP OVAL definitions''' can be downloaded from [http://owasp-oval.googlecode.com/files/php.xml here]
  
----
+
Please note that these are designed to work on PHP Module loaded by Apache2 web server running on Linux OS
  
&lt;?xml version ="1.0" encoding="utf-8"?&gt; &lt;oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#solaris solaris-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd"&gt;
+
Details on these definitions can be found [https://docs.google.com/spreadsheet/pub?hl=en_US&key=0AhyObjO7VTMDdHlxbHFrN2VUdHp1NWZUQ0sxNGZOb1E&hl=en_US&gid=0 here]
 
 
&lt;generator&gt;
 
&lt;oval:product_name&gt;OWASP OVAL Content Project&lt;/oval:product_name&gt;
 
&lt;oval:schema_version&gt;5.10&lt;/oval:schema_version&gt;
 
&lt;oval:timestamp&gt;2011-12-07T11:18:10.417-04:00&lt;/oval:timestamp&gt;
 
&lt;/generator&gt;
 
&lt;definitions&gt;
 
&lt;definition id ="oval:org.owasp.oval:def:1" class ="compliance" version="1"&gt;
 
&lt;metadata&gt;
 
&lt;title&gt;Apache2 is running&lt;/title&gt;
 
&lt;description&gt;Apache2 has been found to be running&lt;/description&gt;
 
&lt;/metadata&gt;
 
&lt;criteria&gt;
 
&lt;criterion comment="test" test_ref="oval:org.owasp.oval:tst:1"/&gt;
 
&lt;/criteria&gt;
 
&lt;/definition&gt;
 
&lt;/definitions&gt;
 
 
 
  &lt;tests&gt;
 
&lt;process58_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:org.owasp.oval:tst:1" version="1" comment="Apache2 running" check_existence="at_least_one_exists" check="at least one"&gt;
 
&lt;object object_ref="oval:org.owasp.oval:obj:1"/&gt;
 
&lt;/process58_test&gt;
 
&lt;/tests&gt;
 
 
 
  &lt;objects&gt;
 
&lt;process58_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:org.owasp.oval:obj:1" version="1"&gt;
 
&lt;command_line operation="pattern match"&gt;.*apache2 .*&lt;/command_line&gt;
 
&lt;pid datatype="int" operation="greater than"&gt;0&lt;/pid&gt;
 
&lt;/process58_object&gt;
 
&lt;/objects&gt;
 
 
 
&lt;/oval_definitions&gt;
 
  
 
<br>  
 
<br>  
  
 
----
 
----
 
<br>
 
 
<br>
 
 
==== PHP Security Settings<br>  ====
 
 
{| width="200" border="1" cellpadding="1" cellspacing="1"
 
|-
 
! scope="col" | No
 
! scope="col" | Setting
 
! scope="col" | Recommended Value
 
! scope="col" | Description
 
! scope="col" | OVAL Definition
 
|-
 
| 1
 
| register_globals
 
| <span class="Apple-tab-span" style="white-space:pre"> </span>Off
 
| http://www.php.net/manual/en/security.globals.php
 
| TBD
 
|-
 
| 2
 
| magic_quotes_gpc
 
| <span class="Apple-tab-span" style="white-space:pre"> </span>On
 
| http://us3.php.net/manual/en/security.magicquotes.whynot.php
 
| TBD
 
|-
 
| 3
 
| expose_php
 
| <span class="Apple-tab-span" style="white-space:pre"> </span>Off
 
| Reduce the amount of information available which includes the PHP version within the HTTP header (e.g., X-Powered-By: PHP/5.3.7).
 
| TBD
 
|}
 
 
<br>
 
 
<br>
 
 
 
<br>  
 
<br>  
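Review bot: this revision drops the inline sample definition (the process58 "Apache2 is running" check) in favour of a bare download link to php.xml on googlecode, so the page no longer shows a reader what an OWASP OVAL definition looks like; consider keeping one short inline definition beside the link. While the sample is still visible here, its command_line pattern `.*apache2 .*` only matches when a space follows "apache2", so an httpd started with no arguments would be reported as not running; `.*apache2( .*)?` covers both forms.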
  

Revision as of 10:46, 26 December 2011

Main

This project's goal is to create standardized assessment documents (in OVAL XML format) for various application platforms such as .NET, Java and PHP. For example, the Web.config file contains several settings that affect the security of an ASP.NET web application; likewise, PHP.INI has several security-related settings. Creating OVAL definitions for these checks enables any OVAL-compatible tool (including the free OVAL Interpreter) to perform them.




PHP Security Settings

PHP OVAL definitions can be downloaded from here

Please note that these are designed to work on the PHP module loaded by the Apache2 web server running on Linux.

Details on these definitions can be found here
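As an added illustration of what one of the "TBD" entries in the PHP settings table could look like (example content written here, not the project's published php.xml): an OVAL 5.10 compliance definition that checks expose_php = Off in the php.ini loaded by the Apache2 PHP module, using the independent-schema textfilecontent54 test. The file path /etc/php5/apache2/php.ini and the ids def:3, tst:3, obj:3 and ste:3 are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <generator>
    <oval:product_name>OWASP OVAL Content Project (added example)</oval:product_name>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>2011-12-26T10:46:00+00:00</oval:timestamp>
  </generator>
  <definitions>
    <!-- compliance definition: true only when every uncommented expose_php line is Off -->
    <definition id="oval:org.owasp.oval:def:3" class="compliance" version="1">
      <metadata>
        <title>PHP expose_php is Off</title>
        <description>expose_php is disabled, so PHP adds no X-Powered-By header to responses</description>
      </metadata>
      <criteria>
        <criterion comment="expose_php = Off" test_ref="oval:org.owasp.oval:tst:3"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <!-- check_existence: the directive must be present; check="all": every match must satisfy the state -->
    <ind-def:textfilecontent54_test id="oval:org.owasp.oval:tst:3" version="1"
        check="all" check_existence="at_least_one_exists" comment="expose_php setting in php.ini">
      <ind-def:object object_ref="oval:org.owasp.oval:obj:3"/>
      <ind-def:state state_ref="oval:org.owasp.oval:ste:3"/>
    </ind-def:textfilecontent54_test>
  </tests>
  <objects>
    <ind-def:textfilecontent54_object id="oval:org.owasp.oval:obj:3" version="1">
      <!-- assumed location of the php.ini read by the Apache2 module (Debian/Ubuntu layout) -->
      <ind-def:filepath>/etc/php5/apache2/php.ini</ind-def:filepath>
      <!-- ^\s* excludes lines commented out with ';'; the group captures the directive's value -->
      <ind-def:pattern operation="pattern match">^\s*expose_php\s*=\s*([A-Za-z0-9]+)</ind-def:pattern>
      <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
    </ind-def:textfilecontent54_object>
  </objects>
  <states>
    <ind-def:textfilecontent54_state id="oval:org.owasp.oval:ste:3" version="1">
      <!-- the captured subexpression must be Off; 'off' and 'OFF' also pass the case-insensitive compare -->
      <ind-def:subexpression operation="case insensitive equals">Off</ind-def:subexpression>
    </ind-def:textfilecontent54_state>
  </states>
</oval_definitions>
```

The definition evaluates to non-compliant both when the directive is absent (PHP then defaults to On) and when any uncommented expose_php line carries a value other than Off; the register_globals and magic_quotes_gpc rows of the table differ only in the directive name and the expected value.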




Project About

what is this project?
Name: OWASP OVAL Content Project (home page)
Purpose:
  • The purpose of this project is to create OVAL content that enables any OVAL-compatible tool to find security issues which can be represented in a standard format.
  • More about OVAL from MITRE website:
  • Open Vulnerability and Assessment Language (OVAL®) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services.
    • This project will strive to create OVAL content (which is simply a set of XML files) for common security misconfigurations. For example, see http://www.codeproject.com/KB/web-security/web-based-applications.aspx for a list of the top 10 application security vulnerabilities in Web.config files that may affect any ASP.NET web application. Each of these settings can be tested easily by writing a corresponding OVAL check; in this particular case, xmlfilecontent_item can be used.
    • Free tools (OVAL Interpreters) are already available that can readily check content conforming to the OVAL standard.
    • The OVAL community is quite active and there is a vast amount of content available in the OVAL repository maintained on the MITRE website.
    • By providing standard, OWASP-reviewed OVAL content to the general public, this project aims to make it easier for anyone involved in finding configuration-related vulnerabilities in any web application platform.
License: Creative Commons Attribution ShareAlike 3.0 license
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases