Product manual
GFI LanGuard 18 Appendix 2 - Certifications | 260
GFI LanGuard does not support HP–UX based machines and therefore it is beyond the scope of this
product to include these checks within its check definition database.
18.1.2 About OVAL Compatibility
OVAL Compatibility is a program established to develop consistency within the security community
regarding the use and implementation of OVAL. The main goal of the compatibility program is to
create a set of guidelines that will help enforce a standard implementation. An offshoot of this is that
users are able to distinguish between, and have confidence in, compatible products knowing that the
implementation of OVAL coincides with the standard set forth.
For a product or service to gain official OVAL Compatibility, it must adhere to the Requirements and
Recommendations for OVAL Compatibility and complete the formal OVAL Compatibility Process.
OVAL Compatibility means that GFI LanGuard incorporates OVAL in a pre–defined, standard way and
uses OVAL for communicating details of vulnerabilities, patches, security configuration settings, and
other machine states.
18.1.3 Submitting OVAL listing error reports
Any issues with GFI LanGuard or the listing of the OVAL checks included with GFI LanGuard should
be reported to GFI through its official support lines.
GFI Software Ltd will endeavor to look into any issues reported and, if any inconsistency or error is
ascertained, it will issue updates to fix such issues. Vulnerability check updates are usually released
on a monthly basis.
18.2 Common Vulnerabilities and Exposures (CVE)
CVE (Common Vulnerabilities and Exposures) is a list of standardized names for vulnerabilities and
other information security exposures. Its aim is to standardize the names for all publicly known
vulnerabilities and security exposures.
CVE is a dictionary whose aim is to facilitate data distribution across separate vulnerability databases
and security tools. CVE makes searching for information in other databases easier and should not be
considered a vulnerability database by itself.
CVE is maintained through a community–wide collaborative effort known as the CVE Editorial Board.
The Editorial Board includes representatives from numerous security–related organizations such as
security tool vendors, academic institutions, and governments as well as other prominent security
experts. The MITRE Corporation maintains CVE and moderates editorial board discussions.
18.2.1 About CVE Compatibility
"CVE–compatible" means that a tool, Web site, database, or service uses CVE names in a way that
allows it to cross–link with other repositories that use CVE names. CVE–compatible products and
services must meet the following four requirements:
Compatibility     Description
CVE Searchable    A user must be able to search for vulnerabilities and related information using the CVE name.
CVE Output        Information provided must include the related CVE name(s).
Mapping           The repository owner must provide a mapping relative to a specific version of CVE, and must make a good faith effort to ensure accuracy of that mapping.
Documentation     The organization’s standard documentation must include a description of CVE, CVE compatibility, and the details of how its customers can use the CVE–related functionality of its product or service.
Table 92: CVE Compatibility