Citadel Security Software Inc.
- Rosaline Briggs
- 10 years ago
Citadel Security Software Inc. Hercules Vulnerability Assessment and Remediation Overview Document Number: Hercules v4.1 Document Version: 1.0 May 2006
Acknowledgements

THIS SOFTWARE AND DOCUMENTATION IS PROVIDED "AS IS," AND COPYRIGHT HOLDERS MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. COPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE SOFTWARE OR DOCUMENTATION.

The name and trademarks of copyright holders may NOT be used in advertising or publicity pertaining to the software without specific, written prior permission. Title to copyright in this software and any associated documentation will at all times remain with copyright holders.

AssetGuard, Citadel, and ConnectGuard are trademarks of Citadel Security Software Inc. Hercules and Hercules FlashBox are registered trademarks of Citadel Security Software Inc. Hercules software is copyrighted by Citadel Security Software Inc. This software and/or methods using this software and/or portions or combinations thereof are covered by U.S. Patent No. 7,000,247 and U.S. and foreign patents pending and trademarks.

Active Directory, Notepad, Microsoft, Windows, Windows NT, Windows Server, and SQL Server are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Adobe and Adobe Reader are registered trademarks of Adobe Systems Incorporated. AIX and PowerPC are trademarks or registered trademarks of International Business Machines Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Apache is a trademark of the Apache Software Foundation. AppSight is a trademark of Insight Software Ltd. CVE and MITRE, and OVAL are either trademarks or registered trademarks of the MITRE Corporation. Foundstone and FoundScan Engine are either trademarks or registered trademarks of Foundstone, Inc. HP-UX, PA-RISC, and Tru64 are trademarks or registered trademarks of Hewlett Packard Company in the United States. Intel and Pentium are registered trademarks of Intel. Internet Security Systems, System Scanner, Internet Scanner, and SiteProtector are either trademarks or registered trademarks of Internet Security Systems, Inc. Linux is a registered trademark of Linus Torvalds. Mac OS X is a registered trademark of Apple Computer, Inc. nCircle and nCircle IP360 are either registered trademarks or trademarks of nCircle Network Security, Inc. QualysGuard and Qualys are trademarks of Qualys, Inc. Red Hat is a registered trademark of Red Hat, Inc. REM, Retina, and eEye are either trademarks or registered trademarks of eEye Digital Security. SAINT is a registered trademark of the Saint Corporation. SANS is a trademark of SANS/ESCAL. SecureScoutSP is a trademark of NexantiS Corporation. Shavlik and HfNetChk are either trademarks or registered trademarks of Shavlik Technologies, LLC. STAT and Guardian are either trademarks or registered trademarks of Harris Corporation. Sun and Solaris are trademarks of Sun Microsystems, Inc. in the United States and other countries. UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd. WinZip is a registered trademark of WinZip Computing, Inc.

W3C SOFTWARE NOTICE AND LICENSE

Copyright World Wide Web Consortium (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University). All Rights Reserved.

This W3C work (including software, documents, or other related items) is being provided by the copyright holders under the following license. By obtaining, using and/or copying this work, you (the licensee) agree that you have read, understood, and will comply with the following terms and conditions:

Permission to use, copy, modify, and distribute this software and its documentation, with or without modification, for any purpose and without fee or royalty is hereby granted, provided that you include the following on ALL copies of the software and documentation or portions thereof, including modifications, that you make.

- The full text of this NOTICE in a location viewable to users of the redistributed or derivative work.
- Any pre-existing intellectual property disclaimers, notices, or terms and conditions. If none exist, a short notice of the following form (hypertext is preferred, text is permitted) should be used within the body of any redistributed or derivative code: "Copyright 2004 World Wide Web Consortium (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University). All Rights Reserved. Legal/"
- Notice of any changes or modifications to the W3C files, including the date changes were made. (We recommend you provide URIs to the location from which the code is derived.)

All other products are trademarks of their respective holders.

Copyright by Citadel Security Software Inc. All rights reserved.

Citadel Security Software Inc. * Two Lincoln Centre * 5420 LBJ Freeway, Suite 1600 * Dallas, TX Phone: (214) * Fax: (214) * [email protected] * Website:
Contents

1 Overview
2 Device Discovery
3 Vulnerability Assessment
    Selecting a Vulnerability Assessment Tool
    Preparing for Assessment
    Running the Assessment
4 Vulnerability Review
5 Vulnerability Remediation
6 Vulnerability Management
7 Vulnerability Assessment Tools
    eEye Digital Security Retina Network Security Scanner
    eEye Digital Security REM
    Foundstone FoundScan Engine
    Harris STAT Scanner
    Harris STAT Guardian Scanner
    ISS Internet Scanner
    ISS System Scanner
    ISS SiteProtector
    Microsoft Baseline Security Analyzer
    nCircle IP360 Vulnerability Management System
    NexantiS SecureScout SP
    Qualys QualysGuard Scanner
    SAINT Scanning Engine
    Tenable Nessus Scanner
    Tenable NeWT Scanner
    The MITRE Corporation OVAL Definition Interpreter
Customer Support

When you purchase a Customer Support Agreement and register your Citadel software product, you are eligible to receive technical support according to the terms of the contract you purchased. Citadel provides two levels of technical support:

- Standard support: Available by phone 7 A.M. - 7 P.M. US Central Standard Time on Citadel Security Software normal business days.
- Premium support: Available by phone 7 days x 24 hours x 365 days of the year.

Registered users can reach Citadel Customer Support in any of the following ways:

- Toll-free hot line at CITADEL, ( )
- at [email protected]
- Customer Support Portal on the Citadel website at
1 Overview

Promoting network security involves adopting proactive practices that identify and eliminate risks before they can be exploited. Vulnerabilities that can be exploited within an enterprise network include software defects, unnecessary services, unsecured accounts, backdoors, and misconfigurations.

Remediating security vulnerabilities must be automated; manual remediation has become cost prohibitive. Consider these metrics:

- When the average Microsoft Windows device is scanned for the first time it contains vulnerabilities.
- It takes a security administrator an average of one hour to fix each vulnerability or approximately 100 hours of manual remediation for each computer.

If you apply these metrics to an enterprise network with several hundred or thousands of computers, the timeframes, resources, and dollar amounts associated with manual vulnerability remediation become astronomical.

This guide describes how to achieve a high level of network security at a low cost. The proposed best practice includes the following steps:

1. Device Discovery
2. Vulnerability Assessment
3. Vulnerability Review
4. Vulnerability Remediation
5. Vulnerability Management

Device discovery is the process of identifying all devices on the network by IP address.

Vulnerability assessment is the process of detecting known vulnerabilities on network computers. This process is performed with automated scanning software or auditing practices.

Vulnerability review is the process of selecting the vulnerabilities to fix based on risk assessment, and determining whether the remediation can be automated.

Vulnerability remediation is the process of eliminating the security flaws.

Vulnerability management is the process of developing and implementing a policy compliance plan and scheduling automated vulnerability remediation. Such plans ensure these steps are performed as often as required to maintain a secure network.

This guide is designed to help you devise an effective scanning and remediation strategy using Citadel's Hercules software and its supported assessment tools. Hercules automated vulnerability remediation solution is the first vulnerability remediation solution to automate the resolution of all classes of vulnerabilities.
2 Device Discovery

Wireless access points, laptops and other mobile computing devices are proliferating in networks due to their ease of use and low acquisition costs. These devices can contain sensitive data assets and are easily exploitable. Device discovery enables you to map your network, set a baseline for the identified devices, and track rogue devices as they enter or leave the network.

Use an assessment tool or other network mapping software that scans all networks and sub-networks to identify all devices with their associated IP addresses. Information typically collected during device discovery includes the following:

- The number of devices
- The type of devices (such as computers with Windows operating systems, UNIX operating systems, Linux operating systems, Mac OS X operating system, and edge devices, printers, etc.)
- Unexpected or rogue devices
- Wireless networks

It is important to match the devices found to internal IT asset tracking or equipment lists to validate each piece of equipment. Any devices found that are not accounted for via asset tracking require additional research. You should add such devices to the IT asset inventory or remove the devices from the network.

In large computing environments, discovery can take a substantial amount of time. You should perform device discovery on a regular basis as part of centralized IT security control. Device discovery represents the first step to eliminating one of the biggest threats to corporate networks today: exploitation of devices that are under the radar of IT security.
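
The reconciliation described in this section, matching discovered devices against the asset inventory and tracking devices that enter or leave relative to a baseline, can be sketched as follows. This is an added example, not part of the Citadel document or the Hercules software; the addresses, asset tags, field names and the device-type comparison are constructed assumptions.

```python
from ipaddress import ip_address

# Constructed sample data (not from the original document).
INVENTORY = {  # IT asset tracking: IP -> asset tag
    "10.0.1.10": "AT-0001", "10.0.1.11": "AT-0002",
    "10.0.1.20": "AT-0003", "10.0.2.5": "AT-0004",
}
BASELINE = {  # previous discovery run: IP -> device type
    "10.0.1.10": "windows", "10.0.1.11": "linux",
    "10.0.1.20": "printer", "10.0.2.5": "windows",
}
DISCOVERED = {  # current discovery run: IP -> device type
    "10.0.1.10": "windows", "10.0.1.11": "linux",
    "10.0.1.20": "wireless-ap", "10.0.1.99": "wireless-ap",
    "10.0.2.200": "windows",
}


def _ordered(ips):
    """Sort IP strings numerically rather than lexically."""
    return sorted(ips, key=ip_address)


def reconcile(discovered, inventory, baseline):
    """Classify the devices seen in a discovery run.

    validated    - seen on the network and present in asset tracking
    unaccounted  - seen on the network but not in asset tracking
                   (research, then add to inventory or remove from network)
    not_seen     - in asset tracking but not found by this run
    entered/left - change relative to the previous baseline
    type_changed - same IP, different device type than in the baseline
    """
    seen, known, previous = set(discovered), set(inventory), set(baseline)
    return {
        "validated": _ordered(seen & known),
        "unaccounted": _ordered(seen - known),
        "not_seen": _ordered(known - seen),
        "entered": _ordered(seen - previous),
        "left": _ordered(previous - seen),
        "type_changed": _ordered(
            ip for ip in seen & previous if discovered[ip] != baseline[ip]
        ),
    }


if __name__ == "__main__":
    for category, ips in reconcile(DISCOVERED, INVENTORY, BASELINE).items():
        print(f"{category:13} {', '.join(ips) or '-'}")
```
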
3 Vulnerability Assessment

Selecting a Vulnerability Assessment Tool

You typically perform vulnerability assessment with an automated vulnerability assessment tool. Vulnerability assessment tools can be classified as Network-based or Host-based.

Network-based assessment tools scan a range of IP addresses from a centralized computer. They probe and detect vulnerabilities through port scanning and other remote access methods.

Host-based assessment tools require the installation of a client software component on each device you want to scan. The client software is responsible for inspecting the system for vulnerabilities and reporting findings to a centralized database or management console.

Both of these architectures have advantages and disadvantages. In making a selection of the type of assessment tool to use, keep the following in mind:

- Determine which networks will be scanned and the transport routes used for assessment.
- Determine the appropriate rights required to perform the assessment. Many tools require administrative privileges to obtain complete scan results. Often this requirement determines who is responsible for scanning which devices.
- When evaluating host-based vulnerability assessment tools, consider whether the tool includes client deployment tools and the method of client distribution.
- Evaluate the computing environment as a whole based on the device discovery process.
- Determine if the selected scanner provides an acceptable level of assessment for your platforms.
- Consider the types of checks that are performed.
- Consider the operating systems that are supported.

The quantity and quality of assessment intelligence data provided by the available tools varies greatly. Citadel recommends you perform scans using multiple tools to get a clear picture of your organization's current security posture. Using multiple tools provides some overlap in data. It also provides the benefit of performing additional checks that may not be identified by the primary scanner of choice.

Preparing for Assessment

After selecting an appropriate vulnerability assessment tool, you must install and configure it to work appropriately in your environment. The configuration process requires an understanding of what knowledge is gained during device discovery. You must understand the appropriate audits or checks to perform against each device.

Most scanners perform tests based on non-destructive and destructive methodologies. Non-destructive methodologies assess the device without attempting to break in or exploit the system. Destructive methodologies attempt to exploit the vulnerability on the system. In cases where the system is vulnerable, it can actually cause damage or downtime to the system. This is most notable when running assessments for denial of service attacks or buffer overflows that cause the device to stop responding.

To prepare for the assessment, do the following:

- Carefully analyze the assessment policies available from the vendor
- Disable any destructive tests to prevent unwanted side effects
- Become intimately familiar with the testing process on the majority of the vulnerabilities being scanned

Bandwidth requirements and CPU overhead should be taken into consideration before performing a scan. Performing an assessment of a medium to large size network with about 1500 devices can provide significant bandwidth utilization. Depending on the test selected, it can also generate moderate to high CPU utilization on the device being scanned. Additionally, it is best to schedule or run the assessment during non-peak business hours. This ensures the scanning software does not compete for bandwidth with normal daily business traffic.

Running the Assessment

After determining the devices to scan, the type of assessment to perform, and the best time of day to run the assessment, the next step is to implement the assessment process by distinct network segments. That is, use the assessment tool to scan each segment separately. Performing a phased assessment minimizes the bandwidth utilization when assessing a network composed of many devices.

For detailed instructions on how to perform an assessment, see the assessment tool documentation.
4 Vulnerability Review

Depending on the number of devices scanned and the number of vulnerabilities scanned for, most assessment tools produce large volumes of data. During the vulnerability review process, you analyze the data generated during assessment to determine which devices and vulnerabilities will be remediated, in what order, and whether there are exceptions that must be handled manually. Almost all remediations can be automated. An example of a manual remediation is installing a patch to a third-party application.

Citadel suggests you perform the review by the segments used for assessment. Consider the following approach:

1. During the initial review, the security team performs tasks such as the following:
   - Create a list of unique, identified vulnerabilities. (Eliminate duplicate or extraneous data.)
   - Devise a risk scale, such as 1-5, 1 being the highest risk.
   - Determine the risk associated with each vulnerability and assign a risk rank to each.
   - Prioritize the vulnerability list, beginning with the highest risk items.
   - Hand off the list to the system owners and business unit directors.

2. System owners and business unit directors then take responsibility for the following:
   - Review the risk to vulnerability assignments and revise as needed.
   - Determine the acceptable level of risk to the network when weighed against requirements for accessibility.
   - Define the cutoff in the prioritized list that divides vulnerabilities that will be remediated from those that will be tolerated.
   - Review the revised list with the security assessment team for consensus.
   - Use change control procedures, where applicable, to track updates.

3. Finally, the security assessment team makes final decisions and performs handoffs as follows:
   - Identify the vulnerabilities for which remediation can be automated; update the list.
   - Plan automated remediation by subnetwork; hand off list for automated remediations to the individual who will use the Hercules software.
   - Assign any remaining vulnerability remediation tasks to the team who will perform the manual remediations.
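
The three-stage review above can be carried through on a small data set as follows. This is an added example, not code from the Citadel document or the Hercules software; the scanner names, vulnerability identifiers, risk ranks, cutoff and the set of automatable fixes are constructed assumptions standing in for the decisions each team makes.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample findings: (scanner, segment, device IP, vulnerability ID).
FINDINGS = [
    ("scanner-a", "10.0.1.0/24", "10.0.1.10", "VULN-001"),
    ("scanner-b", "10.0.1.0/24", "10.0.1.10", "VULN-001"),  # duplicate report
    ("scanner-a", "10.0.1.0/24", "10.0.1.11", "VULN-002"),
    ("scanner-b", "10.0.1.0/24", "10.0.1.11", "VULN-003"),
    ("scanner-a", "10.0.2.0/24", "10.0.2.5", "VULN-001"),
    ("scanner-a", "10.0.2.0/24", "10.0.2.5", "VULN-004"),
    ("scanner-b", "10.0.2.0/24", "10.0.2.6", "VULN-002"),
]
# Stage 1: risk rank per vulnerability on a 1-5 scale, 1 being the highest risk.
RISK_RANK = {"VULN-001": 1, "VULN-002": 2, "VULN-003": 4, "VULN-004": 3}
# Stage 2: owners' cutoff; ranks 1..CUTOFF are remediated, the rest tolerated.
CUTOFF = 3
# Stage 3: vulnerabilities whose remediation can be automated.
AUTOMATABLE = {"VULN-001", "VULN-004"}


def prioritize(vuln_ids, risk_rank):
    """Order unique vulnerabilities by rank; refuse to proceed if any is unranked."""
    unranked = sorted(set(vuln_ids) - set(risk_rank))
    if unranked:
        raise ValueError(f"no risk rank assigned for: {unranked}")
    return sorted(set(vuln_ids), key=lambda v: (risk_rank[v], v))


def apply_cutoff(prioritized, risk_rank, cutoff):
    """Split the prioritized list into (remediate, tolerate) at the cutoff rank."""
    remediate = [v for v in prioritized if risk_rank[v] <= cutoff]
    tolerate = [v for v in prioritized if risk_rank[v] > cutoff]
    return remediate, tolerate


def build_plan(findings, risk_rank, cutoff, automatable):
    """Run the review: dedupe, rank, cut off, then split automated from manual."""
    # The same device/vulnerability pair reported by two scanners counts once.
    instances = {(seg, ip, vuln) for _scanner, seg, ip, vuln in findings}
    prioritized = prioritize({vuln for _, _, vuln in instances}, risk_rank)
    remediate, tolerated = apply_cutoff(prioritized, risk_rank, cutoff)

    automated = defaultdict(list)  # segment -> [(ip, vuln)], highest risk first
    manual = []                    # [(ip, vuln)] for the manual remediation team
    ordered = sorted(
        instances, key=lambda f: (risk_rank[f[2]], ip_address(f[1]), f[2])
    )
    for seg, ip, vuln in ordered:
        if vuln not in remediate:
            continue
        if vuln in automatable:
            automated[seg].append((ip, vuln))
        else:
            manual.append((ip, vuln))
    return {
        "prioritized": prioritized,
        "tolerated": tolerated,
        "automated": dict(automated),
        "manual": manual,
    }


if __name__ == "__main__":
    plan = build_plan(FINDINGS, RISK_RANK, CUTOFF, AUTOMATABLE)
    print("priority order:", plan["prioritized"])
    print("tolerated:     ", plan["tolerated"])
    for segment, items in plan["automated"].items():
        print("automated", segment, items)
    print("manual:        ", plan["manual"])
```
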
5 Vulnerability Remediation

Remediation is defined as the process of correcting a fault or deficiency, or, in this case, a vulnerability. Hercules software provides relief by automating the remediation of the vulnerabilities identified during the assessment process. The software also provides reports and management tools to track the vulnerabilities that must be handled manually. Performing remediation using Hercules software significantly reduces the amount of time required to research and deploy remediation to vulnerable systems.

To manage manual remediations, a process should be created that determines when systems will be remediated and by which technician. In addition you must address the following items:

- Where is the device physically located? Can the device be accessed after hours? Is travel time involved?
- Does the technician have the necessary access rights (administrative etc.) to the system?
- Has the research been performed to know what is required to implement the fix?
- Does the fix involve updating software? Is the software downloadable from the Internet? Does the computer have access to the Internet?
- What happens after the fix is implemented? Does it require the system to be rebooted? If so, can it be rebooted without creating downtime for mission critical applications?

Fortunately, Hercules vulnerability assessment system eliminates the majority of research related work required for manual remediations.

After you develop the process and plan, you can proceed with remediation as follows:

1. Use Hercules to perform all automated remediations.
2. Execute the process for manual remediation.
6 Vulnerability Management

Management of vulnerabilities and remediation is important to keep the network operating securely and efficiently. Vulnerability assessment and remediation is not a one-time process. Regularly scheduled vulnerability assessment and remediation must be consistently performed and managed to produce any level of success. Effectively managing vulnerabilities includes performing routine assessment and remediation as well as device discovery.

Each company should review the personnel and resources within their organization to develop a security team to manage this process. Security personnel should be well trained and knowledgeable of industry best practices and the tools available. Citadel recommends you have at least one certified security professional available to assist with crises and provide knowledge assistance.

Most importantly when managing vulnerability assessment and remediation, a plan must be developed to maintain the assessment checks performed by the assessment tools. This includes periodic updates via Internet enabled software downloads and upgrades from the software vendor. It is also highly recommended to maintain support contracts for commercially available security tools. This ensures that the product is maintained and updated in a timely manner and provides knowledgeable support staff when needed.

Security news and vulnerability intelligence must be continually monitored to identify new threats as they emerge. Numerous free and subscription type services offer browser-based and direct feeds that supply timely security intelligence information.

Implementing these procedures and practices will ensure that vulnerabilities are eliminated before they are exploited by malicious hackers to gain confidential data or induce downtime on the network.
7 Vulnerability Assessment Tools

Hercules enterprise security software uses supported vulnerability assessment tools to assess the network and discover vulnerabilities on the devices it scans. After the assessment is complete, Hercules technology uses the results to build remediation profiles for the devices that were assessed.

To simplify the remediation process, the Hercules vulnerability assessment and remediation system includes an import wizard for the following supported vulnerability assessment tools:

- eEye Digital Security Retina Network Security Scanner
- eEye Digital Security REM Security Management Console
- Foundstone, Inc. FoundScan Engine
- Harris STAT Scanner
- Harris STAT Scanner and above (Guardian)
- Internet Security Systems Internet Scanner
- Internet Security Systems SiteProtector
- Internet Security Systems System Scanner
- Microsoft Baseline Security Analyzer (MBSA)
- nCircle IP360 Vulnerability Management System
- NexantiS SecureScout SP
- Qualys, Inc. QualysGuard Scanner
- Saint Corporation SAINT Scanning Engine
- Tenable Network Security Nessus Scanner
- Tenable Network Security NeWT Scanner
- The MITRE Corporation OVAL Definition Interpreter

Vulnerability assessment data from several different scanners can be combined to create a single view of all assessment data. This is accomplished by importing the data from several different sources. During the import process, the Hercules software automatically combines the vulnerability information and associates it with the appropriate device.

eEye Digital Security Retina Network Security Scanner

The eEye Digital Security Retina Network Security Scanner is a network-based vulnerability assessment tool. It can be used to perform assessments on all devices on the network including Windows, UNIX, Linux, and edge devices. Retina can be used to schedule scans from the command line. It also offers a graphical user interface to assist users in managing assessment policies and scan sessions. For details on this product, see

While Retina is performing a scan, it stores the results of the scan in a proprietary .rtd file or within an ODBC database connected by a DSN. Hercules Import Wizard for Retina uses this .rtd file or an ODBC database connection to import the results and create Remediation profiles.
eEye Digital Security REM

The eEye Digital Security's family of scanners now includes the importing of scanned data from the REM (Remote Enterprise Management) Security Management Console. REM is a network-based vulnerability assessment tool. It can be used to perform assessments on all devices on the network including Windows, UNIX, Linux, and edge devices. You can import vulnerability and device information directly from the REM database. The REM Security Management Console aggregates data from the Retina Security Scanner and Retina WiFi Scanner. For details, see

Foundstone FoundScan Engine

Foundstone FoundScan Engine discovers and maps your complete network environment including routers, firewalls, servers and custom Web applications and then probes these areas for vulnerabilities. FoundScan consists of three components: an SQL database that holds scan data, an engine that scans for vulnerabilities, and a Web portal that allows users to access the information in the database through their Web browser. FoundScan imports the data directly from the FoundScan database into the Hercules database. The FoundScan engine is at the core of McAfee Foundstone Enterprise 4.0.

Harris STAT Scanner

The Harris STAT Scanner is a network-based vulnerability assessment tool. It can be used to perform assessments on most network devices including Windows, UNIX, Linux, and edge devices. STAT Scanner offers a graphical user interface to assist users in managing assessment policies and scan sessions.

While STAT is performing a scan, it stores the results of the scan in a database file. Hercules Import Wizard for STAT Scanner uses this database file to import the results and create remediation profiles.

Harris STAT Guardian Scanner

The Harris STAT Guardian Scanner is a network-based vulnerability assessment tool. It can be used to perform assessments on most network devices including Windows, UNIX, Linux, and edge devices. The vulnerability assessment scan engine, STAT Scanner 6.2, is the foundation of STAT Guardian VMS. STAT Scanner 6.0 provides adaptive scanning capabilities to accurately find vulnerabilities in multiple computer operating platforms and applications.

STAT Guardian stores the results of its scans in a database on a local web server. Hercules Import Wizard for STAT Guardian Scanner uses a web service on the local Guardian web server to import the results and create remediation profiles. Support begins with STAT Scanner
ISS Internet Scanner

The Internet Security Systems (ISS) Internet Scanner is a network-based vulnerability assessment tool. It can be used to perform assessments on all devices on the network including Windows, UNIX, Linux, and edge devices. Internet Scanner can be used to schedule scans from the command line. It also offers a graphical user interface to assist users in managing assessment policies and scan sessions. For details, see:

While Internet Scanner is performing a scan, it stores the results of the scan in a database file. Hercules Import Wizard for Internet Scanner uses this database file to import the results and create remediation profiles.

ISS System Scanner

ISS System Scanner is a host-based vulnerability assessment tool. It can be used to perform assessments on devices that it supports including Windows, UNIX, and Linux. System Scanner offers a graphical user interface to assist users in managing assessment policies and scan sessions.

While System Scanner is performing a scan, it stores the results of the scan in a database file. Hercules Import Wizard for System Scanner uses this database file to import the results and create Remediation profiles. For details on the ISS System Scanner, see:

ISS SiteProtector

The Internet Security Systems SiteProtector management system enables you to monitor and control network security systems across multiple sites from a central location. You can monitor your networks for intrusion activity, assess vulnerabilities, and prioritize events. For details on SiteProtector, see:

Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security patches as well as common security misconfigurations. MBSA includes a graphical and command line interface that can perform local or remote scans of Windows operating systems (Windows 2000, Windows XP, and Windows Server 2003). MBSA scans for missing security updates and service packs for Windows, IE, Internet Information Services (IIS), SQL Server, Exchange, and Windows Media Player. MBSA will create and store individual XML security reports for each computer scanned and will display the reports in the graphical user interface in HTML. For details on MBSA, see:

You need a dedicated folder for the output files generated by the MBSA scan. The Hercules software browses the folder for the files, rather than browsing for each file individually. If you use MBSA 1.2.1, the output files are .xml files. If you use MBSA 2.0, the result is an html file with an .mbsa extension.
nCircle IP360 Vulnerability Management System

The IP360 Vulnerability Management System from nCircle is an appliance-based vulnerability management solution that discovers, assesses, and protects devices within the enterprise network against common vulnerabilities. The IP360 Device Profilers track changes to the network environment, discover new vulnerabilities, and report network status using a non-disruptive scanning technology that accurately reveals the scope of your infrastructure without taxing network bandwidth. The IP360 Vulnerability Management System minimizes false positives and negatives associated with some scanners.

The nCircle IP360 scanner can export the results of a scan in an XML file. Hercules Import Wizard for nCircle uses this XML file to import the results and create Remediation profiles.

NexantiS SecureScout SP

NexantiS SecureScout SP is a multi-user software product for enterprise vulnerability assessment needs. SecureScout SP provides automation, control and management of security testing. SecureScout SP users can enjoy an unprecedented level of Managed Security through the on-going testing of internal and public-facing IP addresses. For Managed Security Service Providers, SecureScout SP can be rebranded.

SecureScout SP imports the data directly from the SecureScout database into the Hercules database.

Qualys QualysGuard Scanner

The QualysGuard scanner is currently offered as an ASP solution for customers to perform scans of devices accessible through an outward facing internet connection. QualysGuard performs various assessments on Windows, UNIX, Linux, Solaris, and network devices.

Hercules software integrates with QualysGuard by allowing the import of previously saved scans from a local XML file or by authenticating to the QualysGuard service and downloading the appropriate scan reports for import.

SAINT Scanning Engine

The SAINT Scanning engine is a vulnerability scanner that pinpoints security risks accurately, while being easy to use. It finds targets, does a port scan, and then a vulnerability check.

SAINT Scanning Engine imports the data directly from the SAINT database into the Hercules database.
Tenable Nessus Scanner

Nessus is a network-based vulnerability assessment tool that is supported by the Open Source community. It is free to download and use on any network and can be customized to fit specific environments. See

Nessus is installed and runs on Linux or UNIX hosts. It can scan a variety of different platforms including Windows, UNIX, Linux, and edge devices. It is recommended that before attempting to install and use Nessus that you have a good understanding of UNIX or Linux and are comfortable with installing and configuring software on those platforms.

Through the support of the Open Source communities, several Nessus clients have been developed that allow users to control and manage Nessus scans from platforms other than Linux. For example, NessusWx provides a Windows interface that allows scheduling and running of vulnerability assessments. These clients communicate with the Nessus server installed on a Linux or UNIX computer to perform the scan and reporting functions.

Tenable NeWT Scanner

Tenable Network Security produces NeWT, a Windows version of the Nessus scanner used with Windows 2000 and Windows XP machines. NeWT stands for "Nessus for Windows Technology". Hercules accepts NeWT data as an XML file.

The MITRE Corporation OVAL Definition Interpreter

OVAL (Open Vulnerability and Assessment Language) is a specification for describing vulnerabilities in XML format. This standard defines three main XML schemas, one of which is the OVAL Definitions Schema, which is used to test for the presence of specific vulnerabilities, configuration issues, and/or patches.

The OVAL Definition Interpreter is a reference implementation of OVAL that was created to show how information can be collected from a computer to evaluate, and carry out the OVAL definitions for that platform. The OVAL Definition Interpreter can be downloaded from free of charge.

The OVAL Importer enables the import of the results of files generated by the OVAL Definition Interpreter into Hercules. You can import OVAL results files from other supported OVAL-compatible scanners, for example, ThreatGuard. The OVAL Importer will support version 4.1 and 4.2 of the OVAL Definition Interpreter.

The OVAL Definition Interpreter runs on Windows and Red Hat operating systems, specifically, Windows NT 4.0, Windows 2000 Professional, Windows XP, Windows 2000 Server, and Windows Server 2003, Red Hat Linux 9, and Red Hat Enterprise Linux 3.
