<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 1/27/17 2:53 AM, Sona Sarmadi wrote:<br>
</div>
<blockquote
cite="mid:3230301C09DEF9499B442BBE162C5E48AC314402@SESTOEX04.enea.se"
type="cite">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">Thanks
for your quick reply Shawn.<o:p></o:p></span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span>
</p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">I
am trying to figure out how OVAL definitions work.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">For
example if I want to detect unpatched CVEs in my RedHat Linux
6, I should use OVAL definition below:<o:p></o:p></span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span>
</p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"><a
moz-do-not-send="true"
href="https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_6.xml"><span
style="color:windowtext">https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_6.xml</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">Does
this file (</span><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">Red_Hat_Enterprise_Linux_6.xml)</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
contain all CVEs which affect Redhat Linux 6 or only those
which have been fixed?
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">If
I haven’t applied all fixes provided by RedHat, will the
command below detect and report those CVEs?
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">oscap
oval eval --results rhsa-results-oval.xml --report
oval-report-RedHat6.html
<b>Red_Hat_Enterprise_Linux_6.xml</b><o:p></o:p></span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span>
</p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">I
am asking this because I haven’t updated my RedHat for a
while, I think I should at least get some kernel CVEs
reported, but the result is all green.<o:p></o:p></span></p>
</blockquote>
<br>
If there was a RHSA released, there should be a corresponding SCAP
check. Ref:<br>
<a class="moz-txt-link-freetext" href="https://access.redhat.com/articles/221883">https://access.redhat.com/articles/221883</a><br>
<br>
The command is correct. It seems a bit odd that you have no
findings, if your system hasn't been patched for a while (e.g. stock
install of RHEL 6.8). <br>
<br>
<br>
WRT how the OVAL works, an example from the firefox patches last
week:<br>
<br>
- First, OVAL will see what RHEL version you're on, and even
derivative (RHEL6 vs RHEL6 Workstation vs RHEL6 Desktop):<br>
<blockquote type="cite">
<div class="line" style="color: rgb(0, 0, 0); font-family:
monospace; font-size: 13px; font-style: normal;
font-variant-ligatures: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans: 2;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px;"><span class="html-tag"><criteria<span
class="html-attribute"><span class="Apple-converted-space"> </span><span
class="html-attribute-name">operator</span>="<span
class="html-attribute-value">OR</span>"</span>></span></div>
<div class="collapsible-content" style="margin-left: 1em; color:
rgb(0, 0, 0); font-family: monospace; font-size: 13px;
font-style: normal; font-variant-ligatures: normal;
font-variant-caps: normal; font-weight: normal; letter-spacing:
normal; orphans: 2; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: 2;
word-spacing: 0px; -webkit-text-stroke-width: 0px;"><span
class="text"></span>
<div class="line"><span class="html-tag"><criterion<span
class="html-attribute"><span class="Apple-converted-space"> </span><span
class="html-attribute-name">comment</span>="<span
class="html-attribute-value">Red Hat Enterprise Linux 6
Client is installed</span>"</span><span
class="html-attribute"><span class="Apple-converted-space"> </span><span
class="html-attribute-name">test_ref</span>="<span
class="html-attribute-value">oval:com.redhat.rhsa:tst:20170190004</span>"</span>/></span></div>
<div class="line"><span class="html-tag"><criterion<span
class="html-attribute"><span class="Apple-converted-space"> </span><span
class="html-attribute-name">comment</span>="<span
class="html-attribute-value">Red Hat Enterprise Linux 6
Server is installed</span>"</span><span
class="html-attribute"><span class="Apple-converted-space"> </span><span
class="html-attribute-name">test_ref</span>="<span
class="html-attribute-value">oval:com.redhat.rhsa:tst:20170190005</span>"</span>/></span></div>
<div class="line"><span class="html-tag"><criterion<span
class="html-attribute"><span class="Apple-converted-space"> </span><span
class="html-attribute-name">comment</span>="<span
class="html-attribute-value">Red Hat Enterprise Linux 6
Workstation is installed</span>"</span><span
class="html-attribute"><span class="Apple-converted-space"> </span><span
class="html-attribute-name">test_ref</span>="<span
class="html-attribute-value">oval:com.redhat.rhsa:tst:20170190006</span>"</span>/></span></div>
<div class="line"><span class="html-tag"><criterion<span
class="html-attribute"><span class="Apple-converted-space"> </span><span
class="html-attribute-name">comment</span>="<span
class="html-attribute-value">Red Hat Enterprise Linux 6
ComputeNode is installed</span>"</span><span
class="html-attribute"><span class="Apple-converted-space"> </span><span
class="html-attribute-name">test_ref</span>="<span
class="html-attribute-value">oval:com.redhat.rhsa:tst:20170190007</span>"</span>/></span></div>
<span class="text"></span></div>
<div class="line" style="color: rgb(0, 0, 0); font-family:
monospace; font-size: 13px; font-style: normal;
font-variant-ligatures: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans: 2;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px;"><span class="html-tag"></criteria></span></div>
</blockquote>
<br>
- Second, it will check what version of firefox is installed (e.g.
if it's the old nonpatched version, fail the check). It will also
make sure the RPM is signed by RedHat, so we're not passing RPMs
released by 3rd parties.<br>
<blockquote type="cite">
<div class="collapsible" id="collapsible34" style="color: rgb(0,
0, 0); font-family: monospace; font-size: 13px; font-style:
normal; font-variant-ligatures: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing: normal; orphans: 2;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px;">
<div class="expanded">
<div class="line"><span class="html-tag"><rpminfo_test<span
class="html-attribute"><span
class="Apple-converted-space"> </span><span
class="html-attribute-name">xmlns</span>="<span
class="html-attribute-value"><a class="moz-txt-link-freetext" href="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">http://oval.mitre.org/XMLSchema/oval-definitions-5#linux</a></span>"</span><span
class="html-attribute"><span
class="Apple-converted-space"> </span><span
class="html-attribute-name">check</span>="<span
class="html-attribute-value">at least one</span>"</span><span
class="html-attribute"><span
class="Apple-converted-space"> </span><span
class="html-attribute-name">comment</span>="<span
class="html-attribute-value">firefox is earlier than
0:45.7.0-1.el6_8</span>"</span><span
class="html-attribute"><span class="Apple-converted-space"> </span><span class="html-attribute-name">id</span>="<span
class="html-attribute-value">oval:com.redhat.rhsa:tst:20170190008</span>"</span><span
class="html-attribute"><span
class="Apple-converted-space"> </span><span
class="html-attribute-name">version</span>="<span
class="html-attribute-value">602</span>"</span>></span></div>
<div class="collapsible-content" style="margin-left: 1em;"><span
class="text"></span>
<div class="line"><span class="html-tag"><object<span
class="html-attribute"><span
class="Apple-converted-space"> </span><span
class="html-attribute-name">object_ref</span>="<span
class="html-attribute-value">oval:com.redhat.rhsa:obj:20170190002</span>"</span>/></span></div>
<span class="text"></span>
<div class="line"><span class="html-tag"><state<span
class="html-attribute"><span
class="Apple-converted-space"> </span><span
class="html-attribute-name">state_ref</span>="<span
class="html-attribute-value">oval:com.redhat.rhsa:ste:20170190006</span>"</span>/></span></div>
<span class="text"></span></div>
<div class="line"><span class="html-tag"></rpminfo_test><br>
<br>
</span></div>
</div>
</div>
<span class="text" style="color: rgb(0, 0, 0); font-family:
monospace; font-size: 13px; font-style: normal;
font-variant-ligatures: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans: 2;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px;"></span>
<div class="collapsible" id="collapsible35" style="color: rgb(0,
0, 0); font-family: monospace; font-size: 13px; font-style:
normal; font-variant-ligatures: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing: normal; orphans: 2;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px;">
<div class="expanded">
<div class="line"><span class="html-tag"><rpminfo_test<span
class="html-attribute"><span
class="Apple-converted-space"> </span><span
class="html-attribute-name">xmlns</span>="<span
class="html-attribute-value"><a class="moz-txt-link-freetext" href="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">http://oval.mitre.org/XMLSchema/oval-definitions-5#linux</a></span>"</span><span
class="html-attribute"><span
class="Apple-converted-space"> </span><span
class="html-attribute-name">check</span>="<span
class="html-attribute-value">at least one</span>"</span><span
class="html-attribute"><span
class="Apple-converted-space"> </span><span
class="html-attribute-name">comment</span>="<span
class="html-attribute-value">firefox is signed with
Red Hat redhatrelease2 key</span>"</span><span
class="html-attribute"><span class="Apple-converted-space"> </span><span class="html-attribute-name">id</span>="<span
class="html-attribute-value">oval:com.redhat.rhsa:tst:20170190009</span>"</span><span
class="html-attribute"><span
class="Apple-converted-space"> </span><span
class="html-attribute-name">version</span>="<span
class="html-attribute-value">602</span>"</span>></span></div>
<div class="collapsible-content" style="margin-left: 1em;"><span
class="text"></span>
<div class="line"><span class="html-tag"><object<span
class="html-attribute"><span
class="Apple-converted-space"> </span><span
class="html-attribute-name">object_ref</span>="<span
class="html-attribute-value">oval:com.redhat.rhsa:obj:20170190002</span>"</span>/></span></div>
<span class="text"></span>
<div class="line"><span class="html-tag"><state<span
class="html-attribute"><span
class="Apple-converted-space"> </span><span
class="html-attribute-name">state_ref</span>="<span
class="html-attribute-value">oval:com.redhat.rhsa:ste:20170190002</span>"</span>/></span></div>
<span class="text"></span></div>
<div class="line"><span class="html-tag"></rpminfo_test></span></div>
</div>
</div>
</blockquote>
<br>
<br>
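Added example, not part of the mail above and not Red Hat's OVAL content or oscap code: a small evaluator for the two steps described (platform criteria, then the firefox version and signature tests), run against constructed host data. Assumptions: the outer AND nesting, the host dictionary layout, the placeholder key id, the simplified version comparison, all helper names, and a platform list trimmed to Client and Server.<br>
<br>

```python
import re
import xml.etree.ElementTree as ET

TRUSTED_KEYID = "0123456789abcdef"  # constructed placeholder, not the real key id
FIXED_EVR = "0:45.7.0-1.el6_8"      # from the test comment quoted in the mail
T = "oval:com.redhat.rhsa:tst:2017019000"  # common prefix of the quoted test ids

# Constructed definition: criterion ids are from the mail, the outer AND is assumed.
DEFINITION = f"""<criteria operator="AND">
  <criteria operator="OR">
    <criterion comment="RHEL 6 Client is installed" test_ref="{T}4"/>
    <criterion comment="RHEL 6 Server is installed" test_ref="{T}5"/>
  </criteria>
  <criterion comment="firefox is earlier than {FIXED_EVR}" test_ref="{T}8"/>
  <criterion comment="firefox is signed with Red Hat key" test_ref="{T}9"/>
</criteria>"""

def _runs(s):
    """Digit/alpha runs; a numeric run sorts above an alphabetic one."""
    return [(1, int(r)) if r.isdigit() else (0, r)
            for r in re.findall(r"\d+|[A-Za-z]+", s)]

def evr_key(evr):
    """Sort key approximating RPM EVR ordering (no '~' or '^' handling)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), _runs(version), _runs(release)

def run_tests(host):
    """Test results for a constructed host dict (stand-in for the rpminfo probes)."""
    fx = host["rpms"].get("firefox")
    return {
        T + "4": host["variant"] == "Client",
        T + "5": host["variant"] == "Server",
        T + "8": fx is not None and evr_key(fx["evr"]) < evr_key(FIXED_EVR),
        T + "9": fx is not None and fx["keyid"] == TRUSTED_KEYID,
    }

def evaluate(node, results):
    """Walk the criteria tree; a criterion with no result counts as false."""
    if node.tag == "criterion":
        return results.get(node.get("test_ref"), False)
    children = [evaluate(child, results) for child in node]
    return any(children) if node.get("operator") == "OR" else all(children)

def is_flagged(host):
    """True means the definition matches, i.e. the fixed package is missing."""
    return evaluate(ET.fromstring(DEFINITION), run_tests(host))
```

In this model a false ("green") result has three separate causes: the platform criteria did not match, the package is not signed with the expected key, or the installed version is at or above the fixed one. Only the last of these means the fix is installed.<br>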
</body>
</html>