[Open-scap] Vulnerability detection accuracy for non-packaged Software!

Steve Grubb sgrubb at redhat.com
Mon Aug 1 12:58:43 UTC 2011


On Sunday, July 31, 2011 09:19:23 AM Jan Muhammad wrote:
> For about a year or so I have been using Nessus vulnerability scanner (now
> closed source);

But forked into OpenVAS.


> now thinking to switch to OpenScap along with Pakiti
> (http://pakiti.sourceforge.net/). I have configured and tested Pakiti
> partially (since my Pakiti Server has yet to fetch latest security updates
> from remote repositories). I came to the following conclusion.
> 
> Generally, the two most widely used methods for
> detecting vulnerable software and any other open ports are:-
> 
> Query the package database to see what has been “installed.”  (e.g. Pakiti)
> 
> Remotely scan open network ports. Many of these tools have
>      proprietary algorithms, which utilize service signatures to aid in the
>      determination of which versions of software are running. (e.g. Nessus
> Vulnerability Scanner)

I would rephrase these into:
1) Checking your installed software version numbers to see if they are known 
vulnerable
2) Attacking the software to see if it's vulnerable.

Depending on what the software is doing, attacking it is bad.


> These two methods seem to be straightforward in
> finding vulnerabilities.
> 
> However, what about all of the software, which has
> been copied onto systems in non-package form such as Apache Tomcat servers
> and the numerous JAR files used?

If I were the admin for those systems, I would do the packaging myself so that if you 
ever need to do an upgrade and some files disappear due to redesign by upstream, all 
that's left on the system is what's needed. I would also run scans periodically to try 
and find software that is not packaged. But if you have been copying software without 
packaging it, then you have a problem...


> This information isn't in the package
> database because it wasn't “installed” but just copied. For example, it
> may be possible through the use of a port scanning software to detect and
> identify the Tomcat instances — provided they are running and are
> accessible via the network being scanned.
> 
> Is there any possibility to check for vulnerable software (as those in
> above examples) with OpenScap?

Yes and no. I'll cover the no first, OVAL is not designed to send network packets. Its 
design is along the lines of #1 above. It can query versions from package databases. 
The problem is that you need to have good content for your scan. For example, many 
distros backport patches. So, if you have generic content that says apache version 
2.2.18 and lower have a vulnerability and you have 2.2.16 installed from your distro, 
then it might be patched already and you would want content tuned specifically to your 
distro to make sure. The key is that it is a version check from the package database.

Now, that said, XCCDF does allow using things other than OVAL for a check. You might 
call nmap for example. But I have seen nmap crash production database daemons. So, is 
that really a good idea?

My advice is package up everything.

-Steve
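As an added example (not code from this list thread or from OpenSCAP), the following script runs a version check in the style Steve describes against a constructed package inventory, once with generic upstream-style content and once with distro-tuned content, to show the false positive a backported patch produces. The inventory, the advisory thresholds and the `.el6` release strings are all constructed for illustration.

```python
"""Version checks against a package database: generic vs distro-tuned content.

Added example; not code from the Open-scap list thread. The package inventory and
the advisory content below are constructed for illustration.
"""
import re

# Constructed inventory in the shape of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'`.
INSTALLED = {
    "httpd": ("2.2.16", "4.el6"),    # distro build carrying a backported security fix
    "openssl": ("1.0.0", "10.el6"),
}

def _segments(s):
    """Split '2.2.16' or '4.el6' into runs of digits/letters (rpmvercmp-style)."""
    return [int(x) if x.isdigit() else x for x in re.findall(r"\d+|[A-Za-z]+", s)]

def vercmp(a, b):
    """Return -1, 0 or 1 comparing two version or release strings segment by segment."""
    for x, y in zip(_segments(a), _segments(b)):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        return -1 if isinstance(x, str) else 1   # numeric segments sort above alpha ones
    la, lb = len(_segments(a)), len(_segments(b))
    return (la > lb) - (la < lb)

def evr_cmp(installed, fixed):
    """Compare (version, release) tuples; the release only matters when versions tie."""
    c = vercmp(installed[0], fixed[0])
    return c if c else vercmp(installed[1], fixed[1])

def check_generic(name, vulnerable_up_to):
    """Upstream-style content: 'version <= X is vulnerable'; ignores the distro release."""
    ver, _ = INSTALLED[name]
    return vercmp(ver, vulnerable_up_to) <= 0

def check_distro(name, fixed_version, fixed_release):
    """Distro-tuned content: vulnerable only if the installed EVR is below the fixed build."""
    return evr_cmp(INSTALLED[name], (fixed_version, fixed_release)) < 0

if __name__ == "__main__":
    # Generic content flags httpd 2.2.16 because upstream says 2.2.18 and lower are affected.
    print("generic content says vulnerable:", check_generic("httpd", "2.2.18"))
    # Distro content knows the fix was backported in 2.2.16-3.el6, so 2.2.16-4.el6 is patched.
    print("distro content says vulnerable:", check_distro("httpd", "2.2.16", "3.el6"))
```

The same installed package is reported vulnerable by the generic content and clean by the distro-tuned content, which is why the content must match the distribution whose package database is being queried.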