[Open-scap] vulnerability scan to detect security flaws, new/ unpatched CVEs

Shawn Wells shawn at redhat.com
Sun Jan 29 23:29:17 UTC 2017



On 1/27/17 2:53 AM, Sona Sarmadi wrote:
>
> Thanks for your quick reply Shawn. 
>
> I am trying to figure out how OVAL definitions work.
>
> For example if I want to detect unpatched CVEs in my RedHat Linux 6, I
> should use OVAL definition below: 
>
> https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_6.xml
>
> Does this file (Red_Hat_Enterprise_Linux_6.xml) contain all CVEs
> which affect Redhat Linux 6 or only those which have been fixed?
>
> If I haven’t applied all fixes provided by RedHat, will the command
> below detect and report those CVEs?
>
> oscap oval eval --results rhsa-results-oval.xml --report
> oval-report-RedHat6.html Red_Hat_Enterprise_Linux_6.xml
>
> I am asking this because I haven’t updated my RedHat for a while; I
> think I should at least get some kernel CVEs reported, but the result
> is all green.
>

If there was a RHSA released, there should be a corresponding SCAP
check. Ref:
https://access.redhat.com/articles/221883

The command is correct. It seems a bit odd that you have no findings, if
your system hasn't been patched for a while (e.g. stock install of RHEL
6.8).


WRT how the OVAL works, an example from the firefox patches last week:

- First, OVAL will see what RHEL version you're on, and even which derivative
(RHEL6 vs RHEL6 Workstation vs RHEL6 Desktop):
> <criteria operator="OR">
> <criterion comment="Red Hat Enterprise Linux 6 Client is
> installed" test_ref="oval:com.redhat.rhsa:tst:20170190004"/>
> <criterion comment="Red Hat Enterprise Linux 6 Server is
> installed" test_ref="oval:com.redhat.rhsa:tst:20170190005"/>
> <criterion comment="Red Hat Enterprise Linux 6 Workstation is
> installed" test_ref="oval:com.redhat.rhsa:tst:20170190006"/>
> <criterion comment="Red Hat Enterprise Linux 6 ComputeNode is
> installed" test_ref="oval:com.redhat.rhsa:tst:20170190007"/>
> </criteria>

- Second, it will check what version of firefox is installed (e.g. if
it's the old unpatched version, fail the check). It will also make sure
the RPM is signed by Red Hat, so we're not passing RPMs released by 3rd
parties.
> <rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="at
> least one" comment="firefox is earlier than
> 0:45.7.0-1.el6_8" id="oval:com.redhat.rhsa:tst:20170190008" version="602">
> <object object_ref="oval:com.redhat.rhsa:obj:20170190002"/>
> <state state_ref="oval:com.redhat.rhsa:ste:20170190006"/>
> </rpminfo_test>
>
> <rpminfo_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" check="at
> least one" comment="firefox is signed with Red Hat redhatrelease2
> key" id="oval:com.redhat.rhsa:tst:20170190009" version="602">
> <object object_ref="oval:com.redhat.rhsa:obj:20170190002"/>
> <state state_ref="oval:com.redhat.rhsa:ste:20170190002"/>
> </rpminfo_test>


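To make the evaluation logic in the reply concrete, here is an added example (not Shawn's code and not part of OpenSCAP) that reads a constructed, namespace-free OVAL-style fragment modelled on the RHSA structure quoted above and evaluates it against a few made-up package inventories. All OVAL ids, the redhat-release version string and the `signature_keyid` value are assumed placeholders; the platform tests are simplified to existence checks, `check="at least one"` is not modelled, and `rpmvercmp` is a cut-down re-implementation of rpm's ordering (no tilde or caret handling). It shows why an old firefox from a third-party build does not trip the check: the version comparison and the Red Hat signature test are ANDed together.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, namespace-free OVAL-style fragment modelled on the RHSA
# structure quoted in the thread. All ids are made up; the signature key id
# is an assumed placeholder, not taken from the Red Hat OVAL feed.
OVAL_XML = """<oval_definitions>
 <definitions>
  <definition id="oval:example:def:1" class="patch">
   <criteria operator="AND">
    <criteria operator="OR">
     <criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:example:tst:4"/>
     <criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:example:tst:5"/>
    </criteria>
    <criteria operator="AND">
     <criterion comment="firefox is earlier than 0:45.7.0-1.el6_8" test_ref="oval:example:tst:8"/>
     <criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:example:tst:9"/>
    </criteria>
   </criteria>
  </definition>
 </definitions>
 <tests>
  <rpminfo_test id="oval:example:tst:4"><object object_ref="oval:example:obj:4"/></rpminfo_test>
  <rpminfo_test id="oval:example:tst:5"><object object_ref="oval:example:obj:5"/></rpminfo_test>
  <rpminfo_test id="oval:example:tst:8"><object object_ref="oval:example:obj:2"/><state state_ref="oval:example:ste:6"/></rpminfo_test>
  <rpminfo_test id="oval:example:tst:9"><object object_ref="oval:example:obj:2"/><state state_ref="oval:example:ste:2"/></rpminfo_test>
 </tests>
 <objects>
  <rpminfo_object id="oval:example:obj:4"><name>redhat-release-client</name></rpminfo_object>
  <rpminfo_object id="oval:example:obj:5"><name>redhat-release-server</name></rpminfo_object>
  <rpminfo_object id="oval:example:obj:2"><name>firefox</name></rpminfo_object>
 </objects>
 <states>
  <rpminfo_state id="oval:example:ste:6"><evr operation="less than">0:45.7.0-1.el6_8</evr></rpminfo_state>
  <rpminfo_state id="oval:example:ste:2"><signature_keyid operation="equals">199e2f91fd431d51</signature_keyid></rpminfo_state>
 </states>
</oval_definitions>"""

def rpmvercmp(a, b):
    """Segment-wise version compare in the spirit of rpm's rpmvercmp
    (simplified: no tilde/caret handling). Returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment sorts newer than alpha
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare two epoch:version-release strings; a missing epoch means 0."""
    def split(evr):
        epoch, _, rest = evr.partition(":") if ":" in evr else ("0", "", evr)
        version, _, release = rest.partition("-")
        return epoch, version, release
    for x, y in zip(split(a), split(b)):
        if (c := rpmvercmp(x, y)):
            return c
    return 0

# How each OVAL state operation is applied to an installed package field.
OPS = {"less than": lambda have, want: evr_cmp(have, want) < 0,
       "equals": lambda have, want: have == want}

class OvalEvaluator:
    """Tiny evaluator for rpminfo tests: enough to show the platform-OR /
    version-AND / signature-AND logic, not a replacement for oscap."""
    def __init__(self, xml_text, inventory):
        self.root = ET.fromstring(xml_text)
        self.tests = {t.get("id"): t for t in self.root.iter("rpminfo_test")}
        self.objects = {o.get("id"): o.findtext("name") for o in self.root.iter("rpminfo_object")}
        self.states = {s.get("id"): s for s in self.root.iter("rpminfo_state")}
        self.inventory = inventory   # {package name: {"evr": ..., "signature_keyid": ...}}

    def run_test(self, test_id):
        test = self.tests[test_id]
        pkg = self.inventory.get(self.objects[test.find("object").get("object_ref")])
        if pkg is None:
            return False             # package not installed: the test cannot match
        state_ref = test.find("state")
        if state_ref is None:
            return True              # no state: plain existence check (the platform tests)
        state = self.states[state_ref.get("state_ref")]
        return all(OPS[f.get("operation")](pkg.get(f.tag, ""), f.text) for f in state)

    def criteria(self, node):
        results = [self.run_test(c.get("test_ref")) if c.tag == "criterion" else self.criteria(c)
                   for c in node]
        return all(results) if node.get("operator") == "AND" else any(results)

    def missing_patches(self):
        """Ids of patch definitions whose criteria hold, i.e. the advisory is NOT applied."""
        return [d.get("id") for d in self.root.iter("definition") if self.criteria(d.find("criteria"))]

KEY = "199e2f91fd431d51"   # assumed placeholder key id, matches OVAL_XML above
# Constructed inventories standing in for what rpm -qa would report on a host.
UNPATCHED = {"redhat-release-server": {"evr": "0:6Server-6.8.0.5.el6"},
             "firefox": {"evr": "0:45.6.0-1.el6_8", "signature_keyid": KEY}}
PATCHED = {"redhat-release-server": {"evr": "0:6Server-6.8.0.5.el6"},
           "firefox": {"evr": "0:45.7.0-1.el6_8", "signature_keyid": KEY}}
THIRD_PARTY = {"redhat-release-server": {"evr": "0:6Server-6.8.0.5.el6"},
               "firefox": {"evr": "0:45.6.0-1.el6_8", "signature_keyid": "0000000000000000"}}

def scan(inventory):
    return OvalEvaluator(OVAL_XML, inventory).missing_patches()

if __name__ == "__main__":
    for label, inv in (("unpatched", UNPATCHED), ("patched", PATCHED), ("third-party build", THIRD_PARTY)):
        print(f"{label}: missing advisories = {scan(inv)}")
```

Only the unpatched Red Hat-signed inventory reports the definition; the third-party build is silent because the signature test fails, which is one reason an "all green" report on an old box deserves a second look at where its packages came from.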