Consuming OVAL security content and Integrate with Uyuni #197
Comments
ddemaio
added
Others
Larged Sized Project
admd
changed the title
|
Hello, I have experience of working with C++ , Python and Ruby. In databases I have worked with MySQL. This project sounds interesting to me. I would like to contribute to this project this summer. |
|
Hi @dhananjay8968 , thank you for your interest. You are quite well equipped for the 1st part but for the second one, you will need to have some java knowledge. |
|
Hi, Sure I would be learning Java and going through the get started and learn more about oval format. Are there any good first issues related to this so that I can try solving them? |
|
I'm glad to hear that. We have some easy issues, and you can choose any one of them to tackle. To setup the development env, these links could be helpful https://github.com/uyuni-project/uyuni/wiki/Java-Development-Environment and https://github.com/uyuni-project/uyuni/wiki/Uyuni-development-in-no-time |
|
Hi @admd, I wanted to get your opinion on a topic related to OVAL. As you know, OVAL allows for extending the core XML schema and defining system-specific elements, such as My question is, is it required of the project to support all of the available system extensions or only the ones specified by Linux? Or can we choose which system extensions we should support? Thank you for your time and assistance. Regards, |
|
Hey @HoussemNasri , in context of this project we are only interested in the ones specific to Linux. Having said that, this particular project is mainly about consuming these oval files but all of these oval files will be related to linux distros, mainly rpm and dpkg based. |
|
Hi , |
|
Hi @admd, Thank you for answering my previous question! It cleared a lot of doubts in my mind. Since then, I've made more progress on the proposal and wanted to add an alternative solutions section. So, I have been considering alternative approaches to the suggested parse-data-and-store-it-in-Postgresql solution. After doing some research, I came up with three possible alternatives:
What are your thoughts on the matter? Do you think these solutions would work better than the Postgresql solution? I look forward to hearing your feedback. Thanks |
|
Hi @HoussemNasri , Thank you for submitting your proposals. They all appear to be interesting, but there are certain limitations that we need to consider. Firstly, we prefer not to add any new dependencies, such as a new database, other than the one we already have. Hence, we have to stick to Postgres, although it could be a different schema or even a different Postgres database instance. Secondly, for our specific use case, we do not require every piece of information that is available in these files. Instead, we only need a subset of the data. Therefore, it would be better to store the only relevant information in the Postgres database rather than querying the XML files in memory or introducing a new database. |
@admd I see that Ubuntu is in the list of supported clients in Uyuni but I can't think of any way to determine if an Ubuntu machine is affected by consuming these oval files. Maybe by reading Ubuntu's channel information? |
|
Indeed. Uyuni handles Ubuntu differently and get errata information from https://usn.ubuntu.com/usn-db/database.json file and then based on that information decides if some product is affected or not. |
|
I see – through Also, the provided oval files use Furthermore, I began looking around in the codebase; I would appreciate it if you could point me to important classes or documents that I should check. Thanks! |
|
Hi @HoussemNasri
Then also with this approach we can't tell if fix is almost ready and currently being tested by QA but is not released yet. Now for SUSE products, we already have this information in the Oval files provided by SUSE security team. For all other distribution, I am not aware if we have this information available in oval files provided by their vendor. For the codebase, I would recommend setting up the dev env and start playing with the CVE audit feature. To setup the development env, these links could be helpful https://github.com/uyuni-project/uyuni/wiki/Java-Development-Environment and https://github.com/uyuni-project/uyuni/wiki/Uyuni-development-in-no-time For debugging, this would come handy https://github.com/uyuni-project/uyuni/wiki/Development-Environment-Alternative-Instructions Most of the CVE audit related code resides in this directory, at least the backend code https://github.com/uyuni-project/uyuni/tree/master/java/code/src/com/redhat/rhn/manager/audit General documentation about feature is here https://www.uyuni-project.org/uyuni-docs/en/uyuni/reference/audit/audit-cve-audit.html |
|
@admd Could you please review my GSOC proposal? Additionally, I have noticed a lack of activity regarding GSOC in Uyuni's Gitter chat. Is there another chat I should use, or are people in the Gitter chat not very active? |
|
Dear @Bhavya031 Thank you for submitting your proposal. Upon review, I find it to be good. As for communication, I suggest utilizing Gitter chat, yes there may be delays in response times but gitter is the only chat platform that we use when it comes to Uyuni. Thank you for your understanding. |
|
We should close it as the project is done. |
Project Title:
Consuming OVAL security content
Description:
OVAL® is an XML description and reporting format used to assess and report the state of an operating system. More in-depth information about OVAL can be found on the Mitre OVAL website.
SUSE is currently providing OVAL information for SUSE Linux Enterprise products that allow to assess and report on the RPM package versions affected by known security issues in a CVE to RPM name/version mapping.
The SUSE-provided OVAL data includes:
The patch-style OVAL data expresses all security updates on a patch level, these can include multiple CVEs per patch.
The vulnerability OVAL data expresses security vulnerabilities on a CVE level.
The OVAL data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
This information is currently published per major product line for all processor architectures in one XML file:
Ref: https://www.suse.com/de-de/support/security/oval/
All the files are available here https://ftp.suse.com/pub/projects/security/oval/
In general, each major version of SUSE has 3 oval files in the following format
- suse.linux.enterprise.server.[version]-[affected|patch].xml
In case of SLE 15, we have the following,
suse.linux.enterprise.server.15-affected.xml - This is CVE indexed, and contains released, not affected and affected info
suse.linux.enterprise.server.15.xml - It has the CVE based info, but it contains the released updates and the "not affected" ones
suse.linux.enterprise.server.15-patch.xml - Patch variant of the 2nd file
Deliverable:
Usual queries
There is some more useful info that we can display like CVSS score, take this page as inspiration to see what else we can show https://www.suse.com/security/cve/CVE-2022-0492.html
Uyuni is an open-source systems management solution that can manage various Linux distributions using a powerful web UI and API. One of the core features of Uyuni is the CVE audit. Currently, it looks at the channel files to convey information to figure out the information about the CVEs and present it to the user. It mostly works but it could be further improved by consuming the oval content from the 1st part.
For example, currently, Uyuni cannot distinguish between
This could be fixed with the oval files consumption.
Mentor: @admd @parlt91
Skills:
Skill Level:
The first part should be Medium but the second part could be tricky because it involves a huge code base which means the overall skill level here is Medium / Hard.
Prject Size: Large Sized Project (350 hours)
Get started:
The text was updated successfully, but these errors were encountered: