thr3ads.net - freebsd security - portaudit, vuxml & OVAL data [Nov 2008]

If this information is useful, please help other people find it:
Share via:

Mark Foster

2008-Nov-14 08:45 UTC

portaudit, vuxml & OVAL data

I have a project idea regarding the extension of portaudit (which now
solely relies on the vuxml data from security/vuxml) to additionally
parse OVAL (CVE) data from the SCAP project.
http://nvd.nist.gov/scap.cfm
http://oval.mitre.org/

I see that they already have a schema definition for FreeBSD found here:
http://oval.mitre.org/language/download/schema/version5.5/index.html

I could see this turning into a oval2portaudit tool accompanied by a
modification of portaudit (if necessary) to accomodate
additional/disparate data sources.

-- 
Realization #2031: That the "meaning of life" is now just another
Google
search.
Mark D. Foster <mark@foster.cc>
http://mark.foster.cc/ | http://conshell.net/

Eygene Ryabinkin

2008-Nov-14 13:20 UTC

head link

portaudit, vuxml & OVAL data

Mark, good day.

Fri, Nov 14, 2008 at 08:21:05AM -0800, Mark Foster
wrote:> I have a project idea regarding the extension of portaudit (which now
> solely relies on the vuxml data from security/vuxml) to additionally
> parse OVAL (CVE) data from the SCAP project.
> http://nvd.nist.gov/scap.cfm
> http://oval.mitre.org/
> 
> I see that they already have a schema definition for FreeBSD found here:
> http://oval.mitre.org/language/download/schema/version5.5/index.html
I had glanced over this: there are FreeBSD-specific test definitions,
but currently there are no FreeBSD-specific vulnerability data at OVAL.
At least I had not found one.
> I could see this turning into a oval2portaudit tool accompanied by a
> modification of portaudit (if necessary) to accomodate
> additional/disparate data sources.
I could be a bit stupid, but I don't understand how the data from CVE is
pushed to the OVAL.  From what I had seen, there should be some person
who will do it: looking at the sources of OVAL data for the different
OSes, I had found that one should still write some tests to see if the
vulnerability is applicable to the current system state.  If it is
really so, then writing such tests is more-or-less equal to the creation
of a new VuXML entry.

I have another idea: use CVE XML feeds,
  http://nvd.nist.gov/download.cfm#CVE_FEED
to create drafts of the VuXML entries that will be passed to the
human for the inspection.  Such inspection is needed anyway, because,
for example, FreeBSD could have the port with the backported patch.
So, feed contents will tell us that the program is vulnerable, but
the reality will be different.
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual   
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook 
    {_.-``-'         {_/            #
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-security/attachments/20081114/1246f45c/attachment.pgp

freebsd security - Nov 2008 - portaudit, vuxml & OVAL data

portaudit, vuxml & OVAL data

portaudit, vuxml & OVAL data