User:Delimiter/Projects/FreeBSD CVE
Introduction
This page is for notes, definitions and references regarding the conversion of FreeBSD vulnerability data (a.k.a. vuxml) to and from SCAP OVAL.
What is needed is something like oval2portaudit (similar to vuxml2portaudit); see the auditfile in auditfile.tar within /var/db/portaudit/auditfile.tbz.
Tasks
- figure out how vxquery really works
- get my hands on the oval.xml file and start a parser to convert to portaudit format
- tweak portaudit to allow polling of OVAL data also.
- Download, compile and run the OVAL interpreter
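One way to do the oval2portaudit conversion named in the tasks above, as an added example that is not code from portaudit, vuxml or this page's author. It assumes OVAL's FreeBSD portinfo test layout (a pkginst object and a version state) and portaudit's `pattern|URL|description` auditfile line format; the sample document, its IDs, version number and URL are constructed.

```python
# Added example: OVAL definitions -> portaudit auditfile lines.
# SAMPLE_OVAL is constructed; the portinfo layout used for FreeBSD is an assumption.
import xml.etree.ElementTree as ET

OPS = {"less than": "<", "less than or equal": "<=", "equals": "=",
       "greater than": ">", "greater than or equal": ">="}

SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:bsd="http://oval.mitre.org/XMLSchema/oval-definitions-5#freebsd">
 <definitions><definition id="oval:example:def:1" version="1" class="vulnerability">
   <metadata><title>mt-daapd -- constructed sample entry</title>
    <reference source="CVE" ref_id="CVE-0000-0000" ref_url="http://example.invalid/a"/></metadata>
   <criteria><criterion test_ref="oval:example:tst:1"/></criteria></definition></definitions>
 <tests><bsd:portinfo_test id="oval:example:tst:1" version="1" check="all">
   <bsd:object object_ref="oval:example:obj:1"/><bsd:state state_ref="oval:example:ste:1"/>
  </bsd:portinfo_test></tests>
 <objects><bsd:portinfo_object id="oval:example:obj:1" version="1">
   <bsd:pkginst>mt-daapd</bsd:pkginst></bsd:portinfo_object></objects>
 <states><bsd:portinfo_state id="oval:example:ste:1" version="1">
   <bsd:version operation="less than">0.0.1</bsd:version></bsd:portinfo_state></states>
</oval_definitions>"""

def named(el, name):   # el and its descendants whose tag, minus "{namespace}", is name
    return [c for c in el.iter() if c.tag.rsplit("}", 1)[-1] == name]

def first(el, name):
    return next(iter(named(el, name)), None)

def follow(by_id, el, name):   # resolve <name name_ref="..."> under el to its target
    link = first(el, name) if el is not None else None
    return by_id.get(link.get(name + "_ref")) if link is not None else None

def oval2portaudit(xml_text):
    root = ET.fromstring(xml_text)
    by_id = {e.get("id"): e for e in root.iter() if e.get("id")}
    lines = []
    for d in (x for x in named(root, "definition") if x.get("class") == "vulnerability"):
        title, ref = first(d, "title"), first(d, "reference")
        url = ref.get("ref_url", "") if ref is not None else ""
        # "|" is the auditfile field separator, so it must not survive in the description
        desc = ((title.text if title is not None else None) or d.get("id", "")).replace("|", " ")
        for crit in named(d, "criterion"):
            test = by_id.get(crit.get("test_ref"))
            obj, ste = follow(by_id, test, "object"), follow(by_id, test, "state")
            if obj is None or ste is None:
                continue   # dangling reference: skip the entry rather than guess
            name, ver = first(obj, "pkginst"), first(ste, "version")
            op = OPS.get(ver.get("operation", "equals")) if ver is not None else None
            if name is not None and name.text and op and ver.text:
                lines.append(f"{name.text}{op}{ver.text}|{url}|{desc}")
    return lines
```

Operations with no comparison-operator equivalent (for example "pattern match") are dropped, so a converted auditfile can under-report relative to the OVAL source.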
vxquery
vxquery /tmp/auditfile mt-daapd
Parsing failed @ line 1: not well-formed (invalid token)
validation notes
Install /usr/ports/textproc/libxml2/
fetch http://cve.mitre.org/data/downloads/allitems.xml.gz
gunzip allitems.xml.gz
fetch http://cve.mitre.org/schema/cve/cve_1.0.xsd
/usr/local/bin/xmllint --valid --noout --schema cve_1.0.xsd allitems.xml
OVAL Specifics
What are the valid/relevant platforms for FreeBSD?
TBD
Details of the OVAL xml data for FreeBSD
Definitions
ISAP
Information Security Automation Program (ISAP) is a U.S. government multi-agency initiative to enable automation and standardization of technical security operations.
SCAP
Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance).
NVD
NVD is the U.S. government content repository for ISAP and SCAP.
Authenticated Vulnerability and Patch Scanner
A product with the ability to scan a target system to locate and identify the presence of known software flaws and evaluate the software patch status to determine compliance with a defined patch policy using target system logon privileges.
portaudit qualifies as this
Vulnerability Database
A SCAP vulnerability database is a product that contains a catalog of security related software flaw issues labeled with CVEs where applicable. This data is made accessible to users through a search capability or data feed and contains descriptions of software flaws, references to additional information (e.g., links to patches or vulnerability advisories), and impact scores. The user-to-database interaction is provided independent of any scans, intrusion detection, or reporting activities. Thus, a product that only scans to find vulnerabilities and then stores the results in a database does not meet the requirements for an SCAP vulnerability database (such a product would map to a different SCAP capability). A product that presents the user general knowledge about vulnerabilities, independent of a particular environment, would meet the definition of an SCAP vulnerability database.
vuxml qualifies as this
Open Vulnerability Assessment Language (OVAL)
An XML-based language used for communicating the details of vulnerabilities, patches, security configuration settings, and other machine states in a machine-readable form.
OVAL ID
An identifier for a specific OVAL definition that conforms to the format for OVAL IDs. For more information please see the OVAL specification reference in Section 2.1.
References
Other URLs and references