You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: modules/administration/pages/auditing.adoc
+74-13
Original file line number
Diff line number
Diff line change
@@ -8,12 +8,10 @@ In the {productname} {webui}, navigate to [guimenu]``Audit`` to perform auditing
8
8
9
9
10
10
11
-
// This probably needs to be broken into sub-sections. --LKB 20200205
12
-
13
11
14
12
== CVE Audits
15
13
16
-
A CVE (common vulnerabilities and exposures) is a fix for a publicly known security vulnerability.
14
+
A CVE (Common Vulnerabilities and Exposures) is a fix for a publicly known security vulnerability.
17
15
18
16
[IMPORTANT]
19
17
====
@@ -32,7 +30,7 @@ We recommend that before you begin a CVE audit you refresh the data to ensure yo
32
30
. In the {productname} {webui}, navigate to menu:Admin[Task Schedules] and select the ``cve-server-channels-default`` schedule.
33
31
. Click btn:[cve-server-channels-bunch].
34
32
. Click btn:[Single Run Schedule] to schedule the task.
35
-
Allow the task to complete before continuing with the CVE audit.
33
+
Allow the task to complete before continuing with the CVE audit.
36
34
37
35
.Procedure: Verifying Patch Status
38
36
. In the {productname} {webui}, navigate to menu:Audit[CVE Audit].
@@ -50,24 +48,83 @@ You can use the {productname} API to verify the patch status of your clients.
50
48
Use the ``audit.listSystemsByPatchStatus`` API method.
51
49
For more information about this method, see the {productname} API Guide.
52
50
51
+
53
52
== OVAL
54
-
The CVE Audit operation relies on two primary data sources: Channels and OVAL (Open Vulnerability and Assessment Language).
55
-
These two sources provide us with metadata for conducting CVE audits, each serving a distinct purpose.
53
+
54
+
[IMPORTANT]
55
+
====
56
+
In addition to retrieving CVE information from channel data, {productname} now includes an experimental feature that fetches CVE details from OVAL files.
57
+
This functionality is currently considered a *Technology Preview*.
58
+
59
+
Users are encouraged to experiment with this feature and share feedback.
60
+
However, it is not yet recommended for production use without thorough testing in a test environment.
61
+
====
62
+
63
+
64
+
The CVE Audit operation relies on two primary data sources: channels and OVAL (Open Vulnerability and Assessment Language).
65
+
These two sources provide the metadata for conducting CVE audits, each serving a distinct purpose.
56
66
57
67
Channels::
58
-
Channels include the updated software packages, which include patches, and provide insights into the essential patches required to address vulnerabilities.
68
+
Channels include the updated software packages, including the patches, and provide insights into the essential patches required to address vulnerabilities.
59
69
60
-
OVAL::
61
-
In contrast, OVAL data supplies information about the vulnerabilities themselves and the packages that render a system vulnerable to a CVE.
70
+
OVAL (Technology Preview)::
71
+
In contrast, OVAL data supply the information about vulnerabilities themselves, and packages that render a system vulnerable to a CVE.
62
72
63
73
While it is possible to conduct CVE audits using only channels data, synchronizing OVAL data enhances the accuracy of the results, particularly in cases involving zero-day vulnerabilities or partially patched vulnerabilities.
64
74
65
-
OVAL data is also much more lightweight than channels data.
75
+
OVAL data is much more lightweight than channels data.
66
76
For example, OVAL data for {opensuse} Leap 15.4 is around 50{nbsp}MB.
77
+
67
78
Having synced OVAL data only, you can already perform CVE audits and check if your systems are vulnerable or not to a CVE, but you can't apply patches since they come from channels.
68
79
69
-
By default, OVAL data is updated at 23:00 every day.
70
-
We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest vulnerabilities metadata.
80
+
81
+
[NOTE]
82
+
====
83
+
Key characteristics of the OVAL feature include:
84
+
85
+
* *Disabled by default*: The feature is turned off by default and must be explicitly enabled by the user by updating the configuration file [litaral]``rhn.conf`` and restarting relevant services.
86
+
* *Reversible*: If any issues arise, users can revert back to the standard channel-based CVE audit.
87
+
* *Performance considerations*: While initial testing has been conducted, there are still concerns regarding performance, and further optimizations may be needed.
88
+
89
+
* OVAL data is updated at 23:00 every day by default.
90
+
We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest vulnerabilities metadata.
91
+
====
92
+
93
+
94
+
.Procedure: Enabling OVAL Data Support
95
+
96
+
. Add or modify the following setting in [literal]``rhn.conf``:
97
+
98
+
+
99
+
----
100
+
java.cve_audit.enable_oval_metadata=true
101
+
----
102
+
+
103
+
. Restart the Tomcat and Taskomatic services:
104
+
105
+
+
106
+
----
107
+
systemctl restart tomcat taskomatic
108
+
----
109
+
110
+
If you encounter issues and need to revert to the default behavior, disable the feature by setting:
111
+
112
+
113
+
.Procedure: Disabling OVAL Data Support
114
+
115
+
. Add or modify the following setting in [literal]``rhn.conf``:
116
+
+
117
+
----
118
+
java.cve_audit.enable_oval_metadata=false
119
+
----
120
+
+
121
+
. Restart the Tomcat and Taskomatic services:
122
+
123
+
+
124
+
----
125
+
systemctl restart tomcat taskomatic
126
+
----
127
+
71
128
72
129
.Procedure: Updating OVAL Data
73
130
. In the {productname} {webui}, navigate to menu:Admin[Task Schedules] and select the ``oval-data-sync-default`` schedule.
@@ -76,7 +133,8 @@ We recommend that before you begin a CVE audit you refresh the data to ensure yo
76
133
77
134
Allow the task to complete before continuing with the CVE audit.
78
135
79
-
=== Collecting CPE
136
+
137
+
=== Collect CPE
80
138
81
139
To be able to accurately identify what vulnerabilities apply to a certain client, we need to identify the operating system product that client uses. To do that, we collect the CPE (Common Platform Enumeration) of the client as a salt grain, then we save it to the database.
82
140
@@ -88,6 +146,7 @@ However, for existing clients, it is necessary to execute the ``Update Packages
88
146
. Then go to the [guimenu]``Software`` tab and select the [guimenu]``Packages`` sub-tab.
89
147
. Click btn:[Update Packages List] to update packages and collect the CPE of client.
90
148
149
+
91
150
=== OVAL Sources
92
151
93
152
To ensure the integrity and currency of the OVAL data, {productname} exclusively consumes OVAL data from the official maintainers of every product. Below, you can find the list of OVAL data sources.
@@ -113,6 +172,7 @@ To ensure the integrity and currency of the OVAL data, {productname} exclusively
113
172
OVAL metadata is used in CVE auditing for only a subset of clients, namely, clients that use openSUSE Leap, SUSE enterprise products, RHEL, Debian or Ubuntu. This is due to the absence of OVAL vulnerability definitions metadata for the other products.
114
173
====
115
174
175
+
116
176
== CVE Status
117
177
118
178
The CVE status of clients is usually either ``affected``, ``not affected``, or ``patched``.
@@ -135,6 +195,7 @@ A patch known by {productname} in a relevant channel.
135
195
Relevant channel::
136
196
A channel managed by {productname}, which is either assigned to the system, the original of a cloned channel which is assigned to the system, a channel linked to a product which is installed on the system or a past or future service pack channel for the system.
137
197
198
+
138
199
[NOTE]
139
200
====
140
201
Because of the definitions used within {productname}, CVE audit results might be incorrect in some circumstances.
0 commit comments