5.0 4 - Mark the OVAL data consumption as tech preview

CHANGELOG.md

@@ -1,3 +1,4 @@
+- Marked OVAL data consumption as Technology Preview
 - Restructured Server and Proxy Installation to better distinguish
   between SUSE Linux Enterprise Micro and SUSE Linux Enterprise
   Server as host operating system respectively (bsc#1239801)

modules/administration/pages/auditing.adoc

@@ -8,12 +8,10 @@ In the {productname} {webui}, navigate to [guimenu]``Audit`` to perform auditing
 
 
 
-// This probably needs to be broken into sub-sections. --LKB 20200205
-
 
 == CVE Audits
 
-A CVE (common vulnerabilities and exposures) is a fix for a publicly known security vulnerability.
+A CVE (Common Vulnerabilities and Exposures) is a fix for a publicly known security vulnerability.
 
 [IMPORTANT]
 ====
@@ -25,18 +23,14 @@ CVE identification numbers use the form ``CVE-YEAR-XXXX``.
 
 In the {productname} {webui}, navigate to menu:Audit[CVE Audit] to see a list of all clients and their current patch status.
 
-By default, the CVE data is updated at 2300 every day.
+By default, the patch data is updated at 23:00 every day.
 We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest patches.
 
-
-
-.Procedure: Updating CVE Data
+.Procedure: Updating Patch Data
 . In the {productname} {webui}, navigate to menu:Admin[Task Schedules] and select the ``cve-server-channels-default`` schedule.
 . Click btn:[cve-server-channels-bunch].
 . Click btn:[Single Run Schedule] to schedule the task.
-    Allow the task to complete before continuing with the CVE audit.
-
-
+  Allow the task to complete before continuing with the CVE audit.
 
 .Procedure: Verifying Patch Status
 . In the {productname} {webui}, navigate to menu:Audit[CVE Audit].
@@ -46,17 +40,138 @@ We recommend that before you begin a CVE audit you refresh the data to ensure yo
 
 For more information about the patch status icons used on this page, see xref:reference:audit/audit-cve-audit.adoc[].
 
-
-For each system, the [guimenu]``Next Action`` column provides information about what you need to do to address vulnerabilities.
+For each system, the [guimenu]``Actions`` column provides information about what you need to do to address vulnerabilities.
 If applicable, a list of candidate channels or patches is also given.
 You can also assign systems to a [guimenu]``System Set`` for further batch processing.
 
-
 You can use the {productname} API to verify the patch status of your clients.
 Use the ``audit.listSystemsByPatchStatus`` API method.
 For more information about this method, see the {productname} API Guide.
 
 
+== OVAL
+
+[IMPORTANT]
+====
+In addition to retrieving CVE information from channel data, {productname} now includes an experimental feature that fetches CVE details from OVAL files.
+This functionality is currently considered a *Technology Preview*.
+
+Users are encouraged to experiment with this feature and share feedback.
+However, it is not yet recommended for production use without thorough testing in a test environment.
+====
+
+
+The CVE Audit operation relies on two primary data sources: channels and OVAL (Open Vulnerability and Assessment Language).
+These two sources provide the metadata for conducting CVE audits, each serving a distinct purpose.
+
+Channels::
+Channels include the updated software packages, including the patches, and provide insights into the essential patches required to address vulnerabilities.
+
+OVAL (Technology Preview)::
+In contrast, OVAL data supply the information about vulnerabilities themselves, and packages that render a system vulnerable to a CVE.
+
+While it is possible to conduct CVE audits using only channels data, synchronizing OVAL data enhances the accuracy of the results, particularly in cases involving zero-day vulnerabilities or partially patched vulnerabilities.
+
+OVAL data is much more lightweight than channels data.
+For example, OVAL data for {opensuse} Leap 15.4 is around 50{nbsp}MB.
+
+Having synced OVAL data only, you can already perform CVE audits and check if your systems are vulnerable or not to a CVE, but you can't apply patches since they come from channels.
+
+
+[NOTE]
+====
+Key characteristics of the OVAL feature include: 
+
+* *Disabled by default*: The feature is turned off by default and must be explicitly enabled by the user by updating the configuration file [litaral]``rhn.conf`` and restarting relevant services.
+* *Reversible*: If any issues arise, users can revert back to the standard channel-based CVE audit.
+* *Performance considerations*: While initial testing has been conducted, there are still concerns regarding performance, and further optimizations may be needed.
+
+* OVAL data is updated at 23:00 every day by default.
+  We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest vulnerabilities metadata.
+====
+
+
+.Procedure: Enabling OVAL Data Support
+
+. Add or modify the following setting in [literal]``rhn.conf``:  
+
++
+----
+java.cve_audit.enable_oval_metadata=true
+----
++
+. Restart the Tomcat and Taskomatic services:
+
++
+----
+systemctl restart tomcat taskomatic
+----
+
+If you encounter issues and need to revert to the default behavior, disable the feature by setting:
+
+
+.Procedure: Disabling OVAL Data Support
+
+. Add or modify the following setting in [literal]``rhn.conf``:
++
+----
+java.cve_audit.enable_oval_metadata=false
+----
++
+. Restart the Tomcat and Taskomatic services:
+
++
+----
+systemctl restart tomcat taskomatic
+----
+
+
+.Procedure: Updating OVAL Data
+. In the {productname} {webui}, navigate to menu:Admin[Task Schedules] and select the ``oval-data-sync-default`` schedule.
+. Click btn:[oval-data-sync-bunch].
+. Click btn:[Single Run Schedule] to schedule the task.
+
+Allow the task to complete before continuing with the CVE audit.
+
+
+=== Collect CPE
+
+To be able to accurately identify what vulnerabilities apply to a certain client, we need to identify the operating system product that client uses. To do that, we collect the CPE (Common Platform Enumeration) of the client as a salt grain, then we save it to the database.
+
+The CPE of newly registered clients will be automatically collected and saved to the database.
+However, for existing clients, it is necessary to execute the ``Update Packages List`` action at least once.
+
+.Procedure: Update Packages List
+. In the {productname} {webui}, navigate to menu:Systems[System List > All] and select a client.
+. Then go to the [guimenu]``Software`` tab and select the [guimenu]``Packages`` sub-tab.
+. Click btn:[Update Packages List] to update packages and collect the CPE of client.
+
+
+=== OVAL Sources
+
+To ensure the integrity and currency of the OVAL data, {productname} exclusively consumes OVAL data from the official maintainers of every product. Below, you can find the list of OVAL data sources.
+
+[[oval-sources]]
+[cols="1,1", options="header"]
+.OVAL Sources
+|===
+| Product | Source URL
+| openSUSE Leap .5+.^| https://ftp.suse.com/pub/projects/security/oval
+| openSUSE Leap Micro
+| SUSE Linux Enterprise Server
+| SUSE Linux Enterprise Desktop
+| SUSE Linux Enterprise Micro
+| RedHat Enterprise Linux | https://www.redhat.com/security/data/oval/v2
+| Debian | https://www.debian.org/security/oval
+| Ubuntu | https://security-metadata.canonical.com/oval
+|===
+
+
+[NOTE]
+====
+OVAL metadata is used in CVE auditing for only a subset of clients, namely, clients that use openSUSE Leap, SUSE enterprise products, RHEL, Debian or Ubuntu. This is due to the absence of OVAL vulnerability definitions metadata for the other products.
+====
+
 
 == CVE Status
 
@@ -80,6 +195,7 @@ A patch known by {productname} in a relevant channel.
 Relevant channel::
 A channel managed by {productname}, which is either assigned to the system, the original of a cloned channel which is assigned to the system, a channel linked to a product which is installed on the system or a past or future service pack channel for the system.
 
+
 [NOTE]
 ====
 Because of the definitions used within {productname}, CVE audit results might be incorrect in some circumstances.