From 2bf2c7ffa827fdfa5322c17eddc9ae0b05182506 Mon Sep 17 00:00:00 2001 From: HoussemNasri Date: Fri, 22 Sep 2023 23:17:35 +0100 Subject: [PATCH 01/10] Update patch statuses --- modules/reference/pages/audit/audit-cve-audit.adoc | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/modules/reference/pages/audit/audit-cve-audit.adoc b/modules/reference/pages/audit/audit-cve-audit.adoc index 73db476250b..ff4e3587d56 100644 --- a/modules/reference/pages/audit/audit-cve-audit.adoc +++ b/modules/reference/pages/audit/audit-cve-audit.adoc 
@@ -15,9 +15,14 @@ Clients are listed with a patch status icon. .Patch Status Icons |=== | Icon | Description | Action Required -| icon:exclamation-circle[role="red"] | Affected, patches are available in channels that are not assigned | The client is affected by a vulnerability and {productname} has patches for it, but the channels offering the patches are not assigned to the client. -| icon:exclamation-triangle[role="orange"] | Affected, at least one patch is available in an assigned channel | The client is affected by the vulnerability and {productname} has patches available in a channel that is directly assigned to the client. -| icon:circle[role="green"]| Not affected | There are no available CVE patches for this client. +| icon:exclamation-circle[role="red"] | Affected, patches are not released for the CVE. | The client is affected by a vulnerability for which a patch has not yet been released. +| icon:exclamation-circle[role="red"] | Affected, patches were released for the CVE but {productname} can't find them in any of the relevant channels. | The client is affected by a vulnerability that received a patch, but {productname} is unable to locate any of the patches in relevant channels. +| icon:shield[role="red"] | Affected, only partial patches are available for the CVE. | The client is affected by a vulnerability and {productname} has patches for it, but applying the patches will only fix some of the vulnerable packages. + +| icon:exclamation-triangle[role="orange"] | Affected, patches are available in channels that are not assigned | The client is affected by a vulnerability and {productname} has patches for it, but the channels offering the patches are not assigned to the client. +| icon:exclamation-triangle[role="orange"] | Affected, patches are available in a product migration target | The client is affected by a vulnerability and {productname} has patches for it, but applying the patch requires migrating the product to a newer version. 
+| icon:shield[role="orange"] | Affected, at least one patch is available in an assigned channel | The client is affected by the vulnerability and {productname} has patches available in a channel that is directly assigned to the client. +| icon:circle[role="green"]| Not affected | The client is not affected because none of the CVE vulnerable packages are installed. | icon:check-circle[role="green"] | Patched | A patch has been successfully installed on the client. |=== From 1b92b80645b9587daa5aed1749990d171981c369 Mon Sep 17 00:00:00 2001 From: HoussemNasri Date: Tue, 26 Sep 2023 01:26:18 +0100 Subject: [PATCH 02/10] Update the Auditing page --- modules/administration/pages/auditing.adoc | 54 +++++++++++++++++++--- 1 file changed, 47 insertions(+), 7 deletions(-) diff --git a/modules/administration/pages/auditing.adoc b/modules/administration/pages/auditing.adoc index f46f2bf207d..66abb4daa23 100644 --- a/modules/administration/pages/auditing.adoc +++ b/modules/administration/pages/auditing.adoc @@ -28,15 +28,11 @@ In the {productname} {webui}, navigate to menu:Audit[CVE Audit] to see a list of By default, the CVE data is updated at 2300 every day. We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest patches. - - .Procedure: Updating CVE Data . In the {productname} {webui}, navigate to menu:Admin[Task Schedules] and select the ``cve-server-channels-default`` schedule. . Click btn:[cve-server-channels-bunch]. . Click btn:[Single Run Schedule] to schedule the task. - Allow the task to complete before continuing with the CVE audit. - - +Allow the task to complete before continuing with the CVE audit. .Procedure: Verifying Patch Status . In the {productname} {webui}, navigate to menu:Audit[CVE Audit]. 
@@ -46,17 +42,61 @@ We recommend that before you begin a CVE audit you refresh the data to ensure yo For more information about the patch status icons used on this page, see xref:reference:audit/audit-cve-audit.adoc[]. - For each system, the [guimenu]``Next Action`` column provides information about what you need to do to address vulnerabilities. If applicable, a list of candidate channels or patches is also given. You can also assign systems to a [guimenu]``System Set`` for further batch processing. - You can use the {productname} API to verify the patch status of your clients. Use the ``audit.listSystemsByPatchStatus`` API method. For more information about this method, see the {productname} API Guide. +== OVAL +The CVE Audit operation relies on two primary data sources: Channels and OVAL. +These two sources provide us with metadata for conducting CVE audits, each serving a distinct purpose. + +1. **Channels:** Channels include the updated software packages, which include patches, and provide insights into the essential patches required to address CVEs. + +2. **OVAL:** In contrast, OVAL data supplies information about the vulnerabilities themselves and the packages that render +a system vulnerable to a CVE. + +While it is possible to conduct CVE audits using +only channels data, synchronizing OVAL data enhances +the accuracy of the results, particularly in cases involving zero-day vulnerabilities or partially patched +vulnerabilities. +OVAL data is also much more lightweight than channels data .e.g. OVAL data for openSUSE Leap 15.4 is around ~50 MB. +Having synced OVAL data only, you can already perform CVE audits and check if your systems are vulnerable or not to a CVE, but you can't apply patches since they come from channels. + +By default, OVAL data, is updated at 23:00 every day. We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest vulnerabilities metadata. + +.Procedure: Updating OVAL Data +. 
In the {productname} {webui}, navigate to menu:Admin[Task Schedules] and select the ``oval-data-sync-default`` schedule. +. Click btn:[oval-data-sync-bunch]. +. Click btn:[Single Run Schedule] to schedule the task. +Allow the task to complete before continuing with the CVE audit. + +To ensure the integrity and currency of the OVAL data, {productname} exclusively depend on data provided by the OS products maintainers. Below, you can find the list of OVAL data sources. + +[[oval-sources]] +[cols="1,1", options="header"] +.OVAL Sources +|=== +| Product | Source URL +| openSUSE Leap .5+.^| https://ftp.suse.com/pub/projects/security/oval +| openSUSE Leap Micro +| SUSE Linux Enterprise Server +| SUSE Linux Enterprise Desktop +| SUSE Linux Enterprise Micro +| RedHat Enterprise Linux | https://www.redhat.com/security/data/oval/v2 +| Debian | https://www.debian.org/security/oval +| Ubuntu | https://security-metadata.canonical.com/oval +|=== + + +[NOTE] +==== +OVAL metadata is used in CVE auditing for only a subset of clients, namely, clients that use openSUSE Leap, SUSE enterprise products, RHEL, Debian or Ubuntu. This is due to the absence of OVAL vulnerability definitions metadata for the other products. +==== == CVE Status From 6621cf97bd6196f67b268dde5452bead554b8b98 Mon Sep 17 00:00:00 2001 From: HoussemNasri Date: Mon, 2 Oct 2023 23:33:12 +0100 Subject: [PATCH 03/10] Cleanup --- modules/administration/pages/auditing.adoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/administration/pages/auditing.adoc b/modules/administration/pages/auditing.adoc index 66abb4daa23..79c2949658c 100644 --- a/modules/administration/pages/auditing.adoc +++ b/modules/administration/pages/auditing.adoc 
@@ -25,10 +25,10 @@ CVE identification numbers use the form ``CVE-YEAR-XXXX``. In the {productname} {webui}, navigate to menu:Audit[CVE Audit] to see a list of all clients and their current patch status. -By default, the CVE data is updated at 2300 every day. +By default, the patch data is updated at 23:00 every day. We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest patches. -.Procedure: Updating CVE Data +.Procedure: Updating Patch Data . In the {productname} {webui}, navigate to menu:Admin[Task Schedules] and select the ``cve-server-channels-default`` schedule. . Click btn:[cve-server-channels-bunch]. . Click btn:[Single Run Schedule] to schedule the task. @@ -42,7 +42,7 @@ Allow the task to complete before continuing with the CVE audit. For more information about the patch status icons used on this page, see xref:reference:audit/audit-cve-audit.adoc[]. -For each system, the [guimenu]``Next Action`` column provides information about what you need to do to address vulnerabilities. +For each system, the [guimenu]``Actions`` column provides information about what you need to do to address vulnerabilities. If applicable, a list of candidate channels or patches is also given. You can also assign systems to a [guimenu]``System Set`` for further batch processing. 
@@ -54,7 +54,7 @@ For more information about this method, see the {productname} API Guide. The CVE Audit operation relies on two primary data sources: Channels and OVAL. These two sources provide us with metadata for conducting CVE audits, each serving a distinct purpose. -1. **Channels:** Channels include the updated software packages, which include patches, and provide insights into the essential patches required to address CVEs. +1. **Channels:** Channels include the updated software packages, which include patches, and provide insights into the essential patches required to address vulnerabilities. 2. **OVAL:** In contrast, OVAL data supplies information about the vulnerabilities themselves and the packages that render a system vulnerable to a CVE. @@ -75,7 +75,7 @@ By default, OVAL data, is updated at 23:00 every day. We recommend that before y . Click btn:[Single Run Schedule] to schedule the task. Allow the task to complete before continuing with the CVE audit. -To ensure the integrity and currency of the OVAL data, {productname} exclusively depend on data provided by the OS products maintainers. Below, you can find the list of OVAL data sources. +To ensure the integrity and currency of the OVAL data, {productname} exclusively consumes OVAL data from the official maintainers of every product. Below, you can find the list of OVAL data sources. [[oval-sources]] [cols="1,1", options="header"] From a0881c96a5318e95a09dad60b30a71c17be18ab1 Mon Sep 17 00:00:00 2001 From: HoussemNasri Date: Tue, 3 Oct 2023 23:59:50 +0100 Subject: [PATCH 04/10] Add Collecting CPE section --- modules/administration/pages/auditing.adoc | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/modules/administration/pages/auditing.adoc b/modules/administration/pages/auditing.adoc index 79c2949658c..aca82d0b5cf 100644 --- a/modules/administration/pages/auditing.adoc +++ b/modules/administration/pages/auditing.adoc 
@@ -75,6 +75,19 @@ By default, OVAL data, is updated at 23:00 every day. We recommend that before y . Click btn:[Single Run Schedule] to schedule the task. Allow the task to complete before continuing with the CVE audit. +=== Collecting CPE + +To be able to accurately identify what vulnerabilities apply to a certain client, we need to identify the operating system product that client uses. To do that, we collect the CPE (Common Platform Enumeration) of the client as a salt grain, then we save it to the database. + +The cpe of newly registered clients will be automatically collected and saved to the database. However, for existing clients, it is necessary to execute the ``Update Packages List`` action at least once to + +.Procedure: Update Packages List +. In the {productname} {webui}, navigate to menu:Systems[System List > All] and select a client. +. Then go to the [guimenu]``Software`` tab and select the [guimenu]``Packages`` sub-tab. +. Click btn:[Update Packages List] to update packages and collect the CPE of client. + +=== OVAL Sources + To ensure the integrity and currency of the OVAL data, {productname} exclusively consumes OVAL data from the official maintainers of every product. Below, you can find the list of OVAL data sources. [[oval-sources]] From 5d672bc177b1e531a7c95d41a3f9319f2897973f Mon Sep 17 00:00:00 2001 From: Houssem Nasri Date: Thu, 21 Dec 2023 17:29:02 +0100 Subject: [PATCH 05/10] Update modules/administration/pages/auditing.adoc Co-authored-by: Karl Eichwalder --- modules/administration/pages/auditing.adoc | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/modules/administration/pages/auditing.adoc b/modules/administration/pages/auditing.adoc index aca82d0b5cf..237775ea305 100644 --- a/modules/administration/pages/auditing.adoc +++ b/modules/administration/pages/auditing.adoc 
@@ -54,10 +54,11 @@ For more information about this method, see the {productname} API Guide. The CVE Audit operation relies on two primary data sources: Channels and OVAL. These two sources provide us with metadata for conducting CVE audits, each serving a distinct purpose. -1. **Channels:** Channels include the updated software packages, which include patches, and provide insights into the essential patches required to address vulnerabilities. +Channels:: +Channels include the updated software packages, which include patches, and provide insights into the essential patches required to address vulnerabilities. -2. **OVAL:** In contrast, OVAL data supplies information about the vulnerabilities themselves and the packages that render -a system vulnerable to a CVE. +OVAL:: +In contrast, OVAL data supplies information about the vulnerabilities themselves and the packages that render a system vulnerable to a CVE. While it is possible to conduct CVE audits using only channels data, synchronizing OVAL data enhances From 41cd82582a6e2a329320de5c18b27a108421a394 Mon Sep 17 00:00:00 2001 From: Houssem Nasri Date: Thu, 21 Dec 2023 17:29:20 +0100 Subject: [PATCH 06/10] Update modules/administration/pages/auditing.adoc Co-authored-by: Karl Eichwalder --- modules/administration/pages/auditing.adoc | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/modules/administration/pages/auditing.adoc b/modules/administration/pages/auditing.adoc index 237775ea305..0f86c585d7c 100644 --- a/modules/administration/pages/auditing.adoc +++ b/modules/administration/pages/auditing.adoc 
@@ -60,10 +60,7 @@ Channels include the updated software packages, which include patches, and provi OVAL:: In contrast, OVAL data supplies information about the vulnerabilities themselves and the packages that render a system vulnerable to a CVE. -While it is possible to conduct CVE audits using -only channels data, synchronizing OVAL data enhances -the accuracy of the results, particularly in cases involving zero-day vulnerabilities or partially patched -vulnerabilities. +While it is possible to conduct CVE audits using only channels data, synchronizing OVAL data enhances the accuracy of the results, particularly in cases involving zero-day vulnerabilities or partially patched vulnerabilities. OVAL data is also much more lightweight than channels data .e.g. OVAL data for openSUSE Leap 15.4 is around ~50 MB. Having synced OVAL data only, you can already perform CVE audits and check if your systems are vulnerable or not to a CVE, but you can't apply patches since they come from channels. From 80f2cd4deb4694a6d0cab57c51ceef60af7eb5a9 Mon Sep 17 00:00:00 2001 From: Houssem Nasri Date: Thu, 21 Dec 2023 17:29:33 +0100 Subject: [PATCH 07/10] Update modules/administration/pages/auditing.adoc Co-authored-by: Karl Eichwalder --- modules/administration/pages/auditing.adoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/administration/pages/auditing.adoc b/modules/administration/pages/auditing.adoc index 0f86c585d7c..ad4ee96631a 100644 --- a/modules/administration/pages/auditing.adoc +++ b/modules/administration/pages/auditing.adoc 
@@ -62,7 +62,8 @@ In contrast, OVAL data supplies information about the vulnerabilities themselves While it is possible to conduct CVE audits using only channels data, synchronizing OVAL data enhances the accuracy of the results, particularly in cases involving zero-day vulnerabilities or partially patched vulnerabilities. -OVAL data is also much more lightweight than channels data .e.g. OVAL data for openSUSE Leap 15.4 is around ~50 MB. +OVAL data is also much more lightweight than channels data. +For example, OVAL data for {opensuse} Leap 15.4 is around 50{nbsp}MB. Having synced OVAL data only, you can already perform CVE audits and check if your systems are vulnerable or not to a CVE, but you can't apply patches since they come from channels. By default, OVAL data, is updated at 23:00 every day. We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest vulnerabilities metadata. From 7a75f124a0b596053c2773fc0151ba7c6dd4f9c2 Mon Sep 17 00:00:00 2001 From: Houssem Nasri Date: Thu, 21 Dec 2023 17:29:52 +0100 Subject: [PATCH 08/10] Update modules/administration/pages/auditing.adoc Co-authored-by: Karl Eichwalder --- modules/administration/pages/auditing.adoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/administration/pages/auditing.adoc b/modules/administration/pages/auditing.adoc index ad4ee96631a..5a2ccfd58f9 100644 --- a/modules/administration/pages/auditing.adoc +++ b/modules/administration/pages/auditing.adoc 
@@ -66,7 +66,8 @@ OVAL data is also much more lightweight than channels data. For example, OVAL data for {opensuse} Leap 15.4 is around 50{nbsp}MB. Having synced OVAL data only, you can already perform CVE audits and check if your systems are vulnerable or not to a CVE, but you can't apply patches since they come from channels. -By default, OVAL data, is updated at 23:00 every day. We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest vulnerabilities metadata. +By default, OVAL data is updated at 23:00 every day. +We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest vulnerabilities metadata. .Procedure: Updating OVAL Data . In the {productname} {webui}, navigate to menu:Admin[Task Schedules] and select the ``oval-data-sync-default`` schedule. From 4965bda9ae5024c7de622003c89070b35901125f Mon Sep 17 00:00:00 2001 From: Houssem Nasri Date: Thu, 21 Dec 2023 17:30:13 +0100 Subject: [PATCH 09/10] Update modules/administration/pages/auditing.adoc Co-authored-by: Karl Eichwalder --- modules/administration/pages/auditing.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/administration/pages/auditing.adoc b/modules/administration/pages/auditing.adoc index 5a2ccfd58f9..c4e8fb70047 100644 --- a/modules/administration/pages/auditing.adoc +++ b/modules/administration/pages/auditing.adoc @@ -73,6 +73,7 @@ We recommend that before you begin a CVE audit you refresh the data to ensure yo . In the {productname} {webui}, navigate to menu:Admin[Task Schedules] and select the ``oval-data-sync-default`` schedule. . Click btn:[oval-data-sync-bunch]. . Click btn:[Single Run Schedule] to schedule the task. + Allow the task to complete before continuing with the CVE audit. === Collecting CPE From d8304af0c9d51c9a98136e209cbbe622bbc6af5b Mon Sep 17 00:00:00 2001 
From: Houssem Nasri Date: Thu, 21 Dec 2023 17:32:13 +0100 Subject: [PATCH 10/10] Update modules/administration/pages/auditing.adoc Co-authored-by: Karl Eichwalder --- modules/administration/pages/auditing.adoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/administration/pages/auditing.adoc b/modules/administration/pages/auditing.adoc index c4e8fb70047..2bb9bf9d7cc 100644 --- a/modules/administration/pages/auditing.adoc +++ b/modules/administration/pages/auditing.adoc @@ -80,7 +80,8 @@ Allow the task to complete before continuing with the CVE audit. To be able to accurately identify what vulnerabilities apply to a certain client, we need to identify the operating system product that client uses. To do that, we collect the CPE (Common Platform Enumeration) of the client as a salt grain, then we save it to the database. -The cpe of newly registered clients will be automatically collected and saved to the database. However, for existing clients, it is necessary to execute the ``Update Packages List`` action at least once to +The CPE of newly registered clients will be automatically collected and saved to the database. +However, for existing clients, it is necessary to execute the ``Update Packages List`` action at least once. .Procedure: Update Packages List . In the {productname} {webui}, navigate to menu:Systems[System List > All] and select a client.
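Review bot: In PATCH 01/10, the new rows of the Patch Status Icons table reuse one icon for different states. `icon:exclamation-circle[role="red"]` marks both "patches are not released for the CVE" and "patches were released for the CVE but {productname} can't find them", and `icon:exclamation-triangle[role="orange"]` marks both "channels that are not assigned" and "a product migration target". Someone triaging from the icon column cannot tell a CVE with no vendor fix from one whose fix is simply missing from the synced channels, and those two cases call for different responses. Give each state its own icon, or state in the table how the two are told apart on the page. The third column is still headed "Action Required", but the new cells restate the condition; either say what the administrator should do in each case or rename the column.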
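Review bot: In PATCH 02/10, first hunk of auditing.adoc, the re-added line `Allow the task to complete before continuing with the CVE audit.` sits directly under step 3 (`. Click btn:[Single Run Schedule] to schedule the task.`) with no blank line between them, so AsciiDoc renders it as part of that list item rather than as a closing remark for the procedure. PATCH 09/10 inserts the separating blank line for the OVAL procedure only. Apply the same one-line fix to this procedure so both render the same way.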
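Review bot: In PATCH 02/10, second hunk of auditing.adoc, the OVAL Sources table names its products inconsistently. The row `| RedHat Enterprise Linux |` should read "Red Hat Enterprise Linux", and the NOTE below the table calls the same product "RHEL" without introducing the abbreviation. The table also spells out "openSUSE Leap" literally, while PATCH 07/10 switches the prose to the `{opensuse}` attribute; use the attribute in the table and the NOTE as well. Separately, the NOTE limiting OVAL-based auditing to a subset of clients comes after the table, at the end of the section. Move it up next to the paragraph that says OVAL "enhances the accuracy of the results", so readers with other client types see the limitation before they rely on that claim.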
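Review bot: In PATCH 03/10, last hunk, the reworded sentence `To ensure the integrity and currency of the OVAL data, {productname} exclusively consumes OVAL data from the official maintainers of every product.` overstates two things. "Every product" conflicts with the NOTE added in PATCH 02/10, which says OVAL metadata is used only for openSUSE Leap, SUSE enterprise products, RHEL, Debian and Ubuntu; write "of each supported product". Choosing an official source establishes where the data comes from, not that the downloaded file is intact, and nothing in this text says whether the download is verified. Either describe the check that is performed or replace "integrity" with wording about provenance. The same hunk range still has "These two sources provide us with metadata" in the first person, while the rest of the page addresses the reader as "you".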
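Review bot: In PATCH 04/10, the Collecting CPE section does not say what the audit reports for an existing client whose CPE has not been collected yet. The text says `Update Packages List` must run "at least once" for such clients, but a reader cannot tell whether those clients are audited from channel data only, skipped for OVAL matching, or shown with a particular status until then. Add one sentence stating the behaviour, since it determines whether a clean result can be trusted before the action has run. Smaller points in the same hunk: "salt grain" should be "Salt grain", "collect the CPE of client" is missing an article, and "we collect ... then we save it" should be rephrased with {productname} as the subject. The sentence cut off at "at least once to" is completed in PATCH 10/10, so it is fine once the series is squashed.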