[ubuntu-hardened] OVAL/XCCDF for Ubuntu

Marc Deslauriers marc.deslauriers at canonical.com
Fri Sep 16 20:05:06 UTC 2011


Hi Vincent,

On Fri, 2011-09-16 at 15:54 -0400, Vincent Batts wrote:
> howdy all,
> 
> After a brief discussion with sbeattie, kees and mdeslaur, in the
> #ubuntu-hardened IRC channel, I understand that there are no official
> efforts to establish an OVAL and/or XCCDF for Ubuntu releases. There
> are an increasing number of utilities to generate reports, or execute
> tests from these file formats. One of which is openscap
> (http://www.open-scap.org/). A lot of its efforts come from the
> Red Hat community.
> 
> Question to the community, are there any groups currently working on
> OVAL/XCCDF files, that would be willing to share?
> 
> mdeslaur,
> you mentioned access to the USN database, that might get accessed in
> an effort to generate these files. Can you provide more information on
> that?


We track our CVE information in this repository:
https://launchpad.net/ubuntu-cve-tracker

We also have a Python pickle database that contains all the USNs we've
published, including descriptions and package versions. The database is
located here:

http://people.canonical.com/~ubuntu-security/usn/database.pickle

The tools in the ubuntu-cve-tracker are used to generate that database,
and can be looked at to gain knowledge of its structure.

I think it would be fairly easy to write a Python tool to parse the
pickle and automatically generate the OVAL metadata for Ubuntu updates.

Marc.
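
A sketch of the kind of tool suggested above, added here as an example; it is not code from the original message or from ubuntu-cve-tracker. It reads the pickle with an unpickler that refuses every global (the file is fetched over plain HTTP, and a pickle can name arbitrary callables) and emits one OVAL patch definition, metadata only, per USN. The record layout (`title`, `description`, `cves`, `releases`), the `com.ubuntu.example` OVAL namespace and the sample entry are assumptions.

```python
import io
import pickle
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"


class DataOnlyUnpickler(pickle.Unpickler):
    """Accept plain containers and scalars only."""

    def find_class(self, module, name):
        # A fetched pickle can name any importable callable; refuse all globals.
        raise pickle.UnpicklingError(f"global {module}.{name} not allowed")


def load_usn_db(raw):
    # encoding="latin1" lets Python 3 read str objects pickled by Python 2.
    return DataOnlyUnpickler(io.BytesIO(raw), encoding="latin1").load()


def usn_to_oval_metadata(db):
    """Build one OVAL patch definition (metadata only) per USN entry."""
    q = lambda tag: f"{{{OVAL_NS}}}{tag}"
    root = ET.Element(q("definitions"))
    for usn_id in sorted(db):
        usn = db[usn_id]
        definition = ET.SubElement(root, q("definition"), {
            # "com.ubuntu.example" is a placeholder OVAL namespace.
            "id": "oval:com.ubuntu.example:def:" + usn_id.replace("-", ""),
            "version": "1", "class": "patch"})
        meta = ET.SubElement(definition, q("metadata"))
        ET.SubElement(meta, q("title")).text = f"USN-{usn_id}: {usn['title']}"
        affected = ET.SubElement(meta, q("affected"), {"family": "unix"})
        for release in sorted(usn["releases"]):
            ET.SubElement(affected, q("platform")).text = f"Ubuntu {release}"
        refs = [("USN", f"USN-{usn_id}")] + [("CVE", c) for c in usn.get("cves", [])]
        for source, ref_id in refs:
            ET.SubElement(meta, q("reference"), {"source": source, "ref_id": ref_id})
        ET.SubElement(meta, q("description")).text = usn["description"]
    return root


# Constructed sample record; the field names are an assumed layout.
SAMPLE_DB = {"9999-1": {
    "title": "examplepkg vulnerability",
    "description": "Constructed description for illustration.",
    "cves": ["CVE-0000-0000"],
    "releases": {"lucid": {"sources": {"examplepkg": {"version": "1.0-1ubuntu0.1"}}}},
}}

if __name__ == "__main__":
    tree = usn_to_oval_metadata(load_usn_db(pickle.dumps(SAMPLE_DB, protocol=2)))
    print(ET.tostring(tree, encoding="unicode"))
```

The package versions in each release entry would feed the definition's criteria and dpkg tests, which this sketch leaves out.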