[ubuntu-hardened] OVAL/XCCDF for Ubuntu

Marc Deslauriers marc.deslauriers at canonical.com
Fri Sep 16 20:05:06 UTC 2011

Hi Vincent,

On Fri, 2011-09-16 at 15:54 -0400, Vincent Batts wrote:
> howdy all,
> After a brief discussion with sbeattie, kees and mdeslaur, in the
> #ubuntu-hardened irc channel, I understand that there are no official
> efforts to establish a OVAL and/or XCCDF for ubuntu releases. There
> are an increasing amount of utilities to generate reports, or execute
> tests from these file formats. One of which is openscap
> (http://www.open-scap.org/). A lot of it's efforts come from the
> redhat community.
> Question to the community, are there any groups currently working on
> OVAL/XCCDF files, that would be willing to share?
> mdeslaur,
> you mentioned access to the USN database, that might get accessed in
> an effort to generate these files. Can you provide more information on
> that?

We track our CVE information in this repository:

We also have a python pickle database that contains all the USNs we've
published, including descriptions and package versions. The database is
located here:


The tools in the ubuntu-cve-tracker are used to generate that database,
and can be looked at to gain knowledge of it's structure.

I think it would be fairly easy to write a python tool to parse the
pickle and automatically generate the OVAL metadata for Ubuntu updates.


More information about the ubuntu-hardened mailing list