[ubuntu-hardened] OVAL/XCCDF for Ubuntu

dave bl db.pub.mail at gmail.com
Sat Sep 17 09:58:36 UTC 2011


On 17 September 2011 06:05, Marc Deslauriers
<marc.deslauriers at canonical.com> wrote:
> Hi Vincent,
>
> On Fri, 2011-09-16 at 15:54 -0400, Vincent Batts wrote:
>> howdy all,
>>
>> After a brief discussion with sbeattie, kees and mdeslaur, in the
>> #ubuntu-hardened irc channel, I understand that there are no official
>> efforts to establish an OVAL and/or XCCDF for ubuntu releases. There
>> are an increasing amount of utilities to generate reports, or execute
>> tests from these file formats. One of which is openscap
>> (http://www.open-scap.org/). A lot of its efforts come from the
>> redhat community.
>>
>> Question to the community, are there any groups currently working on
>> OVAL/XCCDF files, that would be willing to share?
>>
>> mdeslaur,
>> you mentioned access to the USN database, that might get accessed in
>> an effort to generate these files. Can you provide more information on
>> that?
>
>
> We track our CVE information in this repository:
> https://launchpad.net/ubuntu-cve-tracker
>
> We also have a python pickle database that contains all the USNs we've
> published, including descriptions and package versions. The database is
> located here:
>
> http://people.canonical.com/~ubuntu-security/usn/database.pickle
>
> The tools in the ubuntu-cve-tracker are used to generate that database,
> and can be looked at to gain knowledge of its structure.
>
> I think it would be fairly easy to write a python tool to parse the
> pickle and automatically generate the OVAL metadata for Ubuntu updates.
>
> Marc.


Hum perhaps a "sane" information format could also be made available?
(if others want to use the data)
While pickle may work "fine tm" from python it will not play with
other languages as nicely as say json. It is also a "bad idea tm" to
load pickles you have not dumped yourself.[0]

[0] http://nadiana.com/python-pickle-insecure
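
Added example, not part of the original message or of the ubuntu-cve-tracker tools: one way to convert a pickle you did not dump yourself into JSON without letting it import anything, by refusing every global reference during unpickling. The sample entry, its field names and the function names are constructed for illustration and are not the real USN database layout.

```python
import io
import json
import pickle
from collections import OrderedDict


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every class/function reference in the stream.

    Dicts, lists, tuples, strings, numbers, booleans and None are built by
    dedicated opcodes and never reach find_class, so plain data still loads.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "global %s.%s is not allowed" % (module, name))


def load_plain(data):
    """Decode pickle bytes that may only contain plain containers/scalars."""
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


def pickle_to_json(data):
    """Re-serialise a plain-data pickle as JSON for non-Python consumers."""
    return json.dumps(load_plain(data), sort_keys=True, indent=2)


def is_rejected(data):
    """True if the pickle references a global and was therefore refused."""
    try:
        load_plain(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample entry (hypothetical field names and values).
SAMPLE = {"USN-0000-1": {"description": "constructed entry",
                         "releases": {"natty": {"examplepkg": "1.0-1ubuntu1"}}}}
SAMPLE_PICKLE = pickle.dumps(SAMPLE)

# A harmless pickle that still needs an import (collections.OrderedDict);
# the restricted loader refuses it instead of resolving the name.
GLOBAL_PICKLE = pickle.dumps(OrderedDict(a=1))

if __name__ == "__main__":
    print(pickle_to_json(SAMPLE_PICKLE))
    print("OrderedDict pickle rejected:", is_rejected(GLOBAL_PICKLE))
```

Blocking globals removes the code-execution path through imported callables; it does not bound the memory or time a hostile pickle can consume.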
