[ubuntu-hardened] OVAL/XCCDF for Ubuntu

Marc Deslauriers marc.deslauriers at canonical.com
Sat Sep 17 11:24:23 UTC 2011


On Sat, 2011-09-17 at 19:58 +1000, dave bl wrote:
> On 17 September 2011 06:05, Marc Deslauriers
> <marc.deslauriers at canonical.com> wrote:
> > Hi Vincent,
> >
> > On Fri, 2011-09-16 at 15:54 -0400, Vincent Batts wrote:
> >> howdy all,
> >>
> >> After a brief discussion with sbeattie, kees and mdeslaur, in the
> >> #ubuntu-hardened irc channel, I understand that there are no official
> >> efforts to establish an OVAL and/or XCCDF for ubuntu releases. There
> >> are an increasing number of utilities to generate reports, or execute
> >> tests from these file formats. One of which is openscap
> >> (http://www.open-scap.org/). A lot of its efforts come from the
> >> redhat community.
> >>
> >> Question to the community, are there any groups currently working on
> >> OVAL/XCCDF files, that would be willing to share?
> >>
> >> mdeslaur,
> >> you mentioned access to the USN database, that might get accessed in
> >> an effort to generate these files. Can you provide more information on
> >> that?
> >
> >
> > We track our CVE information in this repository:
> > https://launchpad.net/ubuntu-cve-tracker
> >
> > We also have a python pickle database that contains all the USNs we've
> > published, including descriptions and package versions. The database is
> > located here:
> >
> > http://people.canonical.com/~ubuntu-security/usn/database.pickle
> >
> > The tools in the ubuntu-cve-tracker are used to generate that database,
> > and can be looked at to gain knowledge of its structure.
> >
> > I think it would be fairly easy to write a python tool to parse the
> > pickle and automatically generate the OVAL metadata for Ubuntu updates.
> >
> > Marc.
> 
> 
> Hum perhaps a "sane" information format could also be made available?
> (if others want to use the data)
> While pickle may work "fine tm" from python it will not play with
> other languages as nicely as say json. It is also a "bad idea tm" to
> load pickles you have not dumped yourself.[0]
> 
> [0] http://nadiana.com/python-pickle-insecure
> 

Sure. The pickle database was for our own use, but if anyone wants to
work on something to generate OVAL data, we'll gladly provide a json
format.

Marc.
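The point raised above (loading a pickle you did not dump yourself runs whatever callables the pickle names, while JSON can only yield plain data) can be shown in a few lines. This is an added example, not code from the thread or from ubuntu-cve-tracker; the USN field names in the sample record are assumed, and the `find_class` allowlist follows the pattern in the Python `pickle` documentation.

```python
import io
import json
import os
import pickle

# Allowlist of (module, name) globals a pickle may reference. Anything
# else (module functions, classes with __reduce__, ...) is refused
# before the unpickler gets a chance to call it.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "tuple"), ("builtins", "str"), ("builtins", "int"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only globals listed in SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class CallsOnLoad:
    """Constructed example: unpickling this object makes pickle call a
    callable chosen by whoever wrote the pickle. os.getcwd is harmless;
    the lesson is that the loader has no say in what gets called."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed sample record in the spirit of a USN entry (field names assumed).
SAMPLE_USN = {"id": "USN-0000-1", "releases": {"lucid": {"sources": ["pkg"]}}}


def safe_roundtrips() -> bool:
    """Plain data survives both the restricted unpickler and a JSON round trip."""
    via_pickle = restricted_loads(pickle.dumps(SAMPLE_USN))
    via_json = json.loads(json.dumps(SAMPLE_USN))   # JSON never executes code
    return via_pickle == SAMPLE_USN and via_json == SAMPLE_USN


def demo() -> str:
    """plain pickle.loads() would call os.getcwd(); the restricted loader refuses."""
    tricky = pickle.dumps(CallsOnLoad())
    try:
        restricted_loads(tricky)
        return "loaded"
    except pickle.UnpicklingError:
        return "refused"
```

Publishing the USN data as JSON, as offered above, removes the problem entirely: `json.loads` has no hook comparable to `find_class`, so consumers in any language can parse it without an allowlist.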