[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed

Jesus Linares jesus at wazuh.com
Fri Jul 7 08:37:55 UTC 2017

Thanks for the explanation. I understand that is not trivial. It may be a
good idea to review the Redhat OVAL process because it works very well:

But 109 is an approachable problem

I don't agree. If I have 100 Ubuntu servers and I run oscap every day... I
will get 10900 useless alerts. Of course, I can ignore them, but it is also
a hard task. On the other hand, 109 fails will be 200 in one year?. I think
the Ubuntu oval feed must be a feed with 0 false positives to be useful. I
mean, false positives must be fixed when you are aware of them.

Do not misunderstand, I appreciate all the work done, but I think this
process still needs a revision.

Thanks a lot!.

On Fri, Jul 7, 2017 at 2:13 AM, Seth Arnold <seth.arnold at canonical.com>

> On Thu, Jul 06, 2017 at 01:24:12PM +0200, Jesus Linares wrote:
> > it is parsed as "vulnerable" status. The oval generated for "vulnerable"
> > CVEs is: "check if the package exist". *It doesn't check any version*.
> This
> > may make sense for some packages, but I think it is not possible to have
> > 109 fails in an updated host.
> Strictly speaking, 109 fails in an updated host may make perfect sense:
> - The Ubuntu security team provides security support for packages in
>   main. The security team triages CVEs into different priorities and
>   may not get around to fixing 'low' or 'negligible' CVEs quickly.
> - The Ubuntu community provides security support for packages in universe.
>   The community may update some packages frequently (mariadb comes to
>   mind) while others never get updated.
> - As Tyler mentioned, it's possible for individual CVE entries to
>   incorrectly mark that an update is still needed for an issue even
>   though a fix has filtered in through Debian, perhaps years ago. We
>   fix these as we find them but probably the majority of fixes in this
>   category comes from Ubuntu community members researching the open CVEs
>   on their systems.
> This is one of my hopes of having a good OVAL tool: no one can inspect
> 4000 open CVEs to see which ones still need to be closed. But 109 is an
> approachable problem. If everyone with more open CVEs than they expect
> investigates a few we'll have this list knocked down in no time!
> Thanks
> --
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

*Jesus Linares*
*IT Security Engineer*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20170707/a838e64a/attachment.html>

More information about the ubuntu-hardened mailing list