[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed
Jesus Linares
jesus at wazuh.com
Fri Jul 7 08:37:55 UTC 2017
Thanks for the explanation. I understand that is not trivial. It may be a
good idea to review the Redhat OVAL process because it works very well:
https://www.redhat.com/security/data/oval/.
But 109 is an approachable problem
I don't agree. If I have 100 Ubuntu servers and I run oscap every day... I
will get 10900 useless alerts. Of course, I can ignore them, but it is also
a hard task. On the other hand, 109 fails will be 200 in one year?. I think
the Ubuntu oval feed must be a feed with 0 false positives to be useful. I
mean, false positives must be fixed when you are aware of them.
Do not misunderstand, I appreciate all the work done, but I think this
process still needs a revision.
Thanks a lot!.
On Fri, Jul 7, 2017 at 2:13 AM, Seth Arnold <seth.arnold at canonical.com>
wrote:
> On Thu, Jul 06, 2017 at 01:24:12PM +0200, Jesus Linares wrote:
> > it is parsed as "vulnerable" status. The oval generated for "vulnerable"
> > CVEs is: "check if the package exist". *It doesn't check any version*.
> This
> > may make sense for some packages, but I think it is not possible to have
> > 109 fails in an updated host.
>
> Strictly speaking, 109 fails in an updated host may make perfect sense:
>
> - The Ubuntu security team provides security support for packages in
> main. The security team triages CVEs into different priorities and
> may not get around to fixing 'low' or 'negligible' CVEs quickly.
>
> - The Ubuntu community provides security support for packages in universe.
> The community may update some packages frequently (mariadb comes to
> mind) while others never get updated.
>
> - As Tyler mentioned, it's possible for individual CVE entries to
> incorrectly mark that an update is still needed for an issue even
> though a fix has filtered in through Debian, perhaps years ago. We
> fix these as we find them but probably the majority of fixes in this
> category comes from Ubuntu community members researching the open CVEs
> on their systems.
>
> This is one of my hopes of having a good OVAL tool: no one can inspect
> 4000 open CVEs to see which ones still need to be closed. But 109 is an
> approachable problem. If everyone with more open CVEs than they expect
> investigates a few we'll have this list knocked down in no time!
>
> Thanks
>
> --
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>
>
--
*Jesus Linares*
*IT Security Engineer*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20170707/a838e64a/attachment.html>
More information about the ubuntu-hardened
mailing list