<div dir="ltr">Hi Tyler,<div> </div><div>thanks for the changes. Now, I have around 109 fails.</div><div> </div><div><div>According to the scripts, if a CVE has one of the following statuses:</div><div><ul><li>needed </li><li>ignored </li><li>deferred </li><li>pending</li></ul></div><div>it is parsed as "vulnerable" status. The oval generated for "vulnerable" CVEs is: "check if the package exist". It doesn't check any version. This may make sense for some packages, but I think it is not possible to have 109 fails in an updated host.</div><div> </div><div>What mean those statuses?. </div><div> </div><div>I attached a file with the list of cve files that the Ubuntu Security Team should review.</div><div> </div><div><div>OVAL is a great tool and the Ubuntu process to generate the oval checks is almost ready. I think it just need a little review and be very careful during the process of assign a status to the cve file. This will be very useful for the community.</div></div><div> </div><div>Thanks.</div><div>Regards.</div></div><div> </div><div> </div></div><div class="gmail_extra"> <div class="gmail_quote">On Wed, Jul 5, 2017 at 6:02 PM, Tyler Hicks <<a href="mailto:tyhicks@canonical.com" target="_blank">tyhicks@canonical.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 07/05/2017 10:30 AM, Jesus Linares wrote: > Hi Tyler, > > The Ubuntu Security Team generates that file during CVE triage of > newly assigned CVEs. > > > that is a manual process, right?. Yes, it is manual. > > Because all versions are affected. If the status is 'needed', it means > that the Ubuntu Security team has not produced security updates that fix > the CVE. Therefore, all systems with the xfsprogs deb package installed > are affected. > > > So, right now, all systems with /xfsprogs /are vulnerable?. The cve was > in 2012, it is not possible... > > The description says that only affects to versions before 3.2.4. I think > you just need to update the > file: <a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150</a> > changing the line: > > xenial_xfsprogs: needed > > to > > xenial_xfsprogs: released (version?) > > > /parse_package_status /function for /needed > /status: <a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L149" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L149</a> > > If that line has the version, the python script will generate the proper > oval file. I thought that you were saying that, in general, a 'needed' status without a version number would generate problematic OVAL data. Now I understand that you were saying that CVE-2012-2150 needed to be retriaged. I've done that here: <a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/12855" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/12855</a> I've also committed the oval_lib.py change that you suggested: <a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/12856" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/12856</a> Thanks for debugging the issue and providing a fix! Let us know if you find any other issues in the generation of OVAL data. Tyler > > > I think I can't help more here, because the error is in the input files, > not in the scripts. > > What do you think?. > Thanks. > Regards. > > > > On Wed, Jul 5, 2017 at 5:12 PM, Tyler Hicks <<a href="mailto:tyhicks@canonical.com">tyhicks@canonical.com</a> <div><div class="h5">> <mailto:<a href="mailto:tyhicks@canonical.com">tyhicks@canonical.com</a>>> wrote: > > On 07/05/2017 09:57 AM, Jesus Linares wrote: > > Hi, > > > > it seems there are more errors. For example, I get a "fail" for the > > check: CVE-2012-2150. > > > > If we review the oval file for that check: > > > > <definition class="vulnerability" > > id="oval:com.ubuntu.xenial:def:20122150000" version="1"> > > ... > > <criteria> > > <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100" > > comment="Ubuntu 16.04 LTS (xenial) is installed." > > applicability_check="true" /> > > <criterion test_ref="oval:com.ubuntu.xenial:tst:20122150000" > > comment="The 'xfsprogs' package in xenial is affected and needs > > fixing." /> > > </criteria> > > </definition> > > <linux-def:dpkginfo_test > id="oval:com.ubuntu.xenial:tst:20122150000" > > version="1" check_existence="at_least_one_exists" check="all" > > comment="Does the 'xfsprogs' package exist?"> > > <linux-def:object > object_ref="oval:com.ubuntu.xenial:obj:20122150000"/> > > </linux-def:dpkginfo_test> > > <linux-def:dpkginfo_object > > id="oval:com.ubuntu.xenial:obj:20122150000" version="1" > comment="The > > 'xfsprogs' package."> > > <linux-def:name>xfsprogs</linux-def:name> > > </linux-def:dpkginfo_object> > > > > > > It is checking if the /xfsprogs /package exists. In my machine I have > > /xfsprogs 4.3.0+nmu1ubuntu1/ installed. So, the oscap is working > > properly. The point is: is my xfsprogs vulnerable?. If we take a look at > > the input file to generate the > > oval: <a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150</a> > <<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150</a>> > > > > xfs_metadump in *xfsprogs before 3.2.4* does not properly > obfuscate > > file data, which allows remote attackers to obtain sensitive > > information by reading a generated image. > > > > > > The description says: xfsprogs before 3.2.4 and I have the version 4. > > Oval is only checking if the package exists, but not its version. The > > reason is: > > > > The function /parse_package_status > > > (<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117</a> </div></div>> <<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117</a>>) > /parses > > the line: > > > > * "xenial_xfsprogs: needed" > > of > <a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150</a> > <<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150</a>> > > to > > * "{'note': "The 'xfsprogs' package in trusty is affected and needs > > fixing.", 'status': 'vulnerable'}". > > * That means check only the package, not the version, because > there is > > no version > > (<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L220" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L220</a> > <<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L220" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L220</a>>) > > > > If we take a look at other checks: > > > > * "xenial_git: released (1:2.7.4-0ubuntu1.1)" of > > <a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/retired/CVE-2017-8386" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/retired/CVE-2017-8386</a> > <<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/retired/CVE-2017-8386" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/retired/CVE-2017-8386</a>> > > is parsed to > > * {'fix-version': '1:2.7.4-0ubuntu1.1', 'note': "The 'git' > package in > > xenial was vulnerable but has been fixed (note: > > '1:2.7.4-0ubuntu1.1').", 'status': 'fixed'} > > * Here the version is checked. > > > > So, my final questions are: > > > > * Who generates this > > file > <a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150</a> > <<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150</a>>? > > The Ubuntu Security Team generates that file during CVE triage of newly > assigned CVEs. > > > * Why there is no a specific version? > > Because all versions are affected. If the status is 'needed', it means > that the Ubuntu Security team has not produced security updates that fix > the CVE. Therefore, all systems with the xfsprogs deb package installed > are affected. > > Do you know how that can be conveyed in the OVAL file? > > > > > There are 109 fails after fix the issue that I commented in the previous > > email and my OS is updated, so I suspect it is happening the same in the > > rest of checks. > > Thanks for tracking down the issue you described in your previous email. > I'll hold off on committing that change until you're able to get to the > bottom of the issue you describe in this email. > > Tyler > > > > > Thanks. > > Regards. > > > > > > > > > > On Wed, Jul 5, 2017 at 3:19 PM, Jesus Linares <<a href="mailto:jesus@wazuh.com">jesus@wazuh.com</a> <mailto:<a href="mailto:jesus@wazuh.com">jesus@wazuh.com</a>> > > <mailto:<a href="mailto:jesus@wazuh.com">jesus@wazuh.com</a> <mailto:<a href="mailto:jesus@wazuh.com">jesus@wazuh.com</a>>>> wrote: > > > > Hi, > > > > finally I found the > > issue: <a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110</a> > <<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110</a>> > > <<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110</a> > <<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110</a>>> > > > > In that line there is an if-else. The /else /has the logic to add > > the "negate" attribute, but the /if/ doesn't have it. > > > > It is neccesary to replace the lines 111 to 113, for: > > > > negation_attribute = 'negate = "true" ' if 'negate' in > > test_refs[0] and test_refs[0]['negate'] else '' > > mapping['criteria'] = '<criterion test_ref="{0}" comment="{1}" > > {2}/>'.format(test_refs[0]['id'], > > escape(test_refs[0]['comment']), negation_attribute) > > > > > > In this way, the scan reports 109 fails instead of 1750. Now, I'm > > going to review these 109 fails. > > > > Please, update the script ASAP. > > > > Thanks. > > Regards. > > > > > > On Tue, Jul 4, 2017 at 7:50 PM, Jesus Linares <<a href="mailto:jesus@wazuh.com">jesus@wazuh.com</a> <mailto:<a href="mailto:jesus@wazuh.com">jesus@wazuh.com</a>> > > <mailto:<a href="mailto:jesus@wazuh.com">jesus@wazuh.com</a> <mailto:<a href="mailto:jesus@wazuh.com">jesus@wazuh.com</a>>>> wrote: > > > > Hi, > > > > I'm testing again the oval files for Xenial 16.04 (updated) and > > OpenSCAP reports 1750 /fails/... Something weird is > happening. I > > will check out this issue again, but I would appreciate any help. > > > > Here an example: > > > > <linux-def:dpkginfo_test > > id="oval:com.ubuntu.xenial:tst:20176919000" version="1" > > check_existence="any_exist" check="all" comment="*Returns > > true whether or not the 'drupal7' package exists.*"> > > <linux-def:object > > object_ref="oval:com.ubuntu.xenial:obj:20076752000"/> > > </linux-def:dpkginfo_test> > > <linux-def:dpkginfo_object > > id="oval:com.ubuntu.xenial:obj:20076752000" version="1" > > comment="The 'drupal7' package."> > > <linux-def:name>drupal7</linux-def:name> > > </linux-def:dpkginfo_object> > > > > > > If the check return always true, it doesn't make sense... > > > > Thanks. > > Regards. > > > > > > > > On Wed, Nov 2, 2016 at 11:29 AM, Jesus Linares <<a href="mailto:jesus@wazuh.com">jesus@wazuh.com</a> <mailto:<a href="mailto:jesus@wazuh.com">jesus@wazuh.com</a>> > > <mailto:<a href="mailto:jesus@wazuh.com">jesus@wazuh.com</a> <mailto:<a href="mailto:jesus@wazuh.com">jesus@wazuh.com</a>>>> wrote: > > > > Hi, > > > > this is from the specific > > CVE: > xenial_libapache-mod-jk:not-affected(1:1.2.40+svn150520-1) > > > > So, if it is not affected for xenial, the check should > > include the "negate" in order to return that is not a > > vulnerability, right?. > > > > Regards. > > > > > > On Fri, Oct 28, 2016 at 9:10 PM, Seth Arnold > > <<a href="mailto:seth.arnold@canonical.com">seth.arnold@canonical.com</a> <mailto:<a href="mailto:seth.arnold@canonical.com">seth.arnold@canonical.com</a>> > > <mailto:<a href="mailto:seth.arnold@canonical.com">seth.arnold@canonical.com</a> <mailto:<a href="mailto:seth.arnold@canonical.com">seth.arnold@canonical.com</a>>>> wrote: > > > > On Fri, Oct 28, 2016 at 11:19:21AM +0200, Jesus Linares > > wrote: > > > I think this test should have the "negate" due to the comment "While > > > related to the CVE in some way, the 'libapache-mod-jk' > > package in* xenial > > > is not affected*". So, maybe the input of the script > > is wrong?. Where is > > > the input?. > > > > The input is from the ubuntu-cve-tracker bzr tree; > > > > <a href="https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master" rel="noreferrer" target="_blank">https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master</a> <<a href="https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master" rel="noreferrer" target="_blank">https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master</a>> > > <<a href="https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master" rel="noreferrer" target="_blank">https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master</a> <<a href="https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master" rel="noreferrer" target="_blank">https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master</a>>> > > > > In the case of this specific CVE: > > > > <a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111</a> > <<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111</a>> > > <<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111</a> > <<a href="http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111</a>>> > > > > Thanks > > > > -- > > ubuntu-hardened mailing list > > <a href="mailto:ubuntu-hardened@lists.ubuntu.com">ubuntu-hardened@lists.ubuntu.com</a> > <mailto:<a href="mailto:ubuntu-hardened@lists.ubuntu.com">ubuntu-hardened@lists.ubuntu.com</a>> > > <mailto:<a href="mailto:ubuntu-hardened@lists.ubuntu.com">ubuntu-hardened@lists.ubuntu.com</a> <div class="HOEnZb"><div class="h5">> <mailto:<a href="mailto:ubuntu-hardened@lists.ubuntu.com">ubuntu-hardened@lists.ubuntu.com</a>>> > > > <a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened" rel="noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened</a> > <<a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened" rel="noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened</a>> > <<a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened" rel="noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened</a> > <<a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened" rel="noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened</a>>> > > > > > > > > > > -- > > *Jesus Linares* > > /IT Security Engineer/ > > / > > / > > > > > > > > > > -- > > *Jesus Linares* > > /IT Security Engineer/ > > / > > / > > > > > > > > > > -- > > *Jesus Linares* > > /IT Security Engineer/ > > / > > / > > > > > > > > > > -- > > *Jesus Linares* > > /IT Security Engineer/ > > / > > / > > > > > > > > > > -- > *Jesus Linares* > /IT Security Engineer/ > / > / </div></div></blockquote></div> <div> </div>-- <div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Jesus Linares<div style="font-size:12.8px">IT Security Engineer</div><div style="font-size:12.8px"><img src="https://docs.google.com/uc?export=download&id=0Bx75KsPzHxO_THFpRzBONGpoeWs&revid=0Bx75KsPzHxO_aG5WOW1OU3p3V3JOVUczVDlPViszMTdGZUtrPQ" width="96" height="16"> </div></div></div> </div>