| Student | Houssem Nasri |
|---|---|
| Organization | openSUSE |
| Primary repository | uyuni-project/uyuni |
| Project name | Improve Security Auditing in Uyuni by Incorporating OVAL Data |
| Project mentors | @admd, @parlt91 |
| Project page | Google Summer of Code 2023 Project Page |
| Status | Completed |
Uyuni's current CVE auditing feature solely depends on channels data, which can lead to false system evaluations. To illustrate this, consider the scenario where you audit a system that has a vulnerability that hasn't been patched yet. In such cases, Uyuni would provide an incorrect assessment, indicating that the system is 'Not affected' or 'Patched', despite it being vulnerable to the unpatched vulnerability.
The incorrect evaluation is due to the absence of vulnerability data. Channels only offer patch data for packages that have been patched. The algorithm verifies the installed packages on the system based on this information. This puts us at risk of receiving a false system evaluation if a package does not have a patch yet.
The reason behind the incorrect results is because of deficiencies in the dependent data. Therefore, to achieve accurate audits, it is imperative to incorporate additional data sources that provide comprehensive vulnerability information, regardless if they have patches or not, in addition to channels.
The goal of the project is to utilize OVAL (Open Vulnerability and Assessment Language) data, which is widely adopted within the Linux community and offers a standardized format, and integrate it within the CVE auditing feature to achieve more accurate results.
#7466 — [GSOC23] - A - Implement a fully functional CVE auditing feature based on OVAL data
#7509 — [GSOC23] - B - Enable the downloading and synchronization of OVAL data
#7510 — [GSOC23] - C - Implement a StAX parser for OVAL files
#7570 — [GSOC23] - D - Define RPC endpoints for listing the affected packages regarding a CVE
uyuni-docs#2471 — [GSOC23] - E - Update CVE Audit documentation
#7556 — Fix NoClassDefFoundError when opening notifications
#7102 — Stay consistent with the Create/Refresh buttons order
#7163 — Fix CSV download exception
Goal: Develop a software module to parse and persist OVAL data for SUSE products
- Wrote an ADR for selecting an XML parsing library to parse the OVAL documents.
- Developed the parser component (with JAXB)
- Wrote a rough draft of the RFC
- Designed a draft database scheme and created the required tables
- Implemented and Tested the Test and Criteria evaluation algorithms
- Implemented an algorithm to extract vulnerable packages from SUSE OVAL definition
Goal: Integrate the developed module with Uyuni's codebase
- Integrated the OVAL parser with Uyuni
- Integrated the OVAL database code with Uyuni
- Reworked the OVAL database scheme to integrate well with Uyuni (naming, reuse available data, etc...)
- Optimized database code
- Updated the RFC
- Implemented and Tested the new CVE auditing algorithm
- Add support for SUSE products
Goal: Add support for Debian and Red Hat products
- Add support for Debian
- Add support for Red Hat
Goal: Final touches
- Develop the OVAL Downloader component
- Schedule the OVAL sync task with Taskomatic
- Refactoring and performance tuning
- Design and implement the needed UI components
- Read OVAL configurations from a file
- Implement a custom grain module to get server's CPE
- Implement a StAX parser for better performance
Goal: Spacecmd Integration
- Modify
CVEAuditHandlerto implement the OVAL methods - Define commands and help messages in python code
- Test python code
Goal: Support Ubuntu
- Add support for Ubuntu
A Buffer of one week is kept for any unpredictable delay
While the planned feature has been successfully implemented and is currently functional, there remain opportunities for further improvements and optimizations. You can find documentation of these potential enhancements in the 'Todo' section of the project board.