Vulnerability Assessment | OpenSCAP portal

Stress-free Security for Your IT Infrastructure

The list of security vulnerabilities is constantly growing, and ensuring that your systems are not vulnerable to currently known security flaws is a continuous process.

Security researchers are reporting their findings on a daily basis; new weaknesses in software products are constantly being identified either using automated tools designed to uncover security flaws, or while performing code reviews. [1]

Once an exploit [2] [3] [4] for a particular flaw is published, it becomes easy for an attacker to take advantage of the flaw and cause problems such as data leaks or arbitrary code execution. At the same time, known vulnerabilities are also commonly shared in exploit databases.

Any organization wishing to protect itself against these attacks must set up a proper and sustainable vulnerability management policy. A good policy satisfies multiple key concepts, which include:

Detailed knowledge of the underlying computer infrastructure

Continuous delivery of certified information about currently known security flaws and their impact

Quick identification of the current security status of each system (security analysis)

Prompt reaction — capability to instantly perform corrective operations where necessary (remedial action)

Possibility to perform security analysis in automated,unattended way on regular basis, regardless of the infrastructure’s complexity

Availability of proper software tools to carry out these tasks with minimal effort while preventing or at least minimizing outage periods

The process of vulnerability assessment is a procedure based on the knowledge of the organization’s system infrastructure. It aims to identify security vulnerabilities present in the system, determine the security impact and consequences of each detected vulnerability (remote code execution, privilege escalation, excessive resource consumption, denial of service, etc.), and to prioritize and perform corrective operations based on this knowledge.

Table #1 Sample result of a single vulnerability assessment run on a particular computer environment
System Identifier hostname or IP address
Vulnerability ID	Package	Impact	Result	Alternative Name
CVE-2014-0160	openssl	High	Not Vulnerable	Heartbleed
CVE-2014-6271	bash	Urgent	Not Vulnerable	Shellshock
CVE-2014-7169	bash	High	Not Vulnerable	Shellshock
CVE-2015-0235	glibc	Urgent	Vulnerable	GHOST
CVE-2015-3456	Various	High	Vulnerable	VENOM
CVE-2015-0204	openssl	Medium	Not Vulnerable	FREAK
CVE-2015-4000	Various	Medium	Vulnerable	Logjam
…

Today’s software is often composed of multiple components rather than being monolithic, and it is important to note that security flaws typically do not impact an entire infrastructure, but only relatively small parts of it – and the severity also often varies with specific usage of the affected component. This means it’s crucial to properly analyze the entire environment as well as individual components, so that vulnerabilities can be properly assessed and a proper remediation strategy can be developed for each flaw.

Many software vendors are taking security of their provided solutions very seriously, and publish security errata as well as notifications advising users to update once a fix is available. A few examples include Debian, Gentoo, Mageia, Red Hat, SUSE, and Ubuntu. These advisories are typically published in the form of RSS feeds or OVAL documents (Red Hat, SUSE), which are quickly applicable in many vulnerability assessment solutions including OpenSCAP. Security advisories being provided directly by software vendors are numerous. They are:

authentic — can be trusted,
contain complete information (identifying information for the affected product — its name and version, the list of security flaws being corrected within that erratum [5], security impact for each of the threats, etc.),
provide a convenient way to keep up to date,
are often available in multiple formats, allowing automated processing depending on custom preferences etc.

Software tools for performing vulnerability assessment are the best candidates for establishing a proper vulnerability management policy. These tools allow you to perform audits in a completely automated, unattended way on a regular basis. Security analysis performed in automated way ensures that the immediate security state of a system will be inspected without delays. Since information about the flaw’s impact usually included in the provided security advisories, it is possible during the initial scan to immediately report which components need updating and how urgent an update is. If multiple vulnerabilities are found at the same time, the scanner can build a prioritized list of updates, and then pass this information to other tools which then perform corrective operations, starting with the most exposed parts of the system [6].

How OpenSCAP Ecosystem Can Help

Detailed knowledge of the underlying computer infrastructure

Previously we mentioned the importance of detailed knowledge about your computer environment when creating and implementing vulnerability assessment strategies. Most environments are composed of many different applications and systems, making them difficult to assess manually — a manual analysis would take valuable time and potentially leave systems in a vulnerable state while it is being completed. In order to facilitate analysis, software vendors produce Common Platform Enumeration (CPE) tags for their solutions. CPEs provide a unique, unambiguous and standard way of identifying specific software products. Vulnerability assessment tools like OpenSCAP can then compare these tags with tags retrieved from vulnerability databases, and quickly identify flaws present in your environment.

Identifying, quantifying and prioritizing security flaws based on their impact

Once the scanner obtains a set of CPE tags identifying software in your environment, it compares them to CPE tags obtained from vulnerability databases, where each vulnerability has a set of tags assigned to it to identify affected software. If a match is found, the vulnerability definition itself is evaluated; the definition contains one or more criteria (tests) for determining if the vulnerability is actually present, arranged in a logical, hierarchical model. Some vulnerability definitions require all of its tests to pass, while others may only require one of multiple tests to pass — specifics vary based on the vulnerability itself.

After each vulnerability potentially affecting the system is evaluated, the scanner creates a report detailing which definitions have passed or failed. This information, along with additional considerations like the severity rating of each failure, is then used to create a prioritized list of flaws, which then serves as a roadmap for remediation.

Prompt reaction

When a vulnerability is disclosed and appears in databases, exploits to take advantage of this vulnerability always follow very soon. For this reason, having the ability to determine whether your systems are affected as soon as possible is invaluable in preventing attacks and maintaining a secure environment. OpenSCAP tools are typically able to perform a full vulnerability assessment in a matter of seconds, giving you the information you need to stay ahead of attackers as fast as possible.

Automated and unattended function

Another key concept when managing a security policy is the ability to perform vulnerability assessment scans regularly and automatically as part of a routine diagnostic. In addition to on-demand scans at any time, OpenSCAP allows you to perform routine scans at set times and dates in a completely unattended way. This enables you to set up a sustainable security management policy.

Minimizing required effort and outage periods

Many system administrators and experts prefer scheduled maintenance and outage periods when upgrading and updating their systems, with these periods often being scheduled on a particular day of the week or month. This is a reasonable approach during normal operations, when the top priority is to allow users uninterrupted access to services. However, if a vulnerability scan reveals the system to be affected by security flaws, remediation of these issues may become more important than keeping systems online at all costs. Reports generated by OpenSCAP can help you balance security with availability by providing detailed information about the severity and impact of each detected vulnerability – the information you need to determine if risks posed by vulnerabilities justify the costs of unplanned downtime.

Practical Examples

The following table demonstrates how various tools from the OpenSCAP ecosystem can be utilized to assist in establishing and maintaining of the sustainable vulnerability assessment process. Refer to the Tools page for a more detailed description and usage examples for the various tools from the suite.

Performing vulnerability assessment on newly installed Red Hat Enterprise Linux 6 Update 7 system using Red Hat’s OVAL content

rhel6_7_oscap_oval

Performing vulnerability assessment on newly installed Red Hat Enterprise Linux 6 Update 7 system using the SCAP Workbench tool using the Red Hat’s XCCDF content retrieved using the following commands:

# wget http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml

# wget http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml

rhel6_7_xccdf_scan

Performing vulnerability assessment on newly installed openSUSE 13.2 system using SUSE’s OVAL content

openSUSE_13.2_oval

Snippet from an OVAL report created from an XML results file using the following command:

# oscap oval generate report /tmp/results.xml >/tmp/report.html

oval_report_4