Monday, October 31, 2011

Testing ovaldi on CentOS 6...

In the previous post I described how to compile the ovaldi tool for CentOS. In the meantime I tested that installation and found a few more bugs in the rpm handling code:
  • the query format was wrong, i.e. the tag used was %{SIGGPG:pgpsig} but it should actually be %{SIGPGP:pgpsig}. I tested this on CentOS 6 and Fedora 15 and on both the second form is the right one; the first form returns (none).
  • after obtaining the signature key from rpm, the code wrongly calculated the starting offset of the key, so you ended up with a space in front and the last digit cut off. (NOTE: this has been fixed in Ovaldi 5.10.1.1, so I removed that part from my patch!)
Both of those I corrected, and the changes are included in the provided patch. If you downloaded the patch (or the binaries) before this post was published, download them again.

Since I had problems with rpm, I extracted the problematic part of the code into a separate program and used it to test its functionality. You can obtain the test program here. If you compile and run it, you'll notice that it behaves exactly like the following rpm query command:
rpm -q --qf '%{SIGPGP:pgpsig}' <packagename>
To compile it, use the following command:
gcc -o rpmq rpmq.c -lrpm
On Fedora you'll also need the -lpopt option added at the end.
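As an added example (not the post's rpmq.c and not ovaldi's code), here is a small POSIX shell function that takes the string rpm prints for %{SIGPGP:pgpsig} and extracts the 16-hex-digit signing key ID from it, which is the value the rpm handling code in ovaldi has to get right, including the (none) case from the first bullet above. The sample signature string is constructed to match the shape of rpm's pgpsig output; the key ID in it is assumed to be the CentOS 6 signing key.

```shell
#!/bin/sh
# Added example: extract the signing key ID from rpm's %{SIGPGP:pgpsig} string,
# e.g. "RSA/SHA1, Sat 02 Jul 2011 09:12:00 PM CEST, Key ID 0946fca2c105b9de".
# Not part of the post's rpmq.c or of ovaldi.

# keyid_from_pgpsig SIGSTRING
# Prints the lowercase 16-hex-digit key ID and returns 0.
# Returns 1 (prints nothing) for "(none)" or for a string with no "Key ID".
keyid_from_pgpsig() {
    sig=$1
    case $sig in
        ''|'(none)') return 1 ;;   # no signature under this tag
    esac
    # Strip everything up to and including the last "Key ID "; if nothing was
    # stripped, the marker was absent.
    id=${sig##*Key ID }
    [ "$id" != "$sig" ] || return 1
    id=$(printf '%s' "$id" | tr 'A-F' 'a-f')
    # Exactly 16 characters, all hex digits: this rejects the "space in front,
    # last digit missing" shape the post describes for the old ovaldi code.
    case $id in
        ????????????????) ;;
        *) return 1 ;;
    esac
    case $id in
        *[!0-9a-f]*) return 1 ;;
    esac
    printf '%s\n' "$id"
}

# pkg_keyid PACKAGE
# The same for an installed package (needs rpm; not exercised by the sample).
pkg_keyid() {
    keyid_from_pgpsig "$(rpm -q --qf '%{SIGPGP:pgpsig}' "$1")"
}

# Constructed sample in the shape of rpm's output on CentOS 6 (the key ID is
# assumed to be the CentOS 6 signing key).
SAMPLE_SIG='RSA/SHA1, Sat 02 Jul 2011 09:12:00 PM CEST, Key ID 0946fca2c105b9de'

keyid_from_pgpsig "$SAMPLE_SIG"                    # prints 0946fca2c105b9de
keyid_from_pgpsig '(none)' || echo 'no signature under SIGPGP'
```

rpm keeps an RSA signature under the SIGPGP tag and a DSA one under SIGGPG, so which of the two answers depends on the key that signed the package; the CentOS 6 and RHEL 6 signing keys are RSA, which is why SIGPGP is the one that returns a value there.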

OVAL definitions for RedHat's security advisories can be found at the following address. I downloaded rhsa.tar.bz2, which includes all the advisories, unpacked it and then modified the OVAL description com.redhat.rhsa-20111409.xml. This particular description checks for a vulnerable openssl. To see whether the check would detect the vulnerability I downgraded openssl to the original version shipped with CentOS, i.e. openssl-1.0.0-4.el6.x86_64. Furthermore, I had to heavily modify the aforementioned OVAL description, because CentOS doesn't have the same packages as RedHat, nor does it use the same signing key. The version I ended up with can be obtained here (hope RedHat won't be mad at me for this! :))

Running that description within ovaldi on a vulnerable system produces the following output:
$ ovaldi -m -o org.centos.cesa-20111409.xml

----------------------------------------------------
OVAL Definition Interpreter
Version: 5.10 Build: 1
Build date: Oct 30 2011 21:40:11
Copyright (c) 2002-2011 - The MITRE Corporation
----------------------------------------------------

Start Time: Mon Oct 31 00:14:16 2011

 ** parsing org.centos.cesa-20111409.xml file.
    - validating xml schema.
 ** checking schema version
     - Schema version - 5.3
 ** skipping Schematron validation
 ** creating a new OVAL System Characteristics file.
 ** gathering data for the OVAL definitions.
      Collecting object:  FINISHED                         
 ** saving data model to system-characteristics.xml.
 ** running the OVAL Definition analysis.
      Analyzing definition:  FINISHED                      
 ** applying directives to OVAL results.
 ** OVAL definition results.

    OVAL Id                                 Result
    -------------------------------------------------------
    oval:org.centos.cesa:def:20111409        true          
    -------------------------------------------------------


 ** finished evaluating OVAL definitions.

 ** saving OVAL results to results.xml.
 ** running OVAL Results xsl: /opt/oval/share/ovaldi/xml/results_to_html.xsl.

----------------------------------------------------

Basically, it detects that the vulnerability is present (clearly indicated by the result field, which I set to bold to make it more visible!). After performing an update of CentOS and running the test again, the result is negative, as expected, i.e.
$ ovaldi -m -o org.centos.cesa-20111409.xml

----------------------------------------------------
OVAL Definition Interpreter
Version: 5.10 Build: 1
Build date: Oct 30 2011 21:40:11
Copyright (c) 2002-2011 - The MITRE Corporation
----------------------------------------------------

Start Time: Mon Oct 31 00:16:55 2011

 ** parsing org.centos.cesa-20111409.xml file.
    - validating xml schema.
 ** checking schema version
     - Schema version - 5.3
 ** skipping Schematron validation
 ** creating a new OVAL System Characteristics file.
 ** gathering data for the OVAL definitions.
      Collecting object:  FINISHED                         
 ** saving data model to system-characteristics.xml.
 ** running the OVAL Definition analysis.
      Analyzing definition:  FINISHED                      
 ** applying directives to OVAL results.
 ** OVAL definition results.

    OVAL Id                                 Result
    -------------------------------------------------------
    oval:org.centos.cesa:def:20111409        false         
    -------------------------------------------------------


 ** finished evaluating OVAL definitions.

 ** saving OVAL results to results.xml.
 ** running OVAL Results xsl: /opt/oval/share/ovaldi/xml/results_to_html.xsl.

----------------------------------------------------
This time ovaldi produced the following files: ovaldi.log, results.xml, results.html and system-characteristics.xml.

With this I'm now pretty sure that ovaldi works on CentOS. Still, more extensive testing is absolutely necessary, but for the time being this is, I think, a great step forward.

So, here are some conclusions from this exercise:
  • CentOS doesn't have assigned CPE values past version 5, so some procedure has to be initiated in that respect.
  • RedHat's OVAL descriptions cannot be used as they are, for two reasons. First, the legality is questionable, and second, the changes required are not straightforward.
  • Editing OVAL XML description files is very hard and error-prone. Furthermore, ovaldi itself is not very helpful: for example, if you don't get the IDs and references right, it will complain, but the diagnostic information is basically useless.
Just as a note: when I had a problem where some test, object or something else was referenced but not defined, I used the following quick hack to find the offending ID:
for i in $(grep _ref org.centos.cesa-20111409.xml | cut -f2 -d\"); do grep -q "id=\"$i\"" org.centos.cesa-20111409.xml || echo "$i"; done
This prints the offending IDs.
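The one-liner above, rewritten as a function and run against a small constructed OVAL file, as an added example that is not from the post. The XML is a stripped-down approximation of the rpminfo-based layout the RHSA definitions use (a definition, its tests, an object and a state), with assumed IDs, an assumed fixed EVR, and one state reference deliberately left dangling so the check has something to find; it is there to feed the checker, not a definition meant to be run under ovaldi. Unlike the one-liner, the function pulls the *_ref attributes out with grep -o, so it does not depend on the reference being the first quoted value on its line, and it anchors the lookup on the closing quote so that an id ending in :tst:10 is not taken as defining :tst:1.

```shell
#!/bin/sh
# Added example (not from the post): find *_ref values in an OVAL definition
# file that no id="..." attribute defines, the situation ovaldi reports with
# a diagnostic that does not name the offending ID.

# list_dangling_refs FILE
# Prints each test_ref/object_ref/state_ref value in FILE that has no matching
# id="..." in FILE, one per line; prints nothing if every reference resolves.
list_dangling_refs() {
    f=$1
    grep -o '[a-z]*_ref="[^"]*"' "$f" | cut -d'"' -f2 | sort -u |
    while read -r ref; do
        # Match the closing quote too, so "...:tst:1" is not satisfied by
        # an id of "...:tst:10".
        grep -q "id=\"$ref\"" "$f" || echo "$ref"
    done
}

# write_sample_oval FILE
# Writes a constructed, cut-down OVAL 5.3 style definition. The IDs, the fixed
# EVR (0:1.0.0-99.el6) and the layout are assumed for this example. The second
# test references state ...:ste:2 (meant to hold the signature_keyid check),
# which is deliberately not defined.
write_sample_oval() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <generator>
    <oval:schema_version>5.3</oval:schema_version>
    <oval:timestamp>2011-10-31T00:00:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:org.example.cesa:def:1" version="1" class="patch">
      <metadata>
        <title>constructed openssl example</title>
        <description>openssl older than the fixed EVR and signed with the expected key</description>
      </metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:org.example.cesa:tst:1" comment="openssl EVR is below the fix"/>
        <criterion test_ref="oval:org.example.cesa:tst:2" comment="openssl is signed with the expected key"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <lin-def:rpminfo_test id="oval:org.example.cesa:tst:1" version="1" check="at least one" comment="openssl EVR">
      <lin-def:object object_ref="oval:org.example.cesa:obj:1"/>
      <lin-def:state state_ref="oval:org.example.cesa:ste:1"/>
    </lin-def:rpminfo_test>
    <lin-def:rpminfo_test id="oval:org.example.cesa:tst:2" version="1" check="at least one" comment="openssl signing key">
      <lin-def:object object_ref="oval:org.example.cesa:obj:1"/>
      <lin-def:state state_ref="oval:org.example.cesa:ste:2"/>
    </lin-def:rpminfo_test>
  </tests>
  <objects>
    <lin-def:rpminfo_object id="oval:org.example.cesa:obj:1" version="1">
      <lin-def:name>openssl</lin-def:name>
    </lin-def:rpminfo_object>
  </objects>
  <states>
    <lin-def:rpminfo_state id="oval:org.example.cesa:ste:1" version="1">
      <lin-def:evr datatype="evr_string" operation="less than">0:1.0.0-99.el6</lin-def:evr>
    </lin-def:rpminfo_state>
  </states>
</oval_definitions>
EOF
}

# Stand-alone run: write the sample, check it, clean up.
sample=$(mktemp)
write_sample_oval "$sample"
list_dangling_refs "$sample"        # prints oval:org.example.cesa:ste:2
rm -f "$sample"
```

Run it against a real definition with list_dangling_refs org.centos.cesa-20111409.xml; an empty result means every test_ref, object_ref and state_ref resolves, which is the first thing to confirm before blaming ovaldi's own diagnostics.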

That concludes this post. In some future post I'll describe the structure of an OVAL description in more detail; in the meantime you can find some older information on my homepage.
