OVAL Agent for Debian
Mentor: JavierFernandezSanguino
Student: PavelVinogradov
Summary: Agent to monitor security update status of clusters of Debian systems
Original Idea: Oval Agent
Project Info
VCS: svn://svn.debian.org/oval/
Mailing list: oval-devel@lists.alioth.debian.org
Website: http://oval.alioth.debian.org/
Original proposal: Submitted proposal
Project Schedule (duration: 14 weeks, 28 May to 31 August)
Updated: 07.08.07
Interim period
Review the theoretical parts of the XML language (Done)
Prepare wiki, VCS, mailing list, and project page (Done)
Introduce myself to OVAL community at mitre.org (Done)
Understand OVAL interpreter source code architecture (Done)
Prepare basic implementation of OVAL query generator (Done)
Week 1-2 (From 28 May to 10 June)
- Write OVAL query generator:
Implement DSA and WML parser (Done)
Implement OVAL XML Definitions generator (Done)
Implement OVAL objects and state generator (Done)
Week 3 (From 11 to 17 June)
Optimize the resulting XML definitions (Done)
Week 4 (From 18 to 24 June)
Update project schedule (Done)
Release beta version of OVAL definition generator: (Done)
- Write some documentation and comments to source code
- Fix bug with string to unicode conversion
Start experiments with libapt-pkg library (read documentation and write code samples) (Done)
Deliverable 0: Publish updated project schedule (Done)
Deliverable 1: Release beta version of OVAL definition generator (Done)
Week 5 (From 25 June to 1 July)
Use libapt for package querying (Done)
Start implementing DPKGInfoProbe class in the OVAL interpreter (Done)
Issues this week: lack of documentation for the libapt library, broken tests with the apt library, apt currently in the middle of a version change (0.7)
Week 6 (From 2 to 8 July)
Testing with simple hand-made OVAL definitions (done)
Code cleanup in OVAL definition generator (done)
Implement DPKGInfoProbe class (done, but committed in Week 7 in http://svn.debian.org/wsvn/oval/?rev=65&sc=1)
Week 7 (From 9 to 15 July)
Testing with OVAL definitions generated from Debian DSAs (done in week 10)
Fix bugs in OVAL definition generator if I find any during testing (done)
Update OVAL definition generator to support OVAL 5.3 release (done)
Deliverable 2: OVAL interpreter with dpkg support. Release second beta of OVAL definition generator (done)
Week 8 (From 16 to 22 July)
Continue testing with OVAL definitions generated from Debian DSAs, carried over from week 7 (done). Problems:
Release test requires implementation of TextFileContentProbes (done in week 10)
Architecture test requires a rewrite of the criteria tree (done in week 10)
Build Debian packages for OVAL interpreter and definition generator (done; moved from week 7)
Discussion about types of OVAL definition distribution (which protocols are supported and how to distribute updates) and communication between the server and OVAL agents. (done in week 11)
Implement work with the configuration file: (done in week 11)
- information about agents
- OVAL definition sources
- supported protocols
- update intervals
- server configuration
Implement automatic download of OVAL definitions (not all protocols supported yet) (done in week 11)
- download of OVAL definition from http and ftp sources, maybe rss/atom support
Deliverable 3: Documentation about types of definition distribution, interaction between server and agent. (in progress)
Google mid-term project evaluation. (pass)
Mentor note: Implement OVAL server? (done in week 12)
Week 9 (From 23 to 29 July)
AltLinux conference and Linux Fest (done)
Week 10 (From 30 July to 5 August)
- Implement proxy support and the remaining protocols.
- Implement OVAL agent:
interaction with server (done)
downloading updates from server (done)
- querying local machine
- send query results back to server
Implement simple interaction between server and agent (done)
- Distribute OVAL definitions to clients and receive results
Week 11 (From 6 to 12 August)
Work on OVAL definitions and result storage. (done)
- No concrete ideas for this yet, but it is needed for the GTK frontend and report generation
Implement definitions updates (incremental?) (done)
- Build Debian packages for all tools
Deliverable 4: oval-agent, oval-server, oval-definition-generator packages
Week 12 (From 13 to 19 August)
- GUI frontend for oval-server for data visualization:
- OVAL definition data (include affected packages, descriptions, CVE links)
- Agent reports status (queried definitions, vulnerability affection status)
- Build oval-server-gtk package
Week 13 (From 20 to 26 August)
- Reserve for code cleanup, bug fixing and documentation writing.
- Release OVAL definition generator official version.
Deliverable 5: Build all together, Write project report.
Google final project evaluation
Current gap
- oval-server
- Implement proxy support and the remaining protocols in oval-server
- oval-agent
- querying local machine
- send query results back to server
- oval-server-gtk
- build Debian packages for all tools
Work not currently scheduled
This is a listing of work which is not currently scheduled in the GSoC project but would be nice to have:
- Integrate interpreter generator with the National Vulnerability Database (which now provides CVSS scores and, consequently, ratings for vulnerabilities)
- Integrate interpreter generator with the Security Tracker (provides information of vulnerabilities which have *not* been fixed by a DSA yet). Extend generation so it covers more than DSAs.
I don't think that it would be necessary to change the interpreter generator, but have:
- a tool that, given a set of OVAL definitions, downloads data from NVD and completes them, including risk information and (maybe) additional references
- a tool that reads a set of OVAL definitions and adds to them (if they are not yet there) OVAL definitions based on data from the Security Tracker (that would help replace debsecan)
Possible mechanisms on the server side (update definitions):
- Download OVAL definitions from the official site, make changes to publish an RSS feed with OVAL data and to publish the full listing (pull mode)
- Generate OVAL definitions based on emails from debian-security-announce (push mode). Needs changes to the interpreter generator.
Suggestions from OVAL developers:
- I also noticed that you are using single quotes around all attribute values. This is perfectly legal, but different than just about all other xml documents I have seen. Any chance of switching to double quotes to be consistent with the rest of the oval content out there?
- Definition class - you have set the class of the definition to "vulnerability". When a vulnerability definition evaluates to true on a host that means that the host has a specific vulnerability. We have chosen to write 1 or more OVAL definitions for a single vulnerability. We tend not to write one OVAL definition to cover multiple vulnerabilities.
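The two suggestions above, as an added example that is not the project's generator code: a small Python emitter that writes one class="vulnerability" definition per CVE of a DSA (rather than one per DSA), all sharing a single dpkginfo test, with the double-quoted attributes ElementTree produces. The DSA record, the oval:org.debian identifiers and the "installed version older than the fixed version" state are constructed assumptions.

```python
# Added example, not the project's generator: emit an OVAL 5 definitions document
# for one Debian DSA with dpkginfo probes, double-quoted attributes and one
# class="vulnerability" definition per CVE. DSA record and IDs are constructed.
import xml.etree.ElementTree as ET

DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
LINUX = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
ET.register_namespace("", DEF)             # default namespace for core elements
ET.register_namespace("linux-def", LINUX)  # dpkginfo probe elements

# Constructed DSA record: one advisory fixing two CVEs in one package.
SAMPLE_DSA = {"dsa": "DSA-0000-1", "package": "examplepkg",
              "fixed": "1.2.3-4etch1", "platform": "Debian GNU/Linux 4.0",
              "cves": ["CVE-2007-0001", "CVE-2007-0002"]}

def build_oval(dsa, ns="org.debian"):
    """Return the oval_definitions document for one DSA as an XML string."""
    root = ET.Element(f"{{{DEF}}}oval_definitions")
    defs, tests, objs, states = (ET.SubElement(root, f"{{{DEF}}}{s}") for s in
                                 ("definitions", "tests", "objects", "states"))
    # "Package installed at a version below the fix" is the same check for
    # every CVE the DSA fixes, so one object, state and test are shared.
    oid, sid, tid = (f"oval:{ns}:{k}:1" for k in ("obj", "ste", "tst"))
    obj = ET.SubElement(objs, f"{{{LINUX}}}dpkginfo_object", id=oid, version="1")
    ET.SubElement(obj, f"{{{LINUX}}}name").text = dsa["package"]
    ste = ET.SubElement(states, f"{{{LINUX}}}dpkginfo_state", id=sid, version="1")
    ET.SubElement(ste, f"{{{LINUX}}}evr", datatype="evr_string",
                  operation="less than").text = "0:" + dsa["fixed"]
    tst = ET.SubElement(tests, f"{{{LINUX}}}dpkginfo_test", id=tid, version="1",
                        check="at least one", comment=f"{dsa['package']} older than {dsa['fixed']}")
    ET.SubElement(tst, f"{{{LINUX}}}object", object_ref=oid)
    ET.SubElement(tst, f"{{{LINUX}}}state", state_ref=sid)
    # One vulnerability-class definition per CVE, not one per DSA: each is
    # true on a host only when that specific CVE is present.
    for n, cve in enumerate(dsa["cves"], start=1):
        d = ET.SubElement(defs, f"{{{DEF}}}definition", id=f"oval:{ns}:def:{n}", version="1")
        d.set("class", "vulnerability")  # "class" is a Python keyword, so set() it
        meta = ET.SubElement(d, f"{{{DEF}}}metadata")
        ET.SubElement(meta, f"{{{DEF}}}title").text = f"{cve} ({dsa['dsa']})"
        aff = ET.SubElement(meta, f"{{{DEF}}}affected", family="unix")
        ET.SubElement(aff, f"{{{DEF}}}platform").text = dsa["platform"]
        ET.SubElement(meta, f"{{{DEF}}}reference", source="CVE", ref_id=cve)
        ET.SubElement(ET.SubElement(d, f"{{{DEF}}}criteria"), f"{{{DEF}}}criterion",
                      test_ref=tid, comment=f"{cve} in {dsa['package']}")
    return ET.tostring(root, encoding="unicode")

def definitions(xml_text):
    """Parse back: (id, class, CVE, test_ref) for each definition in the document."""
    return [(d.get("id"), d.get("class"),
             d.find(f"{{{DEF}}}metadata/{{{DEF}}}reference").get("ref_id"),
             d.find(f"{{{DEF}}}criteria/{{{DEF}}}criterion").get("test_ref"))
            for d in ET.fromstring(xml_text).iter(f"{{{DEF}}}definition")]
```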