Wiki

• FrontPage
• RecentChanges
• FindPage
• HelpContents
• OvalAgentShedule

OVAL Agent for Debian

• Mentor: JavierFernandezSanguino

• Student: PavelVinogradov

• Summary: Agent to monitor security update status of clusters of Debian systems

• Original Idea: Oval Agent

Project Info

• VCS: svn://svn.debian.org/oval/

• Mailing list: oval-devel@lists.alioth.debian.org

• Website: http://oval.alioth.debian.org/

• Original proposal: Submitted proposal

Project Schedule (Duration 14 weeks (28 May-31 August))

Updated: 07.08.07

Interim period

• Recollect theoretical parts of XML language (Done)

• Prepare wiki, VCS, maillist, and project page (Done)

• Introduce myself to OVAL community at mitre.org (Done)

• Understand OVAL interpreter source code architecture (Done)

• Prepare basic implementation of OVAL query generator (Done)

Week 1-2 (From 28 May to 10 June)

• Write OVAL query generator:

  • Implement DSA and WML parser (Done)

  • Implement OVAL XML Definitions generator (Done)

  • Implement OVAL objects and state generator (Done)

Week 3 (From 11 to 17 June)

• Work on optimization resulted XML definitions (Done)

Week 4 (From 18 to 24 June)

• Update project schedule (Done)

• Release beta version of OVAL definition generator: (Done)

  • Write some documentation and comments to source code
  • Fix bug with string to unicode conversion

• Start experiments with libapt-pkg library (read documentation and write code samples) (Done)

• Deliverable 0: Publish updated project schedule (Done)

• Deliverable 1: Release beta version of OVAl definition generator (Done)

Week 5 (From 25 June to 1 July)

• Use libapt for package quering (Done)

• Start implementing DPKGInfoProbe class in OVAL interpretator (Done)

Issues this week: lack of documentation of the libapt library, broken tests with apt library, apt now in version change (0.7)

Week 6 (From 2 to 8 July)

• Testing with simple hand-made OVAL definitions (done)

• Code cleanup in OVAL definition generator (done)

• Implement DPKGInfoProbe class (done but commited in Week 7 in http://svn.debian.org/wsvn/oval/?rev=65&sc=1)

Week 7 (From 9 to 15 July)

• Testing with OVAL definitions generated from Debian dsa (done on week 10)

• Fix bugs in OVAL definition generator if I find any during testing (done)

• Update OVAL definition generator to support OVAL 5.3 release (done)

• Deliverable 2: OVAL interpretator with dpkg support. Release second beta of OVAL definition generator (done)

Week 8 (From 16 to 22 July)

• Work on Testing with OVAL definitions generated from Debian dsa from week 7.(done) Problems:

  • Release test require implementation of ?TextFileContentProbes (done on week 10)

  • Architecture test require rewrite of criteria tree (done on week 10)

• Build Debian packages for Oval Interpreter and definitions generator (done Moved from week 7)

• Discussion about types of OVAL definition distribution (which protocols are supported and how to distribute updates), communication from server with OVAL agents. (done on 11 week)

• Implement work with configuration file: (done on 11 week)

  • information about agents
  • OVAL definition sources
  • suported protocols
  • updation intervals
  • server configuration

• Implement automatic download of OVAL definitions (not all protocol supported now) (done on 11 week)

  • download of OVAL definition from http and ftp sources, maybe rss/atom support

• Deliverable 3: Documentation about types of definition distribution, interaction between server and agent. (in progress)

• Google mid-term project evaluation. (pass)

Mentor note: ¿Implement OVAL server? (done on week 12)

Week 9 (From 23 to 29 July)

• ?AltLinux conference and Linux Fest (done)

Week 10 (From 30 July to 5 August)

• Implement proxy support and remain protocols.
• Implement OVAL agent:

  • interaction with server (done)

  • downloading updates from server (done)

  • quering local machine
  • send query results back to server

• Implement simple interaction between server and agent (done)

• Distributing OVAL definitions to client and receive results

Week 11 (From 6 to 12 August)

• Work on OVAL definitions and result storage. (done)

  • No any ideas currently there, but we need it for GTK frontend and report generation

• Implement definitions updates (incremental?) (done)

• Build Debian packages for all tools

• Deliverable 4: oval-agent, oval-server, oval-definition-generator packages

Week 12 (From 13 to 19 August)

• GUI frontend for oval-server for data visualization:
  • OVAL definition data (include affected packages, descriptions, CVE links)
  • Agent reposts status (queried definitions, vulnerability affection status)
• Build oval-server-gtk package

Week 13 (From 20 to 26 August)

• Reserve for code cleanup, bug fixing and documentation writing.
• Release OVAL definition generator official version.

• Deliverable 5: Build all together, Write project report.

• Google final project evaluation

Current gap

• oval-server
  • Implement proxy support and remain protocols in oval-server
• oval-agent
  • quering local machine
  • send query results back to server
• oval-server-gtk
• build Debian packages for all tools

Work not currently scheduled

This is a listing of work which is not currently scheduled in the GSOC project but would be nice to have:

• Integrate interpreter generator with the National Vulnerability Database (which provides now CVSS scores and, consequently, ratings for vulnerabilities)
• Integrate interpreter generator with the Security Tracker (provides information of vulnerabilities which have *not* been fixed by a DSA yet). Extend generation so it covers more than DSAs.

I don't think that it would be necessary to change the interpreter generator but have:

• a tool that given a set of OVAL definitions, downloads data from
  • NVD and completes them including risk information and (maybe) additional references
• a tool that reads a set of OVAL definitions and adds to them (if they are
  • not yet there) OVAL definitions based on data from the Security Tracker
  • (that would help replace debsecan)

Possible mechanisms in the server side (update definitions):

• Download OVAL definitions from official site, make changes to publish an RSS
  • feed with OVAL data and to publish the full listing (pull mode)
• Generate OVAL definitions based on emails from debian-security-announce
  • (push mode). Needs changes to the interpreter generator.

Suggestions from OVAL developers:

• I also noticed that you are using single quotes around all attribute values. This is perfectly legal, but different than just about all other xml documents I have seen. Any chance of switching to double quotes to be consistent with the rest of the oval content out there?
• Definition class - you have set the class of the definition to "vulnerability". When a vulnerability definition evaluates to true on a host that means that the host has a specific vulnerability. We have chosen to write 1 or more OVAL definitions for a single vulnerability.

We tend not to write one OVAL definition to cover multiple vulnerabilities.