= OVAL Agent for Debian =

 * '''Mentor:''' JavierFernandezSanguino
 * '''Student:''' PavelVinogradov
 * '''Summary''': Agent to monitor security update status of clusters of Debian systems
 * '''Original Idea''': [[SummerOfCode2007/ovalagent|Oval Agent]]

= Project Info =

 * '''VCS:''' svn://svn.debian.org/oval/
 * '''Mailing list:''' oval-devel@lists.alioth.debian.org
 * '''Website:''' http://oval.alioth.debian.org/
 * '''Original proposal:''' [[http://nixdev.net/people/vinogradov/gsoc/2007/debian_soc_oval_proposal.txt|Submitted proposal]]

= Project Schedule (Duration 14 weeks (28 May-31 August)) =

'''Updated: 07.08.07'''

== Interim period ==

 * Review the theoretical parts of the XML language ('''Done''')
 * Prepare wiki, VCS, mailing list, and project page ('''Done''')
 * Introduce myself to the OVAL community at mitre.org ('''Done''')
 * Understand the OVAL interpreter source code architecture ('''Done''')
 * Prepare a basic implementation of the OVAL query generator ('''Done''')

== Week 1-2 (From 28 May to 10 June) ==

 * Write OVAL query generator:
  * Implement DSA and WML parser ('''Done''')
  * Implement OVAL XML Definitions generator ('''Done''')
  * Implement OVAL objects and state generator ('''Done''')

== Week 3 (From 11 to 17 June) ==

 * Work on optimizing the resulting XML definitions ('''Done''')

== Week 4 (From 18 to 24 June) ==

 * Update project schedule ('''Done''')
 * Release beta version of OVAL definition generator: ('''Done''')
  * Write some documentation and comments for the source code
  * Fix bug with string to unicode conversion
 * Start experiments with the libapt-pkg library (read documentation and write code samples) ('''Done''')
 * '''Deliverable 0''': Publish updated project schedule ('''Done''')
 * '''Deliverable 1''': Release beta version of OVAL definition generator ('''Done''')

== Week 5 (From 25 June to 1 July) ==

 * Use libapt for package querying ('''Done''')
 * Start implementing the DPKGInfoProbe class in the OVAL interpreter ('''Done''')

Issues this week: lack of documentation of the libapt library,
broken tests with the apt library, apt is currently changing version (0.7)

== Week 6 (From 2 to 8 July) ==

 * Testing with simple hand-made OVAL definitions ('''done''')
 * Code cleanup in OVAL definition generator ('''done''')
 * Implement DPKGInfoProbe class ('''done''' but committed in Week 7 in http://svn.debian.org/wsvn/oval/?rev=65&sc=1)

== Week 7 (From 9 to 15 July) ==

 * Testing with OVAL definitions generated from Debian DSAs ('''done''' on week 10)
 * Fix bugs in the OVAL definition generator if I find any during testing ('''done''')
 * Update the OVAL definition generator to support the OVAL 5.3 release ('''done''')
 * '''Deliverable 2''': OVAL interpreter with dpkg support. Release second beta of OVAL definition generator ('''done''')

== Week 8 (From 16 to 22 July) ==

 * Work on '''Testing with OVAL definitions generated from Debian dsa''' from week 7. ('''done''') Problems:
  * The release test requires an implementation of TextFileContentProbes ('''done''' on week 10)
  * The architecture test requires a rewrite of the criteria tree ('''done''' on week 10)
 * Build Debian packages for the OVAL interpreter and definitions generator ('''done''', moved from week 7)
 * Discussion about types of OVAL definition distribution (which protocols are supported and how to distribute updates) and communication from the server with OVAL agents. ('''done''' on week 11)
 * Implement configuration file handling: ('''done''' on week 11)
  * information about agents
  * OVAL definition sources
  * supported protocols
  * update intervals
  * server configuration
 * Implement automatic download of OVAL definitions (not all protocols are supported yet) ('''done''' on week 11)
  * download of OVAL definitions from http and ftp sources, maybe rss/atom support
 * '''Deliverable 3''': Documentation about types of definition distribution and interaction between server and agent. ('''in progress''')
 * Google mid-term project evaluation. ('''pass''')

Mentor note: Implement OVAL server?
('''done''' on week 12)

== Week 9 (From 23 to 29 July) ==

AltLinux conference and Linux Fest ('''done''')

== Week 10 (From 30 July to 5 August) ==

 * Implement proxy support and the remaining protocols.
 * Implement OVAL agent:
  * interaction with server ('''done''')
  * downloading updates from server ('''done''')
  * querying the local machine
  * sending query results back to the server
 * Implement simple interaction between server and agent ('''done''')
  * Distributing OVAL definitions to clients and receiving results

== Week 11 (From 6 to 12 August) ==

 * Work on OVAL definitions and result storage. ('''done''')
  * No ideas on this yet, but we need it for the GTK frontend and report generation
 * Implement definitions updates (incremental?) ('''done''')
 * Build Debian packages for all tools
 * '''Deliverable 4''': oval-agent, oval-server, oval-definition-generator packages

== Week 12 (From 13 to 19 August) ==

 * GUI frontend for oval-server for data visualization:
  * OVAL definition data (including affected packages, descriptions, CVE links)
  * Agent reports status (queried definitions, vulnerability affection status)
 * Build oval-server-gtk package

== Week 13 (From 20 to 26 August) ==

 * Reserved for code cleanup, bug fixing and documentation writing.
 * Release the official version of the OVAL definition generator.
 * '''Deliverable 5''': Build everything together, write project report.
 * '''Google final project evaluation'''

=== Current gap ===

 * oval-server
  * Implement proxy support and the remaining protocols in oval-server
 * oval-agent
  * querying the local machine
  * sending query results back to the server
 * oval-server-gtk
 * build Debian packages for all tools

== Work not currently scheduled ==

This is a listing of work which is not currently scheduled in the GSOC project but would be nice to have:

 * Integrate interpreter generator with the National Vulnerability Database (which now provides CVSS scores and, consequently, ratings for vulnerabilities)
 * Integrate interpreter generator with the Security Tracker (provides information on vulnerabilities which have *not* been fixed by a DSA yet). Extend generation so it covers more than DSAs.

I don't think that it would be necessary to change the interpreter generator but have:

 * a tool that, given a set of OVAL definitions, downloads data from NVD and completes them, including risk information and (maybe) additional references
 * a tool that reads a set of OVAL definitions and adds to them (if they are not yet there) OVAL definitions based on data from the Security Tracker (that would help replace debsecan)

Possible mechanisms on the server side (update definitions):

 * Download OVAL definitions from the official site, make changes to publish an RSS feed with OVAL data and to publish the full listing (pull mode)
 * Generate OVAL definitions based on emails from debian-security-announce (push mode). Needs changes to the interpreter generator.

Suggestions from OVAL developers:

 * I also noticed that you are using single quotes around all attribute values. This is perfectly legal, but different than just about all other xml documents I have seen. Any chance of switching to double quotes to be consistent with the rest of the oval content out there?
 * Definition class - you have set the class of the definition to "vulnerability".
When a vulnerability definition evaluates to true on a host that means that the host has a specific vulnerability. We have chosen to write 1 or more OVAL definitions for a single vulnerability. We tend not to write one OVAL definition to cover multiple vulnerabilities.
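
The two suggestions above (double-quoted attribute values, and one `vulnerability` definition per vulnerability rather than one per advisory) can be shown together. This is an added Python sketch, not code from the project's generator: the advisory record, the `org.debian.example` id namespace and the function names are assumptions, and only the `<definitions>` section is emitted (tests, objects and states are left out).

```python
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
ID_NS = "org.debian.example"  # placeholder id namespace, not the project's

# Constructed advisory record: DSA number, CVE ids, package and version are placeholders.
SAMPLE_DSA = {
    "dsa": "DSA-0000-1",
    "package": "examplepkg",
    "fixed_version": "1.2.3-4",
    "cves": ["CVE-0000-0001", "CVE-0000-0002"],
}

def definitions_for(advisory, first_id=1, test_id=1):
    """Return one class="vulnerability" definition per CVE fixed by the advisory."""
    pkg, fixed = advisory["package"], advisory["fixed_version"]
    # All CVEs of one advisory are fixed by the same package version, so the
    # split definitions reference the same (hypothetical) dpkg version test.
    test_ref = "oval:%s:tst:%d" % (ID_NS, test_id)
    result = []
    for offset, cve in enumerate(advisory["cves"]):
        definition = ET.Element("definition", {
            "id": "oval:%s:def:%d" % (ID_NS, first_id + offset),
            "version": "1",
            "class": "vulnerability",
        })
        metadata = ET.SubElement(definition, "metadata")
        ET.SubElement(metadata, "title").text = "%s: %s in %s" % (advisory["dsa"], cve, pkg)
        ET.SubElement(metadata, "reference", {"source": "CVE", "ref_id": cve})
        ET.SubElement(metadata, "description").text = (
            "%s is installed in a version earlier than %s." % (pkg, fixed))
        criteria = ET.SubElement(definition, "criteria", {"operator": "AND"})
        ET.SubElement(criteria, "criterion", {
            "test_ref": test_ref,
            "comment": "%s earlier than %s" % (pkg, fixed),
        })
        result.append(definition)
    return result

def render(advisory):
    """Serialise the definitions section; ElementTree double-quotes attribute values."""
    root = ET.Element("oval_definitions", {"xmlns": OVAL_NS})
    ET.SubElement(root, "definitions").extend(definitions_for(advisory))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(render(SAMPLE_DSA))
```

With this split, a result of true for one definition identifies a single CVE on the host, while the package version check is still written only once.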