OVAL Agent for Debian


The goal of this project would be the development of a mechanism to manage the security status of clusters of Debian systems. Although there are a number of tools that check locally for the availability of security updates (such as update-notifier, integrated with the GNOME desktop, or cron-apt; more information is available in the Securing Debian Manual), there is no easy way to manage tens or hundreds of systems.

Also, the tools currently available require every system to access the Internet (or a mirror server), which makes them harder to deploy on systems that are not connected to the Internet or that have a restricted or limited connection (which is common for systems deployed inside companies and some organizations).

Moreover, most desktop-oriented security update notifiers focus on stable systems and do not apply to "testing" or "sid" systems.

The project should start by developing an OVAL agent for Debian, since OVAL already provides a uniform mechanism to check the status of security updates and report it to a central server. Some other distributions (currently Red Hat) already use OVAL, and using a standard would make it easier to integrate even with third-party tools.

Once that is done, the developer should work on a mechanism to automatically generate OVAL queries from the published Debian Security Advisories (a beta version of such a tool already exists on the project's website, but it is not yet deployed). That would make it possible to provide, in a single file, all the information on available updates for the central station to download.

It would also use the information in the database maintained by the Debian Security Testing team to generate OVAL information even for vulnerabilities that have not yet been fixed in a given Debian distribution. This information is currently available in the Security Bug Tracker, and only one tool (debsecan) makes use of it. This would extend the system well beyond a plain "patch management system" and would also make it useful for "testing" and "sid" Debian systems.

Finally, a central monitor (an OVAL server) should be developed. This server would distribute queries to the OVAL agents in order to determine which systems need security updates. The administrator could check the central monitor and review the systems that need to be patched, and should be able to mark updates as "not relevant" or "not considered for this system", so that the central station can also be used to control when systems are updated and patched, or even what action to take on a system when no update is yet available from Debian.

Notice that there are different ways to obtain information related to security updates:

A central server, which some organizations would want to locate on an internal network (not connected to the Internet), should be able to use any of these. At the very minimum, a central server should be able to generate OVAL queries from the e-mail messages it receives (the advisories sent to the mailing list). Bandwidth usage should be taken into account: mail, RDF feeds and HTML parsing might be better than fetching the Packages file from remote mirrors.

With this system an administrator could answer the following questions:

Optionally, the central station could rate the urgency of an update using CVSS, by following the CVE links in the DSAs and extracting the score from the National Vulnerability Database.