OVAL Agent for Debian


The goal of this project would be the development of a mechanism to manage the security update status of clusters of Debian systems. Although there are many tools to check locally for the availability of security updates (such as update-notifier, integrated with the GNOME desktop, or cron-apt; more information is available in the [http://www.debian.org/doc/manuals/securing-debian-howto/ch10.en.html#s-keep-secure Securing Debian Manual]), there is no easy way to manage tens or hundreds of systems.

The project should start by developing an [http://oval.mitre.org OVAL] agent for Debian, since OVAL already provides a uniform mechanism to check for the status of security updates and to report it to a central server. Other distributions (currently Red Hat) already use OVAL, and building on a standard would make it easier to integrate with third-party tools as well.

Once that is done, the developer should work on a mechanism to automatically generate OVAL queries from the published Debian Security Advisories (a beta version of such a tool already exists on the project's website, but it is not yet deployed). That would make it possible to provide, in a single file, the information about all available updates for the central station to download.

Optionally, it could also use the information available in the database managed by the [http://secure-testing-master.debian.net/ Debian Security Testing team] to generate OVAL information even for vulnerabilities that have not yet been patched in Debian. This information is currently available in the [http://security-tracker.debian.net/tracker/ Security bug Tracker] and there is only one tool (debsecan) that makes use of it.

Finally, a central monitor should be developed (an OVAL server). This server would distribute queries to the OVAL agents in order to determine which systems need security updates. The administrator could check the central monitor and review the systems that need to be patched, and should be able to mark updates as "not relevant" or "not considered for this system", so that the central station could be used as a tool to control when to update and patch systems, or even what action to take on a system if no update is yet available from Debian.

Optionally, the central station could rate the urgency of the update using [http://www.first.org/cvss/ CVSS] (by using the CVE links available in the DSAs and extracting this information from the [http://nvd.nist.gov/ National Vulnerability Database]).