- Posts: 7
- Joined: 2015/05/05 18:49:42
- Location: Minneapolis, MN, USA
The vulnerability management solution I am currently working with reports a lot of false positives for packages because it is evaluating the version number only.
For example, the current httpd package on CentOS 7 is Apache 2.4.6, many versions behind the current version, but it includes backported patches. This can be seen by viewing the RPM changelog:
$ rpm -q --changelog httpd | grep CVE
- Resolves: #1566317 - CVE-2018-1312 httpd: Weak Digest auth nonce generation
- Resolves: #1696141 - CVE-2019-0217 httpd: mod_auth_digest: access control
- Resolves: #1696096 - CVE-2019-0220 httpd: URL normalization inconsistency
- Resolves: #1493065 - CVE-2017-9798 httpd: Use-after-free by limiting
- Resolves: #1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw()
It appears that I can use SCAP files (e.g. OVAL and XCCDF files) with the vulnerability management system. RHEL provides some files that appear to address this issue: https://www.redhat.com/security/data/oval/v2/
Are there similar files for CentOS? Would the RHEL files work for CentOS? Wondering if anyone has experience with this.
@cherdt - sometimes I forget that I have a twitter account
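As an added example (not code from either post), a small POSIX shell script that turns the rpm changelog check above into a triage step: it takes the CVE ids a version-only scanner reports for a package and marks each one "fixed" or "open" depending on whether the package's changelog mentions it. The SAMPLE_CHANGELOG text is constructed from the output quoted above so the script runs without rpm; on a CentOS host pass a real package name instead of "sample".

```shell
#!/bin/sh
# Added example: cross-check scanner CVE findings against the RPM changelog
# so backported fixes are not reported as open vulnerabilities.
# Assumes rpm(8) is installed on the host being checked; the constructed
# sample below lets the script run offline for demonstration.

# Constructed sample changelog, modelled on the httpd output in the thread.
SAMPLE_CHANGELOG='- Resolves: #1566317 - CVE-2018-1312 httpd: Weak Digest auth nonce generation
- Resolves: #1696141 - CVE-2019-0217 httpd: mod_auth_digest: access control
- Resolves: #1696096 - CVE-2019-0220 httpd: URL normalization inconsistency'

# changelog_for PKG: print the changelog of an installed package, or the
# constructed sample when PKG is "sample".
changelog_for() {
    if [ "$1" = "sample" ]; then
        printf '%s\n' "$SAMPLE_CHANGELOG"
    else
        rpm -q --changelog "$1"
    fi
}

# cve_status PKG CVE: print "fixed" if the exact CVE id appears in the
# changelog, "open" otherwise. -F avoids regex surprises, -w stops
# CVE-2018-1312 from matching a longer id such as CVE-2018-13120.
cve_status() {
    if changelog_for "$1" | grep -qwF "$2"; then
        echo fixed
    else
        echo open
    fi
}

# triage PKG CVE...: one "PKG CVE status" line per id, then the number of
# ids still open on the last line (the ones that need real attention).
triage() {
    pkg=$1; shift
    open=0
    for cve in "$@"; do
        status=$(cve_status "$pkg" "$cve")
        if [ "$status" = "open" ]; then
            open=$((open + 1))
        fi
        echo "$pkg $cve $status"
    done
    echo "$open"
}
```

Lines marked "fixed" are candidates for the scanner's exception list; verify them against the distribution's errata before suppressing anything.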
- Posts: 2018
- Joined: 2015/02/17 15:14:33
- Location: Bulgaria
CentOS does not provide such data, but you have 2 options:
1. Use RedHat's solution, but keep in mind that it might not work
2. Use Uyuni (upstream of SuSE Manager - spacewalk based)
The second option allows running SCAP or analyzing the system based on installed packages. The CVE report takes its data from the RPMs and is quite reliable.