Skip to content

Feature 6096: Scan RHEL/CentOS hosts using OVAL definitions#6241

Merged
juan-fdz-hawa merged 40 commits intomainfrom
6096-use-oval-to-detect-centosred-hat-vulnerabilities
Jun 23, 2022
Merged

Feature 6096: Scan RHEL/CentOS hosts using OVAL definitions#6241
juan-fdz-hawa merged 40 commits intomainfrom
6096-use-oval-to-detect-centosred-hat-vulnerabilities

Conversation

@juan-fdz-hawa
Copy link
Copy Markdown
Contributor

@juan-fdz-hawa juan-fdz-hawa commented Jun 15, 2022
edited
Loading

#6096

Apologies for the huge PR - I took the opportunity to do a fair bit of clean up and add some missing tests.

This PR extends the OVAL parser/analyzer so that we can scan RHEL based systems. While working on this I discovered that the way we store RHEL software versions is a little bit inconsistent with the way Ubuntu software versions are stored (see #6236 ), that said, ignoring the Epoch didn't affect the accuracy of the results at all (probably because epoch numbers don't change that much).

Checklist for submitter

  • Changes file added for user-visible changes (in changes/ and/or orbit/changes/).
  • Ensured that input data is properly validated, SQL injection is prevented (using placeholders for values in statements)
  • Added/updated tests
  • Manual QA for all new/changed functionality

Juan Fernandez and others added 30 commits June 8, 2022 14:49
@juan-fdz-hawa
Remove CentOS post-processing
a5b42c2
@juan-fdz-hawa
Moved OVAL test data to upper directory
62ad2b4
@juan-fdz-hawa
Use t.TempDir()
53b2811
@juan-fdz-hawa
Renamed VulnerabilitySource constants
ca32887
@juan-fdz-hawa
Renamed DeleteVulnerabilitiesByCPECVE -> DeleteSoftwareVulnerabilities
99e7bce
@juan-fdz-hawa
Oval definitions for rhel based systems only use the major version as…
0b6a4e7 
… an identifier
@juan-fdz-hawa
Added OVAL input types for RHEL
f8c920a
@juan-fdz-hawa
WIP: Parse rhel OVAl defs
8173688
@juan-fdz-hawa
Added missing tests for mappers
c501925
@juan-fdz-hawa
Fill in parseRhelXML
5102127
@juan-fdz-hawa
Parse OVAL definitions for RHEL
b816a41
@juan-fdz-hawa
Added missing tests for parser
b4ddce2
@juan-fdz-hawa
Added rpm_verify_object and rpm_verify_state to parser
f624765
@juan-fdz-hawa
WIP: Extend analyzer to use OS tests results
924f813
@juan-fdz-hawa
Added implementation for object_state_string.go
b78ba66
@juan-fdz-hawa
Propagate errors from state objects
93019fa
@juan-fdz-hawa
Implemented ObjectStateSimpleValue
e25ac6e
@juan-fdz-hawa
Implemented #EvalSoftware on ObjectInfoState, which evaluates the pas…
93f9cc7 
…sed software against the specified state
@juan-fdz-hawa
Implement EvalOSVersion
48915d8
@juan-fdz-hawa
Wire up RpmVerifyFileTest and RpmInfoTest
0693dbe
@juan-fdz-hawa
Only allow Name and Version as state props for RpmVerifyFile
72cb655
@juan-fdz-hawa
Use vulnerability/testdata when populating vuln software in osquery-perf
bbc4d08
@juan-fdz-hawa
Extracted partial for ubuntu hosts
b4988fb
@juan-fdz-hawa
Added software inventory for CentOS and RedHat
c662aae
@juan-fdz-hawa
Don't match cpe->cves for rhel platforms
5251dc6
@juan-fdz-hawa
Added missing info to the rpm verify file tests, fixed misc bugs
577a965
@juan-fdz-hawa
Added CVEs, if vals is empty return identity when evaluating operator…
5fdb54f 
…_type, skip epoch when processing RPM evr strings
@juan-fdz-hawa
Added RHEL OVAL defs to test data
0eb8c1f
@juan-fdz-hawa
Added integration tests for RHEL
96311f8
@juan-fdz-hawa
Merge branch 'main' into 6096-use-oval-to-detect-centosred-hat-vulner…
cfb670c 
…abilities
@juan-fdz-hawa juan-fdz-hawa changed the title 6096 use oval to detect centos red hat vulnerabilities Feature 6096: Scan RHEL/CentOS hosts using OVAL definitions Jun 16, 2022
@juan-fdz-hawa juan-fdz-hawa temporarily deployed to Docker Hub June 16, 2022 14:11 Inactive
@juan-fdz-hawa juan-fdz-hawa temporarily deployed to Docker Hub June 16, 2022 14:19 Inactive
@juan-fdz-hawa juan-fdz-hawa marked this pull request as ready for review June 16, 2022 14:21
@juan-fdz-hawa juan-fdz-hawa requested a review from a team as a code owner June 16, 2022 14:21
@juan-fdz-hawa
Copy link
Copy Markdown
Contributor Author

juan-fdz-hawa commented Jun 16, 2022

@lucasmrod - I think I got all the CentOS post-processing code, but could you please double check? Thanks

@juan-fdz-hawa juan-fdz-hawa temporarily deployed to Docker Hub June 20, 2022 19:22 Inactive
@juan-fdz-hawa juan-fdz-hawa temporarily deployed to Docker Hub June 20, 2022 19:23 Inactive
@juan-fdz-hawa juan-fdz-hawa temporarily deployed to Docker Hub June 21, 2022 12:40 Inactive
chiiph
chiiph reviewed Jun 21, 2022
View reviewed changes
Comment thread server/vulnerabilities/oval/analyzer_test.go
Arch string `json:"arch"`
}

func extract(src, dst string, t require.TestingT) {
Copy link
Copy Markdown
Contributor

@chiiph chiiph Jun 21, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should move this to pkg/ to a testing package.

@juan-fdz-hawa juan-fdz-hawa mentioned this pull request Jun 22, 2022
Merged
2 tasks
chiiph
chiiph reviewed Jun 22, 2022
View reviewed changes
Comment thread server/vulnerabilities/oval/parsed/object_info_state.go
)

type ObjectInfoState struct {
Name *ObjectStateString `json:",omitempty"`
Copy link
Copy Markdown
Contributor

@chiiph chiiph Jun 22, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be obvious to others, but what does this empty json field name do?

Copy link
Copy Markdown
Contributor Author

@juan-fdz-hawa juan-fdz-hawa Jun 22, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It depends on the object associated with the state, for example, in case the object is a dpkg package Name refers to the name of the package. It has omitempty because is not required.

Copy link
Copy Markdown
Contributor

@chiiph chiiph Jun 22, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Huh... Does it default to Name if the tag itself is not specified? TIL

chiiph
chiiph previously approved these changes Jun 23, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@chiiph chiiph left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Have we load tested this?

@juan-fdz-hawa juan-fdz-hawa self-assigned this Jun 23, 2022
@juan-fdz-hawa
Copy link
Copy Markdown
Contributor Author

juan-fdz-hawa commented Jun 23, 2022
edited
Loading

Looks good! Have we load tested this?

No, but I expect to see the same performance characteristics as with Ubuntu - the only difference is that this will consume more memory because the OVAL files for RHEL are bigger - I'll add a bench mark test for this

  • Benchmark this

@juan-fdz-hawa juan-fdz-hawa temporarily deployed to Docker Hub June 23, 2022 20:24 Inactive
@juan-fdz-hawa juan-fdz-hawa merged commit 9d01ba3 into main Jun 23, 2022
@juan-fdz-hawa juan-fdz-hawa deleted the 6096-use-oval-to-detect-centosred-hat-vulnerabilities branch June 23, 2022 20:44
@juan-fdz-hawa juan-fdz-hawa mentioned this pull request Jun 24, 2022
Closed
@lucasmrod lucasmrod mentioned this pull request Jun 29, 2022
Closed
@juan-fdz-hawa juan-fdz-hawa mentioned this pull request Jun 30, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@chiiph chiiph chiiph approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@juan-fdz-hawa juan-fdz-hawa

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@juan-fdz-hawa @codecov-commenter @chiiph