This lecture will present an overview of vulnerability assessment processes and methodologies.
This exercise will be used to explore aspects of an assessment, complementing the work developed in the last laboratory.
As the scope we consider all hosts and services available at the laboratory network. The assessment should not try to pentest the systems, but small explorations are allowed. No data should be corrupted, and no credentials should be modified. Normal operation of the VMs should not be disrupted.
One of the lab virtual machines has an open-access Ubuntu system with OpenSCAP installed. This tool will enable us to demonstrate the operation of several SCAP mechanisms, especially those related to the validation of policies.
In order to proceed, create a folder named after you in the user account. Do all work inside this folder, so that you do not impact your colleagues.
Download the compressed XML OVAL definitions from Canonical. The definition files follow this naming convention:
com.ubuntu.<example release name>.usn.oval.xml.bz2
The OVAL definitions are therefore specific to each distribution release, as they relate to the actual software and configuration of that release.
wget https://security-metadata.canonical.com/oval/com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
Uncompress the data:
bunzip2 com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
Check the content of the XML file and analyse its structure. Take one vulnerability, such as CVE-2018-3174, and identify the test that is conducted to determine whether the vulnerability is present.
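To see what "the test" behind a CVE looks like without scrolling through the whole file by hand, here is an added Python example (it is not part of the lab material or of OpenSCAP) that follows a definition's criteria to the tests, objects and states it references. The embedded XML is a constructed sample that copies the layout of the Canonical feed; its ids, the package name example-pkg and the version string are placeholders. To run it on the real definitions, pass the contents of the downloaded file to explain_cve instead of SAMPLE_OVAL.

```python
"""Walk an OVAL definitions file from a CVE reference to the concrete test it runs."""
import xml.etree.ElementTree as ET

# Constructed sample mimicking the Canonical OVAL feed layout. Ids, package
# name and version are placeholders, not entries from the real feed.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <definitions>
    <definition class="patch" id="oval:example:def:1" version="1">
      <metadata>
        <title>USN-0000-0 -- example-pkg vulnerabilities (constructed)</title>
        <reference source="CVE" ref_id="CVE-2018-3174"
                   ref_url="https://ubuntu.com/security/CVE-2018-3174"/>
      </metadata>
      <criteria>
        <extend_definition definition_ref="oval:example:def:100"
                           comment="Example release is installed."/>
        <criteria operator="OR">
          <criterion test_ref="oval:example:tst:10" comment="example-pkg is vulnerable"/>
        </criteria>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <linux-def:dpkginfo_test id="oval:example:tst:10" version="1" check="at least one"
        comment="Does example-pkg exist and is the version less than 1.2.3-0ubuntu1?">
      <linux-def:object object_ref="oval:example:obj:10"/>
      <linux-def:state state_ref="oval:example:ste:10"/>
    </linux-def:dpkginfo_test>
  </tests>
  <objects>
    <linux-def:dpkginfo_object id="oval:example:obj:10" version="1">
      <linux-def:name>example-pkg</linux-def:name>
    </linux-def:dpkginfo_object>
  </objects>
  <states>
    <linux-def:dpkginfo_state id="oval:example:ste:10" version="1">
      <linux-def:evr datatype="debian_evr_string" operation="less than">0:1.2.3-0ubuntu1</linux-def:evr>
    </linux-def:dpkginfo_state>
  </states>
</oval_definitions>
"""


def local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def index_by_id(root):
    """Map every element that carries an id attribute to the element itself."""
    return {el.get("id"): el for el in root.iter() if el.get("id")}


def find_definitions_for_cve(root, cve):
    """Return all <definition> elements whose metadata references the CVE."""
    hits = []
    for d in root.iter():
        if local(d.tag) != "definition":
            continue
        if any(local(r.tag) == "reference" and r.get("ref_id") == cve for r in d.iter()):
            hits.append(d)
    return hits


def collect_refs(definition):
    """Gather criterion test_refs and extend_definition refs from nested criteria."""
    tests = [el.get("test_ref") for el in definition.iter() if local(el.tag) == "criterion"]
    extends = [el.get("definition_ref") for el in definition.iter()
               if local(el.tag) == "extend_definition"]
    return tests, extends


def describe_test(by_id, test_id):
    """Resolve a test to its object (what is inspected) and state (expected value)."""
    test = by_id[test_id]
    info = {"id": test_id, "type": local(test.tag), "comment": test.get("comment")}
    for child in test:
        if local(child.tag) == "object":
            obj = by_id[child.get("object_ref")]
            info["object"] = {local(c.tag): (c.text or "").strip() for c in obj}
        elif local(child.tag) == "state":
            st = by_id[child.get("state_ref")]
            info["state"] = {local(c.tag): {"operation": c.get("operation"),
                                             "value": (c.text or "").strip()} for c in st}
    return info


def explain_cve(xml_text, cve):
    """For each definition covering the CVE, list the tests it evaluates."""
    root = ET.fromstring(xml_text)
    by_id = index_by_id(root)
    out = []
    for d in find_definitions_for_cve(root, cve):
        test_refs, extends = collect_refs(d)
        out.append({"definition": d.get("id"),
                    "title": next(t.text for t in d.iter() if local(t.tag) == "title"),
                    "requires": extends,
                    "tests": [describe_test(by_id, t) for t in test_refs]})
    return out


if __name__ == "__main__":
    for entry in explain_cve(SAMPLE_OVAL, "CVE-2018-3174"):
        print(entry["definition"], "-", entry["title"], "requires", entry["requires"])
        for t in entry["tests"]:
            print("  ", t["type"], t.get("object"), t.get("state"))
```

In the Canonical feed the pattern is the same as in the sample: the definition is gated by an extend_definition that checks the release is installed, and each criterion is a dpkginfo_test that compares the installed package's evr against the version that fixed the issue using "less than". A definition evaluating to true therefore means the package is installed at a version older than the fix.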
Using OpenSCAP you can evaluate the OVAL definitions and generate an HTML report covering all of them:
oscap oval eval --report report.html com.ubuntu.$(lsb_release -cs).usn.oval.xml
The output to stdout should be a series of lines, one per definition being evaluated. After a few minutes the tool should finish. The report is written to the file report.html. You can transfer the file using scp and view it on your laptop:
scp user@IP:myfolder/report.html .
Analyse the report produced.
- Is there any vulnerability in the system?
- Are there critical vulnerabilities?
As you can see, the results display the details of each vulnerability, as well as a link to the CVE for each one. If you see any result listed as true, you will want to address that vulnerability immediately. Note that a large number of vulnerabilities are tested, so hopefully the Ubuntu server will come up false for every test. If updates are lacking, newer OVAL definition files may uncover other known vulnerabilities.
Of course, you don't really have to scroll through the entirety of the results. You can always glance at the OVAL Results Generator Information to see how many vulnerabilities are:
- Unpatched (red)
- Patched (green)
- Errors (yellow)
- Unknown (blue)
- Other (white)
The OVAL Results Generator Information table at the top of the report lists the Schema Version, Product Name, Product Version, Date and Time of the run.
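The same counts as the report's summary, plus the list of definitions that evaluated to true with their CVE references, can be produced from the machine-readable results that oscap oval eval writes when given --results results.xml alongside --report. This is an added Python example, not part of the lab material or of OpenSCAP; the embedded document is a constructed results fragment with placeholder definition ids, titles and CVE ids, and results.xml is an assumed file name. It is handy for the summary to the network owner asked for at the end of the lab.

```python
"""Tally an OVAL results document into the report's buckets and list unpatched findings."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample with the layout of an oval-results-5 document: the
# definitions are embedded (with id) and the per-definition verdicts follow
# (with definition_id). Ids, titles and CVE ids are placeholders.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
    xmlns:def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <def:oval_definitions>
    <def:definitions>
      <def:definition id="oval:example:def:1" class="patch" version="1">
        <def:metadata><def:title>USN-0001-1 -- pkg-a (constructed)</def:title>
          <def:reference source="CVE" ref_id="CVE-0000-0001"/>
          <def:reference source="CVE" ref_id="CVE-0000-0002"/></def:metadata>
      </def:definition>
      <def:definition id="oval:example:def:2" class="patch" version="1">
        <def:metadata><def:title>USN-0002-1 -- pkg-b (constructed)</def:title>
          <def:reference source="CVE" ref_id="CVE-0000-0003"/></def:metadata>
      </def:definition>
      <def:definition id="oval:example:def:3" class="patch" version="1">
        <def:metadata><def:title>USN-0003-1 -- pkg-c (constructed)</def:title></def:metadata>
      </def:definition>
      <def:definition id="oval:example:def:4" class="patch" version="1">
        <def:metadata><def:title>USN-0004-1 -- pkg-d (constructed)</def:title></def:metadata>
      </def:definition>
    </def:definitions>
  </def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example:def:1" result="true" version="1"/>
        <definition definition_id="oval:example:def:2" result="false" version="1"/>
        <definition definition_id="oval:example:def:3" result="error" version="1"/>
        <definition definition_id="oval:example:def:4" result="not applicable" version="1"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""

# OVAL result values mapped onto the five buckets the HTML report shows;
# anything else ("not evaluated", "not applicable") counts as "other".
BUCKETS = {"true": "unpatched", "false": "patched", "error": "error", "unknown": "unknown"}


def local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def definition_metadata(root):
    """Map definition id -> (title, [CVE ids]) from the embedded definitions."""
    meta = {}
    for d in root.iter():
        if local(d.tag) == "definition" and d.get("id"):
            title = next((t.text for t in d.iter() if local(t.tag) == "title"), "")
            cves = [r.get("ref_id") for r in d.iter()
                    if local(r.tag) == "reference" and r.get("source") == "CVE"]
            meta[d.get("id")] = (title, cves)
    return meta


def summarize_results(xml_text):
    """Return (bucket counts, list of unpatched findings with title and CVEs)."""
    root = ET.fromstring(xml_text)
    meta = definition_metadata(root)
    counts = Counter()
    unpatched = []
    for d in root.iter():
        # Verdict elements carry definition_id; the embedded definitions carry id.
        if local(d.tag) == "definition" and d.get("definition_id"):
            result = d.get("result")
            counts[BUCKETS.get(result, "other")] += 1
            if result == "true":
                title, cves = meta.get(d.get("definition_id"), ("", []))
                unpatched.append({"id": d.get("definition_id"), "title": title, "cves": cves})
    return dict(counts), unpatched


if __name__ == "__main__":
    counts, findings = summarize_results(SAMPLE_RESULTS)
    print(counts)
    for f in findings:
        print(f["id"], f["title"], ", ".join(f["cves"]))
```

To use it on a real scan, read results.xml from the evaluation and pass its text to summarize_results; the "unpatched" bucket corresponds to the red count in the report, and the returned findings give the CVE ids to cite in the summary for the network owner.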
Another system is present in the network for you to assess. Repeat the steps and analyse the report.
- Combine all data from your assessment (network and SCAP)
- Write a short summary to the network owner with the most relevant findings
- Include some recommendations