审计

在 SUSE Multi-Linux Manager 中,您可以通过一系列审计任务来跟踪客户端。您可以检查客户端上是否安装了所有最新的公共安全补丁 (CVE),执行订阅匹配,并使用 OpenSCAP 检查合规性。

在 SUSE Multi-Linux Manager Web UI 中,导航到审计执行审计任务。

1. CVE 审计

A CVE (Common Vulnerabilities and Exposures) is a fix for a publicly known security vulnerability.

只要有可用的 CVE,就必须在客户端上应用它们。

每个 CVE 包含一个标识号、漏洞说明以及更多信息的链接。CVE 标识号使用 CVE-YEAR-XXXX 格式。

在 SUSE Multi-Linux Manager Web UI 中,导航到审计  CVE 审计 以查看所有客户端及其当前补丁状态的列表。

By default, the patch data is updated at 23:00 every day. We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest patches.

Procedure: Updating Patch Data

  1. 在 SUSE Multi-Linux Manager Web UI 中,导航到管理  任务日程安排,然后选择 cve-server-channels-default 日程安排。

  2. 单击 cve-server-channels-bunch

  3. Click Single Run Schedule to schedule the task. Allow the task to complete before continuing with the CVE audit.

过程:校验补丁状态

  1. 在 SUSE Multi-Linux Manager Web UI 中,导航到审计  CVE 审计

  2. 要检查特定 CVE 的补丁状态,请在 CVE 编号字段中键入 CVE 标识符。

  3. 选择您要查看的补丁状态,或保持选中所有状态以查看所有补丁状态。

  4. 单击 审计服务器 检查所有系统,或单击 审计映像 检查所有映像。

有关此页面上使用的补丁状态图标的详细信息,请参见 CVE 审计

For each system, the Actions column provides information about what you need to do to address vulnerabilities. If applicable, a list of candidate channels or patches is also given. You can also assign systems to a System Set for further batch processing.

可以使用 SUSE Multi-Linux Manager API 来校验客户端的补丁状态。使用 audit.listSystemsByPatchStatus API 方法。有关此方法的详细信息,请参见《SUSE Multi-Linux Manager API 指南》。

2. OVAL

In addition to retrieving CVE information from channel data, SUSE Multi-Linux Manager now includes an experimental feature that fetches CVE details from OVAL files. This functionality is currently considered a Technology Preview.

Users are encouraged to experiment with this feature and share feedback. However, it is not yet recommended for production use without thorough testing in a test environment.

The CVE Audit operation relies on two primary data sources: channels and OVAL (Open Vulnerability and Assessment Language). These two sources provide the metadata for conducting CVE audits, each serving a distinct purpose.

通道

Channels include the updated software packages, including the patches, and provide insights into the essential patches required to address vulnerabilities.

OVAL (Technology Preview)

In contrast, OVAL data supply the information about vulnerabilities themselves, and packages that render a system vulnerable to a CVE.

While it is possible to conduct CVE audits using only channels data, synchronizing OVAL data enhances the accuracy of the results, particularly in cases involving zero-day vulnerabilities or partially patched vulnerabilities.

OVAL data is much more lightweight than channels data. For example, OVAL data for openSUSE Leap 15.4 is around 50 MB.

Having synced OVAL data only, you can already perform CVE audits and check if your systems are vulnerable or not to a CVE, but you can’t apply patches since they come from channels.

Key characteristics of the OVAL feature include:

  • Disabled by default: The feature is turned off by default and must be explicitly enabled by the user by updating the configuration file rhn.conf and restarting relevant services.

  • Reversible: If any issues arise, users can revert back to the standard channel-based CVE audit.

  • Performance considerations: While initial testing has been conducted, there are still concerns regarding performance, and further optimizations may be needed.

  • OVAL data is updated at 23:00 every day by default. We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest vulnerabilities metadata.
Procedure: Enabling OVAL Data Support

  1. Add or modify the following setting in rhn.conf:

    java.cve_audit.enable_oval_metadata=true

  2. Restart the Tomcat and Taskomatic services:

    systemctl restart tomcat taskomatic

If you encounter issues and need to revert to the default behavior, disable the feature by setting:

Procedure: Disabling OVAL Data Support

  1. Add or modify the following setting in rhn.conf:

    java.cve_audit.enable_oval_metadata=false

  2. Restart the Tomcat and Taskomatic services:

    systemctl restart tomcat taskomatic
Procedure: Updating OVAL Data

  1. In the SUSE Multi-Linux Manager Web UI, navigate to Admin  Task Schedules and select the oval-data-sync-default schedule.

  2. Click oval-data-sync-bunch.

  3. 单击 单次运行安排 以安排任务。

等待该任务完成,然后继续进行 CVE 审计。

2.1. Collect CPE

To be able to accurately identify what vulnerabilities apply to a certain client, we need to identify the operating system product that client uses. To do that, we collect the CPE (Common Platform Enumeration) of the client as a salt grain, then we save it to the database.

The CPE of newly registered clients will be automatically collected and saved to the database. However, for existing clients, it is necessary to execute the Update Packages List action at least once.

Procedure: Update Packages List

  1. In the SUSE Multi-Linux Manager Web UI, navigate to Systems  System List  All and select a client.

  2. Then go to the Software tab and select the Packages sub-tab.

  3. Click Update Packages List to update packages and collect the CPE of client.

2.2. OVAL Sources

To ensure the integrity and currency of the OVAL data, SUSE Multi-Linux Manager exclusively consumes OVAL data from the official maintainers of every product. Below, you can find the list of OVAL data sources.

Table 1. OVAL Sources
Product Source URL

openSUSE Leap

https://ftp.suse.com/pub/projects/security/oval

openSUSE Leap Micro

SUSE Linux Enterprise Server

SUSE Linux Enterprise Desktop

SUSE Linux Enterprise Micro

RedHat Enterprise Linux

https://www.redhat.com/security/data/oval/v2

Debian

https://www.debian.org/security/oval

Ubuntu

https://security-metadata.canonical.com/oval

OVAL metadata is used in CVE auditing for only a subset of clients, namely, clients that use openSUSE Leap, SUSE enterprise products, RHEL, Debian or Ubuntu. This is due to the absence of OVAL vulnerability definitions metadata for the other products.

3. CVE 状态

客户端的 CVE 状态通常是受影响不受影响已修补。这些状态仅取决于 SUSE Multi-Linux Manager 适用的信息。

在 SUSE Multi-Linux Manager 中,以下定义适用:

受特定漏洞影响的系统

系统中安装的某个软件包版本低于标记为漏洞的相关补丁中相同软件包的版本。

不受特定漏洞影响的系统

同时包含在标记为漏洞的相关补丁中的软件包未安装在系统上。

针对某个漏洞进行了修补的系统

系统中安装的某个软件包版本等同于或高于标记为漏洞的相关补丁中相同软件包的版本。

相关补丁

SUSE Multi-Linux Manager 在相关通道中已知的补丁。

相关通道

由 SUSE Multi-Linux Manager 管理的通道,该通道被指派到系统、是指派到系统的克隆通道的原始通道、是链接到系统上安装的产品的通道,或者是系统的过去或将来的服务包通道。

由于 SUSE Multi-Linux Manager 中使用的定义,CVE 审计结果在某些情况下可能不正确。例如,非受管通道、非受管软件包或不合规的系统可能会错误地报告结果。