Auditing

In SUSE Manager, you can keep track of your clients through a series of auditing tasks. You can check that your clients are up to date with all public security patches (CVEs), perform subscription matching, and use OpenSCAP to check for specification compliance.

In the SUSE Manager Web UI, navigate to Audit to perform auditing tasks.

1. CVE Audits

A CVE (Common Vulnerabilities and Exposures) is a fix for a publicly known security vulnerability.

You must apply CVEs to your clients as soon as they become available.

Each CVE contains an identification number, a description of the vulnerability, and links to further information. CVE identification numbers use the form CVE-YEAR-XXXX.

In the SUSE Manager Web UI, navigate to Audit CVE Audit to see a list of all clients and their current patch status.

By default, the patch data is updated at 23:00 every day. We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest patches.

Procedure: Updating Patch Data

In the SUSE Manager Web UI, navigate to Admin Task Schedules and select the cve-server-channels-default schedule.
Click cve-server-channels-bunch.
Click Single Run Schedule to schedule the task. Allow the task to complete before continuing with the CVE audit.

Procedure: Verifying Patch Status

In the SUSE Manager Web UI, navigate to Audit CVE Audit.
To check the patch status for a particular CVE, type the CVE identifier in the CVE Number field.
Select the patch statuses you want to look for, or leave all statuses checked to look for all.
Click Audit Servers to check all systems, or click Audit Images to check all images.

For more information about the patch status icons used on this page, see CVE Audit.

For each system, the Actions column provides information about what you need to do to address vulnerabilities. If applicable, a list of candidate channels or patches is also given. You can also assign systems to a System Set for further batch processing.

You can use the SUSE Manager API to verify the patch status of your clients. Use the audit.listSystemsByPatchStatus API method. For more information about this method, see the SUSE Manager API Guide.

2. OVAL

In addition to retrieving CVE information from channel data, SUSE Manager now includes an experimental feature that fetches CVE details from OVAL files. This functionality is currently considered a Technology Preview.

Users are encouraged to experiment with this feature and share feedback. However, it is not yet recommended for production use without thorough testing in a test environment.

The CVE Audit operation relies on two primary data sources: channels and OVAL (Open Vulnerability and Assessment Language). These two sources provide the metadata for conducting CVE audits, each serving a distinct purpose.

Channels: Channels include the updated software packages, including the patches, and provide insights into the essential patches required to address vulnerabilities.
OVAL (Technology Preview): In contrast, OVAL data supply the information about vulnerabilities themselves, and packages that render a system vulnerable to a CVE.

While it is possible to conduct CVE audits using only channels data, synchronizing OVAL data enhances the accuracy of the results, particularly in cases involving zero-day vulnerabilities or partially patched vulnerabilities.

OVAL data is much more lightweight than channels data. For example, OVAL data for openSUSE Leap 15.4 is around 50 MB.

Having synced OVAL data only, you can already perform CVE audits and check if your systems are vulnerable or not to a CVE, but you can’t apply patches since they come from channels.

Key characteristics of the OVAL feature include:

Disabled by default: The feature is turned off by default and must be explicitly enabled by the user by updating the configuration file rhn.conf and restarting relevant services.
Reversible: If any issues arise, users can revert back to the standard channel-based CVE audit.
Performance considerations: While initial testing has been conducted, there are still concerns regarding performance, and further optimizations may be needed.
OVAL data is updated at 23:00 every day by default. We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest vulnerabilities metadata.

Procedure: Enabling OVAL Data Support

Add or modify the following setting in rhn.conf:
```
java.cve_audit.enable_oval_metadata=true
```
Restart the Tomcat and Taskomatic services:
```
systemctl restart tomcat taskomatic
```

If you encounter issues and need to revert to the default behavior, disable the feature by setting:

Procedure: Disabling OVAL Data Support

Add or modify the following setting in rhn.conf:
```
java.cve_audit.enable_oval_metadata=false
```
Restart the Tomcat and Taskomatic services:
```
systemctl restart tomcat taskomatic
```

Procedure: Updating OVAL Data

In the SUSE Manager Web UI, navigate to Admin Task Schedules and select the oval-data-sync-default schedule.
Click oval-data-sync-bunch.
Click Single Run Schedule to schedule the task.

Allow the task to complete before continuing with the CVE audit.

2.1. Collect CPE

To be able to accurately identify what vulnerabilities apply to a certain client, we need to identify the operating system product that client uses. To do that, we collect the CPE (Common Platform Enumeration) of the client as a salt grain, then we save it to the database.

The CPE of newly registered clients will be automatically collected and saved to the database. However, for existing clients, it is necessary to execute the Update Packages List action at least once.

Procedure: Update Packages List

In the SUSE Manager Web UI, navigate to Systems System List All and select a client.
Then go to the Software tab and select the Packages sub-tab.
Click Update Packages List to update packages and collect the CPE of client.

2.2. OVAL Sources

To ensure the integrity and currency of the OVAL data, SUSE Manager exclusively consumes OVAL data from the official maintainers of every product. Below, you can find the list of OVAL data sources.

Table 1. OVAL Sources
Product	Source URL
openSUSE Leap	https://ftp.suse.com/pub/projects/security/oval
openSUSE Leap Micro
SUSE Linux Enterprise Server
SUSE Linux Enterprise Desktop
SUSE Linux Enterprise Micro
RedHat Enterprise Linux	https://www.redhat.com/security/data/oval/v2
Debian	https://www.debian.org/security/oval
Ubuntu	https://security-metadata.canonical.com/oval

OVAL metadata is used in CVE auditing for only a subset of clients, namely, clients that use openSUSE Leap, SUSE enterprise products, RHEL, Debian or Ubuntu. This is due to the absence of OVAL vulnerability definitions metadata for the other products.

3. CVE Status

The CVE status of clients is usually either affected, not affected, or patched. These statuses are based only on the information that is available to SUSE Manager.

Within SUSE Manager, these definitions apply:

System affected by a certain vulnerability: A system which has an installed package with version lower than the version of the same package in a relevant patch marked for the vulnerability.
System not affected by a certain vulnerability: A system which has no installed package that is also in a relevant patch marked for the vulnerability.
System patched for a certain vulnerability: A system which has an installed package with version equal to or greater than the version of the same package in a relevant patch marked for the vulnerability.
Relevant patch: A patch known by SUSE Manager in a relevant channel.
Relevant channel: A channel managed by SUSE Manager, which is either assigned to the system, the original of a cloned channel which is assigned to the system, a channel linked to a product which is installed on the system or a past or future service pack channel for the system.

Because of the definitions used within SUSE Manager, CVE audit results might be incorrect in some circumstances. For example, unmanaged channels, unmanaged packages, or non-compliant systems might report incorrectly.