Tag Archives: CIS

Assessing Linux Security Configurations with SCAP Workbench

Recently I had a chance to work with OpenSCAP. It’s a set of free and open-source tools for Linux Configuration Assessment and  a collection security content in SCAP (Security Content Automation Protocol) format.

In this post I will write about SCAP Workbench. It is a GUI application that can check the configuration of your local Linux host (or the remote host via ssh; note that agent installation is required), and show the settings that are not comply with some security standard, for example PCI DSS or DISA STIG.

SCAP Workbench PCI DSS CentOS7 localhost

Moreover, you can generate the script for automated remediation. You can also create your own scan profiles based on existing  SCAP content.

Continue reading

Vulnerability Databases: Classification and Registry

What publicly available Vulnerability Databases do we have? Well, I can only say that there are a lot of them and they are pretty different. Here I make an attempt to classify them.

It’s quite an ungrateful task. No matter how hard you try, the final result will be rather inaccurate and incomplete. I am sure someone will be complaining. But this is how I see it. 😉 If you want to add or change something feel free to make a comment bellow or email me@avleonov.com.

The main classifier, which I came up with:

  • There are individual vulnerability databases in which one identifier means one vulnerability. They try to cover all existing vulnerabilities.
  • And others are security bulletins. They cover vulnerabilities in a particular product or products. And they usually based on on patches. One patch may cover multiple vulnerabilities.

I made this diagram with some Vulnerability Databases. Note that I wanted to stay focused, so there are no exploit DBs, CERTs, lists of vulnerabilities detected by some researchers (CISCO Talos, PT Research, etc.), Media and Bug Bounty sites.

Vulnerability Databases classification

For these databases the descriptions of vulnerabilities are publicly available on the site (in html interface or downloadable data feed), or exist in a form of paid Vulnerability Intelligence service (for example, Flexera).

On one side there are databases of individual vulnerabilities, the most important is National Vulnerability Database. There are also Chinese, Japanese bases that can be derived from NVD or not.

On the other side we have security bulletins, for example RedHat Security Advisories.

And in the middle we have a Vulnerability Databases, for which it is not critical whether they have duplicated vulnerability IDs or not.

Continue reading

New National Vulnerability Database visualizations and feeds

Recently, the National Institute of Standards and Technology (NIST) introduced a new version of National Vulnerability Database (NVD) website.

NIST NVD new site

I will not say that I liked this redesign:

new NVD website

IMHO, old website with US flag was much prettier and useful:

old NVD website

But the very fact that the site is developing, I really like very much. Let’s see what’s new there.

Continue reading

Why you can’t update it all at once?

It’s the second part of our talk with Daniil Svetlov at his radio show “Safe Environment” recorded 29.03.2017. In this part we talk about vulnerabilities in Linux and proprietary software, problems of patch an vulnerability management, and mention some related compliance requirements.

How critical these vulnerabilities are? Are they really exploitable in our infrastructure?

Video with manually transcribed Russian/English subtitles:

Previous part “Programmers are also people who also make mistakes”.

Taking about the fact that if you use fully updated software and do not use some self-written scripts, programs, then in theory everything will be safe.

But recently there was some statistics that critical vulnerabilities stay in Linux kernel about 7 years from the moment they appeared as a result of a programmer’s error till the moment they were found by our white hat researcher.

But it is not clear during these seven years if cybercriminals have found them, used them and how many systems were broken using this vulnerabilities. Not to mention that some special government services may use it too.

For example: The latest Linux kernel flaw (CVE-2017-2636), which existed in the Linux kernel for the past seven years, allows a local unprivileged user to gain root privileges on affected systems or cause a denial of service (system crash). The Hacker News

Well yes. There is such a statistic. There is also some criticism from proprietary software developers. Like you say “many eyes that looks in code will find any error.” This is a quote from Linus Torvalds, if I’m not mistaken.

Not exactly. Linus’s Law is a claim about software development, named in honor of Linus Torvalds and formulated by Eric S. Raymond in his essay and book The Cathedral and the Bazaar (1999).[1][2] The law states that “given enough eyeballs, all bugs are shallow”; or more formally: “Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone.” Wikipedia

But in practice, yes, there are really old vulnerabilities that come up after many many years. Because apparently they did not looking for this vulnerabilities well enough.But we still don’t have anything else, except Linux kernel. Therefore, they can say anything, but they will use it anyway. It is in the first place.

Continue reading

.audit-based Compliance Management in Nessus

In this post I will briefly describe how Nessus .audit-based Compliance Management works, why I like it, what could be improved and why I suppose Tenable won’t do it soon. 😉

Nessus compliance checks are mainly presented in a form of special .audit scripts. This scripting language is very different from familiar NASL (Nessus Attack Scripting Language).

Basically, it is a collection of universal checks for various objects (e.g. existence of the line or parameter in the file, access permissions of the file,  service status, etc.). Of course, nowadays Сompliance Management is not only about Operating System and software (mis)configuration. We have different network devices, databases, cloud services, etc. but originally it was the main case.

By combining the universal checks  any requirement of low-level configuration standard (CIS, DISA, etc.) can be implemented. The similar principles are used in OVAL/SCAP content.

Continue reading