November 2023 – January 2024: New Vulristics Features, 3 Months of Microsoft Patch Tuesdays and Linux Patch Wednesdays, Year 2023 in Review

Hello everyone! It has been 3 months since the last episode. I spent most of this time improving my Vulristics project. So in this episode, let’s take a look at what’s been done.

Alternative video link (for Russia): https://vk.com/video-149273431_456239139

Also, let’s take a look at the Microsoft Patch Tuesdays vulnerabilities, Linux Patch Wednesdays vulnerabilities and some other interesting vulnerabilities that have been released or updated in the last 3 months. Finally, I’d like to end this episode with a reflection on how my 2023 went and what I’d like to do in 2024.

New Vulristics Features

Vulristics JSON input and output

In Vulristics you can now provide input data in JSON format and receive output in JSON format, which opens up new opportunities for automation.

October 2023: back to Positive Technologies, Vulristics updates, Linux Patch Wednesday, Microsoft Patch Tuesday, PhysTech VM lecture

Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it, especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, I analyzed Microsoft Patch Tuesday as well. In addition, at the end of October I was a guest lecturer at MIPT/PhysTech university. But first things first.

Alternative video link (for Russia): https://vk.com/video-149273431_456239138

Back to Positive Technologies

On October 3, I joined the Positive Technologies team. There I will work on developing Vulnerability Management practices. I have already worked at PT for 6 years, from June 2009 to October 2015. And now, exactly 8 years later, I’m here again. I feel very pleasant emotions about this and have many plans. 🤩 I am sure that in the PT team I will be able to implement many cool things for the development of Vulnerability Management in Russia and abroad. 🙂

September 2023: VM courses, Bahasa Indonesia, Russian Podcasts, Goodbye Tinkoff, MS Patch Tuesday, Qualys TOP 20, Linux, Forrester, GigaOm, R-Vision VM

Hello everyone! On the last day of September, I decided to record another retrospective episode on how my Vulnerability Management month went.

Alternative video link (for Russia): https://vk.com/video-149273431_456239136

September was quite a busy month for me.

Vulnerability Management courses

I participated in two educational activities. The first one is an online cyber security course for my alma mater, Bauman Moscow State Technical University.

How Debian OVAL content is structured

Hello everyone! As we saw in the last episode, the results of vulnerability detection for one host produced by two different APIs can vary greatly. Therefore, in order to find out the truth, it is necessary to understand what vulnerability data is provided by the Linux distribution vendor and how this data is structured.

Alternative video link (for Russia): https://vk.com/video-149273431_456239114

Why is it important to do this? Because using data from a Linux distribution vendor, we can ask vulnerability detection API vendors questions: why are you detecting in a different way than described in this data? And then we will understand what caused the difference. And we will either adjust the API for vulnerability detection, or we will adjust the content of the Linux distribution vendor. Either way, it will be a success! In any case, the transparency of the vulnerability detection process will increase.

Last time we looked at vulnerabilities for a Debian host and a Debian Docker base image. So let’s continue with Debian. In particular, with the official Debian OVAL (Open Vulnerability and Assessment Language) content.

Debian OVAL content can be downloaded from the https://debian.org/security/oval/ website. For Debian 11.6 it will be https://debian.org/security/oval/oval-definitions-bullseye.xml (~48M).

How to Perform a Free Ubuntu Vulnerability Scan with OpenSCAP and Canonical’s Official OVAL Content

Hello everyone! Five years ago I wrote a blog post about OpenSCAP. But it was only about the SCAP Workbench GUI application and how to use it to detect security misconfigurations.

Alternative video link (for Russia): https://vk.com/video-149273431_456239104

This time, I will install the OpenSCAP command line tool on Ubuntu and use it to check for vulnerabilities on my local host.

End of CentOS Linux. Where to migrate?

Hello everyone! As you probably know, CentOS Linux, the main Enterprise-level Linux server distribution, will soon disappear. It wasn’t hard to predict when Red Hat acquired CentOS in 2014, and now it is actually happening. End of life of CentOS Linux 8 was 31.12.2021. There won’t be CentOS Linux as a downstream for Red Hat anymore. Only CentOS Stream will remain, which is upstream for Red Hat, more or less a testing distro like Fedora.

Of course, it is a matter of debate whether security guys can actually decide which Linux distributions a company will use and set that as a requirement. But in any case, the security guys will definitely take part in the decision. I made a poll in my Telegram channel. 113 people voted. So, let’s take a look at the results and discuss which of the Linux distributions we can recommend to IT teams.

Publicly available Tenable .audit scripts

This is most likely slowpoke news, but I just found out that Tenable .audit files with formalized Compliance Management checks are publicly available and can be downloaded without any registration. However, you must accept the looooong license agreement.

Tenable .audit script

So, I have two (completely theoretical!) questions:

  1. What if someone supports the .audit format in some compliance tool and gives the end user the ability to use this content by Tenable to assess their systems? Will it be fair and legal?
  2. What if someone uses this content as a source of inspiration for their own content, for example, in the form of OVAL/SCAP or some scripts? Will it be fair and legal?
