Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make Auditing CVEs possible #89

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

gabrielstein
Copy link

Make possible to audit CVEs per Hosts
Make possible to download PDF Reports sorted per CVE Numbers
Make possible to call reports via REST-API
Make possible to commit reports to a private git repository(so it would be possible to access historical data and make easy to understand the chronology from the cve patching)

Copy link
Member

@rjmateus rjmateus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution. I have one technical question that I have sent.
From the implementation point of view I think this RFC will benefit from the implementation of the OVAL data [1]. That feature will create and keep up to date a CVE table, and will run CVE audits to each minion. So, in this regard part of this will be implemented in there. The missing part will be provide good reporting.

[1] https://github.com/uyuni-project/uyuni-rfc/blob/master/accepted/00098-cve-auditing-with-oval.md

[design]: #detailed-design

Steps for the implementation:
- Create a stored procedure/function on the reporting DB making it call on demand by the frontend/backend code.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We try to avoid store procedures as much as possible. The reason is because they are hard to maintain and debug.
Also, the report DB and "main" DB are separated in different schemas and can also be on different machines in the future.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok :)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would check the other RFC and I think that we can combine the work here.

- What use cases does it support? Produce real-time reports sorted by CVE-Number for the auditors and security teams
- What is the expected outcome? Have a table with the CVE Numbers and what hosts are affected. Have a report that could be called via REST-API and also could be integrated on every CI/CD workflows from operational teams.

We have a static and not a understable overview from the hosts affected by a CVE. As today, one should open the CVE Audit option on the menu, search for a CVE number, add to the form and expect a list from hosts affected by only this CVE. If there is a higher number from CVEs would be a lot of working doing a manual search per CVE Number. This makes the life from infrastructure managers so difficult -it is not possible to have an overview that is always updated and showed in the dashboard -
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please elaborate on what's not understandable from the current overview?

How do you envision it from UI perspective? Available CVE number is huge.

Would you like to identify which system is affected by a particular CVE(s), or if any system is affected by any CVE at all? Are you solely interested in CVEs that affect systems or even in those CVEs which doesn't affect any of the onboarded system?

Currently, we have limitation that we could only tell if a system is affected by CVE if assigned channels has patch which in turn fix that CVE. Depending on if that patch has been applied or not, we tell if system is affected or not. Based on this, we already show on system overview page if systems has some security updates or all good.

Now if I summarize and IIUC, what you likely want is the ability to provide a list of CVEs and then receive results indicating whether systems are affected or not based on that list. Please correct me, if that wouldn't suffice.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @admd !

Can you please elaborate on what's not understandable from the current overview?
It is everything static. How a admin will know if there is a new CVE affecting their servers and what CVE number it is? I did a lot of demos for customers showing the CVE Audit and I always had to search for a CVE number and check if one of the hosts is affected. Similar to NeuVector[0] we could use the same databases which they use to do this CVE checks and show it the hosts from Uyuni are affected.

It is nice that the CVEs are just show when the channel has a patch against it - but would not make more sense to display the real situation and what patches are being delivered? If it is just based on the channels from Uyuni it would give a false positive - well, my channels do not have the patch for CVE 12345, it means that my hosts are not affected.

[0] - Example how CVE Databases works for NeuVector: https://open-docs.neuvector.com/scanning/updating

- What is the expected outcome? Have a table with the CVE Numbers and what hosts are affected. Have a report that could be called via REST-API and also could be integrated on every CI/CD workflows from operational teams.

We have a static and not a understable overview from the hosts affected by a CVE. As today, one should open the CVE Audit option on the menu, search for a CVE number, add to the form and expect a list from hosts affected by only this CVE. If there is a higher number from CVEs would be a lot of working doing a manual search per CVE Number. This makes the life from infrastructure managers so difficult -it is not possible to have an overview that is always updated and showed in the dashboard -
and it is also not possible to have a generated report per PDF from the hosts affected by a CVE(a report sorted per CVE-Number. It should be also provided a way to generate this reports per REST-API and make it possible to have it integrated in a CI/CD Workflow.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We provide CSVs. Providing repost as PDFs is not something that we are gonna tackle for now.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@admd If we manage to have a real time dashboard the report in pdf would be easy.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants