Implement the Open Vulnerability Assessment Language for Ubuntu and derivatives
The need for a reliable information security posture plagues every distribution-
Blueprint information
- Status: Not started
- Approver: None
- Priority: Undefined
- Drafter: Thomas R. Jones
- Direction: Needs approval
- Assignee: Thomas R. Jones
- Definition: New
- Series goal: None
- Implementation: Unknown
- Milestone target: None
Whiteboard
It should be possible for someone to implement an OVAL XML export (e.g. using Genshi) using the USN database and/or CVE tracker:
https:/
https:/
Currently developing JSP transforms for my Alfresco Records Management server. This allows many possibilities:
1) U.S. Department of Defense (DoD) 5015.02 certified document management system.
2) Source document upload via web client interface or terminal through WebDAV.
3) Transform of source document via Perl.
4) Query of existing system documents via JSP transforms.
5) Generation of supporting documents via JSP transforms.
6) Entire Security Team utilization through external access.
I envision the following: Source document creation. Transfer of source document to server. Transform script executes based on ruleset requirements. System queries existing OVAL documents for needed OVAL inventory definitions. If none exist, they are generated and moved into the pending approval folder of the manager. If they exist, they are imported. Transform generates Common Platform Enumeration (CPE) data in parallel with OVAL vulnerability definitions. The CPE is placed as metadata on resulting documents and possibly an email template is generated for submission to NIST/Mitre/DHS. OVAL is generated, validated, and moved and/or copied into the manager's pending approval folder. Email is sent to the manager that documents are awaiting review.
Two manuals are generated post-transform of the source document by a simple bash script. One: a system/security administration manual is generated in DocBook. This provides insight into OVAL requirements, granular instructions for OVAL deployment, and the tips and tricks necessary to implement the accompanying OVAL vulnerability definition. Two: an end-user manual is generated in DocBook. This manual provides high-level information as to the process and implementation of the OVAL vulnerability definition, the expected results and what they mean. All DocBook documents are digitally signed using XMLDSIG.
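
As an added illustration of the OVAL XML export suggested on the whiteboard (not code from this blueprint or from Ubuntu's tooling), this Python example turns one constructed advisory record into an OVAL 5 vulnerability definition built on `dpkginfo` tests. The record layout, the `com.example.usn` ID namespace, the schema version string and the timestamp are assumptions; it uses the standard library rather than Genshi and leaves out the inventory definition and release check.

```python
import xml.etree.ElementTree as ET
D = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
L = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}"
C = "{http://oval.mitre.org/XMLSchema/oval-common-5}"
OVAL_ID = "oval:com.example.usn:%s:%d"  # hypothetical ID namespace

# Constructed sample record: every identifier and version is a placeholder.
SAMPLE_USN = {
    "id": "USN-0000-1", "title": "examplepkg vulnerability",
    "description": "Constructed advisory text.", "cves": ["CVE-0000-0000"],
    "release": "Ubuntu (placeholder release)",
    "fixed": {"examplepkg": "1.2.3-1ubuntu0.1", "libexample1": "1:1.2.3-1ubuntu0.1"},
}

def usn_to_oval(usn, timestamp="2000-01-01T00:00:00"):
    """Return an OVAL 5 document holding one vulnerability definition."""
    for prefix, ns in (("oval-def", D), ("linux-def", L), ("oval", C)):
        ET.register_namespace(prefix, ns.strip("{}"))
    root = ET.Element(D + "oval_definitions")
    gen = ET.SubElement(root, D + "generator")
    ET.SubElement(gen, C + "schema_version").text = "5.11"  # assumed version
    ET.SubElement(gen, C + "timestamp").text = timestamp
    defs, tests, objs, states = (ET.SubElement(root, D + t) for t in
                                 ("definitions", "tests", "objects", "states"))
    definition = ET.SubElement(defs, D + "definition", version="1",
                               id=OVAL_ID % ("def", 1), **{"class": "vulnerability"})
    meta = ET.SubElement(definition, D + "metadata")
    ET.SubElement(meta, D + "title").text = "%s: %s" % (usn["id"], usn["title"])
    affected = ET.SubElement(meta, D + "affected", family="unix")
    ET.SubElement(affected, D + "platform").text = usn["release"]
    for cve in usn["cves"]:
        ET.SubElement(meta, D + "reference", source="CVE", ref_id=cve)
    ET.SubElement(meta, D + "description").text = usn["description"]
    # Vulnerable if ANY listed package is installed below its fixed version.
    criteria = ET.SubElement(definition, D + "criteria", operator="OR")
    for n, (pkg, fixed) in enumerate(sorted(usn["fixed"].items()), start=1):
        tst, obj, ste = (OVAL_ID % (kind, n) for kind in ("tst", "obj", "ste"))
        ET.SubElement(criteria, D + "criterion", test_ref=tst,
                      comment="%s is earlier than %s" % (pkg, fixed))
        test = ET.SubElement(tests, L + "dpkginfo_test", id=tst, version="1",
                             check="all", comment="%s version check" % pkg)
        ET.SubElement(test, L + "object", object_ref=obj)
        ET.SubElement(test, L + "state", state_ref=ste)
        o = ET.SubElement(objs, L + "dpkginfo_object", id=obj, version="1")
        ET.SubElement(o, L + "name").text = pkg
        s = ET.SubElement(states, L + "dpkginfo_state", id=ste, version="1")
        # evr_string is epoch:version-release; a version without an epoch means epoch 0.
        evr = ET.SubElement(s, L + "evr", datatype="evr_string", operation="less than")
        evr.text = fixed if ":" in fixed else "0:" + fixed
    return ET.tostring(root, encoding="unicode")
```

The output still needs validation against the OVAL schemas before it goes to review, which is the "validated" step in the workflow above.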