hubblestack/nova

SCAP XML feed parser and audit module


I want to parse the SCAP (Security Content Automation Protocol) XML feed on a (configurable) schedule and compare installed software for announced CVEs. This would require pulling and parsing the SCAP XML, pulling out the data regarding vulnerable software and comparing that to installed versions / checksums / etc. This should also have an optional alert and trigger key for reaction.

Eventually (v2.0?) it would be able to support filtering the data on CVSS base score and weakness categorization, i.e. if CVSS base score ! > X then don't fail / alert.

This will be of help:
https://nvd.nist.gov/download.cfm (main feed page)

https://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd (schema documentation)

NVD Vulnerability Severity Ratings 
NVD provides severity rankings of "Low," "Medium," and "High" in addition to the numeric CVSS scores
but these qualitative rankings are simply mapped from the numeric CVSS scores:
1. Vulnerabilities are labeled "Low" severity if they have a CVSS base score of 0.0-3.9.
2. Vulnerabilities will be labeled "Medium" severity if they have a base CVSS score of 4.0-6.9.
3. Vulnerabilities will be labeled "High" severity if they have a CVSS base score of 7.0-10.0.

http://www.open-scap.org/
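The parse-and-compare loop the issue asks for, sketched as an added example that is not part of the issue or of hubblestack/nova. It takes an NVD CVE feed 2.0 document, pulls each entry's CVE id, CVSS v2 base score and vulnerable-software CPE list, maps the score to the Low/Medium/High bands quoted above, and checks the CPEs against a constructed inventory of installed software. The feed fragment and the inventory are constructed, the CVE ids are placeholders, and the three namespace URIs are assumed from the 2.0 feed schema linked in the issue. Two deliberate choices: the comparison is an exact match on vendor, product and version (real package versions rarely line up with CPE strings that cleanly, so a production module would need a normalisation step), and an entry with no score is never dropped by the score threshold, because a missing score is not evidence that a vulnerability is harmless.

```python
import xml.etree.ElementTree as ET

# Namespaces of the NVD CVE XML feed 2.0 (assumed from the feed schema; verify against nvd-cve-feed_2.0.xsd).
NS = {
    "nvd": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
    "vuln": "http://scap.nist.gov/schema/vulnerability/0.4",
    "cvss": "http://scap.nist.gov/schema/cvss/v2/0.2",
}

# Constructed sample feed fragment, not real NVD data; CVE-0000-000x ids are placeholders.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4"
     xmlns:cvss="http://scap.nist.gov/schema/cvss/v2/0.2">
  <entry id="CVE-0000-0001">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:examplevendor:exampleapp:1.2.3</vuln:product>
      <vuln:product>cpe:/a:examplevendor:exampleapp:1.2.4</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cve-id>CVE-0000-0001</vuln:cve-id>
    <vuln:cvss><cvss:base_metrics><cvss:score>7.5</cvss:score></cvss:base_metrics></vuln:cvss>
    <vuln:summary>Constructed example: high-severity flaw in exampleapp.</vuln:summary>
  </entry>
  <entry id="CVE-0000-0002">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:othervendor:othertool:2.0</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cve-id>CVE-0000-0002</vuln:cve-id>
    <vuln:cvss><cvss:base_metrics><cvss:score>3.1</cvss:score></cvss:base_metrics></vuln:cvss>
    <vuln:summary>Constructed example: low-severity flaw in othertool.</vuln:summary>
  </entry>
  <entry id="CVE-0000-0003">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:examplevendor:exampleapp:1.2.3</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cve-id>CVE-0000-0003</vuln:cve-id>
    <vuln:summary>Constructed example: entry that carries no CVSS score.</vuln:summary>
  </entry>
</nvd>
"""

# Constructed inventory of installed software as (vendor, product, version) triples.
INSTALLED = [
    ("examplevendor", "exampleapp", "1.2.3"),
    ("othervendor", "othertool", "2.0"),
    ("somevendor", "unaffected", "9.9"),
]


def severity(score):
    """Map a CVSS v2 base score to the NVD qualitative rating quoted in the issue."""
    if score is None:
        return "Unknown"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def parse_cpe(cpe):
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version) into a 4-tuple, padding missing fields."""
    fields = cpe[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))
    return tuple(fields[:4])


def parse_feed(xml_text):
    """Return one dict per <entry>: cve id, base score (or None), severity band, CPE tuples, summary."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.findall("nvd:entry", NS):
        cve = entry.findtext("vuln:cve-id", default=entry.get("id"), namespaces=NS)
        score_text = entry.findtext("vuln:cvss/cvss:base_metrics/cvss:score", namespaces=NS)
        score = float(score_text) if score_text else None
        cpes = [p.text.strip() for p in entry.findall("vuln:vulnerable-software-list/vuln:product", NS) if p.text]
        entries.append({
            "cve": cve,
            "score": score,
            "severity": severity(score),
            "products": [parse_cpe(c) for c in cpes],
            "summary": entry.findtext("vuln:summary", default="", namespaces=NS),
        })
    return entries


def audit(entries, installed, min_score=0.0):
    """Match feed entries against installed software; drop scored entries below min_score, keep unscored ones."""
    inventory = set(installed)
    findings = []
    for e in entries:
        if e["score"] is not None and e["score"] < min_score:
            continue  # below the configured threshold: don't fail / alert
        hit = [p for p in e["products"] if p[0] == "a" and p[1:] in inventory]
        if hit:
            findings.append({"cve": e["cve"], "severity": e["severity"], "packages": [":".join(p[1:]) for p in hit]})
    return findings


if __name__ == "__main__":
    for f in audit(parse_feed(SAMPLE_FEED), INSTALLED, min_score=4.0):
        print(f["cve"], f["severity"], ", ".join(f["packages"]))
```

With `min_score=4.0` the run above reports CVE-0000-0001 (High) and CVE-0000-0003 (Unknown) and suppresses the Low entry; a scheduled module would feed the returned list into the alert and trigger keys the issue mentions.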

We were talking about this today. We currently have salt states we use for deploying openscap and updating definitions, then we have scheduled states to run scans on a regular basis. Having this incorporated with hubblestack would be great.

@dgmorrisjr I'd be interested in learning more about how you're currently using openscap. Maybe there are some practices we could integrate into HubbleStack.

Perhaps the simplest solution here is to write an oscap execution module. I'll create a separate ticket for that for exploration.

I asked one of my team members to join the hubblestack slack channel - Chris Reguerin. He is leading our openscap work for our team.

I think the main idea here has been implemented. There is more to do, but those can be handled in new issues. Closed by #74.