Auditing

In SUSE Multi-Linux Manager, you can keep track of your clients through a series of auditing tasks. You can check that your clients are up to date with all public security patches (CVEs), perform subscription matching, and use OpenSCAP to check for specification compliance.

In the SUSE Multi-Linux Manager Web UI, navigate to Audit to perform auditing tasks.

1. CVE Audits

A CVE (Common Vulnerabilities and Exposures) is a fix for a publicly known security vulnerability.

You must apply CVEs to your clients as soon as they become available.

Each CVE contains an identification number, a description of the vulnerability, and links to further information. CVE identification numbers use the form CVE-YEAR-XXXX.

In the SUSE Multi-Linux Manager Web UI, navigate to Audit > CVE Audit to see a list of all clients and their current patch status.

By default, the patch data is updated at 23:00 every day. We recommend that before you begin a CVE audit you refresh the data to ensure you have the latest patches.

Procedure: Updating patch data
  1. In the SUSE Multi-Linux Manager Web UI, navigate to Admin > Task Schedules and select the cve-server-channels-default schedule.

  2. Click cve-server-channels-bunch.

  3. Click Single Run Schedule to schedule the task. Allow the task to complete before continuing with the CVE audit.

Procedure: Verifying patch status
  1. In the SUSE Multi-Linux Manager Web UI, navigate to Audit > CVE Audit.

  2. To check the patch status for a particular CVE, type the CVE identifier in the CVE Number field.

  3. Select the patch statuses you want to look for, or leave all statuses checked to look for all.

  4. Click Audit Servers to check all systems, or click Audit Images to check all images.

For more information about the patch status icons used on this page, see CVE Audit.

For each system, the Actions column provides information about what you need to do to address vulnerabilities. If applicable, a list of candidate channels or patches is also given. You can also assign systems to a System Set for further batch processing.

You can use the SUSE Multi-Linux Manager API to verify the patch status of your clients. Use the audit.listSystemsByPatchStatus API method. For more information about this method, see the SUSE Multi-Linux Manager API Guide.
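As an added example (not code from the SUSE documentation or product), the following Python script calls audit.listSystemsByPatchStatus over the XML-RPC API and groups the result by patch status. The server URL, credentials, channel labels and advisory IDs are placeholders or constructed; the result field names and the status label AFFECTED_PATCH_APPLICABLE are assumed to match the API Guide for your release and should be verified there.

```python
import re
import xmlrpc.client
from collections import defaultdict

# Placeholder endpoint, not a value from the documentation.
MANAGER_URL = "https://manager.example.com/rpc/api"

# The page gives the identifier form CVE-YEAR-XXXX; four or more digits are accepted.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

def is_cve_id(value):
    """Validate the CVE identifier before sending it to the API."""
    return bool(CVE_ID.match(value))

def fetch_patch_status(url, user, password, cve):
    """Live call to audit.listSystemsByPatchStatus (needs a reachable server)."""
    if not is_cve_id(cve):
        raise ValueError(f"not a CVE identifier: {cve}")
    client = xmlrpc.client.ServerProxy(url)
    key = client.auth.login(user, password)
    try:
        return client.audit.listSystemsByPatchStatus(key, cve)
    finally:
        client.auth.logout(key)

def group_by_status(rows):
    """Map patch_status_label -> sorted system ids. Field names (system_id,
    patch_status_label, channel_labels, errata_advisories) are assumed from
    the API Guide; verify them against your release."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[row["patch_status_label"]].append(row["system_id"])
    return {label: sorted(ids) for label, ids in grouped.items()}

def actionable(rows):
    """Systems that are affected and already have a patch in an assigned
    channel, with the advisories to apply (label assumed, see lead-in)."""
    return [(r["system_id"], sorted(r["errata_advisories"]))
            for r in rows if r["patch_status_label"] == "AFFECTED_PATCH_APPLICABLE"]

# Constructed sample rows shaped like the API response, for offline use.
SAMPLE_ROWS = [
    {"system_id": 1000010001, "patch_status_label": "AFFECTED_PATCH_APPLICABLE",
     "channel_labels": ["example-updates"], "errata_advisories": ["EXAMPLE-2024-0001"]},
    {"system_id": 1000010002, "patch_status_label": "PATCHED",
     "channel_labels": [], "errata_advisories": []},
    {"system_id": 1000010003, "patch_status_label": "NOT_AFFECTED",
     "channel_labels": [], "errata_advisories": []},
]

if __name__ == "__main__":
    for label, ids in group_by_status(SAMPLE_ROWS).items():
        print(f"{label}: {ids}")
```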

2. OVAL

The CVE Audit operation relies on two primary data sources: channels and OVAL (Open Vulnerability and Assessment Language). These two sources provide the metadata for conducting CVE audits, each serving a distinct purpose.

Channels

Channels include the updated software packages, including the patches, and provide insights into the essential patches required to address vulnerabilities.

OVAL

In contrast, OVAL data supplies information about the vulnerabilities themselves, and about the packages that render a system vulnerable to a CVE.

While it is possible to conduct CVE audits using only channels data, synchronizing OVAL data enhances the accuracy of the results, particularly in cases involving zero-day vulnerabilities or partially patched vulnerabilities.

OVAL data is much more lightweight than channels data. For example, OVAL data for openSUSE Leap 15.4 is around 50 MB.

With only OVAL data synced, you can already run CVE audits and check whether your systems are vulnerable to a CVE, but you cannot apply patches, because patches come from channels.

Key characteristics of the OVAL feature include:

  • Enabled by default: The feature is enabled by default and requires no additional configuration.

  • Reversible: If needed, users can disable OVAL data and revert to the standard channel-based CVE audit. See Disabling OVAL Data Support below.

  • Updated daily: OVAL data is updated at 23:00 every day by default. We recommend that you refresh the data before you begin a CVE audit, to ensure you have the latest vulnerability metadata.

The following procedures can be used to enable, disable, or update OVAL data.

Procedure: Enabling OVAL data support
  1. Add or modify the following setting in file /etc/rhn/rhn.conf in the container:

    java.cve_audit.enable_oval_metadata=true
  2. Restart the Tomcat and Taskomatic services:

    systemctl restart tomcat taskomatic

To turn the feature off again, use the following procedure.

Procedure: Disabling OVAL data support
  1. Add or modify the following setting in rhn.conf:

    java.cve_audit.enable_oval_metadata=false
  2. Restart the Tomcat and Taskomatic services:

    systemctl restart tomcat taskomatic

Procedure: Updating OVAL data
  1. In the SUSE Multi-Linux Manager Web UI, navigate to Admin > Task Schedules and select the oval-data-sync-default schedule.

  2. Click oval-data-sync-bunch.

  3. Click Single Run Schedule to schedule the task.

Allow the task to complete before continuing with the CVE audit.

2.1. Collect CPE

To be able to accurately identify what vulnerabilities apply to a certain client, we need to identify the operating system product that client uses. To do that, we collect the CPE (Common Platform Enumeration) of the client as a Salt grain, then we save it to the database.

The CPE of newly registered clients will be automatically collected and saved to the database. However, for existing clients, it is necessary to execute the Update Packages List action at least once.

Procedure: Update packages list
  1. In the SUSE Multi-Linux Manager Web UI, navigate to Systems > System List > All and select a client.

  2. Then go to the Software tab and select the Packages sub-tab.

  3. Click Update Packages List to update the package list and collect the CPE of the client.

2.2. OVAL Sources

To ensure the integrity and currency of the OVAL data, SUSE Multi-Linux Manager exclusively consumes OVAL data from the official maintainers of every product. Below, you can find the list of OVAL data sources.

Table 1. OVAL Sources

Product                        Source URL
openSUSE Leap                  https://ftp.suse.com/pub/projects/security/oval
openSUSE Leap Micro            https://ftp.suse.com/pub/projects/security/oval
SUSE Linux Enterprise Server   https://ftp.suse.com/pub/projects/security/oval
SUSE Linux Enterprise Desktop  https://ftp.suse.com/pub/projects/security/oval
SUSE Linux Enterprise Micro    https://ftp.suse.com/pub/projects/security/oval
RedHat Enterprise Linux        https://www.redhat.com/security/data/oval/v2
Debian                         https://www.debian.org/security/oval
Ubuntu                         https://security-metadata.canonical.com/oval

OVAL metadata is used in CVE auditing for only a subset of clients, namely, clients that use openSUSE Leap, SUSE enterprise products, RHEL, Debian or Ubuntu. This is due to the absence of OVAL vulnerability definitions metadata for the other products.

3. CVE Status

The CVE status of clients is usually either affected, not affected, or patched. These statuses are based only on the information that is available to SUSE Multi-Linux Manager.

Within SUSE Multi-Linux Manager, these definitions apply:

System affected by a certain vulnerability

A system which has an installed package with version lower than the version of the same package in a relevant patch marked for the vulnerability.

System not affected by a certain vulnerability

A system which has no installed package that is also in a relevant patch marked for the vulnerability.

System patched for a certain vulnerability

A system which has an installed package with version equal to or greater than the version of the same package in a relevant patch marked for the vulnerability.

Relevant patch

A patch known by SUSE Multi-Linux Manager in a relevant channel.

Relevant channel

A channel managed by SUSE Multi-Linux Manager that is assigned to the system, is the original of a cloned channel assigned to the system, is linked to a product installed on the system, or is a past or future service pack channel for the system.

Because of the definitions used within SUSE Multi-Linux Manager, CVE audit results might be incorrect in some circumstances. For example, unmanaged channels, unmanaged packages, or non-compliant systems might report incorrectly.
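The following Python script is an added example, not code from SUSE Multi-Linux Manager, that applies the three status definitions above to constructed package data. The package names and version-release strings are made up, the status labels AFFECTED, PATCHED and NOT_AFFECTED are chosen here, and vercmp is a simplified stand-in for the real rpm version comparison (no epoch, tilde or caret handling). The third system shows the caveat just described: a package installed from an unmanaged source is not in any relevant patch, so by definition it reports NOT_AFFECTED.

```python
import re
from itertools import zip_longest

def vercmp(a, b):
    """Simplified rpm-style comparison of version-release strings: -1, 0 or 1.
    Assumption: stand-in for the real rpm/libsolv comparison (no epoch,
    tilde or caret handling); sufficient for the cases shown here."""
    def segments(v):
        return re.findall(r"\d+|[A-Za-z]+", v)
    for x, y in zip_longest(segments(a), segments(b), fillvalue=""):
        if x == y:
            continue
        if x == "" or y == "":          # the longer string counts as newer
            return -1 if x == "" else 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():  # rpm rule: numeric segment beats alpha
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return 0

def cve_status(installed, relevant_patches):
    """Apply the page's definitions for one CVE.
    installed: {package name: installed version-release}
    relevant_patches: one {package name: version-release} dict per relevant
    patch (a patch in a relevant channel) marked for the CVE.
    Any installed package older than the patch version -> AFFECTED;
    overlap but nothing older -> PATCHED; no overlap at all -> NOT_AFFECTED."""
    overlap = False
    for patch in relevant_patches:
        for name, fixed in patch.items():
            if name not in installed:
                continue
            overlap = True
            if vercmp(installed[name], fixed) < 0:
                return "AFFECTED"
    return "PATCHED" if overlap else "NOT_AFFECTED"

# Constructed data: one relevant patch for the CVE and three example systems.
PATCHES = [{"libopenssl1_1": "1.1.1l-150400.7.3", "openssl-1_1": "1.1.1l-150400.7.3"}]
SYSTEMS = {
    "web01": {"libopenssl1_1": "1.1.1k-150400.1.1"},   # older than the patch
    "web02": {"libopenssl1_1": "1.1.1l-150400.7.3"},   # exactly the patch version
    # Unmanaged package: no relevant patch lists it, so the definition yields
    # NOT_AFFECTED even though the system may actually be vulnerable.
    "build01": {"openssl-custom": "1.1.1k"},
}

if __name__ == "__main__":
    for host, pkgs in SYSTEMS.items():
        print(host, cve_status(pkgs, PATCHES))
```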