Security measurement
The Red Hat® Security Response Team is committed to providing tools and data to help security measurement. Part of this commitment is our participation at board level in the MITRE Common Vulnerabilities and Exposures (CVE) and Open Vulnerability and Assessment Language (OVAL) projects.
We also provide reports and metrics. More importantly, we provide the raw data so customers and researchers can produce their own metrics for their unique situations and hold us accountable.
OVAL definitions
OVAL definitions are available for all vulnerabilities that affect Red Hat Enterprise Linux® 3, 4, 5, and 6:
- OVAL definitions (consolidated XML file, .bz2) (constantly updated)
Vulnerability statements and acknowledgments
The Red Hat Security Response Team publishes acknowledgments and official statements for vulnerabilities currently under investigation and for vulnerabilities that don’t affect our products and services:
- cve-metadata-from-bugzilla.xml (XML feed, updated twice a day)
These statements are also available directly in Red Hat vulnerabilities by CVE name.
Vulnerability data
CVE to date, CVE to severity, CVE to CVSS mapping
This data source maps CVE names to the dates the issues were first known to the public. This helps generate statistics based on days of risk. This data source also captures the severity of the issues and how we found out about them (dates and sources).
Although the dates may come from third parties, the severity classifications are given by the Red Hat Security Response Team and are specific to Red Hat, and thus will vary for other distributions and vendors.
This file is created manually and is updated every 1 or 2 weeks (or by request by contacting secalert@redhat.com):
- cve_dates.txt (updated 2011-01-31)
RHSA to date mapping
This data source is a mapping of Red Hat security advisories to the dates and times the advisories were issued. Most of this data comes automatically from the Red Hat Network, but some entries requiring manual adjustment have been annotated:
- release_dates.txt (updated twice a day)
RHSA to CVE and CPE mapping
This data source is a mapping of Red Hat Security Advisories to the vulnerabilities fixed (identified by CVE name). This file contains the product names affected in Common Platform Enumeration (CPE) format and the package names, allowing the file to be filtered by a product or package subset:
- rhsamapcpe.txt (updated twice a day)
CPE lists for default installations
Red Hat Enterprise Linux ships with a large number of packages, but they’re not all installed by default. These files give lists of packages in default installations, which can be used to filter the metrics. The format is the CPE name with the package name appended:
CPE dictionary
CPE is a structured naming scheme for IT systems, software, and packages. For reference, we provide a dictionary that maps the CPE names we use to Red Hat product descriptions. Some of these CPE names are for new products that aren’t in the official CPE dictionary, and should therefore be treated as temporary CPE names:
- cpe-dictionary.xml (updated twice a day)
Data analysis
We provide a Perl script that creates reports based on the cve_dates.txt, release_dates.txt, and rhsamapcpe.txt data sources above.
For a given product, such as Red Hat Enterprise Linux, and a date range, the script lists all the security issues fixed, broken down by severity, and gives a days-of-risk metric (displayed as "Average is x days") as well as vulnerability workflow statistics. For example, the following command creates a summary report of all critical advisories for Red Hat Enterprise Linux 5:
perl daysofrisk.pl --cpe enterprise_linux:5 --severity C
- daysofrisk.pl (updated 2011-01-05)
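The following is an added illustration, not the daysofrisk.pl script itself, of how a days-of-risk figure is derived from the three data sources: join advisories to CVEs, filter by product CPE and severity, take the earliest advisory date per CVE for that product, and average the gap between the date the issue became public and the date it was fixed. The three inline inputs are constructed samples in an assumed simplified field layout; the real files use their own layout.

```python
from datetime import date
from statistics import mean

# Constructed sample data in an assumed simplified layout (illustration only;
# the real cve_dates.txt, release_dates.txt and rhsamapcpe.txt differ).
CVE_DATES = """\
CVE-2011-0001 public=20110104 impact=C
CVE-2011-0002 public=20101220 impact=I
CVE-2011-0003 public=20110110 impact=C
"""
RELEASE_DATES = """\
RHSA-2011:0001 2011-01-04
RHSA-2011:0002 2011-01-11
RHSA-2011:0003 2011-01-18
"""
RHSA_MAP_CPE = """\
RHSA-2011:0001 CVE-2011-0001 cpe:/o:redhat:enterprise_linux:5::server/kernel
RHSA-2011:0002 CVE-2011-0002,CVE-2011-0003 cpe:/o:redhat:enterprise_linux:5::server/openssl
RHSA-2011:0003 CVE-2011-0003 cpe:/o:redhat:enterprise_linux:4::as/openssl,cpe:/o:redhat:enterprise_linux:5::server/openssl097a
"""

def parse_date(s):  # YYYYMMDD (cve_dates style) or YYYY-MM-DD (release_dates style)
    s = s.replace("-", "")
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))

def load_cves(text):
    """CVE name -> (date first public, impact letter)."""
    cves = {}
    for line in text.splitlines():
        name, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        cves[name] = (parse_date(kv["public"]), kv["impact"])
    return cves

def load_releases(text):
    """RHSA id -> date the advisory was issued."""
    return {r: parse_date(d) for r, d in (ln.split() for ln in text.splitlines())}

def days_of_risk(cpe, severity):
    """Per-CVE days of risk for one product and severity, plus the average."""
    cves, rel = load_cves(CVE_DATES), load_releases(RELEASE_DATES)
    fixed = {}  # CVE -> earliest advisory date that fixed it for this product
    for line in RHSA_MAP_CPE.splitlines():
        rhsa, cve_list, cpes = line.split()
        if not any(cpe in c for c in cpes.split(",")):
            continue  # advisory does not touch the selected product
        for cve in cve_list.split(","):
            if cves[cve][1] == severity:
                fixed[cve] = min(fixed.get(cve, rel[rhsa]), rel[rhsa])
    # An issue fixed before it became public (embargoed) counts as 0 days, not negative.
    per_cve = {c: max(0, (fixed[c] - cves[c][0]).days) for c in fixed}
    return per_cve, (mean(per_cve.values()) if per_cve else 0.0)
```

Note that a CVE covered by several advisories for the same product is counted once, at its earliest fix date, which is why CVE-2011-0003 is attributed to RHSA-2011:0002 rather than RHSA-2011:0003 for the Red Hat Enterprise Linux 5 query.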
Sample reports
You can use the daysofrisk.pl script to run sample reports based on the above data sources. The following are pregenerated examples:
| Distribution | Dates | Severity | Metrics |
| --- | --- | --- | --- |
| Red Hat Enterprise Linux 3 (all packages) | 20031022-20101031 | All dates | 179 vulnerabilities |
| Red Hat Enterprise Linux 4 (all packages) | 20050215-20110131 | All dates | 1786 vulnerabilities |
| Red Hat Enterprise Linux 4 AS (default installation packages) | 20050215-20110131 | All dates | 62 vulnerabilities |
| Red Hat Enterprise Linux 5 Server (default installation packages) | 20070314-20110131 | All dates | 897 vulnerabilities |
| Red Hat Enterprise Linux 5 (all packages) | 20070314-20110131 | All dates | 168 vulnerabilities |
Other analysis
- Risk report: Five years of Red Hat Enterprise Linux 4 [PDF]: This whitepaper looks at the state of security for the first 5 years of Red Hat Enterprise Linux 4, from its release on February 15, 2005. It includes metrics, key vulnerabilities, and the most common ways users were affected by security issues.
- Mark Cox metrics weblog: Mark Cox, director of the Red Hat Security Response Team, publishes a weblog with insight into security measurement and metrics for Red Hat products.