Account Links: Cart | Register | Log In

Skip to content

Security Measurement

The Red Hat Security Response Team are committed to providing tools and data to help security measurement. Part of this commitment is our participation at board level in the MITRE CVE and OVAL projects. We also provide reports and metrics, but more importantly, we also provide the raw data so customers and researchers can produce their own metrics, for their own unique situations, and hold us accountable.

OVAL Definitions

OVAL definitions are available for all vulnerabilities that affect Red Hat Enterprise Linux 3, 4, and 5:

Vulnerability Statements

The Red Hat Security Response Team publishes official statements for vulnerabilities currently under investigation and for vulnerabilities that do not affect our products and services:

These statements also available directly from the National Vulnerability Database

Vulnerability Data

CVE to date and CVE to severity mapping

This data source maps CVE names to the dates the issues were first known to the public. This helps generate statistics based on "days of risk". This data source also captures the severity of the issues and how we found out about them (dates and sources). Although the dates may come from third-parties, the severity classifications are given by the Red Hat Security Response Team and are specific to Red Hat, and will vary for other distributions and vendors. This file is created manually, and is updated every one or two weeks (or by request, by contacting secalert@redhat.com):

RHSA to date mapping

This data source is a mapping of Red Hat Security Advisories to the dates and times the advisories were issued. Most of this data comes automatically from the Red Hat Network, but some entries requiring manual adjustment have been annotated:

RHSA to CVE and CPE mapping

This data source is a mapping of Red Hat Security Advisories to the vulnerabilities fixed (identified by CVE name). This file contains the product names affected in CPE format, and the package names, allowing the file to be filtered by a product or package subset:

CPE lists for default installations

Red Hat Enterprise Linux ships with a large number of packages, but they are not all installed by default. These files give lists of packages in default installations, which can be used to filter the metrics. The format is the CPE name with the package name appended:

CPE Dictionary

CPE is a structured naming scheme for information technology systems, software, and packages. For reference, we provide a dictionary mapping the CPE names we use, to Red Hat product descriptions. Some of these CPE names will be for new products that are not in the official CPE dictionary, and should therefore be treated as temporary CPE names:

Data Analysis

This Perl script creates reports based on the cve_dates.txt, release_dates.txt, and rhsamapcpe.txt data sources above. For a given product, such as Red Hat Enterprise Linux, and a date range, the script can list all the security issues fixed by severity and gives a "days of risk" metric, displayed as "Average is x days", as well as vulnerability work flow statistics. For example, run the following command to create a summary report of all critical advisories for Red Hat Enterprise Linux 5:

perl daysofrisk.pl --cpe enterprise_linux:5 --severity C

Sample Reports

You can use the daysofrisk.pl script to run sample reports based on the above data sources. The following are pre-generated examples:

DistributionDatesSeverityMetrics
Red Hat Enterprise Linux 3 (all packages)20031204-20090703all dates
Critical flaws
140 vulnerabilities
Average is 2.4 days
Median is 1 days
84% were within 1 day
Red Hat Enterprise Linux 4 (all packages)20050215-20090703all dates
For all flaws regardless of severity
1396 vulnerabilities
Average is 73.6 days
Median is 15 days
32% were within 1 day
Red Hat Enterprise Linux 4 AS (default installation packages) 20050215-20090703all dates
Critical flaws
12 vulnerabilities
Average is 1.5 days
Median is 0 days
91% were within 1 day
Red Hat Enterprise Linux 5 Server (default installation packages) 20070314-20090703all dates
For all flaws regardless of severity
506 vulnerabilities
Average is 59.1 days
Median is 2 days
50% were within 1 day
Red Hat Enterprise Linux 5 (all packages)20070314-20090703all dates
Critical flaws
89 vulnerabilities
Average is 0.5 days
Median is 1 days
98% were within 1 day

Other Analysis

Risk report: Four years of Red Hat Enterprise Linux 4

This Red Hat Magazine article looks at the state of security for the first four years of Red Hat Enterprise Linux 4 from its release on February 15th, 2005. It includes metrics, key vulnerabilities, and the most common ways users were affected by security issues.

Mark Cox metrics weblog

Mark Cox, Director of the Red Hat Security Response Team, publishes a weblog with insight into security measurement and metrics for Red Hat products.