The Red Hat Security Response Team is committed to providing tools and data to help security measurement. Part of this commitment is our participation at board level in the Mitre CVE and OVAL projects. We also provide reports and metrics, but more importantly we also provide the raw data so that customers and researchers can produce their own metrics for their own unique situations and hold us accountable.
OVAL definitions are available for all vulnerabilities that affect Red Hat Enterprise Linux 3, 4 and 5.
The Red Hat Security Response Team publishes official statements for vulnerabilities currently under investigation and for vulnerabilities that do not affect us. These are also available directly from the National Vulnerability Database.
This data source is a mapping of the CVE name to the date that the issue was first known to the public. This can help generate statistics based on "days of risk". We also use this data source to capture the severity of issues and how we found out about the issue (date and source). Although the dates may come from third parties, the severity classifications are given by the Red Hat Security Response Team; they are specific to Red Hat and will vary for other distributions and vendors. This file is created manually and we update it every week or two (or on request by contacting secalert@redhat.com).
This data source is a mapping of Red Hat Security Advisories to the date and time the advisory was issued. Most of this data comes automatically from the Red Hat Network, but we've annotated a few entries which needed manual adjustment.
This data source is a mapping of Red Hat Security Advisories to the vulnerabilities fixed, identified by CVE name. The file contains the product names affected in CPE format, so the file can be filtered by a product or package subset.
Red Hat Enterprise Linux ships with a large number of packages, but they are not all installed by default. These files give lists of packages in default installations, which can be used to filter the metrics.
This Perl script is designed to run reports based on the data sources cve_dates, release_date, and rhsamapcpe above. For a given product, such as Red Hat Enterprise Linux, and date range it can list all the issues fixed by severity and give a "days of risk" metric as well as vulnerability workflow statistics. For example, run:

```
perl daysofrisk.pl --cpe enterprise_linux:5 --severity C
```
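As an added illustration of what such a report computes (example code written here in Python; it is not daysofrisk.pl, and the three inline data sets and their line layouts are simplified, constructed assumptions rather than the real file formats), the following joins cve_dates, release_date and rhsamapcpe style data to produce the days-of-risk figures the table below reports, filtered by CPE substring, severity letter and advisory date window:

```python
from datetime import date
from statistics import mean, median

# Constructed sample data in assumed, simplified formats; severity C/I/M = Critical/Important/Moderate.
CVE_DATES = """CVE-2008-0001 public=20080110 severity=C
CVE-2008-0002 public=20080105 severity=I
CVE-2008-0003 public=20080301 severity=C
CVE-2008-0004 public=20080115 severity=M"""
# release_date style: advisory and the date it was issued.
RELEASE_DATES = """RHSA-2008:0001 20080110
RHSA-2008:0002 20080120
RHSA-2008:0003 20080304
RHSA-2008:0004 20080125"""
# rhsamapcpe style: advisory, CVEs it fixes, affected products as CPE names.
RHSA_MAP_CPE = """RHSA-2008:0001 CVE-2008-0001 cpe:/o:redhat:enterprise_linux:5
RHSA-2008:0002 CVE-2008-0002,CVE-2008-0004 cpe:/o:redhat:enterprise_linux:4,cpe:/o:redhat:enterprise_linux:5
RHSA-2008:0003 CVE-2008-0003 cpe:/o:redhat:enterprise_linux:4
RHSA-2008:0004 CVE-2008-0002 cpe:/o:redhat:enterprise_linux:5"""

def to_date(yyyymmdd):
    return date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:]))

def days_of_risk(cpe, severity=None, start=date.min, end=date.max):
    """CVE -> days from public disclosure to the earliest advisory fixing it for products
    whose CPE contains `cpe`, optionally limited to one severity letter and a date window."""
    cves = {}
    for cve, pub, sev in (l.split() for l in CVE_DATES.splitlines()):
        cves[cve] = (to_date(pub.split("=")[1]), sev.split("=")[1])
    issued = {a: to_date(d) for a, d in (l.split() for l in RELEASE_DATES.splitlines())}
    result = {}
    for rhsa, cve_list, cpes in (l.split() for l in RHSA_MAP_CPE.splitlines()):
        when = issued[rhsa]
        if not any(cpe in c for c in cpes.split(",")) or not start <= when <= end:
            continue
        for cve in cve_list.split(","):
            public, sev = cves[cve]
            if severity and sev != severity:
                continue
            # Fixed on or before the public date counts as 0 days; a CVE fixed by several advisories counts from the earliest.
            days = max(0, (when - public).days)
            result[cve] = min(days, result.get(cve, days))
    return result

def summarize(days):
    """The figures in the metrics table: count, average, median and share fixed within 1 day."""
    vals = list(days.values())
    if not vals:
        return {"vulnerabilities": 0, "average": 0.0, "median": 0, "within_1_day_pct": 0}
    return {"vulnerabilities": len(vals), "average": round(mean(vals), 1), "median": median(vals),
            "within_1_day_pct": round(100 * sum(v <= 1 for v in vals) / len(vals))}
```

Calling `summarize(days_of_risk("enterprise_linux:5", severity="C"))` mirrors the command above; with the constructed data it yields one Critical issue fixed on its disclosure day.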
| Distribution | Dates | Severity | Metrics |
|---|---|---|---|
| Red Hat Enterprise Linux 3 (all packages) | 20031204-20080430 (all dates) | Critical flaws | 96 vulnerabilities; average is 3.2 days; median is 1 day; 78% were within 1 day |
| Red Hat Enterprise Linux 4 (all packages) | 20050215-20080430 (all dates) | All flaws regardless of severity | 1061 vulnerabilities; average is 62.9 days; median is 16 days; 29% were within 1 day |
| Red Hat Enterprise Linux 4 AS (default installation packages) | 20050215-20080430 (all dates) | Critical flaws | 8 vulnerabilities; average is 2.3 days; median is 0 days; 87% were within 1 day |
| Red Hat Enterprise Linux 5 Server (default installation packages) | 20070314-20080430 (all dates) | All flaws regardless of severity | 232 vulnerabilities; average is 52.6 days; median is 5 days; 46% were within 1 day |
| Red Hat Enterprise Linux 5 (all packages) | 20070314-20080430 (all dates) | Critical flaws | 34 vulnerabilities; average is 0.4 days; median is 0 days; 100% were within 1 day |
Red Hat Magazine looks at the state of security for the first three years from release on Feb 15th 2005, including metrics, key vulnerabilities, and the most common ways users were affected by security issues.
Security Response Director Mark Cox publishes a weblog with insight into security measurement and metrics for Red Hat products.