
Red Hat publishes security data in the Open Vulnerability and Assessment Language (OVAL). As the Red Hat and OVAL compatibility FAQ explains, that data is split into streams, and you need to scan with the streams for every Red Hat product installed on your system. This post answers the question of how to determine which stream to use when scanning a system. We'll use an operating system and a container image as target systems to explore the topic.

On April 27, 2020 Red Hat started publishing repository-to-CPE mapping data (JSON file) to make this task easier. Then in December 2020 we added support for Red Hat Enterprise Linux update streams such as Extended Update Support (EUS). 

If you have a look at the OVAL files available for RHEL-8, you'll get a rough idea of how they are split up. Each file roughly represents a product release, including main line RHEL-8, RHEL-8.x EUS, and other products such as OpenShift-4. We split them this way because, if you haven't installed OpenShift on your system, vulnerabilities affecting OpenShift are not relevant to you.

Operating System

Determining whether the operating system should be scanned with Red Hat OVAL data first raises the question: is this a Red Hat operating system? To answer that, check the contents of /etc/redhat-release:

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 8.3 (Ootpa)

The OVAL files themselves contain a test that checks the installed operating system is the right major version (8 in this case). It does so by inspecting the version of the RPM that provides the /etc/redhat-release file. A practical consequence is that scanning a host with the OVAL stream for the wrong major release does not produce false positives; the definitions simply evaluate false, so you get no findings at all. For example:

$ rpm -q --whatprovides /etc/redhat-release
redhat-release-8.3-1.0.el8.x86_64

Determining which OVAL stream to use

If you have root privileges on the machine, a list of repo ids can be obtained using Subscription Manager, for example:

$ sudo subscription-manager repos --list-enabled
+----------------------------------------------------------+
    Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
Repo ID:   rhel-8-for-x86_64-baseos-rpms
Repo Name: Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel8/$releasever/x86_64/baseos/os
Enabled:   1

Repo ID:   rhel-8-for-x86_64-appstream-rpms
Repo Name: Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel8/$releasever/x86_64/appstream/os
Enabled:   1

This information shows all of the RPM repositories currently enabled on a system. You can then assume that any RPM on the system could come from any of those repositories.

Subscription Manager requires root privileges, so an alternative is to use yum to list the repositories that the installed RPMs came from. Not all of the listed repos will necessarily be Red Hat repositories if additional repositories have been added to the system, and only Red Hat repositories have entries in the repository-to-CPE mapping.

$ yum info all 2>/dev/null | grep -i '^From repo' | awk '{print $4}' | sort -u
rhel-8-for-x86_64-appstream-rpms
rhel-8-for-x86_64-baseos-rpms

So we need to look up the OVAL data associated with those repositories. Both of them appear in the repository-to-CPE mapping:

$ curl -s https://www.redhat.com/security/data/metrics/repository-to-cpe.json | jq -c '.data."rhel-8-for-x86_64-appstream-rpms"'
{"cpes":["cpe:/a:redhat:enterprise_linux:8::appstream"]}

$ curl -s https://www.redhat.com/security/data/metrics/repository-to-cpe.json | jq -c '.data."rhel-8-for-x86_64-baseos-rpms"'
{"cpes":["cpe:/o:redhat:enterprise_linux:8::baseos"]}

We therefore need the RHEL 8 OVAL stream files for errata that carry the cpe:/o:redhat:enterprise_linux:8::baseos or cpe:/a:redhat:enterprise_linux:8::appstream CPEs. Red Hat Product Security collects all these errata for main line RHEL 8 into a single file called rhel-8.oval.xml.bz2. All the errata in this OVAL file apply to CPEs which start with cpe:/o:redhat:enterprise_linux:8 or cpe:/a:redhat:enterprise_linux:8.

You can use an OVAL file to scan a system with OpenSCAP; the oscap command is provided by the openscap-scanner RPM, and the OVAL file is evaluated after decompressing it. In this example we have an older kernel installed, and we see a match for the erratum RHSA-2021:1093. A definition evaluating to true means its criteria were met, so the system is affected: here the installed kernel is vulnerable to CVE-2020-0466 amongst other vulnerabilities.

$ rpm -q kernel
kernel-4.18.0-240.1.1.el8_3.x86_64

$ oscap oval eval rhel-8.oval.xml 
...
Definition oval:com.redhat.rhsa:def:20211093: true

Scanning EUS streams

When using an EUS stream, each major release (such as 8) is split into minor versions, and the repository-to-CPE mapping now has a repo entry for each of those minor versions. For example, if you're using RHEL 8.2 you enable a generic EUS repo called rhel-8-for-x86_64-baseos-eus-rpms and, in a separate step, pin the minor release (for example with subscription-manager release --set=8.2). Once complete, the enabled repos will look like this:

$ sudo subscription-manager repos --list-enabled
+----------------------------------------------------------+
    Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
Repo ID:   rhel-8-for-x86_64-baseos-eus-rpms
Repo Name: Red Hat Enterprise Linux 8 for x86_64 - BaseOS - Extended Update Support (RPMs)
Repo URL:  https://cdn.redhat.com/content/eus/rhel8/8.2/x86_64/baseos/os
Enabled:   1

Note that the repo ID is a generic RHEL 8 one; the minor release (8.2) appears only in the URL. To support this scenario an OVAL file is generated for each EUS minor stream, and an additional entry was added to the repository-to-CPE mapping for each minor release, keyed as the repo ID followed by __<major>_DOT_<minor>. So if the RHEL 8.2 EUS stream is enabled as above, you'll find the appropriate CPE like this:

$ curl -s https://www.redhat.com/security/data/metrics/repository-to-cpe.json | jq -c '.data."rhel-8-for-x86_64-baseos-eus-rpms__8_DOT_2"'
{"cpes":["cpe:/o:redhat:rhel_eus:8.2::baseos"]}
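The lookup shown above for main line repositories and for the EUS case, as an added example in my own code (not Red Hat tooling): it parses the output of subscription-manager repos --list-enabled, derives the mapping key (the plain repo ID for main line repos, or repo ID plus __<major>_DOT_<minor> when the repo URL carries an explicit minor release), resolves the CPEs, and reduces them to the OVAL streams needed. The subscription-manager output and the mapping subset are constructed for the example; on a real host the JSON is fetched from the URL above, and the naming of the per-minor EUS OVAL file is an assumption, since the post names only rhel-8.oval.xml.bz2.

```python
"""Added example, not Red Hat tooling: resolve a host's enabled repositories
to CPEs via the repository-to-cpe mapping, for main-line and EUS repos."""
import re

# Constructed `subscription-manager repos --list-enabled` output: one EUS repo
# pinned to 8.2 and one main-line repo. On a real host read it with
# subprocess.run(["subscription-manager", "repos", "--list-enabled"], ...).
SUBMAN_OUTPUT = """\
+----------------------------------------------------------+
    Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
Repo ID:   rhel-8-for-x86_64-baseos-eus-rpms
Repo Name: Red Hat Enterprise Linux 8 for x86_64 - BaseOS - Extended Update Support (RPMs)
Repo URL:  https://cdn.redhat.com/content/eus/rhel8/8.2/x86_64/baseos/os
Enabled:   1

Repo ID:   rhel-8-for-x86_64-appstream-rpms
Repo Name: Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel8/$releasever/x86_64/appstream/os
Enabled:   1
"""

# Constructed subset of repository-to-cpe.json, in the real file's shape
# ({"data": {"<key>": {"cpes": [...]}}}); the real one lives at
# https://www.redhat.com/security/data/metrics/repository-to-cpe.json
REPO_TO_CPE = {"data": {
    "rhel-8-for-x86_64-baseos-rpms": {"cpes": ["cpe:/o:redhat:enterprise_linux:8::baseos"]},
    "rhel-8-for-x86_64-appstream-rpms": {"cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream"]},
    "rhel-8-for-x86_64-baseos-eus-rpms__8_DOT_2": {"cpes": ["cpe:/o:redhat:rhel_eus:8.2::baseos"]},
}}


def parse_enabled_repos(text):
    """Parse the one-stanza-per-repo output into [(repo_id, url)] for enabled repos."""
    repos, cur = [], {}
    for line in text.splitlines() + [""]:      # sentinel blank line closes the last stanza
        if not line.strip():
            if cur.get("Enabled") == "1":
                repos.append((cur["Repo ID"], cur.get("Repo URL", "")))
            cur = {}
            continue
        key, _, value = line.partition(":")    # split on the first colon only; URLs contain more
        cur[key.strip()] = value.strip()
    return repos


def mapping_key(repo_id, url):
    """Main-line repos are keyed by repo ID alone. A repo pinned to a minor release
    keeps a generic ID and shows the release only in its URL (.../eus/rhel8/8.2/...),
    which the mapping keys as '<repo id>__8_DOT_2'. Main-line URLs carry
    $releasever instead of a literal minor version, so they do not match."""
    m = re.search(r"/rhel(\d+)/\1\.(\d+)/", url)
    return f"{repo_id}__{m.group(1)}_DOT_{m.group(2)}" if m else repo_id


def repos_to_cpes(repos, mapping):
    """Return (sorted CPEs, mapping keys with no entry). An unmapped key usually
    means a non-Red Hat repo or a minor release the mapping does not carry."""
    cpes, unmapped = set(), []
    for repo_id, url in repos:
        key = mapping_key(repo_id, url)
        entry = mapping["data"].get(key)
        if entry is None:
            unmapped.append(key)
        else:
            cpes.update(entry["cpes"])
    return sorted(cpes), unmapped


def oval_streams(cpes):
    """Reduce CPEs to the (product, version) pairs that identify an OVAL stream:
    ('enterprise_linux', '8') is covered by rhel-8.oval.xml.bz2, ('rhel_eus', '8.2')
    by the per-minor EUS file (the naming of that file is assumed here)."""
    return sorted({(cpe.split(":")[3], cpe.split(":")[4]) for cpe in cpes})


if __name__ == "__main__":
    repos = parse_enabled_repos(SUBMAN_OUTPUT)
    cpes, unmapped = repos_to_cpes(repos, REPO_TO_CPE)
    print("CPEs:", *cpes, sep="\n  ")
    print("unmapped keys:", unmapped)
    print("OVAL streams needed:", oval_streams(cpes))
```

An unmapped key is worth surfacing rather than ignoring: a host pinned to a minor release the mapping does not list, or an RPM from a third-party repository, is exactly the case where a scan silently covers less than you think.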

Container Image scanning

Checking /etc/redhat-release inside a container image provides useful provenance information about the image's operating system if the image is from Red Hat. The open source Clair project matches a set of regular expressions against that file to recognise Red Hat containers.

Inside the container image, you can find an Image Content Manifest for each layer of the image in the /root/buildinfo directory. Each Image Content Manifest contains content_set entries, which list all of the RPM repositories used in that layer of the image. This information can be used to determine which OVAL file to use for scanning an image.

Clair is a vulnerability scanner supported as part of Red Hat Quay, a distributed and highly available container image registry. A working example is available in the open-source Clair Core project which demonstrates how to use the content_set file, installed rpms, and the repository to cpe mapping to discover vulnerabilities affecting that image.

First, its updater set downloads the OVAL data for each RHEL 6-8 release. When parsing the OVAL file for a major release (e.g. RHEL 8), the Common Platform Enumeration (CPE) information is read from each erratum entry. An erratum covers a number of vulnerabilities, and at this stage all of them inherit the erratum's CPEs.

When doing a scan, each layer in the container image is scanned for RPM packages. Since every RPM in a layer was installed from one of that layer's content sets, the packages are matched to CPEs via the content sets and the repository-to-CPE mapping. Using the CPE information for installed RPMs and the CPE information from the OVAL files, vulnerabilities are matched to installed RPMs in the image. Finally the per-layer results are coalesced, so that an older version of an RPM in a lower layer is not reported as vulnerable when a higher layer has installed a newer version.
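The matching and coalescing strategy just described, as an added example in my own code (not claircore's): errata are reduced to advisory, CPEs, package and first fixed EVR; each layer carries the content sets from its Image Content Manifest and the RPMs it installed; RPM version ordering is a compact reimplementation of rpmvercmp written for this example, not the rpm library. The mapping subset and the layers are constructed, and the fixed kernel EVR attached to RHSA-2021:1093 (the advisory the post matched) is an assumption for illustration.

```python
"""Added example, not Clair's code: match layer RPMs to OVAL errata through
content-set CPEs, then coalesce layers so upgraded packages are not reported."""
import re

# Constructed subset of the repository-to-cpe mapping (repo id -> CPEs).
REPO_TO_CPE = {
    "rhel-8-for-x86_64-baseos-rpms": ["cpe:/o:redhat:enterprise_linux:8::baseos"],
    "rhel-8-for-x86_64-appstream-rpms": ["cpe:/a:redhat:enterprise_linux:8::appstream"],
}

# One erratum as the OVAL stream describes it: advisory, CPEs it applies to,
# affected package and first fixed EVR. The fixed EVR is assumed for the example.
ERRATA = [{
    "id": "RHSA-2021:1093",
    "cpes": {"cpe:/o:redhat:enterprise_linux:8::baseos"},
    "package": "kernel",
    "fixed": "0:4.18.0-240.22.1.el8_3",
}]

# Constructed image, base layer first. The kernel package is reused from the post
# only so that the advisory above has something to match.
LAYERS = [
    {"content_sets": ["rhel-8-for-x86_64-baseos-rpms"],
     "rpms": {"kernel": "0:4.18.0-240.1.1.el8_3"}},
    {"content_sets": ["rhel-8-for-x86_64-baseos-rpms", "rhel-8-for-x86_64-appstream-rpms"],
     "rpms": {"kernel": "0:4.18.0-240.22.1.el8_3"}},
]

_SEG = re.compile(r"\d+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Order version/release strings the way rpm does: numeric segments compare
    numerically, alpha segments lexically, numeric beats alpha, '~' sorts before
    anything (1.0~rc1 < 1.0), and otherwise the string with segments left is newer."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    if sa[len(sb):len(sb) + 1] == ["~"]:
        return -1
    if sb[len(sa):len(sa) + 1] == ["~"]:
        return 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare 'epoch:version-release' strings; a missing epoch is 0."""
    def split(evr):
        epoch, sep, rest = evr.partition(":")
        if not sep:
            epoch, rest = "0", evr
        version, _, release = rest.partition("-")
        return int(epoch), version, release
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def scan_layer(layer, errata):
    """Findings for one layer as {(package, evr, advisory)}: an erratum applies only
    if its CPEs intersect the CPEs of the layer's content sets and the installed
    EVR is older than the fixed one. Unknown content sets map to no CPE at all."""
    cpes = {c for cs in layer["content_sets"] for c in REPO_TO_CPE.get(cs, [])}
    return {
        (name, evr, e["id"])
        for name, evr in layer["rpms"].items()
        for e in errata
        if e["package"] == name and cpes & e["cpes"] and evr_cmp(evr, e["fixed"]) < 0
    }


def scan_image(layers, errata):
    """Scan every layer, then coalesce: a finding survives only if the flagged EVR
    is the one left in the final inventory, where the topmost layer wins."""
    final = {}
    for layer in layers:            # base layer first, so later layers override
        final.update(layer["rpms"])
    findings = set().union(*(scan_layer(layer, errata) for layer in layers))
    return sorted(f for f in findings if final.get(f[0]) == f[1])


if __name__ == "__main__":
    for i, layer in enumerate(LAYERS):
        print(f"layer {i}: {sorted(scan_layer(layer, ERRATA))}")
    print("image:", scan_image(LAYERS, ERRATA))
```

The base layer on its own is flagged for RHSA-2021:1093, and the whole image is clean because the upper layer replaced the kernel; a layer whose content set is not in the mapping contributes no CPEs and therefore no matches, which is the behaviour you want for third-party repositories but also why an empty result deserves a glance at the content sets.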

Conclusion

In this post, we explored how to determine which OVAL stream to use to scan a RHEL system or a Red Hat container image for security vulnerabilities. The recently published repository-to-CPE mapping makes it possible to inspect the RPM repositories configured on a system and match them against the CPEs in OVAL streams.

We learned the strategy Clair Core uses to match OVAL streams to RPMs installed in container images, and applied the same approach to choose which OVAL stream to scan our example RHEL operating system with. For more background on security vulnerability scanning in Red Hat products, see this recent post about tracking Red Hat security vulnerabilities by Dave Meurer.


About the author

Specializing in Kubernetes, container runtimes, and web applications, Jason Shepherd is a principal security engineer in Red Hat's Product Security team. With a passion for open source and dedication to client success, Shepherd is your go-to guy for security assessment and data for security audits.
