Red Hat publishes security data using the Open Vulnerability and Assessment Language (OVAL). According to the Red Hat and OVAL compatibility FAQ, you need to scan the streams for all products installed on your system. This post aims to answer the question of how to determine which stream to use when scanning a system. We'll use an operating system and a container image as target systems to explore the topic.

On April 27, 2020 Red Hat started publishing repository-to-CPE mapping data (JSON file) to make this task easier. Then in December 2020 we added support for Red Hat Enterprise Linux update streams such as Extended Update Support (EUS). 

If you have a look at the OVAL files available for RHEL-8, you'll get a rough idea of how they are split up. Each file roughly represents a product release, including main line RHEL-8, RHEL-8.x EUS, and other products such as OpenShift-4. We do this because if you haven't installed OpenShift on your system, vulnerabilities affecting OpenShift are not relevant to you.

Operating System

Determining if the operating system should be scanned with Red Hat OVAL data or not first raises the question, is this a Red Hat operating system? To answer that, check the contents of:

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 8.3 (Ootpa)

The OVAL files themselves have a test which checks that the installed operating system is the correct major version (e.g. 8 in this case). It does that by inspecting the version of the rpm providing the /etc/redhat-release file. For example:

$ rpm -q --whatprovides /etc/redhat-release
redhat-release-8.3-1.0.el8.x86_64

Determining which OVAL stream to use

If you have root privileges on the machine, a list of repo ids can be obtained using Subscription Manager, for example:

$ sudo subscription-manager repos --list-enabled
+----------------------------------------------------------+
    Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
Repo ID:   rhel-8-for-x86_64-baseos-rpms
Repo Name: Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel8/$releasever/x86_64/baseos/os
Enabled:   1

Repo ID:   rhel-8-for-x86_64-appstream-rpms
Repo Name: Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel8/$releasever/x86_64/appstream/os
Enabled:   1

This information shows all of the RPM repositories currently enabled on a system. You can then assume that any RPM on the system could come from any of those repositories.

Subscription Manager requires root privileges, so an alternative is to use yum to list all the repositories that installed rpms came from. If additional repositories have been added to the system, not all of the listed repos will necessarily be Red Hat repositories.

$ yum info all 2>/dev/null | grep -i '^From repo' | awk '{print $4}' | sort -u
rhel-8-for-x86_64-appstream-rpms
rhel-8-for-x86_64-baseos-rpms

We therefore know we need to look for OVAL data associated with these repositories. In the repository-to-CPE mapping, we find both of them:

$ curl -s https://www.redhat.com/security/data/metrics/repository-to-cpe.json | jq -c '.data."rhel-8-for-x86_64-appstream-rpms"'
{"cpes":["cpe:/a:redhat:enterprise_linux:8::appstream"]}

$ curl -s https://www.redhat.com/security/data/metrics/repository-to-cpe.json | jq -c '.data."rhel-8-for-x86_64-baseos-rpms"'
{"cpes":["cpe:/o:redhat:enterprise_linux:8::baseos"]}

We therefore know that we need to look for RHEL 8 OVAL stream files containing errata which have the cpe:/o:redhat:enterprise_linux:8::baseos or appstream CPEs associated with them. Red Hat Product Security collects all these errata for the main line RHEL 8 into a single file called rhel-8.oval.xml.bz2. All the errata in this OVAL file apply to CPEs which start with cpe:/a:redhat:enterprise_linux:8.

You can use an OVAL file to scan a system with OpenSCAP. In this example we have an older kernel installed, and we see a match for the errata RHSA-2021:1093, indicating that we are vulnerable to CVE-2020-0466 amongst other vulnerabilities. The oscap command is provided by the openscap-scanner rpm.

$ rpm -q kernel
kernel-4.18.0-240.1.1.el8_3.x86_64

$ oscap oval eval rhel-8.oval.xml 
...
Definition oval:com.redhat.rhsa:def:20211093: true

Scanning EUS streams

When using an EUS stream, each major release (such as 8) is split into minor versions. The repository-to-CPE mapping now has a repo entry for each of the minor versions. For example, if you're using RHEL 8.2 you enable a generic EUS repo called rhel-8-for-x86_64-baseos-eus-rpms. In addition to that, you also have to set the minor version in a separate step. Once that is complete, the enabled repos will look like this:

$ sudo subscription-manager repos --list-enabled
+----------------------------------------------------------+
    Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
Repo ID:   rhel-8-for-x86_64-baseos-eus-rpms
Repo Name: Red Hat Enterprise Linux 8 for x86_64 - BaseOS - Extended Update Support (RPMs)
Repo URL:  https://cdn.redhat.com/content/eus/rhel8/8.2/x86_64/baseos/os
Enabled:   1

Note that the repo ID is a generic one for RHEL 8, and the minor release (8.2) is found in the URL. To support this scenario, an OVAL file is generated for each minor EUS stream, and an additional entry was added to the repository-to-CPE mapping for each minor release. So if the RHEL 8.2 EUS stream is enabled as above, you'll find the appropriate CPE like this:

$ curl -s https://www.redhat.com/security/data/metrics/repository-to-cpe.json | jq -c '.data."rhel-8-for-x86_64-baseos-eus-rpms__8_DOT_2"'
{"cpes":["cpe:/o:redhat:rhel_eus:8.2::baseos"]}

Container Image scanning

Checking /etc/redhat-release inside a container image will provide useful provenance information about the image operating system if the image is from Red Hat. The open source Clair project uses these regular expressions to try and match Red Hat containers.

Inside the container image, you can find one or more Image Content Manifests for each layer of the container image in the /root/buildinfo directory. Each Image Content Manifest contains content_set entries, which list all of the RPM repositories used in that layer of the container image. This information can be used to determine which OVAL file to use for scanning an image.

Clair is a vulnerability scanner supported as part of Red Hat Quay, a distributed and highly available container image registry. A working example is available in the open-source Clair Core project which demonstrates how to use the content_set file, installed rpms, and the repository to cpe mapping to discover vulnerabilities affecting that image.

First, it downloads all the OVAL data for each RHEL 6-8 release in the Updater Set package. When parsing the OVAL files for each major release (e.g. RHEL 8), the Common Product Enumeration (CPE) information can be found for each errata entry in the OVAL file. Each errata has a number of associated vulnerabilities, but all vulnerabilities in that errata can be associated with CPEs at this stage.

When doing a scan, each layer in the container image is scanned for RPM packages. Since each RPM is installed in a container image with a content_set, those packages are then matched to CPEs based on the content_set. Using the CPE information for installed RPMs, and the CPE information from the OVAL files, vulnerabilities are matched to installed RPMs in the container image. Finally, images are coalesced so that earlier versions of RPMs installed in lower layers aren't marked as vulnerable when a later version exists in a higher layer.
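
The matching and coalescing steps described above, as an added sketch in Python (not Clair Core's code): layers are walked base-first, each RPM inherits the CPEs of its layer's content_sets, and a finding needs both a shared CPE and an installed version older than the fix. The package names, advisory ids, the non-Red Hat CPE, the exact-string CPE comparison and the numeric-only version comparison are all assumptions made for illustration.

```python
import re

# Constructed inputs. Layers are ordered base-first; each carries the content_sets from
# its Image Content Manifest and the RPMs (name -> version-release) found in that layer.
REPO_TO_CPE = {
    "rhel-8-for-x86_64-baseos-rpms": ["cpe:/o:redhat:enterprise_linux:8::baseos"],
    "rhel-8-for-x86_64-appstream-rpms": ["cpe:/a:redhat:enterprise_linux:8::appstream"],
}
LAYERS = [
    {"content_sets": ["rhel-8-for-x86_64-baseos-rpms"],
     "rpms": {"examplelib": "1.2-3.el8", "exampletool": "2.0-1.el8"}},
    {"content_sets": ["rhel-8-for-x86_64-baseos-rpms", "rhel-8-for-x86_64-appstream-rpms"],
     "rpms": {"examplelib": "1.2-10.el8", "exampleapp": "4.1-2.el8"}},
]
# Constructed stand-ins for errata parsed from OVAL: CPEs plus the fixed package versions.
ADVISORIES = [
    {"id": "RHSA-EXAMPLE-1", "cpes": ["cpe:/o:redhat:enterprise_linux:8::baseos"],
     "fixed": {"examplelib": "1.2-5.el8"}},
    {"id": "RHSA-EXAMPLE-2", "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream"],
     "fixed": {"exampleapp": "4.1-7.el8"}},
    {"id": "RHSA-EXAMPLE-3", "cpes": ["cpe:/a:example:otherproduct:1"],
     "fixed": {"exampletool": "2.5-1.el8"}},
]

def vkey(evr):
    """Simplified stand-in for RPM version comparison: numeric fields only."""
    return [int(n) for n in re.findall(r"\d+", evr)]

def coalesce(layers, repo_to_cpe):
    """Walk layers base-first; a package seen again higher up replaces the lower entry."""
    installed = {}
    for layer in layers:
        cpes = {c for cs in layer["content_sets"] for c in repo_to_cpe.get(cs, [])}
        for name, version in layer["rpms"].items():
            installed[name] = (version, cpes)
    return installed

def scan(layers, advisories, repo_to_cpe):
    """Report (advisory, package, installed version) where CPEs overlap and the fix is newer."""
    findings = []
    for name, (version, cpes) in sorted(coalesce(layers, repo_to_cpe).items()):
        for adv in advisories:
            fixed = adv["fixed"].get(name)
            if fixed and cpes & set(adv["cpes"]) and vkey(version) < vkey(fixed):
                findings.append((adv["id"], name, version))
    return findings
```

Scanning only the base layer flags examplelib, while scanning the full image does not, because the higher layer carries a fixed version; exampletool is never flagged because its advisory belongs to a product whose CPE the image does not have.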

Conclusion

In this post, we explored how to determine which OVAL stream to use to scan a RHEL system, or Red Hat container image for security vulnerabilities. The recent publishing of repository-to-cpe mapping now makes it possible to inspect the RPM repositories configured on the system to match against CPEs in OVAL streams. 

We learned the strategy Clair Core uses to match OVAL streams to RPMs installed in container images as an example and used that example to choose which OVAL stream to scan our example RHEL operating system. For more background on Security Vulnerability scanning in Red Hat products, see this recent post about tracking Red Hat security vulnerabilities by Dave Meurer.


About the author

Specializing in Kubernetes, container runtimes, and web applications, Jason Shepherd is a principal security engineer in Red Hat's Product Security team. With a passion for open source and dedication to client success, Shepherd is your go-to guy for security assessment and data for security audits.
