[CentOS] CentOS Security Advisories OVAL feed??

Tue, 04 Aug 2020 09:35:14 -0700 

Dear List,
I have spent some time playing around with oscap and the RHEL OVAL feed (https://www.redhat.com/security/data/oval/v2/RHEL8/, also check Chapter 16 of the RHEL 8 Design Guide). Because I could not find an existing OVAL file for CentOS, I downloaded one of the RHEL8 files and managed to modify (eg. the rhel-8.1-e4s.oval.xml) it to make it work on a CentOS machine. Basically I just had to change the package signing key check to use the CentOS key and I had to replace the redhat-release RPM package name with "centos-release". Obviously, this would violate all kinds of rights if redistributed, due to the fact that the upstream vendor is named all over the place, but technically it "worked". 


On an internal system running a freshly updated CentOS 8.1 system I 
ended up with three errors, titled:



* RHSA-2019:4269: container-tools:rhel8 security and bug fix update 
(Important)



* RHSA-2019:3403: container-tools:rhel8 security, bug fix, and 
enhancement update (Important)


* RHSA-2019:2799: nginx:1.14 security update (Important)

This raises some questions (some of them connected), namely:


Q1) There are no equivalent CESA advisories for those RHSA advisories: 
why is that? Note that there are also no equivalent CentOS packages to 
those mentioned in the RHSA advisories. (My guess: because, when the 
advisories where issued, Centos already had moved on to 8.2)



Q2) Does this indicate a problem in the release process / handling of 
upstream updates on the side of the CentOS project? Were the advisories 
missed at the time of issuance?



Q3) Does this indicate that only the latest CentOS (minor) release can 
be considered "secure" or "patched"?



Q4) Is there a native OVAL file released from the CentOS project 
covering these issues? It could be extremely similar to the RHEL one, 
but it should take the answers to the above questions into account (eg. 
it could require the latests minor-release and there would only be one 
file for CentOS 8 if the answer to Q3 is "yes").



Q5) If the answer to the last question is "no": shouldn't there be such 
a resource?


Thanks for any answers.

peter

_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos






















					Reply via email to