How to show auditors your Red Hat Servers really are patched for that CVE

This comes up a lot when I talk with other Red Hat users, and it came up again today during a Red Hat Accelerators meeting, so I thought I’d share my solution to this pesky problem.

We’ve all been there; an auditor or your favorite infosec team has scanned your servers and found that apache is vulnerable to CVE-XXXX-YYYY.  You know darn good and well that box was patched last week, and has the latest available versions of Apache httpd which resolves the CVE.  But how to show them and convince them that Red Hat’s backporting policy (love it or hate it) works.

Enter OSCAP.  With a quick handy command and a few files, you can generate a fancy report to show you know what your talking about and where they can stick their vulnerability scan!

Download a couple of quick files from Red Hat Security and place them where the oscap scanner utility can get to the.

https://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml
https://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml

Once downloaded make sure you have the openscap-scanner rpm installed (yum -y install openscap-scanner) then execute the following:

/usr/bin/oscap xccdf eval –report /tmp/$(uname -n)-report.html com.redhat.rhsa-all.xccdf.xml

This will generate a html file at /tmp/<hostname>-report.html.  Open this up and you’ll get a fancy report to show your auditors!  You can search by CVE number in the Rule Overview and it will take you right to the Errata which solves the CVE and show a pass/fail status for it.

Hope this helps some of my fellow Accelerators and all you other admins struggling with this fight! Stay strong!
Will

1 thought on “How to show auditors your Red Hat Servers really are patched for that CVE”

  1. This web page is showing an em-dash in front of ‘report’, it should be a double hyphen (“–report”, assuming the blog software doesn’t reformat it).

    That aside, this is a fantastic tool for educating auditors unwise in the ways of Red Hat patching!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.