This comes up a lot when I talk with other Red Hat users, and it came up again today during a Red Hat Accelerators meeting, so I thought I’d share my solution to this pesky problem.
We’ve all been there: an auditor or your favorite infosec team has scanned your servers and found that Apache is vulnerable to CVE-XXXX-YYYY. You know darn good and well that box was patched last week and has the latest available httpd package, which resolves the CVE. The scanner flagged it anyway because Red Hat backports security fixes without bumping the upstream version number, so the version string in the Server header (or in httpd -v output) still looks vulnerable to a tool that only matches on version. But how do you show them, and convince them, that Red Hat’s backporting policy (love it or hate it) works?
Enter OpenSCAP (oscap). With one handy command and a couple of files, you can generate a report that shows you know what you’re talking about and where they can stick their vulnerability scan!
Download two files from Red Hat’s security data feed and put them in the same directory, somewhere the oscap scanner can read them: the RHSA XCCDF benchmark (com.redhat.rhsa-all.xccdf.xml) and the OVAL definitions it wraps (com.redhat.rhsa-all.xml). The XCCDF references the OVAL file by a relative path, so keep them together.
Once downloaded, make sure you have the openscap-scanner rpm installed (yum -y install openscap-scanner), then execute the following from that directory:
/usr/bin/oscap xccdf eval --report /tmp/$(uname -n)-report.html com.redhat.rhsa-all.xccdf.xml
This generates an HTML file at /tmp/<hostname>-report.html. Open it up and you’ll get a fancy report to show your auditors! You can search by CVE number in the Rule Overview and it will take you right to the errata that fixes the CVE, with a pass/fail status for it. That status comes from comparing the installed RPM versions against the fixed versions listed in the errata, not from the package’s upstream version string: "pass" means no affected package is installed at a version below the fix (which includes the case where the package isn’t installed at all), and "fail" means that errata still needs to be applied on that host.
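As an added example (this is not code from the original post, from Red Hat or from the OpenSCAP project), here is a small POSIX shell helper that runs the same scan but also keeps the machine-readable results XML (oscap’s --results option) and pulls one errata’s or one CVE’s pass/fail line out of it, so the answer can be pasted straight into the audit ticket instead of screenshotting the HTML report. It assumes com.redhat.rhsa-all.xccdf.xml and com.redhat.rhsa-all.xml are in the current directory, that rule ids in the results contain def-<year><seq> for RHSA-<year>:<seq> and that each rule-result lists the CVEs it covers as <ident> elements; the RHSA-2099/CVE-2099 identifiers in the sample data are constructed placeholders, not real advisories.

```shell
#!/bin/sh
# Added example for this post (not Red Hat's or OpenSCAP's own code): run the
# RHSA benchmark, keep the machine-readable results next to the HTML report,
# and pull one errata's or one CVE's pass/fail line out of them.
#
# Assumptions, labelled here because the post does not state them:
#  - com.redhat.rhsa-all.xccdf.xml and the OVAL file it references,
#    com.redhat.rhsa-all.xml, are in the current directory;
#  - rule ids in the results contain "def-<year><seq>" for RHSA-<year>:<seq>
#    (e.g. def-20990001 for RHSA-2099:0001) and each rule-result carries the
#    CVEs it covers as <ident> elements, which is how OpenSCAP lays out this
#    benchmark's results.
set -eu

# Run the scan. oscap exits 0 when every rule passes, 2 when at least one
# rule fails (an errata is missing) and 1 on an error, so only 1 is fatal.
# Prints the path of the results XML.
run_rhsa_scan() {
    host=$(uname -n)
    results="/tmp/${host}-results.xml"
    rc=0
    /usr/bin/oscap xccdf eval \
        --results "$results" \
        --report "/tmp/${host}-report.html" \
        com.redhat.rhsa-all.xccdf.xml >/dev/null || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "oscap failed (exit $rc)" >&2
        return 1
    fi
    printf '%s\n' "$results"
}

# lookup_result RESULTS.XML RHSA-YYYY:NNNN|CVE-YYYY-NNNN
# Prints "<rule id> <pass|fail|...>" for every rule-result matching the id;
# prints nothing if the errata/CVE is not in the benchmark at all.
lookup_result() {
    results=$1
    ident=$2
    case $ident in
        RHSA-*) needle="def-$(printf '%s' "$ident" | sed 's/^RHSA-//; s/://')\"" ;;
        CVE-*)  needle=">$ident<" ;;
        *)      echo "expected RHSA-YYYY:NNNN or CVE-YYYY-NNNN, got $ident" >&2; return 2 ;;
    esac
    # Walk the file one <rule-result> block at a time (plain POSIX awk, no
    # XML parser needed for this fixed layout) and print id + result on a hit.
    awk -v needle="$needle" '
        /<rule-result/             { rec = ""; inrec = 1 }
        inrec                      { rec = rec $0 "\n" }
        inrec && /<\/rule-result>/ {
            inrec = 0
            if (index(rec, needle)) {
                match(rec, /idref="[^"]*"/)
                id = substr(rec, RSTART + 7, RLENGTH - 8)
                res = "unknown"
                if (match(rec, /<result>[^<]*<\/result>/))
                    res = substr(rec, RSTART + 8, RLENGTH - 17)
                print id, res
            }
        }' "$results"
}

# Constructed sample results (RHSA-2099:* and CVE-2099-* are placeholders,
# not real advisories) in the shape oscap writes, so the lookup can be tried
# on a box that does not have the benchmark files. Writes to the path given.
write_sample_results() {
    cat > "$1" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_default-profile">
  <rule-result idref="xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20990001" time="2099-01-01T00:00:00" severity="high" weight="1.000000">
    <result>pass</result>
    <ident system="https://cve.mitre.org">CVE-2099-0001</ident>
  </rule-result>
  <rule-result idref="xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20990002" time="2099-01-01T00:00:00" severity="high" weight="1.000000">
    <result>fail</result>
    <ident system="https://cve.mitre.org">CVE-2099-0002</ident>
    <ident system="https://cve.mitre.org">CVE-2099-0003</ident>
  </rule-result>
</TestResult>
EOF
}

# On a real host:
#   results=$(run_rhsa_scan)
#   lookup_result "$results" CVE-XXXX-YYYY
```

Source the file and call run_rhsa_scan once, then lookup_result as many times as the auditor has findings; a "pass" line for the errata that covers the CVE is the same evidence the HTML report shows, and the results XML can be attached to the ticket alongside it.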