Implement the Open Vulnerability Assessment Language for Ubuntu and derivatives

Registered by Thomas R. Jones on 2010-03-17

The need for a reliable information security posture plagues every distribution, including Ubuntu. I propose that Ubuntu, and by the law of association its derivatives, implement the OVAL standard. OVAL is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. Recently, the charge of the standard was passed from Mitre to NIST. I have already constructed some 32,000+ inventory definitions in the OVAL XML language. They are awaiting transfer from my queue to NIST for approval and review by the community. Currently, I am developing an optimal XML structure to query each and every one of those inventory definitions available on Karmic for Ubuntu Source compliance. These compliance definitions are constructed with my intention of authoring and developing a Security Target (ST) for implementation of various Protection Profiles (PPs) within Ubuntu according to the Common Criteria methodology. If Ubuntu is to be advanced further, it MUST implement information security at its core. This is the future of Ubuntu.

Blueprint information

Not started
Thomas R. Jones
Needs approval
Thomas R. Jones
Series goal:
Milestone target:

Related branches



It should be possible for someone to implement an OVAL XML export (e.g. using Genshi) using the USN database and/or CVE tracker:

Currently developing JSP transforms for my Alfresco Records Management server. This allows many possibilities:
1) U.S. Department of Defense (DoD) 5015.02-certified document management system.
2) Source document upload via web client interface or terminal through WebDAV.
3) Transform of source document via Perl.
4) Query of existing system documents via JSP transforms.
5) Generation of supporting documents via JSP transforms.
6) Entire Security Team utilization through external access.

I envision the following:
1) Source document creation.
2) Transfer of the source document to the server.
3) The transform script executes based on ruleset requirements.
4) The system queries existing OVAL documents for the needed OVAL inventory definitions. If none exist, they are generated and moved into the manager's pending-approval folder; if they exist, they are imported.
5) The transform generates Common Platform Enumeration (CPE) data in parallel with the OVAL vulnerability definitions. The CPE is placed as metadata on the resulting documents, and possibly an email template is generated for submission to NIST/Mitre/DHS.
6) OVAL is generated, validated, and moved and/or copied into the manager's pending-approval folder.
7) An email is sent to the manager that documents are awaiting review.
8) Two manuals are generated post-transform of the source document by a simple bash script. One: a system/security administration manual is generated in DocBook. This provides insight into OVAL requirements, granular instructions for OVAL deployment, and the tips and tricks necessary to implement the accompanying OVAL vulnerability definition. Two: an end-user manual is generated in DocBook. This manual provides high-level information as to the process and implementation of the OVAL vulnerability definition, the expected results, and what they mean.
9) All DocBook documents are digitally signed using XMLDSIG.
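An added example, not part of this blueprint or of any Ubuntu tooling, of the USN-to-OVAL export suggested on the whiteboard above, written in plain Python rather than Genshi. It turns a constructed USN-like record into an OVAL 5.11 document with one vulnerability definition and one dpkginfo test per fixed package; the record, the `oval:org.example.usn` id namespace and the package and version values are placeholders, not real advisory data.

```python
import datetime
import xml.etree.ElementTree as ET

OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
COMMON = "http://oval.mitre.org/XMLSchema/oval-common-5"
LINUX = OVAL + "#linux"
NS = "oval:org.example.usn"  # placeholder OVAL id namespace, not Ubuntu's real one
for prefix, uri in (("", OVAL), ("oval", COMMON), ("linux-def", LINUX)):
    ET.register_namespace(prefix, uri)

# Constructed USN-like record: the USN number, CVE id and package are placeholders, not real data.
SAMPLE_USN = {"id": "USN-0000-1", "title": "Example package vulnerabilities", "release": "9.10",
              "cves": ["CVE-0000-0000"], "fixed": {"examplepkg": "1.2.3-0ubuntu0.9.10.1"}}

def usn_to_oval(usn, seq=1):
    """One class="vulnerability" definition; criteria: one dpkginfo_test per fixed package (installed < fixed)."""
    root = ET.Element(f"{{{OVAL}}}oval_definitions")
    gen = ET.SubElement(root, f"{{{OVAL}}}generator")
    ET.SubElement(gen, f"{{{COMMON}}}schema_version").text = "5.11"
    ET.SubElement(gen, f"{{{COMMON}}}timestamp").text = datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    defs, tests, objs, states = (ET.SubElement(root, f"{{{OVAL}}}{t}")
                                 for t in ("definitions", "tests", "objects", "states"))
    d = ET.SubElement(defs, f"{{{OVAL}}}definition", {"class": "vulnerability"},
                      id=f"{NS}:def:{seq}", version="1")
    meta = ET.SubElement(d, f"{{{OVAL}}}metadata")   # schema order: title, affected, reference, description
    ET.SubElement(meta, f"{{{OVAL}}}title").text = f"{usn['id']}: {usn['title']}"
    aff = ET.SubElement(meta, f"{{{OVAL}}}affected", family="unix")
    ET.SubElement(aff, f"{{{OVAL}}}platform").text = f"Ubuntu {usn['release']}"
    for cve in usn["cves"]:
        ET.SubElement(meta, f"{{{OVAL}}}reference", source="CVE", ref_id=cve,
                      ref_url=f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve}")
    ET.SubElement(meta, f"{{{OVAL}}}description").text = usn["title"]
    crit = ET.SubElement(d, f"{{{OVAL}}}criteria", operator="OR")   # any unfixed package => vulnerable
    for n, (pkg, ver) in enumerate(sorted(usn["fixed"].items()), start=seq * 100):
        evr = ver if ":" in ver else "0:" + ver   # evr needs the epoch; dpkg omits "0:"
        note = f"{pkg} is earlier than {evr}"
        ET.SubElement(crit, f"{{{OVAL}}}criterion", test_ref=f"{NS}:tst:{n}", comment=note)
        t = ET.SubElement(tests, f"{{{LINUX}}}dpkginfo_test", id=f"{NS}:tst:{n}", version="1",
                          check="at least one", comment=note)
        ET.SubElement(t, f"{{{LINUX}}}object", object_ref=f"{NS}:obj:{n}")
        ET.SubElement(t, f"{{{LINUX}}}state", state_ref=f"{NS}:ste:{n}")
        o = ET.SubElement(objs, f"{{{LINUX}}}dpkginfo_object", id=f"{NS}:obj:{n}", version="1")
        ET.SubElement(o, f"{{{LINUX}}}name").text = pkg
        s = ET.SubElement(states, f"{{{LINUX}}}dpkginfo_state", id=f"{NS}:ste:{n}", version="1")
        ET.SubElement(s, f"{{{LINUX}}}evr", datatype="debian_evr_string", operation="less than").text = evr
    return root

def serialize(root):   # a real exporter would then validate the result against the OVAL XSDs
    return ET.tostring(root, encoding="unicode")
```

The ids are derived from the definition sequence number so that several USNs exported into one file do not collide.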


Work Items
