a scap database model - nabblemaking-security-measurable.1364806.n2.nabble.com...a mini-system to...
TRANSCRIPT
www.lumension.com
A SCAP Database Model
All of SCAP data in a Relational Database
Requirements 2004/11/18
www.lumension.com
A mini-system to learn SCAP
A SCAP database with all of the SCAP data in it
Examples (with source code) Automatic updates utility
Automatic import of client data
Detection of equivalent OVAL elements
Schema-change tolerant DB design SCAP data formats (schema) are constantly change
Authors can lag in updating
Tools and data formats may be out of sync
Requirements 2004/11/18
www.lumension.com
XML and Databases
Xml is excellent for distribution, poor for analysis andreporting (databases are better) XML is single computer/thread centric (no sharing)
DB is data set centric with concurrent access
Exposes XML data as regular columns / rows Reporting staff do not need to learn XML
Requirements 2004/11/18
www.lumension.com
A simple logical database model
CCECceID
Xml
Definition
CPECpeID
Description
Xml
CVE
CveID
Xml
ImportTimeStamp
DeviceDeviceGuid
HostName
Description
HREFhref
MimeTypeID
Text
Oval
OvalID
OvalGuid
Xml
Version
AddDate
ID
XCCDFXml
XccdfGuid
AddDate
NamespaceUri
localName
XccdfElement
XccdfGuid
ElementID
Xml
XccdfElementGuid
Device_OvalStateDeviceGuid
OvalID
State
AsOf
Device_XccdfProfile
DeviceGuid
AddDate
ChangedDate
VendorStatements
Xml
CveID
AlternativeCVSSCveID
CVSS
Requirements 2004/11/18
www.lumension.com
What we will cover
Importing SCAP Xml files CVE - Vulnerability
CVSS – Scoring
OVAL -- Assessment
CPE – Product
XCCDF – Checklist
CCE – Configuration
Importing OVAL result files from clients
Querying OVAL elements for equivalency Reduce client test load by 25+%
Requirements 2004/11/18
www.lumension.com
Examples of importing / exporting data
Import of OVAL results into the database Files are dropped into a folder
Utility will pick up and insert into the database automatically
Export of equivalent OVAL element Eliminate redundant and duplicate data
OVAL comes from multiple sources
Duplications must be expected and handled
Requirements 2004/11/18
www.lumension.com
SCAP Import Utility
Two mode of operation: Drop the Xml files in a folder
Edit DataFiles.Xml to point to locations you want checked forchanges.
Files are uploaded into DB and processed automatically
sqlXml = new SqlXml(new XmlTextReader(fileName));db = new ImportDataBase();cmd = db.StoredProcedure("ImportScapXmlFile");cmd.Parameters.AddWithValue("FileName", fi.Name);cmd.Parameters.AddWithValue("ScapXml", sqlXml);cmd.ExecuteNonQuery();
Requirements 2004/11/18
www.lumension.com
Common Vulnerability Enumeration (CVE) http://nvd.nist.gov/
The physical data is simple – 2 columns
The logical data can consist of many columns andadditional rows. Calculated columns generates the logical columns.
Cross Apply generates the logical rows
Requirements 2004/11/18
www.lumension.com
Example of Computed Columns
XQuery is used to convert XML into Columns SELECT xml.value('(/*/@CVSS_score)[1]','float') as
CVSS_Score
Proper design tolerates change of schema Note: cve/1.2 and no namespace above
Requirements 2004/11/18
www.lumension.com
Example of Logical Rows
All of the data can beextracted into computed views We get multiple logical rows from
one physical row.
Tolerates typical evolution ofschema
Create View vCVE_VendorProduct Asselect CVEID,
item.value('./@name','varchar(100)') as ProductName,item.value('./@vendor','varchar(100)') as Vendor
from CVE Cross ApplyXml.nodes('//*[@name and @vendor]') as prod(item)
Requirements 2004/11/18
www.lumension.com
More logical rows examples
Requirements 2004/11/18
www.lumension.com
Common Vulnerability Scoring System (CVSS)
All CVEs come with a generic NIST determined CVSSscore and vector
Organizations may wish to determine their own scoreand vectors.
Computed column can automatically replace NIST valuewith your own.
AlternativeCVSSCveID
CVSS
CVECveID
Xml
ImportTimeStamp
localName
NamespaceUri
CVSS_vector
Published
Modif ied
severity
CVSS_Score
Requirements 2004/11/18
www.lumension.com
Open Vulnerability and Assessment Language (OVAL)
Physical table slightly more complex OvalID (could be computed)
Element Version (could be computed)
SchemaVersion is the version of OVAL
Comes from header of imported file
Requirements 2004/11/18
www.lumension.com
OVAL Logical Columns and Logical Rows
SELECT namespaceuri, count(*) as[Count] from OVAL group bynamespaceuri
SELECT localname, count(*) as [Count]from OVAL group by localname
Over 70 different logical recordlayouts
Requirements 2004/11/18
www.lumension.com
Some OVAL Logical Rows
Requirements 2004/11/18
www.lumension.com
Data is often hierarchical in the XML
Extract of hierarchy is easy definition test state
Object var
State var
Requirements 2004/11/18
www.lumension.com
Common Platform Enumeration (CPE)
CPE has a 2 column physical structure
<cpe-item name="cpe:///0verkill:0verkill"><title>0verkill 0verkill</title>
</cpe-item>
Requirements 2004/11/18
www.lumension.com
Putting the parts together
OVAL-CVE (CVSS) -CPE
Requirements 2004/11/18
www.lumension.com
Extensible Configuration Checklist Description Format(XCCDF)
No Global Identifiers results in more columns
One table is for identification only.
XCCDFXml
XccdfGuid
AddDate
NamespaceUri
localName
Version
Status
StatusDate
Title
Platform
XccdfElementXccdfGuid
ElementID
Xml
XccdfElementGuid
ID
NamespaceUri
localName
Requirements 2004/11/18
www.lumension.com
XCCDF computed and cross-apply
Requirements 2004/11/18
www.lumension.com
Putting SCAP into play
Identifying devices/computers…
Recording automated results
Recording manual results
Requirements 2004/11/18
www.lumension.com
Device / Host Identification
OVAL’s system_info node provides the pattern (includedwith all OVAL results)
Physical Table is just two columns
Requirements 2004/11/18
www.lumension.com
Device information
OVAL interpreters returns a <system_info> Contains sufficient information to uniquely identify the device
99.9% of the time
Requirements 2004/11/18
www.lumension.com
Device computed columns and logical rows
Requirements 2004/11/18
www.lumension.com
OVAL Results
Uploaded just like SCAP files Put into a folder and utility will upload
Complete history is kept (purge as needed) UploadID points to source document
Requirements 2004/11/18
www.lumension.com
Using the database to improve performance
OVAL data is coming from multiple authors Often the same element content is seen with many different ids
Some sources have 20% duplicate internally
If we can identify duplicate contents and eliminate it,then Size of the OVAL file to download is reduced
Number of tests and executions on the client is reduced and lesswork (i.e. CPU usage, memory) on the client.
Utility identifies duplicate content
Requirements 2004/11/18
www.lumension.com
This is just a start …
We have Viewed how SCAP elements are related
An elegant but simple design for a SCAP database
Supports reporting across multiple devices
Runs on free software (SQLExpress 2005)
Will support up to 4 gigs (with Express) for each of:
» Device history data
» SCAP import data history
» Current State data of devices
Automated import of SCAP data
Automated import of Device result files
Requirements 2004/11/18
www.lumension.com
Where do you get this stuff
Source: http://oval.lassesen.com/Nist2007/
Database: (Free – no expiry) Microsoft SQL Server Management Studio Express
Microsoft SQL Server 2005 Express Edition with AdvancedServices Service Pack 2
Allows full text search of XML
Requirements 2004/11/18