bpmcdevitt/brendan.mcdevitt.tech
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
brendan.mcdevitt.tech/_programming/2021-01-06-command-line-redhat-pkg-auditor.markdown
Brendan McDevitt e6c312a1ec big update
2022-02-25 01:56:24 -05:00

15 KiB
Raw Permalink Blame History

layout title date categories
programming command line: redhat package auditor 2021-01-06 programming

Command Line Programming - RedHat Package Auditor

I am working on a project where I am looking into vulnerabilities for Redhat and CentOS systems. Throughout my time as a sysadmin I have always been a huge fan of command-line programs. This is one of the programs that I hacked together to make my job easier.

Making my life easier

For a project I am working on, I am having to compare operating system vendor data against NVD data and have been working in a spreadsheet initially to record the results. I am looking to see if NVD has captured correct CPE data from the operating system vendors source. To start I was manually looking at CVE/Advisory postings from Redhat and comparing with what was on NVDs page for the given CVE. This grew tediuous rather quickly after I got through a handful of CVEs. I needed to write a tool that would query Redhat's API and give me all the needed info on that CVE. My first step was to see if there was anything available that could do this quickly. After looking online and finding old, outdated programs, I thought it would be quicker if I hacked together something.

I am a big linux nerd and have always loved using different command-line programs. I have been using it for over 5 years now and I am always stumbling upon new command-line driven programs. Writing command-line programs is fun and this was an opportunity to write a new one.

This program will query Redhats Security API and spit back CVE data. I have taken some of the examples from the README document that is linked here with the source code.

{%highlight bash %} ./rpm_pkg_audit.rb --help Usage: rpm_pkg_audit.rb [options] -p, --pkg PKGNAME Takes a base pkg name and returns cves from redhats security API. -l, --list List packages in the XML datafile. -x, --xmlpkg PKGNAME The pkg name you want to audit from xml file rpm-to-cve.xml -r, --refresh Refresh rpm-to-cve.xml file with latest pkgs and cves -c, --cve CVE-2020-1234 Takes a cve id and returns cve json from redhats security API. -f, --cves-from-file cves.txt Takes a file one cve id per line and sends a batch request to redhat security API -a, --advisory RHSA-2019:0997 Takes a RHSA advisory and sends an API request to redhat RHSA-2015:2155 {%endhighlight%}
# CVES We can query for CVE's using two options: {% highlight bash %} --cve --cves-from-file {%endhighlight%} Here are some examples: ### Single CVE {% highlight bash %} ./rpm_pkg_audit.rb --cve CVE-2016-3627 {% endhighlight %}
{% highlight json %} { "threat_severity": "Moderate", "public_date": "2016-03-21T00:00:00Z", "bugzilla": { "description": "CVE-2016-3627 libxml2: stack exhaustion while parsing xml files in recovery mode", "id": "1319829", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1319829" }, "cvss": { "cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "verified" }, "cwe": "CWE-674", "details": [ "The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document.", "Missing recursive loop detection checks were found in the xmlParserEntityCheck() and xmlStringGetNodeList() functions of libxml2, causing application using the library to crash by stack exhaustion while building the associated data. An attacker able to send XML data to be parsed in recovery mode could launch a Denial of Service on the application." ], "affected_release": [ { "product_name": "Red Hat Enterprise Linux 6", "release_date": "2016-06-23T00:00:00Z", "advisory": "RHSA-2016:1292", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "libxml2-0:2.7.6-21.el6_8.1" }, { "product_name": "Red Hat Enterprise Linux 7", "release_date": "2016-06-23T00:00:00Z", "advisory": "RHSA-2016:1292", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "libxml2-0:2.9.1-6.el7_2.3" }, { "product_name": "Red Hat JBoss Core Services 1", "release_date": "2016-12-15T00:00:00Z", "advisory": "RHSA-2016:2957", "cpe": "cpe:/a:redhat:jboss_core_services:1" } ], "package_state": [ { "product_name": "Red Hat Enterprise Linux 5", "fix_state": "Will not fix", "package_name": "libxml2", "cpe": "cpe:/o:redhat:enterprise_linux:5" }, { "product_name": "Red Hat JBoss Enterprise Web Server 3", "fix_state": "Will not fix", "package_name": "libxml2", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3" } ], "name": "CVE-2016-3627" } {%endhighlight%}

Multiple CVES

{% highlight bash %}

create a file one cve per line

touch cves.txt echo "CVE-2016-3627" >> cves.txt echo "CVE-2016-1839" >> cves.txt

./rpm_pkg_audit.rb --cves-from-file cves.txt {% endhighlight %}

{% highlight json %} [ { "CVE": "CVE-2016-1839", "severity": "moderate", "public_date": "2016-05-23T00:00:00Z", "advisories": [ "RHSA-2016:1292", "RHSA-2016:2957" ], "bugzilla": "1338703", "bugzilla_description": "CVE-2016-1839 libxml2: Heap-based buffer overread in xmlDictAddString", "cvss_score": 4.3, "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "CWE": "CWE-122", "affected_packages": [ "libxml2-0:2.9.1-6.el7_2.3", "libxml2-0:2.7.6-21.el6_8.1" ], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1839.json" }, { "CVE": "CVE-2016-3627", "severity": "moderate", "public_date": "2016-03-21T00:00:00Z", "advisories": [ "RHSA-2016:1292", "RHSA-2016:2957" ], "bugzilla": "1319829", "bugzilla_description": "CVE-2016-3627 libxml2: stack exhaustion while parsing xml files in recovery mode", "cvss_score": 4.3, "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "CWE": "CWE-674", "affected_packages": [ "libxml2-0:2.9.1-6.el7_2.3", "libxml2-0:2.7.6-21.el6_8.1" ], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-3627.json" } ] {%endhighlight%}
This will give us json data back for multiple cves, in the order that we created them in our file. When we query with multiple cves in a file, we will split up the requests to groups of 500 cve ids.

Advisories

Redhat will post a security advisory when a vulnerability comes out. These are in the schema RHSA-YEAR:ADVISORY_NUM. As an example: RHSA-2019:0997

{% highlight bash %} ./rpm_pkg_audit.rb --advisory RHSA-2019:0997 {%endhighlight %}

{% highlight json %} [ { "CVE": "CVE-2019-9636", "severity": "important", "public_date": "2019-03-06T00:00:00Z", "advisories": [ "RHBA-2019:0763", "RHSA-2019:2980", "RHSA-2019:0806", "RHSA-2019:1467", "RHSA-2019:0981", "RHSA-2019:0710", "RHSA-2019:0765", "RHSA-2019:0997", "RHSA-2019:3170", "RHBA-2019:0764", "RHSA-2019:0902" ], "bugzilla": "1688543", "bugzilla_description": "CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization", "cvss_score": null, "cvss_scoring_vector": null, "CWE": "CWE-172", "affected_packages": [ "python3-0:3.6.8-2.el8_0", "python27-python-0:2.7.13-4.el6", "rhvm-appliance-0:4.2-20190411.1.el7", "python27-python-0:2.7.13-6.el7", "python-0:2.7.5-59.el7_4", "python-0:2.7.5-70.el7_5", "rh-python36-python-0:3.6.3-4.el6", "redhat-virtualization-host-0:4.2-20190411.1.el7_6", "python27:2.7-8000020190410132513.c0efe978", "rh-python35-python-0:3.5.1-12.el7", "rh-python35-python-0:3.5.1-12.el6", "python-0:2.7.5-77.el7_6", "python-0:2.6.6-68.el6_10", "rh-python36-python-0:3.6.3-7.el7" ], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-9636.json", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cvss3_score": "9.8" } ] {%endhighlight%}

rpm-to-cve.xml

Redhats Security API also posts a mapping of RPM packages to CVEs in a parseable XML file. This file can be downloaded here. This commandline program can also download a fresh XML file locally using the --refresh option.

{% highlight bash %} ./rpm_pkg_audit.rb --refresh {% endhighlight %}

I run this as a sanity check to make sure the cmd finished downloading the file succesfully {% highlight bash %} echo $? 0 {% endhighlight %}

We can search for packages listed in this xml file by passing the --list option and piping to a standard unix search tool like grep

{% highlight bash %} ./rpm_pkg_audit.rb --list | grep ^kernel {%endhighlight%}

We can query packages in this xml file by querying the exact package name {% highlight bash %} ./rpm_pkg_audit.rb --xmlpkg kernel-0:2.6.9-55.EL {%endhighlight%}

{% highlight json %} { "rhel_package_name": "kernel-0:2.6.9-55.EL", "cves": [ "CVE-2005-2873", "CVE-2005-3257", "CVE-2006-0557", "CVE-2006-1863", "CVE-2007-1592", "CVE-2007-3379" ], "cve_count": 6 }

{% endhighlight %}

### Query Redhat API For a package name

We can query the Redhat security API for a specific pkg by querying the BASE pkg name. In this example we query the API and send bash as a param.

{% highlight bash %} ./rpm_pkg_audit.rb --pkg bash {%endhighlight%}

{%highlight json %} [ { "cve_id": "CVE-2019-18276", "advisories": [ 
],
"affected_packages": [

]

}, { "cve_id": "CVE-2012-6711", "advisories": [

],
"affected_packages": [

]

}, { "cve_id": "CVE-2019-9924", "advisories": [ "RHSA-2020:1113", "RHSA-2020:3474", "RHSA-2020:3592", "RHSA-2020:3803", "RHBA-2020:1540" ], "affected_packages": [ "ansible-tower-36/ansible-tower:3.6.4-1", "bash-0:4.2.46-34.el7", "bash-0:4.2.46-32.el7_6", "bash-0:4.2.46-34.el7_7", "bash-0:4.2.46-30.el7_4" ] }, { "cve_id": "CVE-2017-5932", "advisories": [

],
"affected_packages": [

]

}, { "cve_id": "CVE-2016-9401", "advisories": [ "RHSA-2017:1931", "RHSA-2017:0725" ], "affected_packages": [ "bash-0:4.2.46-28.el7", "bash-0:4.1.2-48.el6" ] }, { "cve_id": "CVE-2016-7543", "advisories": [ "RHSA-2017:1931", "RHSA-2017:0725" ], "affected_packages": [ "bash-0:4.2.46-28.el7", "bash-0:4.1.2-48.el6" ] }, { "cve_id": "CVE-2016-0634", "advisories": [ "RHSA-2017:1931", "RHSA-2017:0725" ], "affected_packages": [ "bash-0:4.2.46-28.el7", "bash-0:4.1.2-48.el6" ] }, { "cve_id": "CVE-2014-6278", "advisories": [

],
"affected_packages": [

]

}, { "cve_id": "CVE-2014-6277", "advisories": [

],
"affected_packages": [

]

}, { "cve_id": "CVE-2014-7187", "advisories": [ "RHSA-2014:1312", "RHSA-2014:1311", "RHSA-2014:1354", "RHSA-2014:1306", "RHSA-2014:1865" ], "affected_packages": [ "bash-0:3.2-32.el5_9.3", "bash-0:3.2-33.el5_11.1.sjis.2", "bash-0:4.2.45-5.el7_0.4", "rhev-hypervisor6-0:6.5-20140930.1.el6ev", "bash-0:4.1.2-15.el6_5.2", "bash-0:3.2-32.el5_9.3.sjis.1", "bash-0:3.2-33.el5_11.4", "bash-0:4.1.2-15.el6_5.1.sjis.2" ] }, { "cve_id": "CVE-2014-7186", "advisories": [ "RHSA-2014:1312", "RHSA-2014:1311", "RHSA-2014:1354", "RHSA-2014:1306", "RHSA-2014:1865" ], "affected_packages": [ "bash-0:3.2-32.el5_9.3", "bash-0:3.2-33.el5_11.1.sjis.2", "bash-0:4.2.45-5.el7_0.4", "rhev-hypervisor6-0:6.5-20140930.1.el6ev", "bash-0:4.1.2-15.el6_5.2", "bash-0:3.2-32.el5_9.3.sjis.1", "bash-0:3.2-33.el5_11.4", "bash-0:4.1.2-15.el6_5.1.sjis.2" ] }, { "cve_id": "CVE-2014-6271", "advisories": [ "RHSA-2014:1354", "RHSA-2014:1294", "RHSA-2014:1293", "RHSA-2014:1295" ], "affected_packages": [ "bash-0:3.0-27.el4.2", "bash-0:3.2-33.el5_11.1.sjis.1", "bash-0:3.2-33.el5.1", "bash-0:4.2.45-5.el7_0.2", "rhev-hypervisor6-0:6.5-20140930.1.el6ev", "bash-0:4.1.2-15.el6_5.1", "bash-0:4.1.2-15.el6_5.1.sjis.1" ] }, { "cve_id": "CVE-2014-7169", "advisories": [ "RHSA-2014:1312", "RHSA-2014:1311", "RHSA-2014:1354", "RHSA-2014:1306", "RHSA-2014:1865" ], "affected_packages": [ "bash-0:3.2-32.el5_9.3", "bash-0:3.2-33.el5_11.1.sjis.2", "bash-0:4.2.45-5.el7_0.4", "rhev-hypervisor6-0:6.5-20140930.1.el6ev", "bash-0:4.1.2-15.el6_5.2", "bash-0:3.2-32.el5_9.3.sjis.1", "bash-0:3.2-33.el5_11.4", "bash-0:4.1.2-15.el6_5.1.sjis.2" ] }, { "cve_id": "CVE-2012-3410", "advisories": [

],
"affected_packages": [

]

}, { "cve_id": "CVE-2008-5374", "advisories": [ "RHSA-2011:1073", "RHSA-2011:0261" ], "affected_packages": [ "bash-0:3.0-27.el4", "bash-0:3.2-32.el5" ] } ] {% endhighlight %}

### Get the program! I hope somebody can make use of this program for easier system administration and security auditing purposes. I encourage all rhel/centos security admins to make use of it if you would like better insight into CVE data from the vendor source. You should be able to make use of the program by cloning my misc_rbtools directory from my Gitlab. I will be expanding this into its own Ruby gem in the coming days so please check back on this post. I will update the link to the Ruby Gem page once it has been ported to a Gem!

{%highlight bash %}

git clone https://git.mcdevitt.tech/bpmcdevitt/misc_rbtools.git Cloning into 'misc_rbtools'... remote: Enumerating objects: 56, done. remote: Counting objects: 100% (56/56), done. remote: Compressing objects: 100% (55/55), done. remote: Total 815 (delta 28), reused 0 (delta 0), pack-reused 759 Receiving objects: 100% (815/815), 118.60 MiB | 11.06 MiB/s, done. Resolving deltas: 100% (362/362), done.

cd misc_rbtools/security_tools/redhat_tools/ {%endhighlight%} You should now have access to the ./rpm_pkg_audit.rb script, have fun auditing!

{% include collapse.html %}