A SCAP Database Model
Download
Report
Transcript A SCAP Database Model
A SCAP Database Model
All of SCAP data in a Relational Database
[email protected]
www.lumension.com
A mini-system to learn SCAP
A SCAP database with all of the SCAP data in it
Examples (with source code)
Automatic updates utility
Automatic import of client data
Detection of equivalent OVAL elements
Schema-change tolerant DB design
SCAP data formats (schema) are constantly change
Authors can lag in updating
Tools and data formats may be out of sync
www.lumension.com
XML and Databases
Xml is excellent for distribution, poor for analysis and
reporting (databases are better)
XML is single computer/thread centric (no sharing)
DB is data set centric with concurrent access
Exposes XML data as regular columns / rows
Reporting staff do not need to learn XML
www.lumension.com
A simple logical database model
AlternativeCVSS
HREF
CPE
XCCDF
CveID
href
CpeID
Xml
CVSS
MimeTypeID
Description
XccdfGuid
Text
Xml
AddDate
NamespaceUri
Oval
CVE
OvalID
localName
CCE
CceID
XccdfElement
CveID
OvalGuid
Xml
Xml
Xml
XccdfGuid
ImportTimeStamp
Definition
Version
ElementID
NamespaceUri
Xml
AddDate
XccdfElementGuid
ID
VendorStatements
Xml
CveID
www.lumension.com
Device_OvalState
Device
DeviceGuid
DeviceGuid
OvalID
HostName
State
Description
AsOf
Xml
Device_XccdfProfile
DeviceGuid
AddDate
ChangedDate
What we will cover
Importing SCAP Xml files
CVE - Vulnerability
CVSS – Scoring
OVAL -- Assessment
CPE – Product
XCCDF – Checklist
CCE – Configuration
Importing OVAL result files from clients
Querying OVAL elements for equivalency
Reduce client test load by 25+%
www.lumension.com
Examples of importing / exporting data
Import of OVAL results into the database
Files are dropped into a folder
Utility will pick up and insert into the database automatically
Export of equivalent OVAL element
Eliminate redundant and duplicate data
OVAL comes from multiple sources
Duplications must be expected and handled
www.lumension.com
SCAP Import Utility
Two mode of operation:
Drop the Xml files in a folder
Edit DataFiles.Xml to point to locations you want checked for
changes.
Files are uploaded into DB and processed automatically
sqlXml = new SqlXml(new XmlTextReader(fileName));
db = new ImportDataBase();
cmd = db.StoredProcedure("ImportScapXmlFile");
cmd.Parameters.AddWithValue("FileName", fi.Name);
cmd.Parameters.AddWithValue("ScapXml", sqlXml);
cmd.ExecuteNonQuery();
www.lumension.com
Common Vulnerability Enumeration (CVE) http://nvd.nist.gov/
The physical data is simple – 2 columns
The logical data can consist of many columns and
additional rows.
Calculated columns generates the logical columns.
Cross Apply generates the logical rows
www.lumension.com
Example of Computed Columns
XQuery is used to convert XML into Columns
SELECT xml.value('(/*/@CVSS_score)[1]','float') as
CVSS_Score
Proper design tolerates change of schema
Note: cve/1.2 and no namespace above
www.lumension.com
Example of Logical Rows
All of the data can be
extracted into computed views
We get multiple logical rows from
one physical row.
Tolerates typical evolution of
schema
Create View vCVE_VendorProduct As
select
CVEID,
item.value('./@name','varchar(100)') as ProductName,
item.value('./@vendor','varchar(100)') as Vendor
from CVE Cross Apply
Xml.nodes('//*[@name and @vendor]') as prod(item)
www.lumension.com
More logical rows examples
www.lumension.com
Common Vulnerability Scoring System (CVSS)
All CVEs come with a generic NIST determined CVSS
score and vector
Organizations may wish to determine their own score
and vectors.
Computed column can automatically replace NIST value
with your own.
CVE
CveID
Xml
ImportTimeStamp
localName
NamespaceUri
CVSS_vector
Published
Modified
severity
CVSS_Score
www.lumension.com
AlternativeCVSS
CveID
CVSS
Open Vulnerability and Assessment Language (OVAL)
Physical table slightly more complex
OvalID (could be computed)
Element Version (could be computed)
SchemaVersion is the version of OVAL
Comes from header of imported file
www.lumension.com
OVAL Logical Columns and Logical Rows
SELECT localname, count(*) as [Count]
from OVAL group by localname
SELECT namespaceuri, count(*) as
[Count] from OVAL group by
namespaceuri
Over 70 different logical record
layouts
www.lumension.com
Some OVAL Logical Rows
www.lumension.com
Data is often hierarchical in the XML
Extract of hierarchy is easy
definition test state
Object var
State var
www.lumension.com
Common Platform Enumeration (CPE)
CPE has a 2 column physical structure
<cpe-item name="cpe:///0verkill:0verkill">
<title>0verkill 0verkill</title>
</cpe-item>
www.lumension.com
Putting the parts together
OVAL-CVE (CVSS) -CPE
www.lumension.com
Extensible Configuration Checklist Description Format
(XCCDF)
No Global Identifiers results in more columns
One table is for identification only.
XCCDF
Xml
XccdfElement
XccdfGuid
XccdfGuid
AddDate
ElementID
NamespaceUri
Xml
localName
XccdfElementGuid
Version
ID
Status
NamespaceUri
StatusDate
localName
Title
Platform
www.lumension.com
XCCDF computed and cross-apply
www.lumension.com
Putting SCAP into play
Identifying devices/computers…
Recording automated results
Recording manual results
www.lumension.com
Device / Host Identification
OVAL’s system_info node provides the pattern (included
with all OVAL results)
Physical Table is just two columns
www.lumension.com
Device information
OVAL interpreters returns a <system_info>
Contains sufficient information to uniquely identify the device
99.9% of the time
www.lumension.com
Device computed columns and logical rows
www.lumension.com
OVAL Results
Uploaded just like SCAP files
Put into a folder and utility will upload
Complete history is kept (purge as needed)
UploadID points to source document
www.lumension.com
Using the database to improve performance
OVAL data is coming from multiple authors
Often the same element content is seen with many different ids
Some sources have 20% duplicate internally
If we can identify duplicate contents and eliminate it,
then
Size of the OVAL file to download is reduced
Number of tests and executions on the client is reduced and less
work (i.e. CPU usage, memory) on the client.
Utility identifies duplicate content
www.lumension.com
This is just a start …
We have
Viewed how SCAP elements are related
An elegant but simple design for a SCAP database
Supports reporting across multiple devices
Runs on free software (SQLExpress 2005)
Will support up to 4 gigs (with Express) for each of:
» Device history data
» SCAP import data history
» Current State data of devices
Automated import of SCAP data
Automated import of Device result files
www.lumension.com
Where do you get this stuff
Source:
http://oval.lassesen.com/Nist2007/
Database: (Free – no expiry)
Microsoft SQL Server Management Studio Express
Microsoft SQL Server 2005 Express Edition with Advanced
Services Service Pack 2
Allows full text search of XML
www.lumension.com