Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Compare NetBox inventory with database of known vulnerabilities #134

Closed
mmguero opened this issue Dec 7, 2022 · 7 comments
Closed

Compare NetBox inventory with database of known vulnerabilities #134

mmguero opened this issue Dec 7, 2022 · 7 comments
Labels
enhancement New feature or request external Depends on a bug or feature external to this project netbox Related to Malcolm's use of NetBox

Comments

@mmguero
Copy link
Collaborator

mmguero commented Dec 7, 2022

Feature-tracking issue dependent on #131

@mmguero mmguero added enhancement New feature or request netbox Related to Malcolm's use of NetBox labels Dec 7, 2022
@mmguero mmguero added this to Malcolm Dec 7, 2022
@mmguero mmguero moved this to Todo (design) in Malcolm Dec 7, 2022
@mmguero mmguero moved this from Todo (design) to Todo (spike) in Malcolm Dec 7, 2022
@mmguero mmguero changed the title Compare NetBox inventory with database of known vulnerabilities Compare NetBox inventory with database of known vulnerabilities (CSAF) Dec 13, 2022
@mmguero
Copy link
Collaborator Author

mmguero commented Jan 24, 2023

@piercema suggests looking into Common Platform Enumeration (see also NIST and nmap.org) as a way to store the information about platforms of the devices in the inventory. I think that's a great idea.

As to where to store the information on a per-device basis, platform seems to make the most sense, if there is a place for it there. If not, creating a custom field type that either belongs to platform or belongs to devices/VMs seems like the way to go. If we can come up with the way to consistently store platform information with the devices we can reproducibly check it against a vulnerability database like CSAF.

@mmguero mmguero assigned mmguero and unassigned mmguero Jan 24, 2023
@mmguero
Copy link
Collaborator Author

mmguero commented Jan 24, 2023

Although as indicated here (nmap.org), a CPE name is definable as a URL of sorts that looks like cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*. As such, it's possible we could just store them in the device or VMs comments field instead of creating a custom type. This might be a first step to play with during development.

@mmguero mmguero assigned mmguero and piercema and unassigned mmguero Jan 31, 2023
@mmguero mmguero changed the title Compare NetBox inventory with database of known vulnerabilities (CSAF) Compare NetBox inventory with database of known vulnerabilities Jan 31, 2023
@tschmidtb51
Copy link

@piercema suggests looking into Common Platform Enumeration (see also NIST and nmap.org) as a way to store the information about platforms of the devices in the inventory. I think that's a great idea.

Sorry, I don't. CPE has some severe issues (e.g. look at the entries in the CPE dict for Siemens). I don't want to say that it doesn't work - in fact it works quite well for e.g. RedHat.

So my question is: Is it just for storing data? Then, the format doesn't really matter. Is it for matching against an advisory? Well, then you should have the same identifier the vendor uses in its advisories... And this might not necessarily be CPE or the data used in CPE. Although the vendor/product_name/product_version can get you quite far.

Happy to have a chat.

@mmguero
Copy link
Collaborator Author

mmguero commented Jan 31, 2023

Thanks for the reply @tschmidtb51, copying this from my email to you for tracking purposes:

Here are our thoughts regarding this feature. I'm new to the world of vulnerability indicators and whatnot, although Melanie has got more experience with it. @piercema feel free to chime in if I've missed something here.

Here are the thoughts that led us to where we are:

  • What we're looking at CPE for is for matching, not just for storing the data for human-readable consumption or reports. If it were, NetBox has already got the platform model for the string to be stored in.
  • We're attempting to, in as much of a one-size-fits-all generic way, provide a way for software/firmware details about a device to be stored in a repeatable way for comparison against some feed or database of known vulnerabilities.
  • We'd prefer not to reinvent the wheel and come up with our own string format for storing this information.
  • The CSAF framework's design principles (see https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#21-construction-principles) states the following, which to us appeared to indicate that CPE is the preferred platform referencing schema for use with CSAF. Is this not the case?
    • Delegation to industry best practices technologies is used in referencing schemas for:
      • Platform Data:
        • Common Platform Enumeration (CPE) Version 2.3 [CPE23-N]
  • Some of @piercema's initial research has led her to the conclusion that CSAF as a format allows for specifying CPE data for assets, but that it is not consistently utilized across the feeds she was looking at.
  • As an alternative to CSAF, we've been talking about using the NIST API to pull CVEs from the NIST database, as it seems CPEs are used more consistently in that database. However we realize this is not quite an apples-to-apples comparison, as NIST is a specific database with an API to access it while CSAF is an open specification.

I think that's about it. I guess, in short, we'd love to hear your opinion on an alternative to CPE for representing platform information in a standardized way suitable for comparison against common vulnerability feed formats. I can see in some of your comments/commits on oasis-tcs/csaf (https://github.com/oasis-tcs/csaf/issues/91, https://github.com/oasis-tcs/csaf/pull/324, https://github.com/oasis-tcs/csaf/actions/workflows/cpe.yml, etc.) that this is something you've got experience with.

@mmguero mmguero moved this from Todo (spike) to Todo (design) in Malcolm Feb 1, 2023
@danpetraru
Copy link

For OS vulnerabilities you can use the wazuh api - piggyback on existing deployment OR add Wazuh to Malcolm - this would be a nice integration Pros : wazuh agents are easy to deploy, wazuh app has the requested data Cons : for large env. you do need proper/multi-node wazuh deployment

@mmguero mmguero added the external Depends on a bug or feature external to this project label May 16, 2023
@mmguero
Copy link
Collaborator Author

mmguero commented May 16, 2023

As part of our collaboration with BSI-Bund (www.bsi.bund.de, github org), they are going to be taking over this development of this feature. Marking as external, will update this issue as their work continues.

@mmguero mmguero moved this from Todo (design) to In Progress (external) in Malcolm May 18, 2023
@mmguero mmguero added the CISA label Nov 13, 2023
@mmguero mmguero added the BSI label Jan 23, 2024
@mmguero mmguero removed the CISA label May 7, 2024
@mmguero mmguero removed the BSI label Jul 31, 2024
@mmguero
Copy link
Collaborator Author

mmguero commented Nov 5, 2024

Kamino closed and cloned this issue to cisagov/Malcolm

@mmguero mmguero closed this as completed Nov 5, 2024
@github-project-automation github-project-automation bot moved this from In Progress (external) to Done in Malcolm Nov 5, 2024
@mmguero mmguero removed the status in Malcolm Nov 5, 2024
@mmguero mmguero moved this to Migrated in Malcolm Nov 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request external Depends on a bug or feature external to this project netbox Related to Malcolm's use of NetBox
Projects
Status: Migrated
Development

No branches or pull requests

4 participants