NVD CVE Data in Disconnected Setup



SteveBaker_ADS
06-Nov-2017, 12:35
I am trialling SUSE Manager 3.1 in a disconnected (air-gapped) setup.

I can use an internet facing SMT server to pull in the required software channels and patches and manually move the data to the air-gapped SUSE Manager server for import.

One thing I cannot figure out how to do is to update the NVD CVE data to run patch audits. I can see the task to refresh the data, but obviously without being internet facing this doesn't do much. I also download the latest NVD CVE json files directly from NIST, but how/where do the files get imported?

I'm really keen to be able to audit the servers managed by SUSE Manager for the applicability of patches etc.

Does anyone know how to accomplish this?

Many Thanks,

kwk
07-Nov-2017, 09:35
All information required for a "CVE audit" in SUSE Manager is contained in the patch data synced by SMT from update.suse.com.

The link to NVD is just for information purposes. SUSE Manager does not need or download any data from NVD.

SteveBaker_ADS
07-Nov-2017, 10:28
Firstly, Thanks for the reply.

When I look in SUSE Manager, and query (under Audit >> CVE Audit) for a CVE I know I have a patch for (e.g. 2017-1770) I get nothing from the search. It's almost like I have no data to audit against.

Can you advise which channels I should be synchronising in SMT to ensure I am getting this feed?
At the moment I am only synchronising:

SLES12-SP3-Pool
SLES12-SP3-Updates
SLE-Manager-Tools12-Pool
SLE-Manager-Tools12-Updates
SUSE-Manager-Server-3.1-Pool
SUSE-Manager-Server-3.1-Source-Pool
SUSE-Manager-Server-3.1-Updates



Many Thanks,

kwk
08-Nov-2017, 09:04
CVE-2017-1770 is an unassigned CVE and our SUSE Manager reference server also shows "The specified CVE number was not found. This can happen for very old or yet-unknown numbers, please also check it for possible typing errors."

However, 2017:1770 shows up as a SUSE security id for Xen on SLES11: https://www.suse.com/de-de/support/update/announcement/2017/suse-su-20171770-1/

CVE numbers are assigned by nist.gov, SUSE security ids are assigned by suse.com. Both numbers are independently assigned.
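
The distinction described in the replies above, as an added example that is not part of the original thread and not SUSE Manager's own code: it indexes the CVE references carried in patch metadata and shows why a SUSE update number typed in CVE form finds nothing. It assumes the patch data uses the rpm-md `updateinfo.xml` layout; the sample document, its ids and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the assumed rpm-md updateinfo.xml layout; all ids are made up.
SAMPLE_UPDATEINFO = """<updates>
  <update from="maint@example.invalid" status="stable" type="security" version="1">
    <id>EXAMPLE-SLE-SERVER-12-SP3-2099-1770</id>
    <title>Security update for examplepkg</title>
    <references>
      <reference href="https://example.invalid/cve" id="CVE-2099-0001" type="cve"/>
      <reference href="https://example.invalid/bug" id="1000001" type="bugzilla"/>
    </references>
  </update>
  <update from="maint@example.invalid" status="stable" type="recommended" version="1">
    <id>EXAMPLE-SLE-SERVER-12-SP3-2099-1801</id>
    <title>Recommended update for otherpkg</title>
    <references/>
  </update>
</updates>"""

CVE_RE = re.compile(r"^(?:CVE-)?(\d{4})-(\d{4,})$", re.IGNORECASE)
SUSE_ID_RE = re.compile(r"^(?:SUSE-SU-)?(\d{4}):(\d+)(?:-\d+)?$", re.IGNORECASE)

def classify(query):
    """Tell a CVE number (YYYY-NNNN) from a SUSE update id (YYYY:NNNN)."""
    q = query.strip()
    m = CVE_RE.match(q)
    if m:
        return ("cve", "CVE-%s-%s" % m.groups())
    m = SUSE_ID_RE.match(q)
    if m:
        return ("suse-update", "%s:%s" % m.groups())
    return ("unknown", q)

def build_cve_index(xml_text):
    """Map each CVE id referenced in the patch metadata to the patch ids fixing it."""
    index = {}
    for upd in ET.fromstring(xml_text).iter("update"):
        for ref in upd.iter("reference"):
            if ref.get("type") == "cve":
                index.setdefault(ref.get("id").upper(), []).append(upd.findtext("id"))
    return index

def audit(query, index):
    """Return (kind, patches); only a real CVE number can match the index."""
    kind, norm = classify(query)
    return (kind, index.get(norm, []) if kind == "cve" else [])
```

An empty result for a query classified as `cve` means no synced patch references that CVE, which is a different condition from having no audit data at all.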

SteveBaker_ADS
08-Nov-2017, 11:00
Again, thanks for the reply.

I can see where I was going wrong (with my searching) and can now see successful audit output.

Many Thanks for your help with this.