<?xml version="1.0" encoding="UTF-8"?>
<article version="5.0" xmlns="http://docbook.org/ns/docbook"
xml:lang="en">
<info>
<title>CVE Checker User Guide</title>
<author>
<personname><firstname>Sven</firstname><surname>Vermeulen</surname></personname>
<email>sven.vermeulen@siphos.be</email>
</author>
<pubdate>2017/03/01</pubdate>
</info>
<section>
<title>Introduction</title>
<para>Welcome to the CVE checker user guide. The purpose of this document
is to guide you through the installation and usage of CVE checker. But
before we start with that, a little warning is in place...</para>
<para>CVE checker does not provide security for your system. It is nothing
more than a tool that attempts to identify installed software on your
system and match those against the online database of CVE entries. As the
identification of installed software depends on simple rules that are
added by the community, it is very likely that it only detects a small
portion of the installed software on your system (especially if you are
running software that isn't all that popular). And even if the tool
detects the software appropriately, it still requires that the CVE entry
mentions this software with the same vendor and product name as this tool
detects - if not, CVE checker will not be able to match the installed
software against the online CVE database.</para>
<para>Okay, now that that is out of the way, let's start with the CVE
checker installation.</para>
</section>
<section>
<title>Installation</title>
<section>
<title>Requirements</title>
<para>The cvechecker tool requires the following packages to be
installed:</para>
<itemizedlist>
<listitem>
<para>libxslt - needed for the XSLT transformations (the online CVE
database exists of XML files and we need to convert those to CSV so
that we can easily import it into our own, local database)</para>
</listitem>
<listitem>
<para>libconfig - a C library that offers a simple way for
applications to read and handle configuration files</para>
</listitem>
<listitem>
<para>a database or database client. Currently, cvechecker
supports:</para>
<itemizedlist>
<listitem>
<para>sqlite3 - a local, embedded yet powerful database</para>
</listitem>
<listitem>
<para>mysql (through libmysql) - one of the more popular open
source databases</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>wget - a command-line tool to fetch online resources</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Installation</title>
<para>If your distribution already offers cvechecker through its package
management system, I strongly advise that you use that. The installation
instructions in this section assume that you do the installation
manually (and should reflect the steps that the distribution package
management system does for you).</para>
<para>First, download the latest cvechecker package from <link
xl:href="http://cvechecker.sourceforge.net">http://cvechecker.sourceforge.net</link>
(or <link
xl:href="http://sourceforge.net/projects/cvechecker/files/">http://sourceforge.net/projects/cvechecker/files/</link>),
then extract it into a temporary directory:</para>
<programlisting>~$ <command>tar xvzf cvechecker-1.O.tar.gz</command></programlisting>
<para>You need to select the database you want to use. cvechecker
currently supports mysql and sqlite, and this support is enabled through
the <command>./configure --enable-sqlite3</command> or
<command>./configure --enable-mysql</command> options. You can select
both too (they are not mutually exclusive) but you need to select at
least one of them.</para>
<para>Inside the extracted folder, first run
<command>./configure</command> with the proper
<command>--enable-<database></command> options, followed by
<command>make</command> and <command>make install</command>. If you use
the default settings, it will install the files inside
<filename>/usr/local</filename>, so you might need root privileges to
perform the <command>make install</command> step.</para>
<programlisting>~$ <command>cd cvechecker-1.0</command>
~$ <command>./configure --enable-sqlite3</command>
...
~$ <command>make</command>
...
~$ <command>sudo -i</command>
~# <command>make install</command></programlisting>
<para>
If the <command>./configure</command> step fails (especially when using
the live code rather than a specific release), first run the following
command:
</para>
<programlisting>~$ <command>autoreconf --force --install</command></programlisting>
<para>Finally, create a group called cvechecker and change the
permissions of the installed folders so that this group has write
privileges inside the directory. These steps are performed when
executing <command>make postinstall</command> (you almost definitely
need root privileges now):</para>
<programlisting>~# <command>make postinstall</command></programlisting>
</section>
<section>
<title>Initial Configuration</title>
<para>With the software now installed, you need to perform an initial
configuration. This includes the setup of the databases, creation of the
user you are going to use to run cvechecker and initial pull of the CVE
entries from the Internet.</para>
<para>First, create a user that you will use to run cvechecker. The tool
does not require root privileges, so I recommend not to use root. I
personally use a dedicated user whose sole purpose is to, on a daily
basis, pull the latest updates from the Internet, generate a report and
mail that report to me. Make sure that this user is inside the
cvechecker group:</para>
<programlisting>~# <command>gpasswd -a <replaceable>youruser</replaceable> cvechecker</command></programlisting>
<para>Log on as that user, make sure his primary group is cvechecker and
set the umask to 002 or higher (such as 007).</para>
<programlisting>~# <command>su <replaceable>youruser</replaceable> -</command>
~$ <command>newgrp cvechecker</command>
~$ <command>umask 007</command></programlisting>
<para>Now, initialize the databases by running <command>cvechecker
-i</command>. This will create the sqlite3 databases or, if MySQL is
selected, create the appropriate tables and indexes in the selected
MySQL database (the tool does not create a MySQL database
itself).</para>
<programlisting>~$ <command>cvechecker -i</command></programlisting>
<section>
<title>Configuration File</title>
<para>The cvechecker command uses a configuration file which it looks
for in the location pointed to by the
<varname>CVECHECKER_CONFFILE</varname> variable or, if that variable
is not set, the users' home directory
(<filename>${HOME}/.cvechecker.rc</filename>),
<filename>/usr/local/etc/cvechecker.conf</filename> or
<filename>/etc/cvechecker.conf</filename>, in that order. The first
configuration file that parses correctly is used, the rest is ignored
(so there is no accumulation of configurations). Below, you'll find an
example configuration file which shows both the sqlite3 and mysql
support:</para>
<programlisting>#
# Generic settings
#
dbtype = "mysql";
#dbtype = "sqlite3";
cvecache = "/var/lib/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "https://raw.github.com/sjvermeu/cvechecker/master/versions.dat";
#userkey = "servertag";
#
# For SQLite3
#
sqlite3: {
localdb = "/var/lib/cvechecker/local";
globaldb = "/var/lib/cvechecker/global.db";
};
#
# For MySQL
#
mysql: {
dbname = "cvechecker";
dbuser = "cvechecker_rw";
dbpass = "passwordforcvechecker_rw";
dbhost = "mysql.company.com";
};</programlisting>
<para>Most of the parameters (like cvecache, datadir, version_url and
even localdb and globaldb) will most likely be set correctly already
during the installation. However, it doesn't hurt to validate if the
locations mentioned are correct and that the user that will be used to
run cvechecker has the rights to write (to) files in the
locations.</para>
</section>
<section>
<title>Initialize SQLite3 Database</title>
<para>If you opt to use the sqlite3 databases, you need to initialize
those by running <command>cvechecker -i</command>. Because cvechecker
uses a lot of data, it will create various database files to spread
the data due to performance reasons. These locations are mentioned in
the configuration file.</para>
<programlisting>~# <command>cvechecker -i</command></programlisting>
<para>This is all that is needed to initialize the SQLite3
databases.</para>
</section>
<section>
<title>Initialize MySQL Database</title>
<para>If you opt to use the MySQL database, you first need to create
the database in your MySQL server. Installing and configuring a MySQL
server is beyond the scope of this document. Once a database is
created (say "cvechecker"), you can either initialize it through
<command>cvechecker -i</command> (if the user you connect to the
database to has sufficient privileges to drop and create tables and
indexes) or use the dump file
<filename>mysql_cvechecker.sql</filename> available in
/usr/share/cvechecker/.</para>
<programlisting>~# <command>cvechecker -i</command></programlisting>
<para>It is strongly advised that the user you
<emphasis>use</emphasis> has limited rights. Only the initialization
requires additional rights. When you are using cvechecker, it is
recommended that two roles are used:</para>
<itemizedlist>
<listitem>
<para>A cvechecker administrative role that has the rights to load
new CVE and CPE data as well as version matching rules</para>
</listitem>
<listitem>
<para>A cvechecker operational role that has the rights to insert
the matching data and read the CVE and version matching
rules</para>
</listitem>
</itemizedlist>
<para>We will talk about these roles later in this document.</para>
</section>
<section>
<title>Load CVE and version matching rules</title>
<para>Our last step is to load the upstream data in the
databases.</para>
<para>The upstream data consists out of</para>
<itemizedlist>
<listitem>
<para>CVE information (CVE identifiers together with the software
they are referring to) which is going to be pulled from
nvd.nist.gov, and</para>
</listitem>
<listitem>
<para>version matching rules (regular expressions and other
information needed to deduce the correct software and version
given an application file or binary) which is going to be pulled
from the cvechecker source code repository</para>
</listitem>
</itemizedlist>
<para>These steps are automated in a tool called
<command>pullcves</command>. This will take a very long time, so
please be patient (loading over half a million CVE entries in a
database is a time consuming - but one-time - activity). Future pulls
will not take this much time as they will not redownload the CVE
entries from all previous years (unless you ask it to).</para>
<programlisting>~$ <command>pullcves pull</command></programlisting>
</section>
</section>
<section>
<title>Upgrades</title>
<para>cvechecker tries to detect if its back-end was created with an
earlier version of cvechecker and update the back-end accordingly. For
sqlite3 databases, this usually isn't a problem as the tool has the
rights to add tables and indexes when needed.</para>
<para>However, when using MySQL databases, it is very likely that the
user you use is not authorized to update the back-end. To fix this,
first run cvechecker on the administrative host (where a more privileged
MySQL account can be used). It will update the back-ends for all users
as well. When new(er) versions are made available, we will also add the
necessary upgrade SQL scripts to launch so that you do not have to run
cvechecker with a database owner account.</para>
</section>
</section>
<section>
<title>Regular Runs</title>
<para>Whenever you want to perform a regular cvechecker run, you should
schedule five steps. If you use sqlite as the database backend, all steps
are to be scheduled on the same system. If you use MySQL however, it is
recommended to schedule the administrative tasks on a single system (the
"master" that is responsible for keeping the upstream data up-to-date) and
the operational tasks on all systems where you want to run cvechecker on
(and gather reports from).</para>
<para>The administrative tasks are:</para>
<orderedlist>
<listitem>
<para>pull in the latest CVE entries as well as software/version
detection rules</para>
</listitem>
</orderedlist>
<para>The operational tasks are:</para>
<orderedlist>
<listitem>
<para>generate a list of files to scan</para>
</listitem>
<listitem>
<para>gather installed software/version information</para>
</listitem>
<listitem>
<para>output which CVE entries might affect your system</para>
</listitem>
<listitem>
<para>generate a report informing you about the CVE entries</para>
</listitem>
</orderedlist>
<para>All these steps should be performed by the user you use to run
cvechecker, so don't forget:</para>
<programlisting>~$ <command>newgrp cvechecker</command>
~$ <command>umask 007</command></programlisting>
<section>
<title>Pull Data</title>
<para>To pull the necessary data from the Internet, run
<command>pullcves pull</command>:</para>
<programlisting>~$ <command>pullcves pull</command></programlisting>
</section>
<section>
<title>Generate List of Files</title>
<para>cvechecker uses a text file which sums up the files to scan. I
recommend that you provide it with a list of all executables files plus
/proc/version (on Linux). The latter allows cvechecker to verify if
there are kernel-related CVE entries for your Linux kernel.</para>
<programlisting>~$ <command>find / -type f -perm -o+x > scanlist.txt</command>
~$ <command>echo "/proc/version" >> scanlist.txt</command></programlisting>
<para>It is strongly advised to either umount or exclude file systems on
which no useful files are located (or that belong to different operating
systems, like a mounted Windows partition). You can use the
<parameter>-mount</parameter> (or <parameter>-xdev</parameter>) option
of <command>find</command> to stay within the selected device
(partition), or exclude directories (and their subdirectories), like
so:</para>
<programlisting>~$ <command>find / -path /mnt -prune -o -path /media -prune -o -type f -perm -o+x > scanlist.txt</command> </programlisting>
</section>
<section>
<title>Gather List of Installed Software/Versions</title>
<para>Import the generated scanlist.txt file in cvechecker. During the
import, cvechecker will output the software/versions it detected:</para>
<programlisting>~$ <command>cvechecker -b scanlist.txt</command></programlisting>
<section>
<title>Integrating with a package manager</title>
<para>You can integrate cvechecker with your package manager, telling
cvechecker to only add (or remove) files part of an installed (or
uninstalled) package rather than having to feed a full file system
listing. To do so, tell your package manager to call
<command>cvechecker -d -b <file></command> after each succesfull
installation, or <command>cvechecker -D -b <file></command>
before a desinstallation. The -d option tells cvechecker to add the
file content to the database (rather than replace) whereas -D tells
cvechecker to delete those entries in the database that are also in
the file.</para>
<para>A simple example for Gentoo would be to create a script
(/etc/portage/bashrc) which calls other scripts based on the ebuild
phase, such as
<filename>/etc/portage/bashrc.d/package.postinst</filename> or
<filename>/etc/portage/bashrc.d/package.prerm</filename>. These
scripts can then call <command>qlist</command> to create a file
containing the package file content which is then passed on to
<command>cvechecker</command>.</para>
<programlisting>~$ <command>cat /etc/portage/bashrc</command>
if [ -x "/etc/portage/bashrc.d/package.${EBUILD_PHASE}" ];
then
source "/etc/portage/bashrc.d/package.${EBUILD_PHASE}"
fi
~$ <command>cat /etc/portage/bashrc.d/package.prerm</command>
TMPFILE=$(mktemp);
[ ! -f "${TMPFILE}" ] && die "Cannot create temporary file.";
qlist ${CATEGORY}/${P} > "${TMPFILE}";
cvechecker -D -b "${TMPFILE}";
rm "${TMPFILE}";</programlisting>
</section>
<section>
<title>Adding through standard input</title>
<para>The cvechecker command will also accept standard input for the
--binlist (-b) option when the minus sign is used:</para>
<programlisting>~$ <command>find /usr/bin -type f | cvechecker -b -</command>
Searching for known software titles...
- Found match for /proc/version: cpe:/o:linux:linux_kernel:3.10.5-hardened:::</programlisting>
</section>
</section>
<section>
<title>Output Matching CVE Entries</title>
<para>Make cvechecker output the matching CVE entries. A standard output
might look like this:</para>
<programlisting>~$ <command>cvechecker -r</command>
File "/usr/bin/kbxutil" (CPE = cpe:/a:gnupg:gnupg:2.0.15:::) on host localhost (key localhost)
Potential vulnerability found (CVE-2010-2547)
Full vulnerability match (incl. edition/language)
File "/usr/bin/gpgsm" (CPE = cpe:/a:gnupg:gnupg:2.0.15:::) on host localhost (key localhost)
Potential vulnerability found (CVE-2010-2547)
Full vulnerability match (incl. edition/language)
File "/usr/bin/watchgnupg" (CPE = cpe:/a:gnupg:gnupg:2.0.15:::) on host localhost (key localhost)
Potential vulnerability found (CVE-2010-2547)
Full vulnerability match (incl. edition/language)</programlisting>
<para>However, if you would like to parse the output so that you can
generate a better-looking report, ask cvechecker to use CSV
output:</para>
<programlisting>~$ <command>cvechecker -r -C</command>
Outputversion,File,CPE,CVE,Matchtype,Hostname,Userkey
2,/usr/bin/kbxutil,cpe:/a:gnupg:gnupg:2.0.15:::,CVE-2010-2547,1,localhost,localhost
2,/usr/bin/gpgsm,cpe:/a:gnupg:gnupg:2.0.15:::,CVE-2010-2547,1,localhost,localhost
2,/usr/bin/watchgnupg,cpe:/a:gnupg:gnupg:2.0.15:::,CVE-2010-2547,1,localhost,localhost</programlisting>
<para>The default behavior of <command>cvechecker</command> is to only
report on those CVEs who specifically target the software and version
you have installed. However, you might want to be informed about
software matches for CVEs that affect <emphasis>higher</emphasis>
versions than the versions installed on your system. Not all CVEs
contain a full list of all versions affected but rather mention only the
highest version vulnerable. The default reporting within
<command>cvechecker</command> wouldn't be triggered when this is the
case, but if you add <command>-H</command> or
<command>--reporthigher</command>, <command>cvechecker</command> will
also report on higher versions.</para>
</section>
<section>
<title>(Optional) Generate A Report</title>
<para>You can use the cvechecker output to generate a report. Within the
cvechecker distribution, sample reporting files are available that show
you a simple method. Of course, reporting is not part of this tools'
goals; the primary purpose of this step is to show you that the output
can indeed be used for reporting purposes. To facilitate (simple)
reporting, a cvereport script has been provided which uses the sample
reports currently. In the future, this will be enhanced with
distribution-specific checks.</para>
<programlisting>~$ <command>cvereport -d /home/john/cvereport-20100902/ /home/john/cvechecker/acknowledgements.xml</command></programlisting>
<para>The default report will use the default
<command>cvechecker</command> report. If you want to report using higher
version matches as well, use <command>-D</command> instead of
<command>-d</command>.</para>
<para>Below is a sample acknowledgements XML file. Its use should be
self-explanatory:</para>
<programlisting><?xml version="1.0" encoding="UTF-8"?>
<acknowledgements>
<!-- I chose to use the CVE number as id for the resolution/comment text, but this is not mandatory -->
<resolution id="CVE-2008-4101">Has been solved by security update #17 (vim-1.7-b3)</resolution>
<comment id="CVE-2010-2547">Under investigation, bug opened on distributions bug site (#332329)</comment>
<!-- The @comment or @resolution should refer to one of the above descriptions.
Its use however is optional (you don't need to give comments) -->
<file name="/usr/bin/kbxutil" cve="CVE-2010-2547" state="acknowledged" comment="CVE-2010-2547" />
<file name="/usr/bin/vim" cve="CVE-2008-4101" state="irrelevant" resolution="CVE-2008-4101" />
</acknowledgements></programlisting>
<para>The final document (report.html) can then be mailed, published or
in any other way sent to you.</para>
<para>If the report shows new CVE entries matching your system,
investigate those CVE entries by first acknowledging and, if necessary,
either update the software on your system or mark the entry as
irrelevant.</para>
</section>
</section>
<section>
<title>Detected Software</title>
<para>The tool also supports listing the detected software/version on your
system. This allows you to verify if the tool can detect the software you
want to track CVE reports of.</para>
<programlisting>~$ <command>cvechecker -s</command>
Detected vendor="wpa_supplicant", product="wpa_supplicant", version="0.6.10", update="", edition="", language="" on host="localhost", userkey="localhost"
...</programlisting>
<para>You can also request the list of files that were used by cvechecker
to identify the software:</para>
<programlisting>~$ <command>cvechecker -S</command>
Detected vendor="wpa_supplicant", product="wpa_supplicant", version="0.6.10", update="", edition="", language="" on host="localhost", userkey="localhost"
Files that contributed to this detection:
- /usr/sbin/wpa_supplicant
- /usr/bin/wpa_cli</programlisting>
<para>These options also support the -C switch (to enable CSV-like output
for easier parsing);</para>
<programlisting>~$ <command>cvechecker -S -C</command>
Outputversion,Vendor,Product,Version,Update,Edition,Language,Hostname,Userkey,Files
2,wpa_supplicant,wpa_supplicant,0.6.10,,,,localhost,localhost,/usr/sbin/wpa_supplicant /usr/bin/wpa_cli </programlisting>
</section>
<section>
<title>Watch Lists</title>
<para>With cvechecker, you can also "pretend" to have particular software
(or hardware or operating systems) installed on your system. By feeding
this so-called watchlist to cvechecker, it will add these titles to the
database and assume they are also installed on the system.</para>
<para>An example watchlist is given next. Right now, the cvechecker application
requires at least 8 fields so a number of trailing field separators might be needed.
The example shows a watchlist for two applications:</para>
<programlisting>~$ <command>cat watchlist.txt</command>
cpe:/a:dropbear_ssh_project:dropbear_ssh:2016.74:::
cpe:/a:libexpat:expat:2.2.0:::</programlisting>
<para>It is recommended to use the watch lists simultaneously with the
binary file listing. If you use it separately, don't forget to use the
delta options. Otherwise, all detected software versions will be cleared
from the database.</para>
<programlisting>~$ <command>cvechecker -b binlist.txt -w watchlist.txt</command>
~$ <command>cvechecker -w watchlist.txt --deltaonly</command></programlisting>
</section>
<section>
<title>Configuring cvechecker</title>
<para>The cvechecker tool uses a configuration file to find out where to
store its intermediate and final data (such as downloaded XML files, CSV
files, database files).</para>
<para>The tool first looks for the configuration file pointed towards by
the CVECHECKER_CONFFILE variable. If that environment variable doesn't
exist, then .cvechecker.rc inside the users' home directory is looked for.
If it can't find it, it will look for /usr/local/etc/cvechecker.conf and,
if that file doesn't exist either, /etc/cvechecker.conf.</para>
<section>
<title>Configuration File Format</title>
<para>The cvechecker configuration file currently requires 6
configuration items:</para>
<programlisting>#
# Generic settings
#
dbtype = "mysql";
#dbtype = "sqlite3";
cvecache = "/var/lib/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "https://raw.github.com/sjvermeu/cvechecker/master/versions.dat";
#userkey = "servertag";
#
# For SQLite3
#
sqlite3: {
localdb = "/var/lib/cvechecker/local";
globaldb = "/var/lib/cvechecker/global.db";
}
#
# For MySQL
#
mysql: {
dbname = "cvechecker";
dbuser = "cvechecker_rw";
dbpass = "passwordforcvechecker_rw";
dbhost = "mysql.company.com";
};</programlisting>
<para>These items describe the following resources:</para>
<itemizedlist>
<listitem>
<para>dbtype tells the cvechecker application which back-end to use.
Currently, "sqlite", "sqlite3" and "mysql" are supported (sqlite and
sqlite3 result in the same back-end)</para>
</listitem>
<listitem>
<para>cvecache is a (cvechecker writeable) directory where pullcves
will download all XML files and store the transformed XML2CSV files
(containing the CVE entry data). Although it is not used anymore
after being imported into the local databases, pullcves relies on
the availability of the XML files to find out if it needs to
(re)download and import CVE entries. So if you want to clean out the
directory, make (empty) files named after the XML files so that
pullcves does not redownload and reimport the CVE entry data (not
that this will render the application unusable, but it takes a
while)</para>
</listitem>
<listitem>
<para>datadir is a directory where cvechecker-related files are
stored, including the XSLT transformation files used to convert CVE
XML files in CSV files as well as the sample reporting files as used
in this document</para>
</listitem>
<listitem>
<para>stringcmd is the command that cvechecker launches against a
file to get the files' content. Currently, this is the only
supported method for cvechecker to identify the
software/version.</para>
</listitem>
<listitem>
<para>version_url is the location where pullcves can find the latest
software/version matching rules to identify installed software on
the system.</para>
</listitem>
<listitem>
<para>userkey is an optional setting which is used for server-side
RDBMS support. When set, the data is stored with this particular key
(next to the systems' hostname) as owner. This allows for multiple
cvechecker runs on the same system (hostname + userkey) with
different usages, but also to map cvechecker runs in larger
organizations with that systems server tag/serial number/asset
tag.</para>
<para>If not set, userkey is set to the hostname of the system (so
data is owned by "hostname + hostname").</para>
</listitem>
<listitem>
<para>sqlite3: combines all sqlite specific settings, which
are:</para>
<itemizedlist>
<listitem>
<para>localdb is a (cvechecker writeable) directory where
cvechecker will store its sqlite3 databases containing the CPE
data (identification information of software/versions) as well
as the local systems' matching file/software pairs and all
downloaded CVE entries</para>
</listitem>
<listitem>
<para>globaldb is a (cvechecker writeable) sqlite3 database
containing the software/version matching rules and CPEs
associated with these rules</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>mysql: combines all mysql specific settings, which are:</para>
<itemizedlist>
<listitem>
<para>dbname is the name of the cvechecker database</para>
</listitem>
<listitem>
<para>dbuser is the user that cvechecker uses to connect to the
database</para>
</listitem>
<listitem>
<para>dbpass is the password that cvechecker uses to connect to
the database and authenticate itself</para>
</listitem>
<listitem>
<para>dbhost is the hostname where the database resides</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
<warning>
<para>If you need to change parameters, make sure that the file
containing the changed values contains all configuration directives
(and not just the changed one). cvechecker does not "fall back" to
other configuration files if a parameter is missing.</para>
</warning>
</section>
<section>
<title>MySQL Database Usage</title>
<para>When you use cvechecker with MySQL, then the following sections
might be of use to you...</para>
<section>
<title>User Roles</title>
<para>When using MySQL database(s), it is recommended to use two
separate roles:</para>
<itemizedlist>
<listitem>
<para>The cvechecker administrative role should have the rights to
SELECT, INSERT, UPDATE and DELETE data from tb_versionmatch,
tb_cve, tb_cpe, tb_cpe_versions, tb_cpe_parents, tb_binmatch and
tb_systems</para>
</listitem>
<listitem>
<para>The cvechecker operational role should have the rights
to</para>
<itemizedlist>
<listitem>
<para>SELECT, INSERT, UPDATE and DELETE data from
tb_binmatch</para>
</listitem>
<listitem>
<para>SELECT and INSERT data into tb_cpe, tb_cpe_versions and
tb_cpe_parents</para>
</listitem>
<listitem>
<para>SELECT data from tb_cve and tb_binmatch</para>
</listitem>
</itemizedlist>
<para>If the database supports row-level security, you can
configure the operational role on tb_binmatch with the additional
security setting of "WHERE HOSTNAME='hostname' AND
USERDEFKEY='userdefkey'" where hostname and userdefkey are the
clients' hostname and userdefined key (userkey) setting (which
defaults to the hostname again if no userkey is set).</para>
</listitem>
</itemizedlist>
<para>A third role "could" be created (which allows cvechecker to
(re)initialize its databases using <command>cvechecker -i</command>)
but this should only be activated during the (re)initialization and
locked again when the change is finished.</para>
</section>
<section>
<title>InnoDB or MyISAM?</title>
<para>The cvechecker tool currently uses InnoDB tables. The main
(only) reason for this is that the tool uses foreign key definitions
to keep referential integrity within the database. However, untrained
administrators might find InnoDB a lot slower to work with than
MyISAM. It is perfectly possible to use MyISAM tables instead of
InnoDB (cvechecker does not use the cascading delete functionality
within foreign key definitions):</para>
<orderedlist>
<listitem>
<para>Change the mysql_cvechecker.sql file by removing all
references to FOREIGN KEY ... statements as well as
ENGINE=InnoDB.</para>
</listitem>
<listitem>
<para>Load the (changed) SQL file in the MySQL database</para>
</listitem>
<listitem>
<para>Do <emphasis>not</emphasis> use cvechecker -i (as that runs
hardcoded SQL statements which will transition to InnoDB
again).</para>
</listitem>
</orderedlist>
<para>If you want to convert when data is already present, the easiest
method in my opinion is to dump the information to a .sql file, change
the .sql file and load it back in. However, other methods exist as
well - which ones I leave as an excercise in Internet search engines
for those interested ;-)</para>
</section>
</section>
</section>
<section>
<title>Software Matching Rules</title>
<para>The software matching rules, as identified inside the versions.dat
file, is pulled in and imported in the cvechecker database by
pullcves.</para>
<section>
<title>Syntax</title>
<para>The syntax of the versions.dat file is as follows:</para>
<programlisting>,[filestart],1,[fileexpression],[contentexpression],[ao],[vendor],[product],[version],[update],[edition],[language]</programlisting>
<para>The first comma is also used to inform cvechecker about the used
column separator. If by any chance a field requires a comma as content,
another separator can be chosen - just start the line with the chosen
separator character.</para>
<para>The other fields have the following description:</para>
<itemizedlist>
<listitem>
<para>filestart is a substring used by cvechecker to quickly find
possible matches. A filename that starts with filestart will be
considered for further evaluation.</para>
</listitem>
<listitem>
<para>1 is used to inform cvechecker about the used version matching
methodology. Currently only 1 is supported and means that it uses
the strings command output.</para>
</listitem>
<listitem>
<para>fileexpression is a regular expression used by cvechecker to
find out if the file really needs to be scanned. Usually, the
expression is just the filename, but for some binaries (like
perl5.8.8) or libraries (like libconfig.so.1.2.8) having a matching
regular expression allows cvechecker to identify these files as
being part of a supported match-rule</para>
</listitem>
<listitem>
<para>contentexpression is a regular expression used against the
strings command output to find (and obtain) the version, update,
edition and language of the software. It uses regular expression
groups to obtain the necessary information</para>
</listitem>
<listitem>
<para>'a' or 'o' tells cvechecker if the detected software is an
application (a) or operating system (o)</para>
</listitem>
<listitem>
<para>vendor tells cvechecker what the vendor is of the file</para>
</listitem>
<listitem>
<para>product tells cvechecker what the product is to which the file
belongs</para>
</listitem>
<listitem>
<para>version tells cvechecker what the detected version is of the
product</para>
</listitem>
<listitem>
<para>update, if applicable, tells cvechecker the specific update of
the software</para>
</listitem>
<listitem>
<para>edition, if applicable, tells cvechecker the specific edition
of the software</para>
</listitem>
<listitem>
<para>language, if applicable, tells cvechecker the specific
language of the software</para>
</listitem>
</itemizedlist>
<para>The parts starting from the [ao] field are also known as the CPE
or Common Platform Enumeration. See <link
xl:href="http://cpe.mitre.org">http://cpe.mitre.org</link> for more
information.</para>
<para>Some example lines are:</para>
<programlisting>,gzip,1,gzip,^([0-9]\.[0-9][0-9]*),a,gnu,gzip,\1,,,
,vim,1,vim,VIM - Vi IMproved ([0-9\.]+) ,a,vim,vim,\1,,,
,ncftp,1,ncftp,^.*NcFTP ([0-9\.]+)/([0-9]+) .*,a,ncftp_software,ncftp,\1,\2,,</programlisting>
</section>
<section>
<title>Validating 'versions.dat'</title>
<para>To validate the matching rules, you can ask cvechecker to tell you
if, and what CPE data it detects from a specific file:</para>
<programlisting>~$ <command>cvechecker -f /usr/bin/vim</command>
- Found match for /urs/bin/vim: cpe:/a:vim:vim:7.2:::</programlisting>
<para>In the above case, it detected for the /usr/bin/vim file vim
(product) from vim (vendor) versino 7.2. It was not able to deduce any
specific releases/edition/language (but that is not mandatory
anyway).</para>
<para>If you want to add additional rules, make sure that the dat-file
you will be importing contains the previous rules as well - cvechecker
will drop all previous rules while importing new ones.</para>
<programlisting>~$ <command>cvechecker -l /usr/local/var/cvechecker/cache/versions.dat</command>
Loading in new version data file...</programlisting>
</section>
<section>
<title>Helping with version rules management</title>
<para>The version matching rules are at the core of the
<command>cvechecker</command> tool. Without them, the tool is not able
to detect much of anything on your system. To allow you to contribute to
the version matching rules, the project also contains a tool called
<command>cverules</command>.</para>
<para>The <command>cverules</command> command, which currently only
supports Gentoo systems but should be easily portable towards other
distributions or even platforms, will attempt to generate version
matching rules for cvechecker that are currently not part of the project
but which should give additional matches on your system.</para>
<para>For instance, if cvechecker currently doesn't know how to detect
OpenLDAP versions, but you have OpenLDAP on your system, then
<command>cverules</command> might be able to deduce a (generic put
working) expression for the version matching rules which will allow
cvechecker to identify OpenLDAP. If you then send the output of the
<command>cverules</command> to the cvechecker project, then these
additional rules will be added to the version matching rules so that
your next <command>pullcves pull</command> will pull in these additional
rules.</para>
</section>
</section>
</article>
