Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Compare NetBox inventory with database of known vulnerabilities #478

Open
mmguero opened this issue Nov 5, 2024 · 6 comments
Open

Compare NetBox inventory with database of known vulnerabilities #478

mmguero opened this issue Nov 5, 2024 · 6 comments
Labels
enhancement New feature or request external Depends on a bug or feature external to this project netbox Related to Malcolm's use of NetBox

Comments

@mmguero
Copy link
Collaborator

mmguero commented Nov 5, 2024

@mmguero cloned issue idaholab/Malcolm#134 on 2022-12-07:

Feature-tracking issue dependent on #131

@mmguero mmguero added enhancement New feature or request external Depends on a bug or feature external to this project netbox Related to Malcolm's use of NetBox labels Nov 5, 2024
@mmguero
Copy link
Collaborator Author

mmguero commented Nov 5, 2024

@mmguero commented on 2023-01-24:

@piercema suggests looking into Common Platform Enumeration (see also NIST and nmap.org) as a way to store the information about platforms of the devices in the inventory. I think that's a great idea.

As to where to store the information on a per-device basis, platform seems to make the most sense, if there is a place for it there. If not, creating a custom field type that either belongs to platform or belongs to devices/VMs seems like the way to go. If we can come up with the way to consistently store platform information with the devices we can reproducibly check it against a vulnerability database like CSAF.

@mmguero
Copy link
Collaborator Author

mmguero commented Nov 5, 2024

@mmguero commented on 2023-01-24:

Although as indicated here (nmap.org), a CPE name is definable as a URL of sorts that looks like cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*. As such, it's possible we could just store them in the device or VMs comments field instead of creating a custom type. This might be a first step to play with during development.

@mmguero
Copy link
Collaborator Author

mmguero commented Nov 5, 2024

@tschmidtb51 commented on 2023-01-31:

@piercema suggests looking into Common Platform Enumeration (see also NIST and nmap.org) as a way to store the information about platforms of the devices in the inventory. I think that's a great idea.

Sorry, I don't. CPE has some severe issues (e.g. look at the entries in the CPE dict for Siemens). I don't want to say that it doesn't work - in fact it works quite well for e.g. RedHat.

So my question is: Is it just for storing data? Then, the format doesn't really matter. Is it for matching against an advisory? Well, then you should have the same identifier the vendor uses in its advisories... And this might not necessarily be CPE or the data used in CPE. Although the vendor/product_name/product_version can get you quite far.

Happy to have a chat.

@mmguero
Copy link
Collaborator Author

mmguero commented Nov 5, 2024

@mmguero commented on 2023-01-31:

Thanks for the reply @tschmidtb51, copying this from my email to you for tracking purposes:

Here are our thoughts regarding this feature. I'm new to the world of vulnerability indicators and whatnot, although Melanie has got more experience with it. @piercema feel free to chime in if I've missed something here.

Here are the thoughts that led us to where we are:

  • What we're looking at CPE for is for matching, not just for storing the data for human-readable consumption or reports. If it were, NetBox has already got the platform model for the string to be stored in.
  • We're attempting to, in as much of a one-size-fits-all generic way, provide a way for software/firmware details about a device to be stored in a repeatable way for comparison against some feed or database of known vulnerabilities.
  • We'd prefer not to reinvent the wheel and come up with our own string format for storing this information.
  • Delegation to industry best practices technologies is used in referencing schemas for:
 * Platform Data:
    * Common Platform Enumeration (CPE) Version 2.3 [CPE23-N]
  • Some of @piercema's initial research has led her to the conclusion that CSAF as a format allows for specifying CPE data for assets, but that it is not consistently utilized across the feeds she was looking at.
  • As an alternative to CSAF, we've been talking about using the NIST API to pull CVEs from the NIST database, as it seems CPEs are used more consistently in that database. However we realize this is not quite an apples-to-apples comparison, as NIST is a specific database with an API to access it while CSAF is an open specification.

I think that's about it. I guess, in short, we'd love to hear your opinion on an alternative to CPE for representing platform information in a standardized way suitable for comparison against common vulnerability feed formats. I can see in some of your comments/commits on oasis-tcs/csaf (https://github.com/oasis-tcs/csaf/issues/91, https://github.com/oasis-tcs/csaf/pull/324, https://github.com/oasis-tcs/csaf/actions/workflows/cpe.yml, etc.) that this is something you've got experience with.

@mmguero
Copy link
Collaborator Author

mmguero commented Nov 5, 2024

@danpetraru commented on 2023-02-04:

For OS vulnerabilities you can use the wazuh api - piggyback on existing deployment OR add Wazuh to Malcolm - this would be a nice integration Pros : wazuh agents are easy to deploy, wazuh app has the requested data Cons : for large env. you do need proper/multi-node wazuh deployment

@mmguero
Copy link
Collaborator Author

mmguero commented Nov 5, 2024

@mmguero commented on 2023-05-16:

As part of our collaboration with BSI-Bund (www.bsi.bund.de, github org), they are going to be taking over this development of this feature. Marking as external, will update this issue as their work continues.

@mmguero mmguero added this to Malcolm Nov 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request external Depends on a bug or feature external to this project netbox Related to Malcolm's use of NetBox
Projects
Status: No status
Development

No branches or pull requests

1 participant