clearlinux / distribution

Placeholder repository to allow filing of general bugs/issues/etc against the Clear Linux OS for Intel Architecture linux distribution

Incorporate CVE process for Clear Linux Vulnerabilities #1293

Open cberho opened 5 years ago

cberho commented 5 years ago

Per the documentation found on clearlinux.org, the distribution uses the Intel CNA (CVE Numbering Authority) for CVE publishing. After carefully reviewing https://www.intel.com/content/www/us/en/security-center/default.html and checking advisories, there are none related to Clear Linux. While the operating system adheres to the principle of bleeding edge, users and the community require a documented reference, in the form of a procedure or advisory, for risk mitigation. Connected to the previous point, security tools (scanners) rely on vulnerability databases, which are one support element on the path to remediation.

Reference documentation:
CVE IDs and how to get them
Key details phrasing - BKM to build descriptions
CVE project documentation

Other distros supporting the CVE process:
RH Security data
Suse CVE
Debian CVE
Ubuntu

ahkok commented 5 years ago

We have the processes in place and they are fully active, but we are lacking on external communication.

cberho commented 5 years ago

@solrac901

solrac901 commented 5 years ago

@ahkok can you educate me on the process that you are following, please? We scanned Clear Linux a couple of weeks ago and received a blank report: no issues, no vulnerabilities. Do you have a vulnerability database that we can check, like https://access.redhat.com/security/security-updates/#/cve? We want to check if the tools that we are testing are working as we expect. Regards.

nesiusra commented 5 years ago

Beyond saying we actively scan for and patch CVEs, and that we constantly iterate on our tooling and processes to make them more effective, there's little we can and should say publicly about the tools we use or our workflows, which is really a pretty common security practice itself.

If there's ever an issue with Clear Linux OS that originates from Intel content or as a result of our integration efforts, then depending on the severity an advisory might appear on the Intel Security Advisory portal in the initial issue description.

I'm happy to hear your scans came up blank. :)

nesiusra commented 5 years ago

Lastly, we do recognize it would be nice to have a Clear-specific portal akin to what other distros have. We can keep this issue open for when we have more to share about that.

ahkok commented 5 years ago

We monitor CVEs posted ourselves and patch them aggressively. For now, the only record we have is our release notes and package git commit history. This will hopefully change, and that's being worked on.

Secondly, since we also update packages relatively fast, we often update packages before CVEs are even posted.

we want to check if the tools that we are testing are working as we expect

In order to help you with that, I need to know what tools you are using, or alternatively, what API you need in order to do your scans.

ahkok commented 5 years ago

Per the documentation found on clearlinux.org, the distribution uses the Intel CNA (CVE Numbering Authority) for CVE publishing.

I'm not a doc/web person. What documentation are you referring to here?

ahkok commented 5 years ago

We scanned Clear Linux a couple of weeks ago and received a blank report: no issues, no vulnerabilities.

A good way to test your methodology is to download a really old version of Clear Linux (e.g. a live image) and scan that. :)

anselmolsm commented 5 years ago

We scanned Clear Linux a couple of weeks ago and received a blank report: no issues, no vulnerabilities.

Can you share the tool used?

cberho commented 5 years ago

@nesiusra agreed, let's keep it open for now; we understand it's a long shot, which also requires having published a process definition for vulnerability management, eventually something that will land on the project page for community reference.