Slide 7
SCAP Components
SCAP bundles two kinds of component: languages for expressing checks and checklists, and the elements (enumerations and a scoring system) that those languages reference.
Languages
  Extensible Configuration Checklist Description Format (XCCDF)
  Open Vulnerability and Assessment Language (OVAL)
Elements
  Common Vulnerabilities and Exposures (CVE)
  Common Configuration Enumeration (CCE)
  Common Platform Enumeration (CPE)
  Common Weakness Enumeration (CWE)
  Common Vulnerability Scoring System (CVSS)
  and so on...
Slide 8
CVE: Common Vulnerabilities and Exposures
Each CVE entry pairs an identifier with the affected platforms, expressed as CPE names, and a summary. The slide shows one row per CPE; the rows are grouped by CVE ID here.

CVE-2016-6662
  CPE: cpe:/a:mariadb:mariadb:10.1.15, cpe:/a:mariadb:mariadb:10.1.16
  Summary: Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration.

CVE-2016-2107
  CPE: cpe:/o:redhat:enterprise_linux_server:7.0, cpe:/o:novell:leap:42.1, cpe:/o:novell:opensuse:13.2
  Summary (as shown on the slide): Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.

CVE-2016-4979
  CPE: cpe:/a:apache:http_server:2.4.20
  Summary (as shown on the slide): PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

Note: two of the summaries on the slide are attached to the wrong identifier. The "Integer overflow in the EVP_EncryptUpdate function" text is the NVD description of CVE-2016-2106; CVE-2016-2107 is the OpenSSL AES-NI CBC padding-oracle issue fixed in the same releases (1.0.1t and 1.0.2h). The "httpoxy" text is the description of CVE-2016-5385 (PHP); the Apache HTTP Server httpoxy entry is CVE-2016-5387, and CVE-2016-4979 is a separate mod_http2 issue in httpd 2.4.18 through 2.4.20 in which "SSLVerifyClient require" was not enforced for HTTP/2 requests. When a CVE table is generated by a tool, check that the ID, CPE and summary columns were taken from the same record.
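The table above only makes sense if the scanner can decide whether an installed product, named by its CPE, falls inside the version ranges a CVE summary describes. The following is an added example, not code from the slides or from OpenSCAP: it parses CPE 2.2 URIs of the form shown in the table and tests them against affected-version ranges transcribed by hand from the CVE-2016-6662 summary (MariaDB clauses only). The range data is constructed for this example; a real scanner takes it from the NVD CPE-match data rather than from the free-text summary.

```python
"""Added example: parse CPE 2.2 URIs and match them against CVE version ranges.

Not part of the original slides or of any SCAP tool. The affected ranges below are
hand-transcribed from the CVE-2016-6662 summary on slide 8 (MariaDB clauses only).
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

CPE22_PREFIX = "cpe:/"
VALID_PARTS = {"a", "o", "h"}  # application, operating system, hardware


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""


def parse_cpe22(uri: str) -> Cpe:
    """Split a CPE 2.2 URI into its seven components; trailing components may be omitted."""
    if not uri.startswith(CPE22_PREFIX):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len(CPE22_PREFIX):].split(":")
    if len(fields) < 3 or len(fields) > 7:
        raise ValueError(f"expected 3 to 7 components: {uri!r}")
    fields += [""] * (7 - len(fields))
    if fields[0] not in VALID_PARTS:
        raise ValueError(f"bad part {fields[0]!r} in {uri!r}")
    return Cpe(*fields)


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '5.5.51-38.1' into (5, 5, 51, 38, 1) so that tuples compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


@dataclass(frozen=True)
class AffectedRange:
    """One 'X before Y' clause of a CVE summary (constructed data model for this example)."""
    vendor: str
    product: str
    fixed_in: str                 # first version that is NOT affected ("before 10.1.17")
    branch: Optional[str] = None  # "10.1.x" -> "10.1"; None means any version below fixed_in

    def matches(self, cpe: Cpe) -> bool:
        if (cpe.vendor, cpe.product) != (self.vendor, self.product) or not cpe.version:
            return False
        key = version_key(cpe.version)
        if self.branch is not None:
            branch_key = version_key(self.branch)
            if key[:len(branch_key)] != branch_key:
                return False
        return key < version_key(self.fixed_in)


# Constructed from the CVE-2016-6662 summary: "MariaDB before 5.5.51, 10.0.x before
# 10.0.27, and 10.1.x before 10.1.17".
CVE_2016_6662_MARIADB = (
    AffectedRange("mariadb", "mariadb", fixed_in="5.5.51"),
    AffectedRange("mariadb", "mariadb", fixed_in="10.0.27", branch="10.0"),
    AffectedRange("mariadb", "mariadb", fixed_in="10.1.17", branch="10.1"),
)


def is_affected(cpe_uri: str, ranges=CVE_2016_6662_MARIADB) -> bool:
    """True if the product named by cpe_uri falls inside any of the given ranges."""
    cpe = parse_cpe22(cpe_uri)
    return any(r.matches(cpe) for r in ranges)


if __name__ == "__main__":
    for uri in ("cpe:/a:mariadb:mariadb:10.1.15", "cpe:/a:mariadb:mariadb:10.1.16",
                "cpe:/a:mariadb:mariadb:10.1.17", "cpe:/o:redhat:enterprise_linux_server:7.0"):
        print(uri, "->", "affected" if is_affected(uri) else "not affected")
```

Both MariaDB CPEs from the table (10.1.15 and 10.1.16) land inside the "10.1.x before 10.1.17" clause, which is why the slide lists CVE-2016-6662 twice; 10.1.17 itself does not match. The numeric tuple comparison is deliberately naive: it ignores pre-release suffixes and vendor backports, which is exactly the gap that CCE/OVAL checks against the installed package, rather than CPE version strings, exist to close.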
Slide 9
XCCDF: an XML-based language for describing checklists (check item configuration)
Describes how the OS must be configured. A Profile is a named selection of the Benchmark's Rules: each <select> turns one Rule on or off by idref, and the Rules themselves are defined elsewhere in the Benchmark.

<Profile id="docker-host">
  <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Standard Docker Host Security Profile</title>
  <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 7 system running the docker daemon.</description>
  <select idref="service_docker_enabled" selected="true"/>
  <select idref="enable_selinux_bootloader" selected="true"/>
  <select idref="selinux_state" selected="true"/>
  <select idref="selinux_policytype" selected="true"/>
  <select idref="docker_selinux_enabled" selected="true"/>
  <select idref="docker_storage_configured" selected="true"/>
  <select idref="remediation_functions" selected="false"/>
</Profile>
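What a scanner does with a Profile is resolve the set of Rules it selects. The following is an added example, not code from the slides or from the SCAP Security Guide: it loads an XCCDF Benchmark, resolves a Profile's effective selection, and handles two XCCDF details the fragment above does not show, namely that a Profile may extend another Profile and inherit its selections, and that when the same idref is selected more than once the later <select> wins. The Benchmark is constructed inline; the docker-host Profile body mirrors the slide, while the docker-host-dev Profile is invented for this example.

```python
"""Added example: resolve the Rules an XCCDF Profile selects.

Not part of the original slides or of the SCAP Security Guide content they quote.
The Benchmark below is constructed; only the docker-host selects mirror the slide.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

SAMPLE_BENCHMARK = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_rhel7">
  <Profile id="docker-host">
    <title>Standard Docker Host Security Profile</title>
    <select idref="service_docker_enabled" selected="true"/>
    <select idref="enable_selinux_bootloader" selected="true"/>
    <select idref="selinux_state" selected="true"/>
    <select idref="selinux_policytype" selected="true"/>
    <select idref="docker_selinux_enabled" selected="true"/>
    <select idref="docker_storage_configured" selected="true"/>
    <select idref="remediation_functions" selected="false"/>
  </Profile>
  <!-- Constructed for this example: inherits docker-host and overrides two rules. -->
  <Profile id="docker-host-dev" extends="docker-host">
    <title>Docker host with SELinux enforcement relaxed (constructed)</title>
    <select idref="docker_selinux_enabled" selected="false"/>
    <select idref="docker_selinux_enabled" selected="true"/>
    <select idref="selinux_state" selected="false"/>
  </Profile>
</Benchmark>
"""


def _local(tag: str) -> str:
    """Strip the namespace from '{ns}Profile' so the code works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def load_profiles(xml_text: str) -> Dict[str, ET.Element]:
    root = ET.fromstring(xml_text)
    return {p.get("id"): p for p in root.iter() if _local(p.tag) == "Profile"}


def effective_selection(profiles: Dict[str, ET.Element], profile_id: str,
                        _seen: Optional[Set[str]] = None) -> Dict[str, bool]:
    """Return {rule_idref: selected} for a Profile.

    The parent named by 'extends' is resolved first, then the Profile's own <select>
    elements are applied in document order, so a later <select> for the same idref
    overrides an earlier one and a child Profile overrides its parent.
    """
    if _seen is None:
        _seen = set()
    if profile_id in _seen:
        raise ValueError(f"'extends' cycle at Profile {profile_id!r}")
    _seen.add(profile_id)
    if profile_id not in profiles:
        raise KeyError(f"no Profile with id {profile_id!r}")
    profile = profiles[profile_id]
    parent = profile.get("extends")
    selection = effective_selection(profiles, parent, _seen) if parent else {}
    for child in profile:
        if _local(child.tag) == "select":
            selected = child.get("selected")
            if selected is None:
                raise ValueError(f"<select idref={child.get('idref')!r}> lacks 'selected'")
            selection[child.get("idref")] = selected.lower() == "true"
    return selection


def selected_rules(xml_text: str, profile_id: str) -> List[str]:
    """Sorted idrefs of the Rules a Profile turns on."""
    selection = effective_selection(load_profiles(xml_text), profile_id)
    return sorted(rule for rule, on in selection.items() if on)


if __name__ == "__main__":
    for pid in ("docker-host", "docker-host-dev"):
        print(pid, "->", selected_rules(SAMPLE_BENCHMARK, pid))
```

Run against the constructed Benchmark, docker-host yields the six rules the slide selects and drops remediation_functions; docker-host-dev inherits those, keeps docker_selinux_enabled because its second <select> re-enables it, and drops selinux_state. In real content the idrefs are Rule ids prefixed with xccdf_<reverse-DNS>_rule_, and the Profile id is what is passed to the scanner as the profile to evaluate.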