
Security Measurement

The Red Hat Security Response Team is committed to providing tools and data to support security measurement. Part of this commitment is our participation at board level in the MITRE CVE and OVAL projects. We also provide reports and metrics, but more importantly we provide the raw data, so that customers and researchers can produce their own metrics for their own situations and hold us accountable.

OVAL Definitions

OVAL definitions are available for all vulnerabilities that affect Red Hat Enterprise Linux 3, 4 and 5.

Vulnerability Statements

The Red Hat Security Response Team publishes official statements for vulnerabilities currently under investigation and for vulnerabilities that do not affect Red Hat products. These statements are also available directly from the National Vulnerability Database.

Vulnerability Data

CVE to date and CVE to severity mapping

This data source is a mapping of the CVE name to the date the issue was first known to the public. This can be used to generate statistics based on "days of risk". We also use this data source to record the severity of each issue and how we found out about it (date and source). Although the dates may come from third parties, the severity classifications are assigned by the Red Hat Security Response Team, are specific to Red Hat, and will vary for other distributions and vendors. This file is maintained manually and is updated every week or two (or on request by contacting secalert@redhat.com).

RHSA to date mapping

This data source is a mapping of Red Hat Security Advisories to the date and time each advisory was issued. Most of this data comes automatically from the Red Hat Network, but a few entries that needed manual adjustment have been annotated.

RHSA to CVE and CPE mapping

This data source is a mapping of Red Hat Security Advisories to the vulnerabilities they fix, identified by CVE name. The file also contains the affected product names in CPE format (with the package name appended), so it can be filtered down to a subset of products or packages.

CPE list for default installations

Red Hat Enterprise Linux ships with a large number of packages, but not all of them are installed by default. These files list the packages in default installations and can be used to filter the metrics (the format is the CPE name with the package name appended).

CPE Dictionary

CPE is a structured naming scheme for information technology systems, software and packages. For reference, we provide a dictionary mapping official CPE names to Red Hat product descriptions.

Data Analysis

This Perl script runs reports based on the cve_dates, release_date and rhsamapcpe data sources described above. For a given product, such as Red Hat Enterprise Linux, and date range it lists all the issues fixed, broken down by severity, and gives a "days of risk" metric (the time between an issue becoming public and the advisory that fixes it) together with vulnerability workflow statistics. For example, the following reports the critical-severity issues for Red Hat Enterprise Linux 5:

perl daysofrisk.pl --cpe enterprise_linux:5 --severity C
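The calculation that the script performs, shown here as an added example (this is not daysofrisk.pl, and the line formats of the three inline data sets are simplified assumptions standing in for cve_dates, release_date and rhsamapcpe, not the official file formats): the earliest advisory fixing each CVE for the selected product is found through the RHSA-to-CVE/CPE mapping, its issue date is subtracted from the date the CVE was first public, and the count, average, median and "within 1 day" figures of the sample reports are derived from those per-CVE values. The optional package filter plays the role of the default-installation CPE lists. All CVE and advisory data below is constructed for the example; the severity letter codes are an assumed mapping.

```python
"""Days-of-risk metrics over constructed sample data (added example, not daysofrisk.pl)."""
from datetime import date
from statistics import mean, median

# Constructed sample data; formats are assumptions, not the official ones.
CVE_DATES = """\
CVE-2009-0001 public=20090105 impact=critical
CVE-2009-0002 public=20081201 impact=moderate
CVE-2009-0003 public=20090110 impact=critical
CVE-2009-0004 public=20090108 impact=important
"""

RELEASE_DATES = """\
RHSA-2009:0001 20090106
RHSA-2009:0002 20090120
RHSA-2009:0003 20090109
"""

# RHSA, comma-separated CVEs fixed, comma-separated CPE names with "/package" appended.
RHSA_MAP_CPE = """\
RHSA-2009:0001 CVE-2009-0001,CVE-2009-0002 cpe:/o:redhat:enterprise_linux:5/firefox
RHSA-2009:0002 CVE-2009-0003 cpe:/o:redhat:enterprise_linux:5/kernel,cpe:/o:redhat:enterprise_linux:4/kernel
RHSA-2009:0003 CVE-2009-0003,CVE-2009-0004 cpe:/o:redhat:enterprise_linux:4/kernel
"""

# One-letter codes in the style of "--severity C" (assumed mapping).
SEVERITY = {"C": "critical", "I": "important", "M": "moderate", "L": "low"}


def parse_ymd(s):
    """Turn a YYYYMMDD string into a date."""
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))


def load_cve_dates(text):
    """CVE name -> (date first public, severity)."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cve, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        out[cve] = (parse_ymd(kv["public"]), kv["impact"])
    return out


def load_release_dates(text):
    """RHSA name -> date issued."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            rhsa, ymd = line.split()[:2]
            out[rhsa] = parse_ymd(ymd)
    return out


def load_rhsa_map(text):
    """List of (RHSA, CVE, product CPE, package) tuples, one per combination."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rhsa, cves, cpes = line.split()
        for cve in cves.split(","):
            for cpe_pkg in cpes.split(","):
                product, _, package = cpe_pkg.rpartition("/")  # split off the package name
                rows.append((rhsa, cve, product, package))
    return rows


def days_of_risk(cve_dates, release_dates, rhsa_map, cpe, severity=None, packages=None):
    """CVE -> days of risk for one product: date of the first advisory fixing the
    CVE for that product minus the date the CVE was first public (negative means
    fixed before disclosure). `cpe` is matched as a substring of the product CPE,
    e.g. "enterprise_linux:5"; `packages` optionally restricts to a package set,
    such as a default-installation list. CVEs without a public date are skipped."""
    first_fix = {}
    for rhsa, cve, product, package in rhsa_map:
        if cpe not in product or cve not in cve_dates:
            continue
        if packages is not None and package not in packages:
            continue
        issued = release_dates[rhsa]
        if cve not in first_fix or issued < first_fix[cve]:
            first_fix[cve] = issued
    result = {}
    for cve, fixed in first_fix.items():
        public, impact = cve_dates[cve]
        if severity is None or impact == SEVERITY[severity]:
            result[cve] = (fixed - public).days
    return result


def summarize(days):
    """Count, average, median and percentage fixed within one day (days <= 1)."""
    vals = list(days.values())
    if not vals:
        return {"count": 0}
    return {
        "count": len(vals),
        "average": round(mean(vals), 1),
        "median": median(vals),
        "within_1_day": round(100 * sum(v <= 1 for v in vals) / len(vals)),
    }


def report(cpe, severity=None, packages=None):
    """Run the whole pipeline over the constructed data; returns (per-CVE days, summary)."""
    days = days_of_risk(load_cve_dates(CVE_DATES), load_release_dates(RELEASE_DATES),
                        load_rhsa_map(RHSA_MAP_CPE), cpe, severity, packages)
    return days, summarize(days)


if __name__ == "__main__":
    for cpe, sev in [("enterprise_linux:5", "C"), ("enterprise_linux:5", None), ("enterprise_linux:4", None)]:
        per_cve, stats = report(cpe, sev)
        print(cpe, sev or "all", per_cve, stats)
```

Two details matter for reproducing the published figures: a CVE fixed by more than one advisory for the same product is counted once, at its earliest fix, and an issue fixed before it became public yields a negative value, which still counts as "within 1 day".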

Sample Reports

Based on the above data sets and using daysofrisk.pl you can run your own reports. Here are some pre-generated examples (distribution, dates covered, severity, and the resulting metrics):

Red Hat Enterprise Linux 3 (all packages)
  Dates: 20031204-20090105 (all dates)
  Severity: Critical flaws
  Metrics: 126 vulnerabilities; average is 2.6 days; median is 1 day; 83% were within 1 day

Red Hat Enterprise Linux 4 (all packages)
  Dates: 20050215-20090105 (all dates)
  Severity: All flaws regardless of severity
  Metrics: 1243 vulnerabilities; average is 71.1 days; median is 15 days; 31% were within 1 day

Red Hat Enterprise Linux 4 AS (default installation packages)
  Dates: 20050215-20090105 (all dates)
  Severity: Critical flaws
  Metrics: 11 vulnerabilities; average is 1.8 days; median is 0 days; 90% were within 1 day

Red Hat Enterprise Linux 5 Server (default installation packages)
  Dates: 20070314-20090105 (all dates)
  Severity: All flaws regardless of severity
  Metrics: 373 vulnerabilities; average is 60.3 days; median is 1 day; 50% were within 1 day

Red Hat Enterprise Linux 5 (all packages)
  Dates: 20070314-20090105 (all dates)
  Severity: Critical flaws
  Metrics: 64 vulnerabilities; average is 0.5 days; median is 1 day; 100% were within 1 day

Other Analysis

Risk Report: Three years of Red Hat Enterprise Linux 4

Red Hat Magazine looks at the state of security for the first three years after the release of Red Hat Enterprise Linux 4 on 15 February 2005, including metrics, key vulnerabilities, and the most common ways users were affected by security issues.

Mark Cox metrics weblog

Security Response Director Mark Cox publishes a weblog with insight into security measurement and metrics for Red Hat products.