Skip to content

jobselko/vulnerability-detection-scripts

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Vulnerability Detection Scripts

Travis CI test status

This repository contains vulnerability detection scripts that test whether a Red Hat Enterprise Linux system is vulnerable to a specific security vulnerability, usually those documented in Red Hat Security Bulletins.

Supported Systems and Bash Versions

Currently, the detection scripts are developed for Red Hat Enterprise Linux 6-8 (we still maintain Bash v3.2 compatibility, though).

They should work on all direct derivatives of RHEL (e.g. CentOS), but unless it is possible to reproduce the issue on Red Hat Enterprise Linux we cannot guarantee that the scripts will be supported on other systems.

Support Timeframe

The detection scripts are fully supported for two months after a vulnerability becomes public. After this time, only important bug fixes will be made.

Limitations

For compatibility reasons, the detection scripts have to be compatible with Bash v3.2 (early RHEL 5) and later. This means that some of the features available in newer Bash versions cannot be used (e.g. readarray).

Some of the scripts also contain a large RPM version list to check the installed RPMs against. Because Red Hat backports security patches and there are different update streams, a simple version comparison is often not possible. For a more detailed explanation see this blog post.

Basic Script Structure

Vulnerability detection scripts are meant to be self-contained. All utility functions from our library need to be copied inside the script.

Newer scripts also follow the following structure:

  • Check requirements for detection
  • Parse facts and store them in variables
  • Draw conclusions and store them in different variables
  • Present results based on facts and conclusions

All scripts support the --debug option to print out the state of the variables.

Testing

All scripts are analyzed using Shellcheck and tested using Bash Automated Testing System.

About

Vulnerability detection scripts for Red Hat Enterprise Linux

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Shell 100.0%