This Splunk TA is meant as a reporting control for patch management on Red Hat and SuSE Enterprise Linux servers. Both Red Hat and SuSE publish OVAL definitions that can be used to enumerate patched and unpatched vulnerabilities.

This is a work in progress: currently only the data collection is working.

Required packages:

- openscap-utils
- wget
- libxslt
- Install this Splunk TA on your deployment server:

  ```sh
  cd $SPLUNK_HOME/etc/deployment-apps
  git clone https://github.com/jorritfolmer/splunk_ta_oscap_oval.git
  ```

- Edit the RHELOVAL and SLESOVAL URLs in bin/oscap_oval.sh
- Mirror the Red Hat and SuSE OVAL files to a local webserver:

  ```sh
  wget -q https://support.novell.com/security/oval/suse.linux.enterprise.server.11.xml
  wget -q http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml
  ```
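Once the OVAL files are mirrored, `oscap oval eval --results` writes an OVAL results document with one `<definition definition_id=... result=...>` entry per advisory. The following is an added example, not code from this TA, showing how such a results file can be turned into key=value events a Splunk sourcetype can index. The embedded results document is constructed, with placeholder definition ids, advisory titles and CVE ids; the Splunk field names are my own choice, and the severity is taken from the parenthesised suffix Red Hat appends to advisory titles (an assumption about the title format, not part of the OVAL schema).

```python
"""Turn `oscap oval eval --results` output into Splunk key=value events.

Added example, not code from the TA. It parses a results document of the
shape oscap writes (with the OVAL definitions embedded) and emits one event
per evaluated definition. Field names are my own choice.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}

# Constructed sample results document. Definition ids, advisory names and
# CVE ids are placeholders, not real Red Hat or SuSE identifiers.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <definitions>
      <definition id="oval:com.example.rhsa:def:10000001" class="patch" version="1">
        <metadata>
          <title>RHSA-EXAMPLE-0001: openssl security update (Important)</title>
          <reference ref_id="CVE-0000-0001" source="CVE"/>
          <reference ref_id="CVE-0000-0002" source="CVE"/>
        </metadata>
      </definition>
      <definition id="oval:com.example.rhsa:def:10000002" class="patch" version="1">
        <metadata>
          <title>RHSA-EXAMPLE-0002: kernel security update (Moderate)</title>
          <reference ref_id="CVE-0000-0003" source="CVE"/>
        </metadata>
      </definition>
    </definitions>
  </oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.example.rhsa:def:10000001" version="1" result="true"/>
        <definition definition_id="oval:com.example.rhsa:def:10000002" version="1" result="false"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""

# Assumption: Red Hat advisory titles end with the severity in parentheses.
_SEVERITY_RE = re.compile(r"\((Low|Moderate|Important|Critical)\)\s*$")


def parse_oval_results(xml_text):
    """Return one dict per evaluated definition, joined with its metadata."""
    root = ET.fromstring(xml_text)

    # Metadata (title, CVE references) lives in the embedded definitions.
    meta = {}
    for d in root.iterfind(".//def:definitions/def:definition", NS):
        title = d.findtext("def:metadata/def:title", default="", namespaces=NS)
        cves = [r.get("ref_id") for r in d.iterfind("def:metadata/def:reference", NS)
                if r.get("source") == "CVE"]
        m = _SEVERITY_RE.search(title)
        meta[d.get("id")] = {"class": d.get("class", ""), "title": title,
                             "severity": m.group(1) if m else "unknown", "cves": cves}

    events = []
    for r in root.iterfind(".//res:results/res:system/res:definitions/res:definition", NS):
        did = r.get("definition_id")
        result = r.get("result", "unknown")
        info = meta.get(did, {"class": "", "title": "", "severity": "unknown", "cves": []})
        # A patch-class definition tests "vulnerable version installed", so
        # result="true" means the fix is missing and "false" means it is applied.
        patch_missing = info["class"] == "patch" and result == "true"
        events.append({"definition_id": did, "result": result,
                       "patch_missing": patch_missing, **info})
    return events


def to_splunk_event(ev):
    """Render one event as a quoted key=value line for a Splunk sourcetype."""
    fields = [("definition_id", ev["definition_id"]), ("result", ev["result"]),
              ("patch_missing", str(ev["patch_missing"]).lower()),
              ("severity", ev["severity"]), ("title", ev["title"]),
              ("cve", ",".join(ev["cves"]))]
    return " ".join('%s="%s"' % (k, str(v).replace('"', "'")) for k, v in fields)


def missing_patches(events):
    """Definitions whose fix is not installed, most severe first."""
    order = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
    return sorted((e for e in events if e["patch_missing"]),
                  key=lambda e: order.get(e["severity"], 4))


if __name__ == "__main__":
    for ev in parse_oval_results(SAMPLE_RESULTS):
        print(to_splunk_event(ev))
```

In a real deployment the script would read the file written by `oscap oval eval --results` instead of `SAMPLE_RESULTS`; emitting one line per definition keeps the events searchable by `patch_missing`, `severity` and `cve` without further field extraction.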