Many of you are probably aware that DISA earlier this year FINALLY released a mapping of IAVM-to-CVE data.
However, the problem still remains that administrators who are notified they need to become compliant with a specific IAVA have to manually find all the applicable CVEs referenced by that IAVA. In some cases this is pretty easy with the IAVM-to-CVE mapping mentioned above, but sometimes there are a lot of CVEs referenced.
The process used to be: look up all the IAVAs from DISA, then go into Red Hat's CVE database, see what is applicable and what should be installed. That is time consuming. Now some of you might say, "Why don't you just do a `yum update -y` and call it a day?" In a lot of cases, such as a production database server, this is a poor idea.
Written in Bash, Yum-Cha.sh installs all applicable IAVAs missing on the system. An internet connection is required (it won't work on disconnected systems) to obtain the XML data and pull the updates.
Currently being implemented in version 2.0:
- `-l`: Log all data from Yum-Cha
- `-f`: Specify the IAVM-to-CVE XML file (for offline use)
- `-F`: Specify a file that contains a column list of IAVAs to install
- `-c`: Only check and DISPLAY CVE data
- `-r`: Recheck that an applicable IAVA has been properly installed
- `-o`: Generate an HTML report
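To make the IAVA-to-CVE lookup concrete, here is an added shell example; it is not Yum-Cha's own code. It parses a small constructed IAVM-to-CVE XML (the `<iavm id="...">` / `<cve>` element names and the IAVA and CVE identifiers are assumptions standing in for DISA's real feed), collects the unique CVEs for one or more IAVAs (the same job as the `-F` column list), and prints the `yum --cve ... update` command that the yum-security plugin accepts, so you can review exactly what would be patched (the `-c` idea) before running anything. Set `IAVM_XML_FILE` to read a real file instead of the embedded sample.

```shell
#!/bin/sh
# Added example, not part of Yum-Cha. Element names, IAVA ids and CVE ids
# below are constructed for illustration; DISA's real XML may differ.

# Constructed sample feed, used when IAVM_XML_FILE is not set.
SAMPLE_XML='<iavmToCve>
  <iavm id="2013-A-0001">
    <cve>CVE-2013-0001</cve>
    <cve>CVE-2013-0002</cve>
  </iavm>
  <iavm id="2013-B-0042">
    <cve>CVE-2013-0002</cve>
    <cve>CVE-2013-0099</cve>
  </iavm>
</iavmToCve>'

# Print the XML source: the file named by IAVM_XML_FILE, else the sample.
xml_source() {
    if [ -n "${IAVM_XML_FILE:-}" ]; then
        cat "$IAVM_XML_FILE"
    else
        printf '%s\n' "$SAMPLE_XML"
    fi
}

# iava_to_cves IAVA-ID: print the CVE ids mapped to one IAVA, one per
# line, in feed order, without duplicates. Prints nothing for an unknown id.
iava_to_cves() {
    xml_source | awk -v want="$1" '
        /<iavm id="/ {                      # remember which IAVA we are inside
            match($0, /id="[^"]*"/)
            cur = substr($0, RSTART + 4, RLENGTH - 5)
        }
        /<\/iavm>/ { cur = "" }             # left the IAVA block
        cur == want && /<cve>/ {            # strip tags, keep the CVE id
            gsub(/.*<cve>|<\/cve>.*/, "")
            if (!seen[$0]++) print
        }'
}

# cves_for_iavas IAVA-ID...: union of CVEs over several IAVAs, sorted unique.
cves_for_iavas() {
    for iava in "$@"; do
        iava_to_cves "$iava"
    done | sort -u
}

# yum_cve_cmd IAVA-ID...: build (but do not run) the yum-security command
# that applies only the updates fixing those CVEs.
yum_cve_cmd() {
    args=""
    for cve in $(cves_for_iavas "$@"); do
        args="$args --cve $cve"
    done
    printf 'yum%s update\n' "$args"
}

# Usage: sh this_script.sh 2013-A-0001 2013-B-0042
if [ $# -gt 0 ]; then
    yum_cve_cmd "$@"
fi
```

Reviewing the generated command instead of piping it straight into `sh` keeps the decision with the administrator, which is the whole point of not running a blanket `yum update -y` on a production box; swap in `yum updateinfo list cves` against the same list if you only want to see which of the CVEs are still unpatched.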
Yum-Cha is only available for consulting engagements and to select customers. Cloud Buddha customers might see this in upcoming STIG AWS EC2 instance releases.
Here is a demo of Yum-Cha installing all required IAVA patches on a Red Hat Enterprise Linux 5 system: