Score:-1

Are there OVAL files for EOL releases?


Has Ubuntu stopped publishing OVAL files for EOL releases, or are they archived somewhere but still accessible?

Here is the official Ubuntu information about OVAL data: https://ubuntu.com/security/oval

It is increasingly important to include OVAL definitions for SCAP scanners that find and remediate vulnerabilities in EOL distros. One might say that OVAL is most useful for identifying unpatched software, specifically on EOL systems that no longer have vendor support.

There are many legitimate scenarios, like healthcare and critical infrastructure with limited funds to spare on ESM. Cost centres like I.T. and security are not priorities when people's health or availability of utilities are concerned. This is why OVAL should exist in perpetuity, as they become more valuable over time and less valuable when the distro is still not yet EOL.

Other distributions do exactly that:

Ubuntu should be keeping OVAL publications available regardless of EOL status, considering the above rationale that OVAL are most useful only after the EOL status is in place.

I would also love to get some of this clarified by the Ubuntu Security Team or a community member who's familiar with using OVAL from Ubuntu.

Note: OVAL files for current releases are not distributed by apt or any other release specific mechanism. Do not confuse the naming convention of a file name as being somehow inherently constrained to the life or availability of files that would only be used by the operating system or apt. OVAL files are not used by the Ubuntu operating system in any way, and an OVAL file for Warty would have the same value if used on the Hirsute release, because the affected software packages that are described by OVAL are not actually linked to the semantic naming of an Ubuntu release, or the semantic naming of the OVAL file name.

I pinged Oli for this. He might know :)
Score:0

The OVAL files are semantically named and distributed using the same mechanism as the Ubuntu release code names. So an OVAL file that is semantically given the name Hirsute will no longer exist when Hirsute is EOL, because it was available using the Hirsute file publishing infrastructure.

While OVAL has no reason to be tightly coupled to a semantic naming scheme, and their primary use case will be when the release is EOL, it is unfortunate that the files are removed when the Ubuntu release is EOL.

If the OVAL files were not obtained during the release life cycle, there are 2 possible mechanisms to locate these OVAL files:

  1. If you are able to leverage ESM, you might be able to retrieve them. This is not confirmed by me; a comment indicated this (though comments also said to upgrade the system to a supported version, which is completely irrelevant).

  2. Check internet archives (such as Wayback Machine and Google Cache). I had limited success and was able to locate 1 EOL, because it was a small file size, while others are likely larger files and excluded in most caches.

If future readers find more methods of locating OVAL files with semantic naming of EOL Ubuntu releases, please leave a comment for others.
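As an added example (not code from the question or answer above), here is step 2 of the answer as a small script: it builds the URLs an OVAL file for a release codename was published under, asks the Wayback Machine's availability API for the nearest archived snapshot, and reports the archived copy. The two OVAL URL patterns and the `.bz2` file name are assumptions of this example, not taken from this page; check them against the official OVAL page linked in the question before relying on them. Passing a timestamp near the release's EOL date asks for the last version archived before the file was removed.

```python
"""Locate archived copies of Ubuntu OVAL files for EOL releases via the Wayback Machine."""
import json
import urllib.parse
import urllib.request
from typing import List, Optional

# Assumed URL patterns for Ubuntu's per-release OVAL feeds (hypothetical in this
# example; confirm the current locations against https://ubuntu.com/security/oval).
OVAL_URL_PATTERNS = [
    "https://security-metadata.canonical.com/oval/com.ubuntu.{codename}.cve.oval.xml.bz2",
    "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.{codename}.cve.oval.xml.bz2",
]

# Wayback Machine availability API; returns the snapshot closest to an optional timestamp.
WAYBACK_AVAILABLE_API = "https://archive.org/wayback/available"


def candidate_oval_urls(codename: str) -> List[str]:
    """Build the original URLs an OVAL file for a release codename was published under."""
    codename = codename.strip().lower()
    if not codename.isalpha():
        raise ValueError(f"unexpected release codename: {codename!r}")
    return [pattern.format(codename=codename) for pattern in OVAL_URL_PATTERNS]


def parse_availability(payload: dict) -> Optional[dict]:
    """Extract the closest archived snapshot from an availability API response.

    The API answers {"archived_snapshots": {"closest": {...}}} when a capture exists
    and {"archived_snapshots": {}} when it does not. Only HTTP 200 captures are
    useful: a 404 capture proves the file was already gone at that time.
    """
    closest = payload.get("archived_snapshots", {}).get("closest")
    if not closest or not closest.get("available"):
        return None
    if str(closest.get("status", "")) != "200":
        return None
    return {"url": closest["url"], "timestamp": closest["timestamp"]}


def wayback_lookup(original_url: str, timestamp: Optional[str] = None) -> Optional[dict]:
    """Query the availability API for one URL (network access required)."""
    params = {"url": original_url}
    if timestamp:
        params["timestamp"] = timestamp  # YYYYMMDD[hhmmss]; nearest capture is returned
    query = WAYBACK_AVAILABLE_API + "?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(query, timeout=30) as resp:
        return parse_availability(json.load(resp))


def find_archived_oval(codename: str, near_timestamp: Optional[str] = None) -> List[dict]:
    """Try every candidate URL for a codename and collect the archived copies found."""
    found = []
    for url in candidate_oval_urls(codename):
        hit = wayback_lookup(url, near_timestamp)
        if hit:
            found.append({"original": url, **hit})
    return found


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "hirsute"
    when = sys.argv[2] if len(sys.argv) > 2 else None  # e.g. a date shortly before EOL
    for hit in find_archived_oval(name, when):
        print(f"{hit['timestamp']}  {hit['url']}")
```

Run it as `python3 find_oval.py hirsute 20220101` to look for the capture closest to that date; an empty result means none of the candidate URLs was ever captured with a 200 status, which matches the answer's observation that larger files are often missing from caches.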
