
[BugFix] [Infrastructure] Fix failing RHEL/7's "make validate" target when built on openscap 1.0.x #1048

Merged

Conversation


@iankko iankko commented Feb 21, 2016

This changeset fixes the failing make validate target for the RHEL/7 product when building on a RHEL-6 system with openscap-1.0.x (which does not support the OVAL-5.11 language version yet).

The change:

  • modifies the verify-references.py helper script for RHEL/7 so that, in the case oscap OVAL-5.10 is used, it does not check for service * enabled / disabled OVAL checks (since these need OVAL-5.11 constructs and won't be included in that scenario),
  • also resolves multiple occurrences of build system ambiguity -- cases where multiple copies of an OVAL check were present for the very same rule under different paths (leading to specific OVALs being included in the final OVAL document even when they should not be -- for example, those that are prerequisites for OVAL-5.11 checks shouldn't be included in the case we are building with oscap supporting just OVAL-5.10, since in that case the make validate target will complain about a present but unreferenced OVAL check).

Also, the scap-security-guide-pull-request Jenkins testing job has been modified to perform the test on all three of the systems:

  • RHEL/6,
  • RHEL/7, and
  • Fedora 23

since we need the content to validate properly in the following scenarios:

  • with OVAL-5.10,
  • with OVAL-5.11, and
  • on a Fedora system with the ShellCheck executable installed (to also test syntax sanity of remediation scripts).

Please review.

Thank you, Jan.
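As an added illustration (not code from this pull request or from the scap-security-guide project), the script below reproduces the build-system ambiguity the change addresses: it groups same-named OVAL checks across the tree, expands the multi_platform_rhel alias the way the thread describes config/oval.config (RHEL6, RHEL7), and reports every pair whose `<platform>` sets intersect, which is exactly the situation in which the build may include a copy that the platform should not get. The full platform names, the fragment helper and the BEFORE/AFTER trees are assumptions constructed from the find listings in the commit messages.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from itertools import combinations
from posixpath import basename
# Alias expansion as the thread describes config/oval.config
# (multi_platform_rhel = RHEL6, RHEL7); the full platform names are assumed.
PLATFORM_ALIASES = {"multi_platform_rhel": {"Red Hat Enterprise Linux 6",
                                            "Red Hat Enterprise Linux 7"}}

def platforms_of(oval_xml):
    """Expanded set of <platform> values in one OVAL check fragment."""
    expanded = set()
    for elem in ET.fromstring(oval_xml).iter("platform"):
        name = (elem.text or "").strip()
        expanded |= PLATFORM_ALIASES.get(name, {name})
    return expanded

def find_platform_ambiguities(tree):
    """tree maps relative path -> XML text. Returns one tuple per pair of
    same-named checks whose expanded platform sets intersect."""
    by_name = defaultdict(list)
    for path, xml_text in tree.items():
        by_name[basename(path)].append((path, platforms_of(xml_text)))
    problems = []
    for name, copies in by_name.items():
        for (pa, plat_a), (pb, plat_b) in combinations(copies, 2):
            overlap = plat_a & plat_b
            if overlap:  # both copies claim this platform: ambiguous
                problems.append((name, pa, pb, sorted(overlap)))
    return problems

def fragment(*platforms):
    """Constructed minimal OVAL check body carrying the given <platform> tags."""
    tags = "".join(f"<platform>{p}</platform>" for p in platforms)
    return (f"<def-group><definition id='package_audit_installed'><metadata>"
            f"<affected family='unix'>{tags}</affected></metadata>"
            "</definition></def-group>")

# Constructed 'before' layout from the commit messages: the shared copy
# claims multi_platform_rhel, so it overlaps the RHEL/7-only copy on RHEL 7.
BEFORE = {
    "shared/oval/package_audit_installed.xml": fragment("multi_platform_rhel"),
    "RHEL/7/input/oval/package_audit_installed.xml": fragment("Red Hat Enterprise Linux 7"),
}
# Constructed 'after' layout: platforms split so every intersection is empty.
AFTER = {
    "shared/oval/package_audit_installed.xml": fragment("CentOS 5", "Red Hat Enterprise Linux 6"),
    "shared/oval/oval_5.11/package_audit_installed.xml": fragment("Red Hat Enterprise Linux 7", "Fedora"),
}
```

Running find_platform_ambiguities over a real checkout would need the files read from disk and the alias table taken from config/oval.config rather than hard-coded.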

Jan Lieskovsky added 17 commits February 20, 2016 15:52
enabled / disabled" OVAL checks in the case we are building RHEL/7
"make validate" target with openscap-1.0.x

In this case "service * enabled / disabled" OVAL checks won't be
included in final OVAL since they require OVAL-5.11 support
chronyd_specify_multiple_servers.xml rule with shared one from shared/oval/oval_5.11

Since these checks depend on 'service_chronyd_enabled' OVAL, which
is / will be included only in case oscap supports OVAL-5.11
"chronyd_specify_remote_server.xml" rule with one shared OVAL from shared/oval/oval_5.11 directory

Since in the case service chronyd isn't enabled it doesn't make sense
to check chronyd daemon settings (and service_chronyd_enabled OVAL
requires oscap to support OVAL-5.11)
…e_servers' rule

into two separate RHEL/6 and RHEL/7 OVALs

Since:
* in RHEL-6 case we are able to detect if 'service_ntpd_enabled' OVAL is
satisfied just by OVAL-5.10 means,
* but for RHEL-7 we need oscap to support OVAL-5.11. RHEL-7 version was placed
  into oval/oval_5.11 folder so it can be later re-used for Fedora too
…server'

into separate RHEL-6 and RHEL-7 version

Since:
* in RHEL-6 case we are able to use it solely using OVAL-5.10 constructs,
* but for RHEL-7 this is dependency on 'service_ntpd_enabled', which
  requires OVAL-5.11 constructs. Place it into shared/oval/oval_5.11
  folder for future enhancements wrt the Fedora OVAL check
…form_rhel'

OVAL checks for 'package_abrt_removed' in two different locations:

$ find . -name package_abrt_removed.xml
./shared/oval/package_abrt_removed.xml
./RHEL/7/input/oval/oval_5.11/package_abrt_removed.xml

Since this brings ambiguity to the build system wrt the inclusion of
this OVAL check.
build system ambiguity

$ find . -name package_at_removed.xml
./shared/oval/package_at_removed.xml
./RHEL/7/input/oval/oval_5.11/package_at_removed.xml

There have been two OVAL checks having 'multi_platform_rhel' as platform
definition under different locations.
'package_audit_installed' OVAL check

Right now there are multiple definitions of 'package_audit_installed' OVALs:

$ find . -name package_audit_installed.xml
./shared/oval/package_audit_installed.xml
./RHEL/7/input/oval/package_audit_installed.xml
./RHEL/5/input/oval/package_audit_installed.xml
./Fedora/input/oval/oval_5.11/package_audit_installed.xml

and intersection of the '<platform>' element of these checks
isn't empty set.

Therefore:
* Merge CentOS {4,5}, Red Hat Enterprise Linux {4, 5, 6} definition
  under shared/oval/package_audit_installed.xml location,
* Merge Red Hat Enterprise Linux 7 and Fedora * definition under
  shared/oval/oval_5.11/package_audit_installed.xml location
  (since these require OVAL-5.11)

to get empty '<platform>' element intersection (remove the BS ambiguity).
'package_bluez_removed' OVAL check

Right now there are multiple definitions of this OVAL at various places:

$ find . -name package_bluez_removed.xml
./shared/oval/package_bluez_removed.xml
./RHEL/7/input/oval/oval_5.11/package_bluez_removed.xml

both having 'multi_platform_rhel' specified as '<platform>' element.

This is causing BS ambiguity (BS including the OVAL into the final OVAL
also in case it shouldn't be). Fix this ambiguity.
'package_chronyd_installed' OVAL check

Right now there are two locations:
$ find . -name package_chrony_installed.xml
./RHEL/7/input/oval/package_chrony_installed.xml
./Fedora/input/oval/oval_5.11/package_chrony_installed.xml

Therefore:
* Create one shared/oval/oval_5.11 one (since package_chronyd_installed
  is required only in case we check 'service_chronyd_enabled', which
  requires OVAL-5.11 constructs)
'package_cronie_installed' OVAL check

Current status:
$ find . -name package_cronie_installed.xml
./shared/oval/package_cronie_installed.xml
./RHEL/6/input/oval/package_cronie_installed.xml
./Fedora/input/oval/oval_5.11/package_cronie_installed.xml
'package_firewalld_installed' OVAL check

Current status:

$ find . -name package_firewalld_installed.xml
./shared/oval/package_firewalld_installed.xml
./RHEL/7/input/oval/package_firewalld_installed.xml
./Fedora/input/oval/oval_5.11/package_firewalld_installed.xml

=> create one shared/oval/oval_5.11 OVAL check and delete
those unnecessary ones
'package_iputils_removed' OVAL check

Current status:

$ find . -name package_iputils_removed.xml
./shared/oval/package_iputils_removed.xml
./RHEL/7/input/oval/oval_5.11/package_iputils_removed.xml

But for RHEL-7 'package_iputils_removed' is required only in case
OVAL-5.11 is supported (for service_rdisc_disabled check).

=> we can't use shared version.
'package_nfs-utils_removed' OVAL check

Current status:
$ find . -name package_nfs-utils_removed.xml
./shared/oval/package_nfs-utils_removed.xml
./RHEL/7/input/oval/oval_5.11/package_nfs-utils_removed.xml

There are two locations having '<platform>multi_platform_rhel</platform>'
platform tag set. But for RHEL-7 the OVAL is required only if we
are checking NFS service status (only if oscap supports OVAL-5.11) =>
we can't use shared/ version. Fix that.
'package_ntp_installed' OVAL check

Current status:

$ find . -name package_ntp_installed.xml
./shared/oval/package_ntp_installed.xml
./RHEL/7/input/oval/package_ntp_installed.xml
./RHEL/5/input/oval/package_ntp_installed.xml
./Debian/8/input/oval/package_ntp_installed.xml

=>
* Replace RHEL/5 version with enhancing shared/oval version,
* Remove 'multi_platform_rhel' from shared/oval version
  (since in RHEL-7 case we want the OVAL included only in
  case oscap supports OVAL-5.11)
'package_oddjob_removed' OVAL check

Current status:

$ find . -name package_oddjob_removed.xml
./shared/oval/package_oddjob_removed.xml
./RHEL/7/input/oval/oval_5.11/package_oddjob_removed.xml

Both having 'multi_platform_rhel' as <platform>. But we need:
* RHEL/6 version for both OVAL-5.10 and OVAL-5.11,
* But RHEL/7 version only for OVAL-5.11 version

=> can't use shared/ version
'package_qpid-cpp-server_removed' OVAL check

Current status:

$ find . -name package_qpid-cpp-server_removed.xml
./shared/oval/package_qpid-cpp-server_removed.xml
./RHEL/7/input/oval/oval_5.11/package_qpid-cpp-server_removed.xml

Both of the OVALs have the '<platform>' tag set to 'multi_platform_rhel'.
But we need 'package_qpid-cpp-server_removed' OVAL for RHEL-7 only
in case oscap supports OVAL-5.11 version (as a prerequisite for
service * removed check) => it's not possible to use shared/
version of this OVAL. Fix that.
@iankko iankko added bugfix Fixes to reported bugs. BLOCKER Impediments to release, like failure to build content, or content built is out of standard's syntax Infrastructure Our content build system labels Feb 21, 2016
@iankko iankko added this to the 0.1.29 milestone Feb 21, 2016
@@ -5,11 +5,14 @@
<metadata>
<title>Package audit Installed</title>
<affected family="unix">
<platform>multi_platform_rhel</platform>
<platform>CentOS 4</platform>
<platform>CentOS 5</platform>
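Review bot: with the multi_platform_rhel line gone, RHEL 6 and RHEL 7 coverage of this check now rests entirely on explicit platform tags, and the visible context stops at CentOS 5 before any Red Hat Enterprise Linux lines appear; confirm that the rest of this hunk lists Red Hat Enterprise Linux 6 and that RHEL 7 is carried by the shared/oval/oval_5.11 copy described in the commit message, otherwise the check silently disappears from one of the builds the alias used to cover.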
Member

If RHEL6, should CentOS6 be included too?

Author

@shawndwells

If RHEL6, should CentOS6 be included too?

No. This change isn't adding support for CentOS 6. It's just combining the platform tags from RHEL/5/input/oval/package_audit_installed.xml and the Red Hat Enterprise Linux 6 part from shared/oval/package_audit_installed.xml. The Red Hat Enterprise Linux 7 platform needs to be split into a separate OVAL under the shared/oval/oval_5.11 directory because package_audit_installed is not a standalone OVAL. It's used only as a prerequisite OVAL for service_auditd_enabled, which should be included only when the oscap on the system supports OVAL-5.11 (otherwise we will have one unused OVAL when using 5.10 and make validate will complain).

Member

On 2/21/16 4:17 PM, Ján Lieskovský wrote:

In shared/oval/package_audit_installed.xml
#1048 (comment):

@@ -5,11 +5,14 @@

<title>Package audit Installed</title>

  •    <platform>multi_platform_rhel</platform>
    
  •    <platform>CentOS 4</platform>
    
  •    <platform>CentOS 5</platform>
    

@shawndwells https://github.com/shawndwells

If RHEL6, should CentOS6 be included too?

No. This change isn't adding support for |CentOS 6|. It's just
combining the platform tags from
|RHEL/5/input/oval/package_audit_installed.xml| and |Red Hat
Enterprise Linux 6| part from
|shared/oval/package_audit_installed.xml|. |Red Hat Enterprise Linux
7| platform needs to be split into separate oval under
|shared/oval/oval_5.11| directory because |package_audit_installed| is
not a standalone OVAL. It's used only as a prerequisite OVAL for
|service_auditd_enabled|, which should be included only in moment
oscap on system supports OVAL-5.11 (otherwise we will have one unused
OVAL when using 5.10 and |make validate| will complain).

Asked a different way: On lines 10-12 you have added CPE tags for RHEL4,
RHEL5, and RHEL6. On lines 8 and 9, you have added CentOS 4 and CentOS 5.

Is there a reason RHEL6 was added, but not CentOS 6? Should we take this
PR as an opportunity to add CentOS6 CPE tags?

Author

@shawndwells

Hi Shawn,

Asked a different way: On lines 10-12 you have added CPE tags for RHEL4, RHEL5,

RHEL4 and RHEL5 CPE tags are present in current RHEL/5 version of that OVAL.

and RHEL6.

RHEL6 was included in current "multi_platform_rhel" which is in shared/ OVAL.

On lines 8 and 9, you have added CentOS 4 and CentOS 5.

Same case like above, CentOS 4 and CentOS 5 are already present in:
https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/5/input/oval/package_audit_installed.xml#L8

This change is just moving those platforms from RHEL/5/input/oval/package_audit_installed.xml to shared/oval/package_audit_installed.xml.

Is there a reason RHEL6 was added,

RHEL6 is already present in shared version of the OVAL (covered by multi_platform_rhel):
https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/package_audit_installed.xml#L8

multi_platform_rhel = RHEL6, RHEL7 from config/oval.config:
https://github.com/OpenSCAP/scap-security-guide/blob/master/config/oval.config#L27

So this change is just:

  • moving from RHEL-5 script into shared/ one,
  • keeping just RHEL-6 one in the shared/
  • removing RHEL-7 one and moving it into shared/oval/oval-5.11 (the reason is we don't want package_audit_installed OVAL to be included on RHEL-7 always. Only in case the content is built on system supporting OVAL-5.11 (because package_audit_installed is just prerequisite for service_auditd_enabled OVAL check. Or vice versa, if service_auditd_enabled isn't included [it's not because systemdunitdependency -- OVAL 5.11 construct won't be included], it doesn't make sense to include package_audit_installed in that case too, because that would be unused OVAL. and verify-references.py would complain about that => make validate would fail).

but not CentOS 6? Should we take this PR as an opportunity to add CentOS6 CPE tags?

No. Sorry. I am not willing to add CentOS 6 tags via this PR. It's a blocker (until this is merged, all other PRs will be failing => people won't even consider reviewing them). Besides that, adding CentOS 6 tags would need further testing to see whether it breaks something else. I would rather have a separate PR doing nothing else, just adding CentOS6 platform tags, than combine them with this PR.

Sounds reasonable?

Thanks, Jan.

@iankko
Author

iankko commented Feb 22, 2016

@jan-cerny or @mpreisler
Could you hopefully look at this one? (since it's blocking other PRs)

Thanks!, Jan.

@jan-cerny jan-cerny self-assigned this Feb 22, 2016
@jan-cerny
Collaborator

@iankko I have reviewed your pull request. It looks good to me. Thanks for this big contribution. ACK.

jan-cerny added a commit that referenced this pull request Feb 22, 2016
[BugFix] [Infrastructure] Fix failing RHEL/7's "make validate" target when built on openscap 1.0.x
@jan-cerny jan-cerny merged commit 5703131 into ComplianceAsCode:master Feb 22, 2016
@iankko
Author

iankko commented Feb 22, 2016

@jan-cerny
Thank you too!

@iankko iankko deleted the openscap_1.0.x_rhel7_make_validate branch February 22, 2016 16:46