[BugFix] [Infrastructure] Fix failing RHEL/7's "make validate" target when built on openscap 1.0.x #1048
enabled / disabled" OVAL checks in the case we are building RHEL/7 "make validate" target with openscap-1.0.x. In this case "service * enabled / disabled" OVAL checks won't be included in the final OVAL since they require OVAL-5.11 support.

chronyd_specify_multiple_servers.xml rule with shared one from shared/oval/oval_5.11, since these checks depend on 'service_chronyd_enabled' OVAL, which is / will be included only in case oscap supports OVAL-5.11.

"chronyd_specify_remote_server.xml" rule with one shared OVAL from shared/oval/oval_5.11 directory, since in the case service chronyd isn't enabled it doesn't make sense to check chronyd daemon settings (and service_chronyd_enabled OVAL requires oscap to support OVAL-5.11).

…e_servers' rule into two separate RHEL/6 and RHEL/7 OVALs. Since:
* in RHEL-6 case we are able to detect if 'service_ntpd_enabled' OVAL is satisfied just by OVAL-5.10 means,
* but for RHEL-7 we need oscap to support OVAL-5.11.
RHEL-7 version was placed into oval/oval_5.11 folder so it can be later re-used for Fedora too.

…server' into separate RHEL-6 and RHEL-7 version. Since:
* in RHEL-6 case we are able to use it solely using OVAL-5.10 constructs,
* but for RHEL-7 there is a dependency on 'service_ntpd_enabled', which requires OVAL-5.11 constructs.
Place it into shared/oval/oval_5.11 folder for future enhancements wrt the Fedora OVAL check.

…form_rhel' OVAL checks for 'package_abrt_removed' in two different locations:
$ find . -name package_abrt_removed.xml
./shared/oval/package_abrt_removed.xml
./RHEL/7/input/oval/oval_5.11/package_abrt_removed.xml
Since this is bringing ambiguity to the build system wrt this OVAL check inclusion.

build system ambiguity:
$ find . -name package_at_removed.xml
./shared/oval/package_at_removed.xml
./RHEL/7/input/oval/oval_5.11/package_at_removed.xml
There have been two OVAL checks having 'multi_platform_rhel' as platform definition under different locations.

'package_audit_installed' OVAL check. Right now there are multiple definitions of 'package_audit_installed' OVALs:
$ find . -name package_audit_installed.xml
./shared/oval/package_audit_installed.xml
./RHEL/7/input/oval/package_audit_installed.xml
./RHEL/5/input/oval/package_audit_installed.xml
./Fedora/input/oval/oval_5.11/package_audit_installed.xml
and the intersection of the '<platform>' element of these checks isn't an empty set. Therefore:
* Merge CentOS {4,5}, Red Hat Enterprise Linux {4, 5, 6} definition under shared/oval/package_audit_installed.xml location,
* Merge Red Hat Enterprise Linux 7 and Fedora * definition under shared/oval/oval_5.11/package_audit_installed.xml location (since these require OVAL-5.11)
to get empty '<platform>' element intersection (remove the BS ambiguity).

'package_bluez_removed' OVAL check. Right now there are multiple definitions of this OVAL at various places:
$ find . -name package_bluez_removed.xml
./shared/oval/package_bluez_removed.xml
./RHEL/7/input/oval/oval_5.11/package_bluez_removed.xml
both having 'multi_platform_rhel' specified as '<platform>' element. This is causing BS ambiguity (BS including OVAL into final OVAL also in case it shouldn't be). Fix this ambiguity.

'package_chronyd_installed' OVAL check. Right now there are two locations:
$ find . -name package_chrony_installed.xml
./RHEL/7/input/oval/package_chrony_installed.xml
./Fedora/input/oval/oval_5.11/package_chrony_installed.xml
Therefore:
* Create one shared/oval/oval_5.11 one (since package_chronyd_installed is required only in case we check 'service_chronyd_enabled', which requires OVAL-5.11 constructs)

'package_cronie_installed' OVAL check. Current status:
$ find . -name package_cronie_installed.xml
./shared/oval/package_cronie_installed.xml
./RHEL/6/input/oval/package_cronie_installed.xml
./Fedora/input/oval/oval_5.11/package_cronie_installed.xml

'package_firewalld_installed' OVAL check. Current status:
$ find . -name package_firewalld_installed.xml
./shared/oval/package_firewalld_installed.xml
./RHEL/7/input/oval/package_firewalld_installed.xml
./Fedora/input/oval/oval_5.11/package_firewalld_installed.xml
=> create one shared/oval/oval_5.11 OVAL check and delete those unnecessary ones

'package_iputils_removed' OVAL check. Current status:
$ find . -name package_iputils_removed.xml
./shared/oval/package_iputils_removed.xml
./RHEL/7/input/oval/oval_5.11/package_iputils_removed.xml
But for RHEL-7 'package_iputils_removed' is required only in case OVAL-5.11 is supported (for service_rdisc_disabled check). => we can't use shared version.

'package_nfs-utils_removed' OVAL check. Current status:
$ find . -name package_nfs-utils_removed.xml
./shared/oval/package_nfs-utils_removed.xml
./RHEL/7/input/oval/oval_5.11/package_nfs-utils_removed.xml
There are two locations having '<platform>multi_platform_rhel</platform>' platform tag set. But for RHEL-7 the OVAL is required only if we are checking NFS service status (only if oscap supports OVAL-5.11) => we can't use shared/ version. Fix that.

'package_ntp_installed' OVAL check. Current status:
$ find . -name package_ntp_installed.xml
./shared/oval/package_ntp_installed.xml
./RHEL/7/input/oval/package_ntp_installed.xml
./RHEL/5/input/oval/package_ntp_installed.xml
./Debian/8/input/oval/package_ntp_installed.xml
=>
* Replace RHEL/5 version with enhancing shared/oval version,
* Remove 'multi_platform_rhel' from shared/oval version (since in RHEL-7 case we want the OVAL included only in case oscap supports OVAL-5.11)

'package_oddjob_removed' OVAL check. Current status:
$ find . -name package_oddjob_removed.xml
./shared/oval/package_oddjob_removed.xml
./RHEL/7/input/oval/oval_5.11/package_oddjob_removed.xml
Both having 'multi_platform_rhel' as <platform>. But we need:
* RHEL/6 version for both OVAL-5.10 and OVAL-5.11,
* but RHEL/7 version only for OVAL-5.11 version
=> can't use shared/ version

'package_qpid-cpp-server_removed' OVAL check. Current status:
$ find . -name package_qpid-cpp-server_removed.xml
./shared/oval/package_qpid-cpp-server_removed.xml
./RHEL/7/input/oval/oval_5.11/package_qpid-cpp-server_removed.xml
Both of the OVALs have '<platform>' tag set to 'multi_platform_rhel'. But we need 'package_qpid-cpp-server_removed' OVAL for RHEL-7 only in case oscap supports OVAL-5.11 version (as a prerequisite for service * removed check) => it's not possible to use shared/ version of this OVAL. Fix that.
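One way to catch the build-system ambiguity these commits describe, as an added example that is not scap-security-guide's own tooling: it expands multi_platform_rhel to RHEL 6 and RHEL 7 (as the thread states config/oval.config does), groups OVAL files by basename and reports every pair of copies whose '<platform>' sets intersect. The sample trees are constructed; the platform tag of the RHEL/7 copy before the PR is an assumption, while the AFTER layout follows the package_audit_installed commit message.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# The thread states that config/oval.config expands multi_platform_rhel to RHEL 6 and RHEL 7.
MULTI_PLATFORM = {
    "multi_platform_rhel": {"Red Hat Enterprise Linux 6", "Red Hat Enterprise Linux 7"},
}

def oval_fragment(*platforms):
    """Minimal <def-group> fragment carrying the given <platform> tags (constructed sample input)."""
    tags = "".join(f"<platform>{p}</platform>" for p in platforms)
    return ('<def-group><definition class="compliance" id="x" version="1"><metadata><title>t</title>'
            f'<affected family="unix">{tags}</affected></metadata></definition></def-group>')

def platforms_of(xml_text):
    """Expanded platform set of one OVAL file; matched on local name so a namespaced file works too."""
    found = set()
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "platform":
            name = (el.text or "").strip()
            found |= MULTI_PLATFORM.get(name, {name})
    return found

def find_ambiguities(files):
    """files: {path: xml text}. The build keys OVALs on the basename, so group by it and
    report every pair of copies whose expanded platform sets intersect."""
    by_name = defaultdict(list)
    for path, xml in files.items():
        by_name[path.rsplit("/", 1)[-1]].append((path, platforms_of(xml)))
    problems = []
    for name, copies in by_name.items():
        for i, (p1, s1) in enumerate(copies):
            for p2, s2 in copies[i + 1:]:
                if s1 & s2:
                    problems.append((name, p1, p2, sorted(s1 & s2)))
    return problems

# Constructed trees for package_audit_installed. BEFORE: shared copy carries multi_platform_rhel and
# the RHEL/7 copy is assumed to name RHEL 7, so RHEL 7 builds would include both. AFTER follows the
# commit message: CentOS 4/5 + RHEL 4/5/6 in shared/oval, RHEL 7 + Fedora in shared/oval/oval_5.11.
BEFORE = {
    "shared/oval/package_audit_installed.xml": oval_fragment("multi_platform_rhel"),
    "RHEL/7/input/oval/package_audit_installed.xml": oval_fragment("Red Hat Enterprise Linux 7"),
}
AFTER = {
    "shared/oval/package_audit_installed.xml": oval_fragment("CentOS 4", "CentOS 5",
        "Red Hat Enterprise Linux 4", "Red Hat Enterprise Linux 5", "Red Hat Enterprise Linux 6"),
    "shared/oval/oval_5.11/package_audit_installed.xml": oval_fragment("Red Hat Enterprise Linux 7", "Fedora"),
}
```

Running find_ambiguities over BEFORE reports the shared and RHEL/7 copies overlapping on Red Hat Enterprise Linux 7; over AFTER it reports nothing, which is the empty '<platform>' intersection the commit aims for.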
@@ -5,11 +5,14 @@ | |||
<metadata> | |||
<title>Package audit Installed</title> | |||
<affected family="unix"> | |||
<platform>multi_platform_rhel</platform> | |||
<platform>CentOS 4</platform> | |||
<platform>CentOS 5</platform> |
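Review bot: the `<platform>multi_platform_rhel</platform>` line at the top of this `<affected>` block must not survive in shared/oval/package_audit_installed.xml next to the new CentOS 4, CentOS 5 and Red Hat Enterprise Linux entries. The discussion notes that config/oval.config expands multi_platform_rhel to RHEL 6 and RHEL 7, so if that tag is kept the shared copy would still be selected for RHEL/7 builds and would collide with shared/oval/oval_5.11/package_audit_installed.xml, which is exactly the double inclusion this PR sets out to remove. Replace it with an explicit `<platform>Red Hat Enterprise Linux 6</platform>` so RHEL 6 stays covered here and RHEL 7 is covered only by the oval_5.11 copy.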
If RHEL6, should CentOS6 be included too?
> If RHEL6, should CentOS6 be included too?

No. This change isn't adding support for CentOS 6. It's just combining the platform tags from RHEL/5/input/oval/package_audit_installed.xml and the Red Hat Enterprise Linux 6 part from shared/oval/package_audit_installed.xml. The Red Hat Enterprise Linux 7 platform needs to be split into a separate OVAL under the shared/oval/oval_5.11 directory because package_audit_installed is not a standalone OVAL. It's used only as a prerequisite OVAL for service_auditd_enabled, which should be included only at the moment oscap on the system supports OVAL-5.11 (otherwise we will have one unused OVAL when using 5.10 and make validate will complain).
On 2/21/16 4:17 PM, Ján Lieskovský wrote:
Asked a different way: On lines 10-12 you have added CPE tags for RHEL4, RHEL5, and RHEL6. On lines 8 and 9, you have added CentOS 4 and CentOS 5. Is there a reason RHEL6 was added, but not CentOS 6? Should we take this PR as an opportunity to add CentOS6 CPE tags?
Hi Shawn,

> Asked a different way: On lines 10-12 you have added CPE tags for RHEL4, RHEL5,

RHEL4 and RHEL5 CPE tags are present in the current RHEL/5 version of that OVAL.

> and RHEL6.

RHEL6 was included in the current "multi_platform_rhel", which is in the shared/ OVAL.

> On lines 8 and 9, you have added CentOS 4 and CentOS 5.

Same case as above, CentOS 4 and CentOS 5 are already present in:
https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/5/input/oval/package_audit_installed.xml#L8
This change is just moving those platforms from RHEL/5/input/oval/package_audit_installed.xml to shared/oval/package_audit_installed.xml.

> Is there a reason RHEL6 was added,

RHEL6 is already present in the shared version of the OVAL (covered by multi_platform_rhel):
https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/package_audit_installed.xml#L8
multi_platform_rhel = RHEL6, RHEL7 from config/oval.config:
https://github.com/OpenSCAP/scap-security-guide/blob/master/config/oval.config#L27
So this change is just:
- moving from the RHEL-5 script into the shared/ one,
- keeping just the RHEL-6 one in the shared/,
- removing the RHEL-7 one and moving it into shared/oval/oval-5.11 (the reason is we don't want the package_audit_installed OVAL to be included on RHEL-7 always, only in case the content is built on a system supporting OVAL-5.11, because package_audit_installed is just a prerequisite for the service_auditd_enabled OVAL check. Or vice versa, if service_auditd_enabled isn't included [it's not, because the systemdunitdependency -- OVAL 5.11 construct won't be included], it doesn't make sense to include package_audit_installed in that case too, because that would be an unused OVAL, and verify-references.py would complain about that => make validate would fail).

> but not CentOS 6? Should we take this PR as an opportunity to add CentOS6 CPE tags?

No. Sorry. I am not willing to add CentOS 6 tags via this PR. It's a blocker (till this is merged, all other PRs will be failing => people won't even consider reviewing them). Besides that, adding CentOS 6 tags would need further testing to see if this doesn't break something else. I would rather have a separate PR doing nothing else, just adding CentOS6 platform tags, than combine them with this PR.

Sounds reasonable?

Thanks, Jan.
@jan-cerny or @mpreisler Thanks! Jan.

@iankko I have reviewed your pull request. It looks good to me. Thanks for this big contribution. ACK.
This changeset is fixing the failing make validate target for the RHEL/7 product when building on a RHEL-6 system with openscap-1.0.x (not supporting the OVAL-5.11 language version yet).

The change:
verify-references.py helper script for RHEL/7, in the case oscap OVAL-5.10 is used, not to check for service * enabled / disabled OVAL checks (since these need OVAL-5.11 constructs and won't be included in that scenario, the make validate target would complain about a present, but unreferenced OVAL check).

Also, the scap-security-guide-pull-request Jenkins testing job has been modified to perform the test on all three of the systems: RHEL/6, RHEL/7, and Fedora 23, since we need the content to validate properly in the following scenarios:

ShellCheck executable installed (to also test syntax sanity of remediation scripts).

Please review.

Thank you, Jan.