[BugFix] Debian make fix for openscap 1.0.x#960
Merged
isimluk merged 8 commits intoComplianceAsCode:masterfrom Jan 8, 2016
Merged
[BugFix] Debian make fix for openscap 1.0.x#960isimluk merged 8 commits intoComplianceAsCode:masterfrom
isimluk merged 8 commits intoComplianceAsCode:masterfrom
Conversation
added 8 commits
January 7, 2016 20:26
…uild is attempted on a system using openscap-1.0.x version: * e.g. 1.0.10 on RHEL-6, or * 1.0.9 on Debian/8 (Jessie) This fixes "No match found for key-sequence ['oval:ssg-service_sshd_disabled:def:1']" issue as reported at: [1] https://jenkins.open-scap.org/job/scap-security-guide-pull-requests/332/console [2] ComplianceAsCode#952 (comment) Testing report: -- Verified manually on recent RHEL-6 system the "Debian/8" "make" target (and therefore whole "make jenkins" target now builds successfully (even on system having openscap-1.0.x installed).
…sabled.csv' files (whole 'make services' target from the input/oval/templates/Makefile)
more verbose when raising ValueError (print concrete item)
[Update] [RHEVM3] Enhance the existing 'services_disabled.cvs' file
to support newly added DAEMONNAME functionality ('create_services_disabled.py'
helper script not to raise ValueError exception)
…led.csv" content to start using new daemon_name CSV value expected by 'create_services_disabled.py' helper script (prevent ValueError)
…led' CSV files [BugFix] [Firefox] Drop 'make services' target from input/oval/templates/Makefile
input/oval/oval_5.11/templates/Makefile for this product [BugFix] [OpenStack/RHEL-OSP/7] Update 'services_disabled' CSV file for this product to support daemon_name too
…daemon_name voluntary value [RHEL/6] Ditto
"input/oval/oval_5.11/templates" location to add support for daemon_name voluntary CSV value (for the case daemon name would differ from service name)
Member
|
This is wonderful. I'll smile a little bit longer today. Thanks! |
isimluk
added a commit
that referenced
this pull request
Jan 8, 2016
[BugFix] Debian make fix for openscap 1.0.x
Author
|
Thanks for the review, Simon! Much appreciated. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This changeset is performing the following:
[1] https://jenkins.open-scap.org/job/scap-security-guide-pull-requests/332/console
[2] #952 (comment)
It is fixing the issue on defining the
oval:ssg-service_sshd_disabled:def:1also for the case just OVAL-5.10 version is used in the final OVAL document (e.g.systemdunitdependencyconstruct is not available yet). It is doing the check based on the following two observations:<runlevel>OVAL object / test elements are not implemented in OpenSCAP yet when compiled on Debian system:[3] https://github.com/OpenSCAP/openscap/blob/maint-1.2/src/OVAL/probes/unix/runlevel.c#L210
Therefore instead of attempting to use the
<runlevel>elements we directly check content of/etc/rc*.d/folders (/etc/rc0.d../etc/rcS.d) to see if there are some entries likeS\d{2]sshpresent. If present, we consider the servicesshnot to be disabled on such a system. If not present, we consider thesshservice to be disabled on the system. This observation holds because:while in the case the
sshservice is enabled, the situation looks like the following:chkconfigcase is 'ssh', rather than 'sshd' (when e.g.systemdtool is used):vs
Therefore this first patch also enhances the
shared/oval/templates/create_services_disabled.pyhelper script to count with the possibility the daemon name might differ from service name,Then:
services_enabledandservices_disabledCSV files forWebminproduct (it can't happen Webmin would need to check status of some service),services_disabledCSV file for theRHEVM3product (in the first patch we enhancedcreate_services_disabled.pyhelper script to count with voluntarily provideddaemon_name[for the case daemon name would differ from service name]. Therefore we need to update the RHEVM3'sservices_disabled.csvCSV file to properly deal with this new feature,services_disabled.csv`` form for theRHEL/7``` product,services_enabledandservices_disabledCSV files forFirefoxproduct (it can't happen Firefox content would ever need to check some service is enabled),services_disabled.csvfile forOpenStack/RHEL-OSP/7product,services_disabled.csvform forRHEL/5andRHEL/6products,services_disabled.csvfile forDebian/8product for the case we are using openscap capable of OVAL-5.11 to build the content.Testing report:
The change has been manually tested on the following two systems:
Debian/8/makenow works && alsomake jenkinsnow works),make servicesare still working for all of the products touched within this changeset).Please review.
Thank you, Jan.