Make WARNING the default verbosity level

[mpreisler]

DO NOT MERGE, up for discussion.

@jan-cerny I have noticed that your oscap_set_verbose code defaults to unknown verbosity and no output. Do you recall what was the reasoning behind that? I expected WARNING level by default and stderr output, which is what this PR does.

Does the UNKNOWN verbose level have any meaning? It seems it's just used to flag that oscap_set_verbose was never run with non-NULL verbosity level.

Perhaps I am missing something.

[mpreisler]

(The Jenkins failure is expected)

[jan-cerny]

@mpreisler

I think that UNKNOWN level doesn't have any meaning, probably it is just a fallback value for oscap_string_to_enum.

However, now, in OpenSCAP you must directly specify verbosity level. The '--verbose' has a required argument.

If you omit the level, you will get an error:

oscap oval eval --verbose  /usr/share/xml/scap/ssg/content/ssg-fedora-oval.xml 
ERROR:    Invalid verbosity level! Verbosity level must be one of: DEVEL, INFO, WARNING, ERROR.

What's the reason behind this pull request? Do you want to reuse the function somewhere else? Or did you want to make the code more readable?

[mpreisler]

I want to make "warnings and up" visible by default, even without --verbose

[jan-cerny]

@mpreisler OK, That makes sense. Great idea! I think we can ignore the UNKNOWN value and default to WARNING.

[mpreisler]

@dahaic How do you feel about changing this in a maintenance branch? maint-1.2. If everything goes well there will be no change in output, if there are any warnings they will be shown in stderr.

[dahaic]

Personally, I see it as a bugfix, because proposed behaviour is something I would expect from any utility. So I have no issues with inclusion into the maintenance branch.

[mpreisler]

Ok, so we have a consensus here. I will change the tests accordingly and finish this up.

[jan-cerny]

@mpreisler The Jenkins fail here looks legit, there are multiple failing test cases in XCCDF directory.

[mpreisler]

@mpreisler The Jenkins fail here looks legit, there are multiple failing test cases in XCCDF directory.

Yeah, it's expected. Check out comment #630 (comment)

I need to change the tests one by one.

[mpreisler]

TODO:

• tests/API/XCCDF/applicability FIXED, warning filtered out
• tests/API/XCCDF/unittests FIXED, error loading SCE
• tests/API/XCCDF/variable_instance FIXED, error loading SCE
• tests/bz2 FIXED, error loading SCE
• tests/DS FIXED, error loading SCE
• tests/probes/sysctl FIXED
• tests/probes/sql57 FIXED

[mpreisler]

$ cat /tmp/test_remediation_subs_unresolved.out.RClcIQ
W: oscap: The xccdf:rule-result/xccdf:instance element was not found.

This looks like a serious bug found by this change, the instance is there, it's just that the code fails to find it. I will investigate further after I fix up the rest.

rule results XCCDF:

<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_moc.elpmaxe.www_benchmark_test" resolved="1">
  <status>accepted</status>
  <version>1.0</version>
  <model system="urn:xccdf:scoring:default"/>
  <Rule id="xccdf_moc.elpmaxe.www_rule_1" selected="true">
    <title xmlns:xhtml="http://www.w3.org/1999/xhtml">Ensure that file exists and it is not executable</title>
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml">
      <xhtml:object id="#xccdf:value:asdfg"/>
    </description>
    <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" system="urn:xccdf:fix:script:sh">
        <instance xmlns="http://checklists.nist.gov/xccdf/1.2"/>
        touch test_file
        chmod a-x test_file
    </fix>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:moc.elpmaxe.www:def:1" href="test_remediation_simple.oval.xml"/>
    </check>
  </Rule>
  <TestResult id="xccdf_org.open-scap_testresult_default-profile" start-time="2017-02-08T15:53:13" end-time="2017-02-08T15:53:13" version="1.0" test-system="cpe:/a:redhat:openscap:1.2.14">
    <benchmark href="./test_remediation_subs_unresolved.xccdf.xml" id="xccdf_moc.elpmaxe.www_benchmark_test"/>
    <title>OSCAP Scan Result</title>
    <identity authenticated="false" privileged="false">mpreisle</identity>
    <target>t450s</target>
    <target-address>127.0.0.1</target-address>
    <target-address>0:0:0:0:0:0:0:1</target-address>
    <target-facts>
      <fact name="urn:xccdf:fact:scanner:name" type="string">OpenSCAP</fact>
      <fact name="urn:xccdf:fact:scanner:version" type="string">1.2.14</fact>
      <fact name="urn:xccdf:fact:ethernet:MAC" type="string">00:00:00:00:00:00</fact>
    </target-facts>
    <rule-result idref="xccdf_moc.elpmaxe.www_rule_1" time="2017-02-08T15:53:13" weight="1.000000">
      <result>fail</result>
      <message severity="info">Fix execution was aborted: Text substitution failed.</message>
      <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" system="urn:xccdf:fix:script:sh">
        <instance xmlns="http://checklists.nist.gov/xccdf/1.2"/>
        touch test_file
        chmod a-x test_file
    </fix>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref name="oval:moc.elpmaxe.www:def:1" href="test_remediation_simple.oval.xml"/>
      </check>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">0.000000</score>
  </TestResult>
</Benchmark>

[mpreisler]

Does anybody understand the code at https://github.com/OpenSCAP/openscap/blob/maint-1.2/src/XCCDF_POLICY/xccdf_policy_substitute.c#L168 ? I think it might be mistaking fix/instance with rule-result/instance but I don't know enough about this part of OpenSCAP to know for sure.

@jan-cerny @ybznek

[rsprudencio]

The only instance I can recall in the specs is the one related to textfilecontent result and according to the code, that's the correct relation: xccdf_rule_result_get_instances(data->rule_result);

I don't know the relation between those instances and this text substitution though, sorry 😞

[mpreisler]

I took another look and the instance it's looking for is really not in the rule-results. So it could be that the code is fine. I am leaning towards backlisting this warning in the test. So we will keep warning about this situation but the tests will pass when this warning is in that particular test. I will make the commit shortly.

[mpreisler]

@openscap-jenkins test this please

[rsprudencio]

@openscap-jenkins test this please

[mpreisler]

@openscap-jenkins test this please

This has passed before AFAIK.

[rsprudencio]

This was passed before AFAIK.

Yes I know, I was testing Jenkins, it's only failing on SSG PR's 😞

[jan-cerny]

What if the indentation level will change in future? I would put here instead of 6 spaces a regular expression matching at least one space.

[mpreisler]

Fixed

[jan-cerny]

@mpreisler Great job! Thank you.