rpms/openscap
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import openscap-1.3.5-13.el9

Browse Source
This commit is contained in:
CentOS Sources 2021-12-07 12:39:17 -05:00 committed by Stepan Oksanichenko
parent 4feb9ec8b2
commit b8615cbfea
12 changed files with 3664 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
SOURCES/openscap-1.3.6-alternative-hostname-pr-1806.patch Normal file
View File

@ -0,0 +1,72 @@
From d97687c12ba6cbca1d732534ff7394bd14547d92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 10 Sep 2021 14:53:42 +0200
Subject: [PATCH] Add an alternative source of hostname
If /etc/hostname can't be read, we will try to open /proc/sys/kernel/hostname instead.
Resolves: rhbz#1977668
---
src/XCCDF/result.c | 5 ++++
tests/API/XCCDF/unittests/CMakeLists.txt | 1 +
.../XCCDF/unittests/test_results_hostname.sh | 26 +++++++++++++++++++
3 files changed, 32 insertions(+)
create mode 100755 tests/API/XCCDF/unittests/test_results_hostname.sh
diff --git a/src/XCCDF/result.c b/src/XCCDF/result.c
index 91fcc6041d..c0ad4b926f 100644
--- a/src/XCCDF/result.c
+++ b/src/XCCDF/result.c
@@ -271,6 +271,11 @@ static char *_get_etc_hostname(const char *oscap_probe_root)
fp = oscap_fopen_with_prefix(oscap_probe_root, "/etc/hostname");
+ if (fp == NULL) {
+ dD("Trying to use /proc/sys/kernel/hostname instead of /etc/hostname");
+ fp = oscap_fopen_with_prefix(oscap_probe_root, "/proc/sys/kernel/hostname");
+ }
+
if (fp == NULL)
goto fail;
diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt
index 52645834c4..6549538440 100644
--- a/tests/API/XCCDF/unittests/CMakeLists.txt
+++ b/tests/API/XCCDF/unittests/CMakeLists.txt
@@ -101,3 +101,4 @@ add_oscap_test("test_fix_arf.sh")
add_oscap_test("test_fix_resultid_by_suffix.sh")
add_oscap_test("test_generate_fix_ansible_vars.sh")
add_oscap_test("test_xccdf_requires_conflicts.sh")
+add_oscap_test("test_results_hostname.sh")
diff --git a/tests/API/XCCDF/unittests/test_results_hostname.sh b/tests/API/XCCDF/unittests/test_results_hostname.sh
new file mode 100755
index 0000000000..c4408affbb
--- /dev/null
+++ b/tests/API/XCCDF/unittests/test_results_hostname.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+. $builddir/tests/test_common.sh
+
+set -e
+set -o pipefail
+
+result=$(mktemp)
+tmpdir=$(mktemp -d)
+
+export OSCAP_PROBE_ROOT="$tmpdir"
+
+mkdir -p "$tmpdir/etc"
+echo "hostname_defined_in_etc_hostname" > "$tmpdir/etc/hostname"
+$OSCAP xccdf eval --results "$result" "$srcdir/test_single_rule.ds.xml" || ret=$?
+assert_exists 1 '/Benchmark/TestResult/target[text()="hostname_defined_in_etc_hostname"]'
+assert_exists 0 '/Benchmark/TestResult/target[text()="hostname_defined_in_proc_sys_kernel"]'
+
+rm -rf "$tmpdir/etc/hostname"
+mkdir -p "$tmpdir/proc/sys/kernel/"
+echo "hostname_defined_in_proc_sys_kernel" > "$tmpdir/proc/sys/kernel/hostname"
+$OSCAP xccdf eval --results "$result" "$srcdir/test_single_rule.ds.xml" || ret=$?
+assert_exists 0 '/Benchmark/TestResult/target[text()="hostname_defined_in_etc_hostname"]'
+assert_exists 1 '/Benchmark/TestResult/target[text()="hostname_defined_in_proc_sys_kernel"]'
+
+rm -f "$result"
+rm -rf "$tmpdir"

64
SOURCES/openscap-1.3.6-blueprint-fix-pr-1749.patch Normal file
View File

@ -0,0 +1,64 @@
From 5f0a9033b466d929613a2a55a1524ec75c09b5b0 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Thu, 6 May 2021 08:14:12 +0200
Subject: [PATCH] Introduce OSBuild Blueprint fix type
---
utils/oscap-xccdf.c | 7 +++++--
utils/oscap.8 | 2 +-
xsl/xccdf-share.xsl | 1 +
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
index 95c1c7658d..801e54fa35 100644
--- a/utils/oscap-xccdf.c
+++ b/utils/oscap-xccdf.c
@@ -275,7 +275,8 @@ static struct oscap_module XCCDF_GEN_FIX = {
.usage = "[options] xccdf-file.xml",
.help = GEN_OPTS
"\nFix Options:\n"
- " --fix-type <type> - Fix type. Should be one of: bash, ansible, puppet, anaconda (default: bash).\n"
+ " --fix-type <type> - Fix type. Should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes,\n"
+ " blueprint (default: bash).\n"
" --output <file> - Write the script into file.\n"
" --result-id <id> - Fixes will be generated for failed rule-results of the specified TestResult.\n"
" --template <id|filename> - Fix template. (default: bash)\n"
@@ -887,10 +888,12 @@ int app_generate_fix(const struct oscap_action *action)
template = "urn:xccdf:fix:script:ignition";
} else if (strcmp(action->fix_type, "kubernetes") == 0) {
template = "urn:xccdf:fix:script:kubernetes";
+ } else if (strcmp(action->fix_type, "blueprint") == 0) {
+ template = "urn:redhat:osbuild:blueprint";
} else {
fprintf(stderr,
"Unknown fix type '%s'.\n"
- "Please provide one of: bash, ansible, puppet, anaconda, ignition, kubernetes.\n"
+ "Please provide one of: bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint.\n"
"Or provide a custom template using '--template' instead.\n",
action->fix_type);
return OSCAP_ERROR;
diff --git a/utils/oscap.8 b/utils/oscap.8
index 240b829d7b..6cae0ffe8a 100644
--- a/utils/oscap.8
+++ b/utils/oscap.8
@@ -395,7 +395,7 @@ Result-oriented fixes are generated using result-id provided to select only the
Profile-oriented fixes are generated using all rules within the provided profile. If no result-id/profile are provided, (default) profile will be used to generate fixes.
.TP
\fB\-\-fix-type TYPE\fR
-Specify fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes. Default is bash. This option is mutually exclusive with --template, because fix type already determines the template URN.
+Specify fix type. There are multiple programming languages in which the fix script can be generated. TYPE should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes, blueprint. Default is bash. This option is mutually exclusive with --template, because fix type already determines the template URN.
.TP
\fB\-\-output FILE\fR
Write the report to this file instead of standard output.
diff --git a/xsl/xccdf-share.xsl b/xsl/xccdf-share.xsl
index 9f8e587676..d7a9f3b7e2 100644
--- a/xsl/xccdf-share.xsl
+++ b/xsl/xccdf-share.xsl
@@ -295,6 +295,7 @@ Authors:
<xsl:when test="$fix/@system = 'urn:xccdf:fix:script:puppet'">Puppet snippet</xsl:when>
<xsl:when test="$fix/@system = 'urn:redhat:anaconda:pre'">Anaconda snippet</xsl:when>
<xsl:when test="$fix/@system = 'urn:xccdf:fix:script:kubernetes'">Kubernetes snippet</xsl:when>
+ <xsl:when test="$fix/@system = 'urn:redhat:osbuild:blueprint'">OSBuild Blueprint snippet</xsl:when>
<xsl:otherwise>script</xsl:otherwise>
</xsl:choose>
</xsl:variable>

583
SOURCES/openscap-1.3.6-blueprint-toml-pr-1810.patch Normal file
View File

@ -0,0 +1,583 @@
From b0b7626dca08acd4563ae42c1c27ccc0777b5357 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Thu, 23 Sep 2021 00:58:29 +0200
Subject: [PATCH] Add proper Blueprint's remediation snippets handling for
generation of the final TOML document.
As the final Blueprint could not be created by just gluing up all
the snippets together we have to get a bit more creative.
---
docs/manual/manual.adoc | 15 ++
src/XCCDF_POLICY/xccdf_policy_remediate.c | 216 ++++++++++++++++--
src/common/list.c | 19 ++
src/common/list.h | 1 +
tests/API/XCCDF/unittests/CMakeLists.txt | 1 +
.../unittests/test_remediation_blueprint.sh | 27 +++
.../unittests/test_remediation_blueprint.toml | 45 ++++
.../test_remediation_blueprint.xccdf.xml | 102 +++++++++
8 files changed, 405 insertions(+), 21 deletions(-)
create mode 100755 tests/API/XCCDF/unittests/test_remediation_blueprint.sh
create mode 100644 tests/API/XCCDF/unittests/test_remediation_blueprint.toml
create mode 100644 tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml
diff --git a/docs/manual/manual.adoc b/docs/manual/manual.adoc
index e8664eb920..90e2cc2c63 100644
--- a/docs/manual/manual.adoc
+++ b/docs/manual/manual.adoc
@@ -1084,6 +1084,21 @@ scanned during this command. If you want to generate remediation only for the
failed rules based on scan results, refer to <<_reviewing_remediations,Reviewing
remediations>>.
+=== Generating Image Builder Blueprints
+
+OpenSCAP can also create a remediation in form of Image Builder (OSBuild) Blueprint. This remeditaion
+is intendeded to be used as a bootstrap for image creation and usually it will contain only essential
+elements of the configuration, elements that would be hard or impossible to change after the image
+is created, like partitioning or set of installed packages.
+
+It is recommended to combine this type of remediation with other types, executed on the running system.
+
+For example, to generate a blueprint remediation for RHEL 8 OSPP profile, run:
+
+----
+$ oscap xccdf generate fix --profile ospp --fix-type blueprint /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml > blueprint.toml
+----
+
== Details on SCAP conformance
=== Check Engines
diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
index 0b3a037a5f..6033c3b54b 100644
--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -656,6 +656,78 @@ static int _write_fix_missing_warning_to_fd(const char *sys, int output_fd, stru
}
}
+struct blueprint_entries {
+ const char *pattern;
+ struct oscap_list *list;
+ pcre *re;
+};
+
+static inline int _parse_blueprint_fix(const char *fix_text, struct oscap_list *generic, struct oscap_list *services_enable, struct oscap_list *services_disable, struct oscap_list *kernel_append)
+{
+ const char *err;
+ int errofs;
+ int ret = 0;
+
+ struct blueprint_entries tab[] = {
+ {"\\[customizations\\.services\\]\\s+enabled[=\\s]+\\[([^\\]]+)\\]\\s+", services_enable, NULL},
+ {"\\[customizations\\.services\\]\\s+disabled[=\\s]+\\[([^\\]]+)\\]\\s+", services_disable, NULL},
+ {"\\[customizations\\.kernel\\]\\s+append[=\\s\"]+([^\"]+)[\\s\"]+", kernel_append, NULL},
+ // We do this only to pop the 'distro' entry to the top of the generic list,
+ // effectively placing it to the root of the TOML document.
+ {"\\s+(distro[=\\s\"]+[^\"]+[\\s\"]+)", generic, NULL},
+ {NULL, NULL, NULL}
+ };
+
+ for (int i = 0; tab[i].pattern != NULL; i++) {
+ tab[i].re = pcre_compile(tab[i].pattern, PCRE_UTF8, &err, &errofs, NULL);
+ if (tab[i].re == NULL) {
+ dE("Unable to compile /%s/ regex pattern, pcre_compile() returned error (offset: %d): '%s'.\n", tab[i].pattern, errofs, err);
+ ret = 1;
+ goto exit;
+ }
+ }
+
+ const size_t fix_text_len = strlen(fix_text);
+ size_t start_offset = 0;
+ int ovector[6] = {0};
+
+ for (int i = 0; tab[i].pattern != NULL; i++) {
+ while (true) {
+ const int match = pcre_exec(tab[i].re, NULL, fix_text, fix_text_len, start_offset,
+ 0, ovector, sizeof(ovector) / sizeof(ovector[0]));
+ if (match == -1)
+ break;
+
+ if (match != 2) {
+ dE("Expected 1 capture group matches per entry. Found %i!", match - 1);
+ ret = 1;
+ goto exit;
+ }
+
+ char *val = malloc((ovector[3] - ovector[2] + 1) * sizeof(char));
+ memcpy(val, &fix_text[ovector[2]], ovector[3] - ovector[2]);
+ val[ovector[3] - ovector[2]] = '\0';
+
+ if (!oscap_list_contains(kernel_append, val, (oscap_cmp_func) oscap_streq)) {
+ oscap_list_prepend(tab[i].list, val);
+ } else {
+ free(val);
+ }
+
+ start_offset = ovector[1];
+ }
+ }
+
+ if (start_offset < fix_text_len-1) {
+ oscap_list_add(generic, strdup(fix_text + start_offset));
+ }
+
+exit:
+ for (int i = 0; tab[i].pattern != NULL; i++)
+ pcre_free(tab[i].re);
+
+ return ret;
+}
static inline int _parse_ansible_fix(const char *fix_text, struct oscap_list *variables, struct oscap_list *tasks)
{
@@ -793,6 +865,18 @@ static int _xccdf_policy_rule_generate_fix(struct xccdf_policy *policy, struct x
return ret;
}
+static int _xccdf_policy_rule_generate_blueprint_fix(struct xccdf_policy *policy, struct xccdf_rule *rule, const char *template, struct oscap_list *generic, struct oscap_list *services_enable, struct oscap_list *services_disable, struct oscap_list *kernel_append)
+{
+ char *fix_text = NULL;
+ int ret = _xccdf_policy_rule_get_fix_text(policy, rule, template, &fix_text);
+ if (fix_text == NULL) {
+ return ret;
+ }
+ ret = _parse_blueprint_fix(fix_text, generic, services_enable, services_disable, kernel_append);
+ free(fix_text);
+ return ret;
+}
+
static int _xccdf_policy_rule_generate_ansible_fix(struct xccdf_policy *policy, struct xccdf_rule *rule, const char *template, struct oscap_list *variables, struct oscap_list *tasks)
{
char *fix_text = NULL;
@@ -914,25 +998,45 @@ static char *_comment_multiline_text(char *text)
static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_result *result, const char *sys, int output_fd)
{
if (!(oscap_streq(sys, "") || oscap_streq(sys, "urn:xccdf:fix:script:sh") || oscap_streq(sys, "urn:xccdf:fix:commands") ||
- oscap_streq(sys, "urn:xccdf:fix:script:ansible")))
+ oscap_streq(sys, "urn:xccdf:fix:script:ansible") || oscap_streq(sys, "urn:redhat:osbuild:blueprint")))
return 0; // no header required
- const bool ansible_script = strcmp(sys, "urn:xccdf:fix:script:ansible") == 0;
- const char *how_to_apply = ansible_script ?
- "# $ ansible-playbook -i \"localhost,\" -c local playbook.yml\n"
- "# $ ansible-playbook -i \"192.168.1.155,\" playbook.yml\n"
- "# $ ansible-playbook -i inventory.ini playbook.yml" :
- "# $ sudo ./remediation-script.sh";
const char *oscap_version = oscap_get_version();
- const char *format = ansible_script ? "ansible" : "bash";
- const char *remediation_type = ansible_script ? "Ansible Playbook" : "Bash Remediation Script";
- const char *shebang_with_newline = ansible_script ? "" : "#!/usr/bin/env bash\n";
+ char *how_to_apply = "";
+ char *format = (char *)sys;
+ char *remediation_type = "Unknown";
+ char *shebang_with_newline = "";
+
+ if (oscap_streq(sys, "urn:xccdf:fix:script:ansible")) {
+ how_to_apply = "# $ ansible-playbook -i \"localhost,\" -c local playbook.yml\n"
+ "# $ ansible-playbook -i \"192.168.1.155,\" playbook.yml\n"
+ "# $ ansible-playbook -i inventory.ini playbook.yml";
+ format = "ansible";
+ remediation_type = "Ansible Playbook";
+ }
+
+ if (oscap_streq(sys, "urn:redhat:osbuild:blueprint")) {
+ how_to_apply = "# composer-cli blueprints push blueprint.toml";
+ format = "blueprint";
+ remediation_type = "Blueprint";
+ }
+
+ if (oscap_streq(sys, "") || oscap_streq(sys, "urn:xccdf:fix:script:sh") || oscap_streq(sys, "urn:xccdf:fix:commands")) {
+ how_to_apply = "# $ sudo ./remediation-script.sh";
+ format = "bash";
+ remediation_type = "Bash Remediation Script";
+ shebang_with_newline = "#!/usr/bin/env bash\n";
+ }
char *fix_header;
struct xccdf_profile *profile = xccdf_policy_get_profile(policy);
const char *profile_id = xccdf_profile_get_id(profile);
+ struct xccdf_benchmark *benchmark = xccdf_policy_get_benchmark(policy);
+ const char *benchmark_version_info = benchmark ? xccdf_benchmark_get_version(benchmark) : "Unknown";
+ const char *benchmark_id = benchmark ? xccdf_benchmark_get_id(benchmark) : "Unknown";
+
// Title
struct oscap_text_iterator *title_iterator = xccdf_profile_get_title(profile);
char *raw_profile_title = oscap_textlist_get_preferred_plaintext(title_iterator, NULL);
@@ -942,11 +1046,6 @@ static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_
if (result == NULL) {
// Profile-based remediation fix
- struct xccdf_benchmark *benchmark = xccdf_policy_get_benchmark(policy);
- if (benchmark == NULL) {
- free(profile_title);
- return 1;
- }
// Description
struct oscap_text_iterator *description_iterator = xccdf_profile_get_description(profile);
char *profile_description = description_iterator != NULL ?
@@ -955,10 +1054,8 @@ static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_
char *commented_profile_description = _comment_multiline_text(profile_description);
free(profile_description);
- const char *benchmark_version_info = xccdf_benchmark_get_version(benchmark);
- const char *benchmark_id = xccdf_benchmark_get_id(benchmark);
- const struct xccdf_version_info *xccdf_version = xccdf_benchmark_get_schema_version(benchmark);
- const char *xccdf_version_name = xccdf_version_info_get_version(xccdf_version);
+ const struct xccdf_version_info *xccdf_version = benchmark ? xccdf_benchmark_get_schema_version(benchmark) : NULL;
+ const char *xccdf_version_name = xccdf_version ? xccdf_version_info_get_version(xccdf_version) : "Unknown";
fix_header = oscap_sprintf(
"%s"
@@ -1026,9 +1123,8 @@ static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_
result_id, format, remediation_type, remediation_type, how_to_apply
);
}
- free(profile_title);
- if (ansible_script) {
+ if (oscap_streq(sys, "urn:xccdf:fix:script:ansible")) {
char *ansible_fix_header = oscap_sprintf(
"---\n"
"%s\n"
@@ -1036,9 +1132,85 @@ static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_
fix_header);
free(fix_header);
return _write_text_to_fd_and_free(output_fd, ansible_fix_header);
+ } else if (oscap_streq(sys, "urn:redhat:osbuild:blueprint")) {
+ char *blueprint_fix_header = oscap_sprintf(
+ "%s"
+ "name = \"%s\"\n"
+ "description = \"%s\"\n"
+ "version = \"%s\"\n",
+ fix_header, profile_id, profile_title, benchmark_version_info);
+ free(fix_header);
+ return _write_text_to_fd_and_free(output_fd, blueprint_fix_header);
} else {
return _write_text_to_fd_and_free(output_fd, fix_header);
}
+
+ free(profile_title);
+}
+
+static int _xccdf_policy_generate_fix_blueprint(struct oscap_list *rules_to_fix, struct xccdf_policy *policy, const char *sys, int output_fd)
+{
+ int ret = 0;
+ struct oscap_list *generic = oscap_list_new();
+ struct oscap_list *services_enable = oscap_list_new();
+ struct oscap_list *services_disable = oscap_list_new();
+ struct oscap_list *kernel_append = oscap_list_new();
+ struct oscap_iterator *rules_to_fix_it = oscap_iterator_new(rules_to_fix);
+ while (oscap_iterator_has_more(rules_to_fix_it)) {
+ struct xccdf_rule *rule = (struct xccdf_rule*)oscap_iterator_next(rules_to_fix_it);
+ ret = _xccdf_policy_rule_generate_blueprint_fix(policy, rule, sys, generic, services_enable, services_disable, kernel_append);
+ if (ret != 0)
+ break;
+ }
+ oscap_iterator_free(rules_to_fix_it);
+
+ struct oscap_iterator *generic_it = oscap_iterator_new(generic);
+ while(oscap_iterator_has_more(generic_it)) {
+ char *var_line = (char *) oscap_iterator_next(generic_it);
+ _write_text_to_fd(output_fd, var_line);
+ }
+ _write_text_to_fd(output_fd, "\n");
+ oscap_iterator_free(generic_it);
+ oscap_list_free(generic, free);
+
+ _write_text_to_fd(output_fd, "[customizations.kernel]\nappend = \"");
+ struct oscap_iterator *kernel_append_it = oscap_iterator_new(kernel_append);
+ while(oscap_iterator_has_more(kernel_append_it)) {
+ char *var_line = (char *) oscap_iterator_next(kernel_append_it);
+ _write_text_to_fd(output_fd, var_line);
+ if (oscap_iterator_has_more(kernel_append_it))
+ _write_text_to_fd(output_fd, " ");
+ }
+ _write_text_to_fd(output_fd, "\"\n\n");
+ oscap_iterator_free(kernel_append_it);
+ oscap_list_free(kernel_append, free);
+
+ _write_text_to_fd(output_fd, "[customizations.services]\n");
+ _write_text_to_fd(output_fd, "enabled = [");
+ struct oscap_iterator *services_enable_it = oscap_iterator_new(services_enable);
+ while(oscap_iterator_has_more(services_enable_it)) {
+ char *var_line = (char *) oscap_iterator_next(services_enable_it);
+ _write_text_to_fd(output_fd, var_line);
+ if (oscap_iterator_has_more(services_enable_it))
+ _write_text_to_fd(output_fd, ",");
+ }
+ _write_text_to_fd(output_fd, "]\n");
+ oscap_iterator_free(services_enable_it);
+ oscap_list_free(services_enable, free);
+
+ _write_text_to_fd(output_fd, "disabled = [");
+ struct oscap_iterator *services_disable_it = oscap_iterator_new(services_disable);
+ while(oscap_iterator_has_more(services_disable_it)) {
+ char *var_line = (char *) oscap_iterator_next(services_disable_it);
+ _write_text_to_fd(output_fd, var_line);
+ if (oscap_iterator_has_more(services_disable_it))
+ _write_text_to_fd(output_fd, ",");
+ }
+ _write_text_to_fd(output_fd, "]\n\n");
+ oscap_iterator_free(services_disable_it);
+ oscap_list_free(services_disable, free);
+
+ return ret;
}
static int _xccdf_policy_generate_fix_ansible(struct oscap_list *rules_to_fix, struct xccdf_policy *policy, const char *sys, int output_fd)
@@ -1145,6 +1317,8 @@ int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *
// in Ansible we have to generate variables first and then tasks
if (strcmp(sys, "urn:xccdf:fix:script:ansible") == 0) {
ret = _xccdf_policy_generate_fix_ansible(rules_to_fix, policy, sys, output_fd);
+ } else if (strcmp(sys, "urn:redhat:osbuild:blueprint") == 0) {
+ ret = _xccdf_policy_generate_fix_blueprint(rules_to_fix, policy, sys, output_fd);
} else {
ret = _xccdf_policy_generate_fix_other(rules_to_fix, policy, sys, output_fd);
}
diff --git a/src/common/list.c b/src/common/list.c
index 2516d0f2f0..90381069f8 100644
--- a/src/common/list.c
+++ b/src/common/list.c
@@ -66,6 +66,25 @@ bool oscap_list_add(struct oscap_list * list, void *value)
return true;
}
+bool oscap_list_prepend(struct oscap_list * list, void *value)
+{
+ __attribute__nonnull__(list);
+ if (value == NULL) return false;
+
+ struct oscap_list_item *item = malloc(sizeof(struct oscap_list_item));
+ item->next = NULL;
+ item->data = value;
+ ++list->itemcount;
+
+ if (list->first == NULL) {
+ list->last = list->first = item;
+ } else {
+ item->next = list->first;
+ list->first = item;
+ }
+ return true;
+}
+
bool oscap_list_push(struct oscap_list *list, void *value)
{
return oscap_list_add(list,value);
diff --git a/src/common/list.h b/src/common/list.h
index 7a0694dc8a..3179c514f0 100644
--- a/src/common/list.h
+++ b/src/common/list.h
@@ -62,6 +62,7 @@ struct oscap_list *oscap_list_new(void);
void oscap_create_lists(struct oscap_list **first, ...);
bool oscap_list_add(struct oscap_list *list, void *value);
bool oscap_list_push(struct oscap_list *list, void *value);
+bool oscap_list_prepend(struct oscap_list *list, void *value);
bool oscap_list_pop(struct oscap_list *list, oscap_destruct_func destructor);
bool oscap_list_remove(struct oscap_list *list, void *value, oscap_cmp_func compare, oscap_destruct_func destructor);
struct oscap_list *oscap_list_clone(const struct oscap_list * list, oscap_clone_func cloner);
diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt
index 52645834c4..9c17ebb78a 100644
--- a/tests/API/XCCDF/unittests/CMakeLists.txt
+++ b/tests/API/XCCDF/unittests/CMakeLists.txt
@@ -75,6 +75,7 @@ add_oscap_test("test_single_rule_stigw.sh")
add_oscap_test("test_remediation_simple.sh")
add_oscap_test("test_remediation_offline.sh")
add_oscap_test("test_remediation_metadata.sh")
+add_oscap_test("test_remediation_blueprint.sh")
add_oscap_test("test_remediation_bad_fix.sh")
add_oscap_test("test_remediation_subs_plain_text.sh")
add_oscap_test("test_remediation_subs_plain_text_empty.sh")
diff --git a/tests/API/XCCDF/unittests/test_remediation_blueprint.sh b/tests/API/XCCDF/unittests/test_remediation_blueprint.sh
new file mode 100755
index 0000000000..7c79822529
--- /dev/null
+++ b/tests/API/XCCDF/unittests/test_remediation_blueprint.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+. $builddir/tests/test_common.sh
+
+set -e
+set -o pipefail
+
+name=$(basename $0 .sh)
+result=$(make_temp_file /tmp ${name}.out)
+stderr=$(make_temp_file /tmp ${name}.out)
+
+ret=0
+
+input_xml="$srcdir/${name}.xccdf.xml"
+valid_toml="$srcdir/${name}.toml"
+
+echo "Stderr file = $stderr"
+echo "Result file = $result"
+[ -f $stderr ]; [ ! -s $stderr ]; :> $stderr
+
+# The $valid_toml file was generated without ' # This file was generated by OpenSCAP 1.3.5 using:' line
+# to make the test independent from the scanner version. We have to filter this line from the output as well.
+
+$OSCAP xccdf generate fix --fix-type blueprint --profile 'common' "$input_xml" | grep -v "OpenSCAP" > "$result"
+
+diff $valid_toml $result
+
+rm "$result"
diff --git a/tests/API/XCCDF/unittests/test_remediation_blueprint.toml b/tests/API/XCCDF/unittests/test_remediation_blueprint.toml
new file mode 100644
index 0000000000..e189adca9d
--- /dev/null
+++ b/tests/API/XCCDF/unittests/test_remediation_blueprint.toml
@@ -0,0 +1,45 @@
+###############################################################################
+#
+# Blueprint for Profile title on one line
+#
+# Profile Description:
+# Profile description
+#
+# Profile ID: xccdf_moc.elpmaxe.www_profile_common
+# Benchmark ID: xccdf_moc.elpmaxe.www_benchmark_test
+# Benchmark Version: 1.0
+# XCCDF Version: 1.2
+#
+# $ oscap xccdf generate fix --profile xccdf_moc.elpmaxe.www_profile_common --fix-type blueprint xccdf-file.xml
+#
+# It attempts to fix every selected rule, even if the system is already compliant.
+#
+# How to apply this Blueprint:
+# composer-cli blueprints push blueprint.toml
+#
+###############################################################################
+
+name = "xccdf_moc.elpmaxe.www_profile_common"
+description = "Profile title on one line"
+version = "1.0"
+distro = rhel-80
+
+[[packages]]
+name = "aide"
+version = "*"
+
+[[customizations.filesystem]]
+mountpoint = "/home"
+size = 1
+
+[[customizations.filesystem]]
+mountpoint = "/tmp"
+size = 2
+
+[customizations.kernel]
+append = "foo=bar audit=1"
+
+[customizations.services]
+enabled = ["sshd","usbguard"]
+disabled = ["kdump"]
+
diff --git a/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml b/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml
new file mode 100644
index 0000000000..e685620dac
--- /dev/null
+++ b/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml
@@ -0,0 +1,102 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_moc.elpmaxe.www_benchmark_test">
+ <status>accepted</status>
+ <version>1.0</version>
+ <Profile id="xccdf_moc.elpmaxe.www_profile_common">
+ <title>Profile title on one line</title>
+ <description>Profile description</description>
+ <select idref="xccdf_moc.elpmaxe.www_rule_1" selected="true"/>
+ </Profile>
+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_1">
+ <title>Install aide</title>
+ <fix system="urn:redhat:osbuild:blueprint">
+[[packages]]
+name = "aide"
+version = "*"
+</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+ </check>
+ </Rule>
+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_2">
+ <title>Define /home</title>
+ <fix system="urn:redhat:osbuild:blueprint">
+[[customizations.filesystem]]
+mountpoint = "/home"
+size = 1
+</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+ </check>
+ </Rule>
+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_3">
+ <title>Add audit=1 kernel option</title>
+ <fix system="urn:redhat:osbuild:blueprint">
+[customizations.kernel]
+append = "audit=1"
+</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+ </check>
+ </Rule>
+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_4">
+ <title>Add foo=bar kernel option</title>
+ <fix system="urn:redhat:osbuild:blueprint">
+[customizations.kernel]
+append = "foo=bar"
+</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+ </check>
+ </Rule>
+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_5">
+ <title>Define /tmp</title>
+ <fix system="urn:redhat:osbuild:blueprint">
+[[customizations.filesystem]]
+mountpoint = "/tmp"
+size = 2
+</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+ </check>
+ </Rule>
+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_6">
+ <title>Enable usbguard</title>
+ <fix system="urn:redhat:osbuild:blueprint">
+[customizations.services]
+enabled = ["usbguard"]
+</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+ </check>
+ </Rule>
+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_7">
+ <title>Disable kdump</title>
+ <fix system="urn:redhat:osbuild:blueprint">
+[customizations.services]
+disabled = ["kdump"]
+</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+ </check>
+ </Rule>
+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_8">
+ <title>Set distro (RHEL 8.0)</title>
+ <fix system="urn:redhat:osbuild:blueprint">
+distro = rhel-80
+</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+ </check>
+ </Rule>
+ <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_9">
+ <title>Enable sshd</title>
+ <fix system="urn:redhat:osbuild:blueprint">
+[customizations.services]
+enabled = ["sshd"]
+</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+ </check>
+ </Rule>
+</Benchmark>

124
SOURCES/openscap-1.3.6-empty-proc-in-offline-pr-1812.patch Normal file
View File

@ -0,0 +1,124 @@
From ea87ecab21a54741e64680977521837ccaf0206b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 5 Oct 2021 14:33:37 +0200
Subject: [PATCH] Allow empty /proc in offline mode
When scanning offline file systems the /proc might be empty. Currently,
OpenSCAP thinks that it means a permissions problems, which is often
true if it happens on a real system, but in offline mode it can be a
normal situation. We will not consider empty /proc an error in offline
mode.
The commit also includes a simple test case.
Inspired by eda9881e08f0398d1481f133fbb56c0080cfe9f3
Resolves: RHBZ #2008922
---
src/OVAL/probes/unix/process58_probe.c | 18 ++++++++++----
tests/probes/process58/CMakeLists.txt | 1 +
tests/probes/process58/empty_proc.sh | 33 ++++++++++++++++++++++++++
3 files changed, 47 insertions(+), 5 deletions(-)
create mode 100755 tests/probes/process58/empty_proc.sh
diff --git a/src/OVAL/probes/unix/process58_probe.c b/src/OVAL/probes/unix/process58_probe.c
index d1108fc59..29c582152 100644
--- a/src/OVAL/probes/unix/process58_probe.c
+++ b/src/OVAL/probes/unix/process58_probe.c
@@ -472,7 +472,7 @@ static inline char *make_defunc_str(char* const cmd_buffer){
static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
{
char buf[PATH_MAX];
- int err = PROBE_EACCESS, max_cap_id;
+ int max_cap_id;
DIR *d;
struct dirent *ent;
oval_schema_version_t oval_version;
@@ -501,6 +501,7 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
cmd_buffer[0] = '[';
// Scan the directories
+ bool any_pid_dir_found = false;
while (( ent = readdir(d) )) {
int fd, len;
char *tmp, state, tty_dev[128];
@@ -562,9 +563,7 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
}
}
-
- err = PROBE_ESUCCESS; // If we get this far, no permission problems
- dI("Have command: %s", cmd);
+ any_pid_dir_found = true;
cmd_sexp = SEXP_string_newf("%s", cmd);
pid_sexp = SEXP_number_newu_32(pid);
if ((cmd_sexp == NULL || probe_entobj_cmp(cmd_ent, cmd_sexp) == OVAL_RESULT_TRUE) &&
@@ -662,7 +661,16 @@ static int read_process(SEXP_t *cmd_ent, SEXP_t *pid_ent, probe_ctx *ctx)
}
closedir(d);
oscap_buffer_free(cmdline_buffer);
- return err;
+
+ if (!any_pid_dir_found) {
+ dW("No data about processes could be read from '%s'.", buf);
+ }
+ // In offline mode, empty /proc might be a normal situation and doesn't
+ // have to mean permissions problems
+ if (prefix)
+ return PROBE_ESUCCESS;
+ else
+ return any_pid_dir_found ? PROBE_ESUCCESS : PROBE_EACCESS;
}
int process58_probe_offline_mode_supported(void)
diff --git a/tests/probes/process58/CMakeLists.txt b/tests/probes/process58/CMakeLists.txt
index 17261dbb7..947665de6 100644
--- a/tests/probes/process58/CMakeLists.txt
+++ b/tests/probes/process58/CMakeLists.txt
@@ -2,6 +2,7 @@ if(ENABLE_PROBES_UNIX)
add_oscap_test("capability.sh")
add_oscap_test("command_line.sh")
add_oscap_test("dev_to_tty.sh")
+ add_oscap_test("empty_proc.sh")
add_oscap_test("loginuid.sh")
add_oscap_test("selinux_domain_label.sh")
add_oscap_test("sessionid.sh")
diff --git a/tests/probes/process58/empty_proc.sh b/tests/probes/process58/empty_proc.sh
new file mode 100755
index 000000000..2f0334b15
--- /dev/null
+++ b/tests/probes/process58/empty_proc.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# This is regression test of RHBZ #2008922
+
+set -e -o pipefail
+
+. $builddir/tests/test_common.sh
+probecheck "process58" || exit 255
+
+name=$(basename $0 .sh)
+result=$(mktemp ${name}.out.XXXXXX)
+stderr=$(mktemp ${name}.err.XXXXXX)
+
+root=$(mktemp -d)
+
+# create an empty /proc in the offline file system dir
+mkdir -p "$root/proc"
+
+export OSCAP_PROBE_ROOT="$root"
+$OSCAP oval eval --results $result $srcdir/capability.oval.xml 2> $stderr
+
+[ $? -eq 0 ]
+grep -q "^W: oscap:\s\+No data about processes could be read from '$root/proc'." "$stderr"
+grep -q "OpenSCAP Error: Probe at sd=1 (process58) reported an error: Operation not permitted" "$stderr" && false
+grep -q "W: oscap:\s\+Can't receive message: 125, Operation canceled." "$stderr" && false
+
+[ -s "$result" ]
+assert_exists 1 '/oval_results/results/system/definitions/definition[@result="false"]'
+assert_exists 1 '/oval_results/results/system/oval_system_characteristics/collected_objects/object[@flag="does not exist"]'
+
+rm "$stderr"
+rm "$result"
+rm -r "$root"

92
SOURCES/openscap-1.3.6-http_error_fix-PR_1805.patch Normal file
View File

@ -0,0 +1,92 @@
From d2790140325a3d77264937c38d5076899c824dd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 10 Sep 2021 10:11:00 +0200
Subject: [PATCH] Fail download on HTTP errors
When the HTTP server returns status code greater than or equal 400,
the download will fail.
Resolves: rhbz#2002733
---
src/common/oscap_acquire.c | 20 ++++++++++++++++++--
tests/DS/test_ds_misc.sh | 15 +++++++++++++++
2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c
index cd9bfc36f6..8f4991751f 100644
--- a/src/common/oscap_acquire.c
+++ b/src/common/oscap_acquire.c
@@ -328,6 +328,14 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
CURLcode res;
+ /* CURLOPT_FAILONERROR - request failure on HTTP response >= 400 */
+ res = curl_easy_setopt(curl, CURLOPT_FAILONERROR, true);
+ if (res != 0) {
+ curl_easy_cleanup(curl);
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_FAILONERROR: %s", curl_easy_strerror(res));
+ return NULL;
+ }
+
res = curl_easy_setopt(curl, CURLOPT_URL, url);
if (res != 0) {
curl_easy_cleanup(curl);
@@ -387,14 +395,22 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
}
res = curl_easy_perform(curl);
- curl_easy_cleanup(curl);
if (res != 0) {
- oscap_seterr(OSCAP_EFAMILY_NET, "Download failed: %s", curl_easy_strerror(res));
+ if (res == CURLE_HTTP_RETURNED_ERROR) {
+ long http_code = 0;
+ curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http_code);
+ oscap_seterr(OSCAP_EFAMILY_NET, "Download failed: %s: %ld", curl_easy_strerror(res), http_code);
+ } else {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Download failed: %s", curl_easy_strerror(res));
+ }
+ curl_easy_cleanup(curl);
oscap_buffer_free(buffer);
return NULL;
}
+ curl_easy_cleanup(curl);
+
*memory_size = oscap_buffer_get_length(buffer);
char* data = oscap_buffer_bequeath(buffer); // get data and free buffer struct
return data;
diff --git a/tests/DS/test_ds_misc.sh b/tests/DS/test_ds_misc.sh
index 4d2dfc449a..159007518e 100755
--- a/tests/DS/test_ds_misc.sh
+++ b/tests/DS/test_ds_misc.sh
@@ -250,6 +250,19 @@ function test_ds_continue_without_remote_resources() {
rm -f "$result" "$oval_result"
}
+function test_ds_error_remote_resources() {
+ local DS="${srcdir}/$1"
+ local PROFILE="$2"
+ local result=$(mktemp)
+ local stderr=$(mktemp)
+
+ $OSCAP xccdf eval --fetch-remote-resources --profile "$PROFILE" --results "$result" "$DS" 2>"$stderr" || ret=$?
+ grep -q "Downloading: https://www.example.com/security/data/oval/oval.xml.bz2 ... error" "$stderr"
+ grep -q "OpenSCAP Error: Download failed: HTTP response code said error: 404" "$stderr"
+
+ rm -f "$result" "$stderr"
+}
+
function test_source_date_epoch() {
local xccdf="$srcdir/sds_multiple_oval/multiple-oval-xccdf.xml"
local result="$(mktemp)"
@@ -286,7 +299,9 @@ test_run "eval_cpe" test_eval_cpe eval_cpe/sds.xml
test_run "test_eval_complex" test_eval_complex
test_run "sds_add_multiple_oval_twice_in_row" sds_add_multiple_twice
test_run "test_ds_1_2_continue_without_remote_resources" test_ds_continue_without_remote_resources ds_continue_without_remote_resources/remote_content_1.2.ds.xml xccdf_com.example.www_profile_test_remote_res
+test_run "test_ds_1_2_error_remote_resources" test_ds_error_remote_resources ds_continue_without_remote_resources/remote_content_1.2.ds.xml xccdf_com.example.www_profile_test_remote_res
test_run "test_ds_1_3_continue_without_remote_resources" test_ds_continue_without_remote_resources ds_continue_without_remote_resources/remote_content_1.3.ds.xml xccdf_com.example.www_profile_test_remote_res
+test_run "test_ds_1_3_error_remote_resources" test_ds_error_remote_resources ds_continue_without_remote_resources/remote_content_1.3.ds.xml xccdf_com.example.www_profile_test_remote_res
test_run "test_source_date_epoch" test_source_date_epoch
test_exit

136
SOURCES/openscap-1.3.6-initialize-crapi-once-pr-1779.patch Normal file
View File

@ -0,0 +1,136 @@
From 5c422226df442855a7dc9834eb4ff74865394a92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 8 Jul 2021 14:28:16 +0200
Subject: [PATCH 1/3] Initialize crypto API only once
The function `crapi_init` calls `gcry_check_version` which must be
called before any other function from the Libgcrypt library. That might
be violated when multiple threads executing multiple probes are running.
The mitigation proposed in this PR is to call `crapi_init` only once
when the session is initialized which means before any threads are
spawned.
See also: https://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading
Resolves: RHBZ#1959570
---
src/OVAL/oval_probe_session.c | 5 +++++
src/OVAL/probes/independent/filehash58_probe.c | 6 ------
src/OVAL/probes/independent/filehash_probe.c | 6 ------
src/OVAL/probes/independent/filemd5_probe.c | 6 ------
4 files changed, 5 insertions(+), 18 deletions(-)
diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
index 435ca148fd..6f6d7ad426 100644
--- a/src/OVAL/oval_probe_session.c
+++ b/src/OVAL/oval_probe_session.c
@@ -93,6 +93,11 @@ static void oval_probe_session_libinit(void)
SEXP_free((SEXP_t *)exp);
ncache_libinit();
+ /*
+ * Initialize crypto API
+ */
+ if (crapi_init (NULL) != 0)
+ return (NULL);
}
/**
diff --git a/src/OVAL/probes/independent/filehash58_probe.c b/src/OVAL/probes/independent/filehash58_probe.c
index ff1e065746..32a38562bd 100644
--- a/src/OVAL/probes/independent/filehash58_probe.c
+++ b/src/OVAL/probes/independent/filehash58_probe.c
@@ -210,12 +210,6 @@ int filehash58_probe_offline_mode_supported()
void *filehash58_probe_init(void)
{
- /*
- * Initialize crypto API
- */
- if (crapi_init (NULL) != 0)
- return (NULL);
-
/*
* Initialize mutex.
*/
diff --git a/src/OVAL/probes/independent/filehash_probe.c b/src/OVAL/probes/independent/filehash_probe.c
index 522d976512..6d8780dc95 100644
--- a/src/OVAL/probes/independent/filehash_probe.c
+++ b/src/OVAL/probes/independent/filehash_probe.c
@@ -190,12 +190,6 @@ int filehash_probe_offline_mode_supported()
void *filehash_probe_init(void)
{
- /*
- * Initialize crypto API
- */
- if (crapi_init (NULL) != 0)
- return (NULL);
-
/*
* Initialize mutex.
*/
diff --git a/src/OVAL/probes/independent/filemd5_probe.c b/src/OVAL/probes/independent/filemd5_probe.c
index d0de402d8b..99913581f0 100644
--- a/src/OVAL/probes/independent/filemd5_probe.c
+++ b/src/OVAL/probes/independent/filemd5_probe.c
@@ -163,12 +163,6 @@ int probe_offline_mode_supported()
void *probe_init (void)
{
- /*
- * Initialize crypto API
- */
- if (crapi_init (NULL) != 0)
- return (NULL);
-
/*
* Initialize mutex.
*/
From c4c26d99a59205d744befe52be4e81bcf5f55d9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 13 Jul 2021 13:03:21 +0200
Subject: [PATCH 2/3] Add a missing include
---
src/OVAL/oval_probe_session.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
index 6f6d7ad426..295782b536 100644
--- a/src/OVAL/oval_probe_session.c
+++ b/src/OVAL/oval_probe_session.c
@@ -48,6 +48,7 @@
#include "oval_probe_ext.h"
#include "probe-table.h"
#include "oval_types.h"
+#include "crapi/crapi.h"
#if defined(OSCAP_THREAD_SAFE)
#include <pthread.h>
From 6241a8835574429a787e0dd48d2c0ac2a71499b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 15 Jul 2021 14:21:00 +0200
Subject: [PATCH 3/3] Don't initialize crypto on Windows
---
src/OVAL/oval_probe_session.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/OVAL/oval_probe_session.c b/src/OVAL/oval_probe_session.c
index 295782b536..b443cbcc80 100644
--- a/src/OVAL/oval_probe_session.c
+++ b/src/OVAL/oval_probe_session.c
@@ -97,8 +97,10 @@ static void oval_probe_session_libinit(void)
/*
* Initialize crypto API
*/
+#ifndef OS_WINDOWS
if (crapi_init (NULL) != 0)
return (NULL);
+#endif
}
/**

2158
SOURCES/openscap-1.3.6-local-files-pr-1769.patch Normal file
View File

File diff suppressed because it is too large Load Diff

242
SOURCES/openscap-1.3.6-memory-limit-pr-1827.patch Normal file
View File

@ -0,0 +1,242 @@
From a7a0c4a3f528594bb3181174b6986e9c50a684b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 30 Aug 2021 15:44:37 +0200
Subject: [PATCH 1/3] Lower memory limits and improve their checking
This patch attempts to mitigate problems caused by a large amount of
collected objects such as rhbz#1932833.
Specifically, these changes are made:
- Lower the threshold so that the amount of used memory is checked when
only 1000 items are collected for the given OVAL object. That's
because 32768 items (the original value) is already a large amount which
occupies a lot of memory during further processing.
- Lower the memory usage ratio limit for the probe to 10 %. We have
found experimentally that giving the probe 15 % or more will cause the
oscap process to be killed when processing the collected data and
generating results.
- In the calling function probe_item_collect, distinguish between return
codes which means different behavior when there is insufficient memory
than when the memory consumption can't be checked.
- Improve the warning message to show greater details about memory
consumption to the user.
- Remove the check for the absolute amount of remaining free memory. As
we can see on the example of rhbz#1932833, on systems with large
amount of memory the remaining memory of 512 MB isn't enough memory for
openscap to process the collected data. At the same time, if we lowered
the usage ratio, we don't need this anymore.
- Remove useless message "spt:" from the verbose log because it's
produced many times and pollutes the log extremely.
---
src/OVAL/probes/probe/icache.c | 23 +++++++++++------------
src/common/memusage.c | 2 --
2 files changed, 11 insertions(+), 14 deletions(-)
diff --git a/src/OVAL/probes/probe/icache.c b/src/OVAL/probes/probe/icache.c
index 7e16daa334..af7b528372 100644
--- a/src/OVAL/probes/probe/icache.c
+++ b/src/OVAL/probes/probe/icache.c
@@ -487,9 +487,8 @@ int probe_icache_nop(probe_icache_t *cache)
return (0);
}
-#define PROBE_RESULT_MEMCHECK_CTRESHOLD 32768 /* item count */
-#define PROBE_RESULT_MEMCHECK_MINFREEMEM 512 /* MiB */
-#define PROBE_RESULT_MEMCHECK_MAXRATIO 0.8 /* max. memory usage ratio - used/total */
+#define PROBE_RESULT_MEMCHECK_CTRESHOLD 1000 /* item count */
+#define PROBE_RESULT_MEMCHECK_MAXRATIO 0.1 /* max. memory usage ratio - used/total */
/**
* Returns 0 if the memory constraints are not reached. Otherwise, 1 is returned.
@@ -511,18 +510,12 @@ static int probe_cobj_memcheck(size_t item_cnt)
c_ratio = (double)mu_proc.mu_rss/(double)(mu_sys.mu_total);
if (c_ratio > PROBE_RESULT_MEMCHECK_MAXRATIO) {
- dW("Memory usage ratio limit reached! limit=%f, current=%f",
- PROBE_RESULT_MEMCHECK_MAXRATIO, c_ratio);
+ dW("Memory usage ratio limit reached! limit=%f, current=%f, used=%ld MB, free=%ld MB, total=%ld MB, count of items=%ld",
+ PROBE_RESULT_MEMCHECK_MAXRATIO, c_ratio, mu_proc.mu_rss / 1024, mu_sys.mu_realfree / 1024, mu_sys.mu_total / 1024, item_cnt);
errno = ENOMEM;
return (1);
}
- if ((mu_sys.mu_realfree / 1024) < PROBE_RESULT_MEMCHECK_MINFREEMEM) {
- dW("Minimum free memory limit reached! limit=%zu, current=%zu",
- PROBE_RESULT_MEMCHECK_MINFREEMEM, mu_sys.mu_realfree / 1024);
- errno = ENOMEM;
- return (1);
- }
}
return (0);
@@ -547,6 +540,7 @@ int probe_item_collect(struct probe_ctx *ctx, SEXP_t *item)
{
SEXP_t *cobj_content;
size_t cobj_itemcnt;
+ int memcheck_ret;
if (ctx == NULL || ctx->probe_out == NULL || item == NULL) {
return -1;
@@ -556,7 +550,12 @@ int probe_item_collect(struct probe_ctx *ctx, SEXP_t *item)
cobj_itemcnt = SEXP_list_length(cobj_content);
SEXP_free(cobj_content);
- if (probe_cobj_memcheck(cobj_itemcnt) != 0) {
+ memcheck_ret = probe_cobj_memcheck(cobj_itemcnt);
+ if (memcheck_ret == -1) {
+ dE("Failed to check available memory");
+ return -1;
+ }
+ if (memcheck_ret == 1) {
/*
* Don't set the message again if the collected object is
diff --git a/src/common/memusage.c b/src/common/memusage.c
index fc6909e6fb..c6755f21f1 100644
--- a/src/common/memusage.c
+++ b/src/common/memusage.c
@@ -137,8 +137,6 @@ static int read_status(const char *source, void *base, struct stat_parser *spt,
sp = oscap_bfind(spt, spt_size, sizeof(struct stat_parser),
linebuf, (int(*)(void *, void *))&cmpkey);
- dD("spt: %s", linebuf);
-
if (sp == NULL) {
/* drop end of unread line */
while (strchr(strval, '\n') == NULL) {
From ded3d58cd62259b217a9ab35030827ac3cb8dd45 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 7 Sep 2021 13:52:50 +0200
Subject: [PATCH 2/3] Allow to set memory ratio by environment variable
If the probe memory usage ratio limit will be too small or too big
in some situation, the user will be able to modify the limit easily
by setting the environment variable OSCAP_PROBE_MEMORY_USAGE_RATIO
to a different value. This can also help users when debugging memory
problems.
---
docs/manual/manual.adoc | 1 +
src/OVAL/probes/probe/icache.c | 9 ++++-----
src/OVAL/probes/probe/probe.h | 1 +
src/OVAL/probes/probe/worker.c | 12 ++++++++++++
4 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/docs/manual/manual.adoc b/docs/manual/manual.adoc
index 90e2cc2c63..825844bc71 100644
--- a/docs/manual/manual.adoc
+++ b/docs/manual/manual.adoc
@@ -1613,6 +1613,7 @@ not considered local by the scanner:
* `OSCAP_PROBE_ROOT` - Path to a directory which contains mounted filesystem to be evaluated. Used for offline scanning.
* `SEXP_VALIDATE_DISABLE` - If set, `oscap` will not validate SEXP expressions during its execution.
* `SOURCE_DATE_EPOCH` - Timestamp in seconds since epoch. This timestamp will be used instead of the current time to populate `timestamp` attributes in SCAP source data streams created by `oscap ds sds-compose` sub-module. This is used for reproducible builds of data streams.
+* `OSCAP_PROBE_MEMORY_USAGE_RATIO` - maximum memory usage ratio (used/total) for OpenSCAP probes, default: 0.1
Also, OpenSCAP uses `libcurl` library which also can be configured using environment variables. See https://curl.se/libcurl/c/libcurl-env.html[the list of libcurl environment variables].
diff --git a/src/OVAL/probes/probe/icache.c b/src/OVAL/probes/probe/icache.c
index af7b528372..a397d35ec2 100644
--- a/src/OVAL/probes/probe/icache.c
+++ b/src/OVAL/probes/probe/icache.c
@@ -488,13 +488,12 @@ int probe_icache_nop(probe_icache_t *cache)
}
#define PROBE_RESULT_MEMCHECK_CTRESHOLD 1000 /* item count */
-#define PROBE_RESULT_MEMCHECK_MAXRATIO 0.1 /* max. memory usage ratio - used/total */
/**
* Returns 0 if the memory constraints are not reached. Otherwise, 1 is returned.
* In case of an error, -1 is returned.
*/
-static int probe_cobj_memcheck(size_t item_cnt)
+static int probe_cobj_memcheck(size_t item_cnt, double max_ratio)
{
if (item_cnt > PROBE_RESULT_MEMCHECK_CTRESHOLD) {
struct proc_memusage mu_proc;
@@ -509,9 +508,9 @@ static int probe_cobj_memcheck(size_t item_cnt)
c_ratio = (double)mu_proc.mu_rss/(double)(mu_sys.mu_total);
- if (c_ratio > PROBE_RESULT_MEMCHECK_MAXRATIO) {
+ if (c_ratio > max_ratio) {
dW("Memory usage ratio limit reached! limit=%f, current=%f, used=%ld MB, free=%ld MB, total=%ld MB, count of items=%ld",
- PROBE_RESULT_MEMCHECK_MAXRATIO, c_ratio, mu_proc.mu_rss / 1024, mu_sys.mu_realfree / 1024, mu_sys.mu_total / 1024, item_cnt);
+ max_ratio, c_ratio, mu_proc.mu_rss / 1024, mu_sys.mu_realfree / 1024, mu_sys.mu_total / 1024, item_cnt);
errno = ENOMEM;
return (1);
}
@@ -550,7 +549,7 @@ int probe_item_collect(struct probe_ctx *ctx, SEXP_t *item)
cobj_itemcnt = SEXP_list_length(cobj_content);
SEXP_free(cobj_content);
- memcheck_ret = probe_cobj_memcheck(cobj_itemcnt);
+ memcheck_ret = probe_cobj_memcheck(cobj_itemcnt, ctx->max_mem_ratio);
if (memcheck_ret == -1) {
dE("Failed to check available memory");
return -1;
diff --git a/src/OVAL/probes/probe/probe.h b/src/OVAL/probes/probe/probe.h
index 1c7a3b1b00..d3a488c4d5 100644
--- a/src/OVAL/probes/probe/probe.h
+++ b/src/OVAL/probes/probe/probe.h
@@ -83,6 +83,7 @@ struct probe_ctx {
SEXP_t *filters; /**< object filters (OVAL 5.8 and higher) */
probe_icache_t *icache; /**< item cache */
int offline_mode;
+ double max_mem_ratio;
};
typedef enum {
diff --git a/src/OVAL/probes/probe/worker.c b/src/OVAL/probes/probe/worker.c
index 94fe5c2037..3ef489b40d 100644
--- a/src/OVAL/probes/probe/worker.c
+++ b/src/OVAL/probes/probe/worker.c
@@ -52,6 +52,10 @@ extern int chroot(const char *);
#include "probe-table.h"
#include "probe.h"
+/* default max. memory usage ratio - used/total */
+/* can be overridden by environment variable OSCAP_PROBE_MEMORY_USAGE_RATIO */
+#define OSCAP_PROBE_MEMORY_USAGE_RATIO_DEFAULT 0.1
+
extern bool OSCAP_GSYM(varref_handling);
extern void *OSCAP_GSYM(probe_arg);
@@ -1064,6 +1068,14 @@ SEXP_t *probe_worker(probe_t *probe, SEAP_msg_t *msg_in, int *ret)
pctx.offline_mode = probe->selected_offline_mode;
+ pctx.max_mem_ratio = OSCAP_PROBE_MEMORY_USAGE_RATIO_DEFAULT;
+ char *max_ratio_str = getenv("OSCAP_PROBE_MEMORY_USAGE_RATIO");
+ if (max_ratio_str != NULL) {
+ double max_ratio = strtod(max_ratio_str, NULL);
+ if (max_ratio != 0)
+ pctx.max_mem_ratio = max_ratio;
+ }
+
/* simple object */
pctx.icache = probe->icache;
pctx.filters = probe_prepare_filters(probe, probe_in);
From 0f5cf5b09f469920616a2037d0f9c81cf0868a58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 15 Sep 2021 14:41:30 +0200
Subject: [PATCH 3/3] Update src/OVAL/probes/probe/worker.c
Co-authored-by: Evgeny Kolesnikov <evgenyz@gmail.com>
---
src/OVAL/probes/probe/worker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/OVAL/probes/probe/worker.c b/src/OVAL/probes/probe/worker.c
index 3ef489b40d..1183ed06bf 100644
--- a/src/OVAL/probes/probe/worker.c
+++ b/src/OVAL/probes/probe/worker.c
@@ -1072,7 +1072,7 @@ SEXP_t *probe_worker(probe_t *probe, SEAP_msg_t *msg_in, int *ret)
char *max_ratio_str = getenv("OSCAP_PROBE_MEMORY_USAGE_RATIO");
if (max_ratio_str != NULL) {
double max_ratio = strtod(max_ratio_str, NULL);
- if (max_ratio != 0)
+ if (max_ratio > 0)
pctx.max_mem_ratio = max_ratio;
}

25
SOURCES/openscap-1.3.6-oscap-ssh-local-files-pr-1786.patch Normal file
View File

@ -0,0 +1,25 @@
From 9f9a322b73e71bb4945a736605eb0515acf9a207 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 28 Jul 2021 08:36:50 +0200
Subject: [PATCH] Document problems with --local-files in oscap-ssh
Related to: https://github.com/OpenSCAP/openscap/pull/1769
Thanks @ggbecker for pointing this out.
---
utils/oscap-ssh.8 | 3 +++
1 file changed, 3 insertions(+)
diff --git a/utils/oscap-ssh.8 b/utils/oscap-ssh.8
index 416b1f3e5..05c80cd3c 100644
--- a/utils/oscap-ssh.8
+++ b/utils/oscap-ssh.8
@@ -67,6 +67,9 @@ Specific option for oscap-ssh (must be first argument):
oscap-ssh checks out the SSH_ADDITIONAL_OPTIONS environment variable, and pastes its contents into the command-line of ssh to the location where options are expected.
Supply the variable in form of a string that corresponds to a section of the ssh command-line and that consists of options you want to pass.
+.SS Using --local-files option
+The oscap-ssh command supports the --local-files option, but it isn't possible to pass './' and '../' as an argument. Use a full directory path instead.
+
.SH EXAMPLE USAGE
.SS Simple XCCDF evaluation
The following command evaluates a remote Fedora machine as root. HTML report is written out as report.html on the local machine. Can be executed from any machine that has ssh, scp and bash. The local machine does not need to have openscap installed.

97
SOURCES/openscap-1.3.6-test-rhbz1959570-pr-1788.patch Normal file
View File

@ -0,0 +1,97 @@
From 05faede8f6602b7b71d71fd965276225a986fb1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 28 Jul 2021 13:06:25 +0200
Subject: [PATCH] Add a regression test for rhbz#1959570
The bug was a segmentation fault in filehash58 probe which happened
in openscap-1.3.3-6.el8_3.
The bug was fixed by https://github.com/OpenSCAP/openscap/pull/1779
and this patch adds a very small test.
---
tests/probes/filehash58/CMakeLists.txt | 1 +
.../probes/filehash58/rhbz1959570_segfault.sh | 19 +++++++++
.../rhbz1959570_segfault_reproducer.xml | 39 +++++++++++++++++++
3 files changed, 59 insertions(+)
create mode 100755 tests/probes/filehash58/rhbz1959570_segfault.sh
create mode 100644 tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
diff --git a/tests/probes/filehash58/CMakeLists.txt b/tests/probes/filehash58/CMakeLists.txt
index b26d8171fb..cdec0792eb 100644
--- a/tests/probes/filehash58/CMakeLists.txt
+++ b/tests/probes/filehash58/CMakeLists.txt
@@ -1,3 +1,4 @@
if(ENABLE_PROBES_INDEPENDENT)
add_oscap_test("test_probes_filehash58.sh")
+ add_oscap_test("rhbz1959570_segfault.sh")
endif()
diff --git a/tests/probes/filehash58/rhbz1959570_segfault.sh b/tests/probes/filehash58/rhbz1959570_segfault.sh
new file mode 100755
index 0000000000..0c32cc79f1
--- /dev/null
+++ b/tests/probes/filehash58/rhbz1959570_segfault.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 Red Hat Inc., Durham, North Carolina.
+# All Rights Reserved.
+#
+# OpenSCAP Probes Test Suite.
+#
+# Authors:
+# Jan Černý, <jcerny@redhat.com>
+
+set -e -o pipefail
+. $builddir/tests/test_common.sh
+
+# Test Cases
+
+stderr="$(mktemp)"
+$OSCAP oval eval --id oval:x:def:1 "$srcdir/rhbz1959570_segfault_reproducer.xml" 2> "$stderr"
+[ ! -s "$stderr" ]
+rm "$stderr"
diff --git a/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
new file mode 100644
index 0000000000..4b3fc4863a
--- /dev/null
+++ b/tests/probes/filehash58/rhbz1959570_segfault_reproducer.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0"?>
+<oval-def:oval_definitions xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
+ <oval-def:generator>
+ <oval:product_name>jcerny</oval:product_name>
+ <oval:product_version>1</oval:product_version>
+ <oval:schema_version>5.11</oval:schema_version>
+ <oval:timestamp>2021-07-28T07:40:55</oval:timestamp>
+ </oval-def:generator>
+ <oval-def:definitions>
+ <oval-def:definition class="compliance" id="oval:x:def:1" version="1">
+ <oval-def:metadata>
+ <oval-def:title>title</oval-def:title>
+ <oval-def:description>description</oval-def:description>
+ </oval-def:metadata>
+ <oval-def:criteria>
+ <oval-def:criterion comment="comment" test_ref="oval:x:tst:1"/>
+ </oval-def:criteria>
+ </oval-def:definition>
+ </oval-def:definitions>
+ <oval-def:tests>
+ <ind:filehash58_test check="all" check_existence="all_exist" comment="comment" id="oval:x:tst:1" version="1">
+ <ind:object object_ref="oval:x:obj:1"/>
+ <ind:state state_ref="oval:x:ste:1"/>
+ </ind:filehash58_test>
+ </oval-def:tests>
+ <oval-def:objects>
+ <ind:filehash58_object id="oval:x:obj:1" version="1">
+ <ind:filepath>/etc/os-release</ind:filepath>
+ <ind:hash_type>SHA-256</ind:hash_type>
+ </ind:filehash58_object>
+ </oval-def:objects>
+ <oval-def:states>
+ <ind:filehash58_state id="oval:x:ste:1" version="1">
+ <ind:filepath>/etc/os-release</ind:filepath>
+ <ind:hash_type>SHA-256</ind:hash_type>
+ <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
+ </ind:filehash58_state>
+ </oval-def:states>
+</oval-def:oval_definitions>

41
SOURCES/openscap-1.3.6-warning-local-files-pr-1826.patch Normal file
View File

@ -0,0 +1,41 @@
From ce74fde37771fa2cf6d947e5aaeebd9a197db50b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 9 Nov 2021 09:15:20 +0100
Subject: [PATCH] Print warning for local files
This will explicitely display users that they're using local
files instead of the remote resource.
See https://bugzilla.redhat.com/show_bug.cgi?id=1970529#c6
---
src/DS/sds.c | 4 +++-
tests/DS/test_ds_use_local_remote_resources.sh | 1 +
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/DS/sds.c b/src/DS/sds.c
index a26fdbb09..243b62968 100644
--- a/src/DS/sds.c
+++ b/src/DS/sds.c
@@ -407,7 +407,9 @@ static int _handle_disabled_downloads(struct ds_sds_session *session, const char
char *local_filepath = oscap_path_join(local_files, relative_filepath);
struct stat sb;
if (stat(local_filepath, &sb) == 0) {
- dI("Using local file '%s' instead of '%s'", local_filepath, xlink_href);
+ ds_sds_session_remote_resources_progress(session)(true,
+ "WARNING: Using local file '%s' instead of '%s'",
+ local_filepath, xlink_href);
struct oscap_source *source_file = oscap_source_new_from_file(local_filepath);
xmlDoc *doc = oscap_source_get_xmlDoc(source_file);
if (doc == NULL) {
diff --git a/tests/DS/test_ds_use_local_remote_resources.sh b/tests/DS/test_ds_use_local_remote_resources.sh
index 789dc8326..2feb47da1 100755
--- a/tests/DS/test_ds_use_local_remote_resources.sh
+++ b/tests/DS/test_ds_use_local_remote_resources.sh
@@ -24,6 +24,7 @@ $OSCAP xccdf eval --local-files "$tmpdir3" --profile "$PROFILE" --results "$resu
grep -q "WARNING: Datastream component 'scap_org.open-scap_cref_remote.oval.xml' points out to the remote 'https://www.example.com/security/data/oval/remote.oval.xml'. Use '--fetch-remote-resources' option to download it." "$stderr" && false
grep -q "WARNING: Skipping 'https://www.example.com/security/data/oval/remote.oval.xml' file which is referenced from datastream" "$stderr" && false
+grep -q "WARNING: Using local file '$tmpdir3/remote.oval.xml' instead of 'https://www.example.com/security/data/oval/remote.oval.xml'" "$stderr"
assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass"]/result[text()="pass"]'
# the remote_res rule is a multicheck with 2 oval definitions so it's twice here

31
SPECS/openscap.spec
View File

@ -1,6 +1,6 @@
Name: openscap Name: openscap
Version: 1.3.5 Version: 1.3.5
Release: 8%{?dist} Release: 13%{?dist}
Epoch: 1 Epoch: 1
Summary: Set of open source libraries enabling integration of the SCAP line of standards Summary: Set of open source libraries enabling integration of the SCAP line of standards
License: LGPLv2+ License: LGPLv2+
@ -16,6 +16,17 @@ Patch7: openscap-1.3.6-yamlfile-null-pr-1756.patch
Patch8: openscap-1.3.6-coverity-issues-pr-1748.patch Patch8: openscap-1.3.6-coverity-issues-pr-1748.patch
Patch9: openscap-1.3.6-coverity-issues-pr-1778.patch Patch9: openscap-1.3.6-coverity-issues-pr-1778.patch
Patch10: openscap-1.3.6-disable-sha1-md5-pr-1781.patch Patch10: openscap-1.3.6-disable-sha1-md5-pr-1781.patch
Patch11: openscap-1.3.6-http_error_fix-PR_1805.patch
Patch12: openscap-1.3.6-empty-proc-in-offline-pr-1812.patch
Patch13: openscap-1.3.6-initialize-crapi-once-pr-1779.patch
Patch14: openscap-1.3.6-test-rhbz1959570-pr-1788.patch
Patch15: openscap-1.3.6-blueprint-fix-pr-1749.patch
Patch16: openscap-1.3.6-blueprint-toml-pr-1810.patch
Patch17: openscap-1.3.6-local-files-pr-1769.patch
Patch18: openscap-1.3.6-oscap-ssh-local-files-pr-1786.patch
Patch19: openscap-1.3.6-alternative-hostname-pr-1806.patch
Patch20: openscap-1.3.6-memory-limit-pr-1827.patch
Patch21: openscap-1.3.6-warning-local-files-pr-1826.patch
BuildRequires: make BuildRequires: make
BuildRequires: cmake >= 2.6 BuildRequires: cmake >= 2.6
BuildRequires: gcc BuildRequires: gcc
@ -206,6 +217,24 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
%{_bindir}/oscap-run-sce-script %{_bindir}/oscap-run-sce-script
%changelog %changelog
* Fri Nov 19 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-13
- Print warning for local files
* Tue Nov 09 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-12
- Allow using local files instead of remote resources (rhbz#2015518)
- Add an alternative source of hostname (rhbz#2021509)
- Lower memory limits and improve their checking (rhbz#2022362)
* Thu Nov 04 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-11
- Initialize crypto API only once (rhbz#2020044)
- Add support for Blueprint remediations (rhbz#2020052)
* Mon Nov 01 2021 Evgenii Kolesnikov <ekolesni@redhat.com> - 1:1.3.5-10
- Fix process58 probe errors when scanning minimalist filesystem in offline mode (rhbz#2019054)
* Mon Nov 01 2021 Matej Tyc <matyc@redhat.com> - 1:1.3.5-9
- Fix bad handling of HTTP error code (rhbz#2002733)
* Fri Aug 27 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-8 * Fri Aug 27 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-8
- Revert Epoch removal - Revert Epoch removal