import openscap-1.3.2-6.el8
parent
10ef5bd5af
commit
f4c4039c0e
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/openscap-1.3.1.tar.gz
|
SOURCES/openscap-1.3.2.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
4783aa3943d3ea99719bda0e6cbfbc96f5841a6f SOURCES/openscap-1.3.1.tar.gz
|
5fe71454faff8cdcbd0e13e7c7343daf04069ca9 SOURCES/openscap-1.3.2.tar.gz
|
||||||
|
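--- /dev/null
+++ b/SOURCES/01-add-test-fix-type-anaconda.patch
@@ -0,0 +1,36 @@
+From 712000a675103393045fde191856ce1dd306f1ca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Mon, 13 Jan 2020 17:28:09 +0100
+Subject: [PATCH] Add a test to check --fix-type Anaconda
+
+There should be 2 equal ways of generating Anaconda remediations:
+"oscap xccdf generate fix --fix-type anaconda" and
+"oscap xccdf generate fix --template urn:redhat:anaconda:pre"
+Both commands should give the same output.
+This tests a fix for https://bugzilla.redhat.com/show_bug.cgi?id=1736850
+introduced by b1448ec95a957a76eb8be6d439531c532d97ff3c
+---
+.../API/XCCDF/unittests/test_report_anaconda_fixes.sh | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+diff --git a/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh b/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh
+index d4e86e657..650f3d75b 100755
+--- a/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh
++++ b/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh
+@@ -23,6 +23,16 @@ grep -v "$line1" $result | grep -v "$line2" | grep -v "$line3"
+[ "`grep -v "$line1" $result | grep -v "$line2" | sed 's/\W//g'`"x == x ]
+:> $result
+
++# use --fix-type instead of URN template to generate the same fix
++$OSCAP xccdf generate fix --fix-type anaconda \
++ --output $result $srcdir/${name}.xccdf.xml 2>&1 > $stderr
++[ -f $stderr ]; [ ! -s $stderr ]; :> $stderr
++grep "$line1" $result
++grep "$line2" $result
++grep -v "$line1" $result | grep -v "$line2" | grep -v "$line3"
++[ "`grep -v "$line1" $result | grep -v "$line2" | sed 's/\W//g'`"x == x ]
++:> $result
++
+$OSCAP xccdf generate fix --template urn:redhat:anaconda:pre \
+--profile xccdf_moc.elpmaxe.www_profile_1 \
+--output $result $srcdir/${name}.xccdf.xml 2>&1 > $stderr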
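Review bot: The added `--fix-type anaconda` call ends in `2>&1 > $stderr`, which points stderr at the original stdout before stdout is sent to the file, so `$stderr` only ever receives stdout and the following `[ ! -s $stderr ]` does not prove that the tool printed no diagnostics. The existing `--template` call in the context lines has the same form. If the test is meant to fail on any warning, the redirect should be `2> $stderr` (or `> $stderr 2>&1`). The `$result`, `$srcdir` and `$stderr` expansions are also unquoted, so the test breaks when the build directory contains spaces; `--output "$result" "$srcdir/${name}.xccdf.xml"` avoids that.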
@ -0,0 +1,38 @@
|
|||||||
|
From 0ba7c9423f64a88ceef50318f1a382059484f737 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||||
|
Date: Wed, 15 Jan 2020 13:54:45 +0100
|
||||||
|
Subject: [PATCH] Do not use C++ keyword operator as a function parameter name
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
This fixes SCAP Workbench build.
|
||||||
|
|
||||||
|
Addressing:
|
||||||
|
[ 37%] Building CXX object CMakeFiles/scap-workbench.dir/scap-workbench_autogen/mocs_compilation.cpp.o
|
||||||
|
In file included from /usr/local/include/openscap/xccdf_policy.h:39,
|
||||||
|
from /home/jcerny/work/git/scap-workbench/include/TailoringDockWidgets.h:31,
|
||||||
|
from /home/jcerny/work/git/scap-workbench/build/scap-workbench_autogen/6YEA5652QU/moc_TailoringDockWidgets.cpp:10,
|
||||||
|
from /home/jcerny/work/git/scap-workbench/build/scap-workbench_autogen/mocs_compilation.cpp:18:
|
||||||
|
/usr/local/include/openscap/oval_definitions.h:1676:117: error: declaration of ‘operator,’ as parameter
|
||||||
|
1676 | restriction *oval_variable_possible_restriction_new(oval_operator_t operator, const char *hint);
|
||||||
|
| ^
|
||||||
|
|
||||||
|
Fixes: #1462
|
||||||
|
---
|
||||||
|
src/OVAL/public/oval_definitions.h | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/OVAL/public/oval_definitions.h b/src/OVAL/public/oval_definitions.h
|
||||||
|
index ea9d3aaf8..b5fe77154 100644
|
||||||
|
--- a/src/OVAL/public/oval_definitions.h
|
||||||
|
+++ b/src/OVAL/public/oval_definitions.h
|
||||||
|
@@ -1669,7 +1669,7 @@ OSCAP_API void oval_variable_possible_value_iterator_free(struct oval_variable_p
|
||||||
|
* @param hint A short description of what the value means or represents.
|
||||||
|
* @memberof oval_variable_possible_restriction
|
||||||
|
*/
|
||||||
|
-OSCAP_API struct oval_variable_possible_restriction *oval_variable_possible_restriction_new(oval_operator_t operator, const char *hint);
|
||||||
|
+OSCAP_API struct oval_variable_possible_restriction *oval_variable_possible_restriction_new(oval_operator_t, const char *);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
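Review bot: Dropping both parameter names from the `oval_variable_possible_restriction_new` prototype leaves the Doxygen block above it (its `@param hint` line is visible in the context) describing parameters that the declaration no longer names, and the public header stops telling callers which argument is which. Renaming only the offending parameter fixes the C++ build and keeps the header self-documenting: `OSCAP_API struct oval_variable_possible_restriction *oval_variable_possible_restriction_new(oval_operator_t op, const char *hint);`. The doc comment starts above the hunk, so if it carries an `@param operator` entry that line needs the same rename.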
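--- /dev/null
+++ b/SOURCES/03-fix-cmake-test-for-libcap-xattr-h.patch
@@ -0,0 +1,48 @@
+From 3fbf36004eec55b9a88916559029332d7f356bae Mon Sep 17 00:00:00 2001
+From: Gabe <redhatrises@gmail.com>
+Date: Wed, 15 Jan 2020 15:02:32 -0700
+Subject: [PATCH] Fix case where CMake couldn't find libacl or xattr.h
+
+---
+CMakeLists.txt | 2 +-
+cmake/FindACL.cmake | 6 +++---
+2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 720d8d8eb..fe20992a5 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -238,7 +238,7 @@ cmake_dependent_option(OPENSCAP_PROBE_INDEPENDENT_XMLFILECONTENT "Independent xm
+# UNIX PROBES
+cmake_dependent_option(OPENSCAP_PROBE_UNIX_DNSCACHE "Unix dnscache probe" ON "ENABLE_PROBES_UNIX" OFF)
+cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILE "Unix file probe" ON "ENABLE_PROBES_UNIX" OFF)
+-cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILEEXTENDEDATTRIBUTE "Unix fileextendedattribute probe" ON "ENABLE_PROBES_UNIX; (HAVE_SYS_XATTR_H OR HAVE_ATTR_XATTR_H)" OFF)
++cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILEEXTENDEDATTRIBUTE "Unix fileextendedattribute probe" ON "ENABLE_PROBES_UNIX; HAVE_SYS_XATTR_H OR HAVE_ATTR_XATTR_H" OFF)
+cmake_dependent_option(OPENSCAP_PROBE_UNIX_GCONF "Unix gconf probe" ON "ENABLE_PROBES_UNIX; GCONF_FOUND" OFF)
+cmake_dependent_option(OPENSCAP_PROBE_UNIX_INTERFACE "Unix interface probe" ON "ENABLE_PROBES_UNIX" OFF)
+cmake_dependent_option(OPENSCAP_PROBE_UNIX_PASSWORD "Unix password probe" ON "ENABLE_PROBES_UNIX" OFF)
+diff --git a/cmake/FindACL.cmake b/cmake/FindACL.cmake
+index 1753b0dd3..2d4a3027c 100644
+--- a/cmake/FindACL.cmake
++++ b/cmake/FindACL.cmake
+@@ -8,17 +8,17 @@
+include(LibFindMacros)
+
+# Use pkg-config to get hints about paths
+-libfind_pkg_check_modules(ACL_PKGCONF acl)
++libfind_pkg_check_modules(ACL_PKGCONF libacl)
+
+# Include dir
+find_path(ACL_INCLUDE_DIR
+- NAMES acl/libacl.h
++ NAMES "acl/libacl.h sys/libacl.h"
+PATHS ${ACL_PKGCONF_INCLUDE_DIRS}
+)
+
+# Finally the library itself
+find_library(ACL_LIBRARY
+- NAMES acl
++ NAMES libacl
+PATHS ${ACL_PKGCONF_LIBRARY_DIRS}
+)
+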
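--- /dev/null
+++ b/SOURCES/04-oscap-podman-detect-ambiguous-targets.patch
@@ -0,0 +1,56 @@
+From 532a6c77f388d2e06ec12338df9ea97d955f5edc Mon Sep 17 00:00:00 2001
+From: Matus Marhefka <mmarhefk@redhat.com>
+Date: Thu, 16 Jan 2020 15:39:37 +0100
+Subject: [PATCH] utils/oscap-podman: Detect ambiguous scan target
+
+In case that a container image and a running container have the same
+name, `oscap-podman` scans container image and a running container is
+skipped. This might be unexpected and might cause a confusion for user.
+Therefore, this commit adds a code which detects such situation and
+rather informs user about ambiguous scan target and terminates.
+In such cases the unique container image/container ID should be used
+for specifying the target of the scan.
+---
+utils/oscap-podman | 23 ++++++++++++++++++-----
+1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/utils/oscap-podman b/utils/oscap-podman
+index 272afd988..32ec0cfcb 100755
+--- a/utils/oscap-podman
++++ b/utils/oscap-podman
+@@ -65,17 +65,30 @@ if grep -q "\-\-remediate" <<< "$@"; then
+die
+fi
+
++IMAGE_NAME=$(podman image exists "$1" \
++ && podman image inspect --format "{{.Id}} {{.RepoTags}}" "$1")
++CONTAINER_NAME=$(podman container exists "$1" \
++ && podman container inspect --format "{{.Id}} {{.Name}}" "$1")
++
++if [ -n "$IMAGE_NAME" ] && [ -n "$CONTAINER_NAME" ]; then
++ echo "Ambiguous target, container image and container with the same name detected: '$1'." >&2
++ echo "Please rather use an unique ID to specify the target of the scan." >&2
++ die
++fi
++
+# Check if the target of scan is image or container.
+CLEANUP=0
+-if podman images | grep -q $1; then
++if [ -n "$IMAGE_NAME" ]; then
+ID=$(podman create $1) || die
+- IMG_NAME=$(podman images --format "{{.ID}} ({{.Repository}}:{{.Tag}})" | grep -m1 $1)
+- TARGET="podman-image://$IMG_NAME"
++ TARGET="podman-image://$IMAGE_NAME"
+CLEANUP=1
+-else
++elif [ -n "$CONTAINER_NAME" ]; then
+# If the target was not found in images we suppose it is a container.
+ID=$1
+- TARGET="podman-container://$1"
++ TARGET="podman-container://$CONTAINER_NAME"
++else
++ echo "Target of the scan not found: '$1'." >&2
++ die
+fi
+
+# podman init creates required files such as: /run/.containerenv - we don't care about output and exit code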
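Review bot: The new existence checks quote the target (`podman image exists "$1"`), but the image branch still runs `ID=$(podman create $1) || die` with `$1` unquoted, so a target containing whitespace or glob characters is validated as one string and then word-split into different arguments when the container is created. The script only runs as root (the rootless check is visible in the later covscan patch), so the value that was checked and the value that is acted on should be identical: `ID=$(podman create "$1") || die`. The covscan patch in this commit touches the same line and keeps it unquoted. The context comment `# If the target was not found in images we suppose it is a container.` is also stale now that the branch is an explicit `elif [ -n "$CONTAINER_NAME" ]`; something like `# Target resolved to an existing container.` matches the new logic.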
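--- /dev/null
+++ b/SOURCES/openscap-1.3.2-covscan_ux_fix.patch
@@ -0,0 +1,389 @@
+From 47a2662bccb8e6f2f192acf46c26d862fe3bbcfb Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov <ekolesni@redhat.com>
+Date: Fri, 17 Jan 2020 10:24:07 +0100
+Subject: [PATCH 1/2] Covscan fixes
+
+Error: FORWARD_NULL (CWE-476): [#def17]
+xccdf_policy_remediate.c:383: var_compare_op: Comparing "rr" to null implies that "rr" might be null.
+xccdf_policy_remediate.c:384: var_deref_model: Passing null pointer "rr" to "_rule_add_info_message", which dereferences it.
+
+Error: FORWARD_NULL (CWE-476): [#def18]
+test_fsdev_is_local_fs.c:35: assign_zero: Assigning: "ment.mnt_fsname" = "NULL".
+test_fsdev_is_local_fs.c:37: var_deref_model: Passing "&ment" to "is_local_fs", which dereferences null "ment.mnt_fsname".
+---
+src/OVAL/probes/fsdev.c | 4 ++++
+src/XCCDF_POLICY/xccdf_policy_remediate.c | 12 ++++++++++--
+2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c
+index bd8e52fbf..a6b36f5e0 100644
+--- a/src/OVAL/probes/fsdev.c
++++ b/src/OVAL/probes/fsdev.c
+@@ -97,6 +97,10 @@ static int is_local_fs(struct mntent *ment)
+return 0;
+}
+
++ if (ment->mnt_fsname == NULL) {
++ return 0;
++ }
++
+s = ment->mnt_fsname;
+/* If the fsname begins with "//", it is probably CIFS. */
+if (s[0] == '/' && s[1] == '/')
+diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
+index 389a7d1bd..f59737727 100644
+--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
++++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
+@@ -380,7 +380,11 @@ static inline int _xccdf_fix_decode_xml(struct xccdf_fix *fix, char **result)
+#if defined(unix) || defined(__unix__) || defined(__unix)
+static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_fix *fix)
+{
+- if (fix == NULL || rr == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) {
++ if (rr == NULL) {
++ return 1;
++ }
++
++ if (fix == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) {
+_rule_add_info_message(rr, "No fix available.");
+return 1;
+}
+@@ -481,7 +485,11 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_
+#else
+static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_fix *fix)
+{
+- if (fix == NULL || rr == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) {
++ if (rr == NULL) {
++ return 1;
++ }
++
++ if (fix == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) {
+_rule_add_info_message(rr, "No fix available.");
+return 1;
+} else {
+
+From 7bccc09eabd30e0581cf0fdf4f20fa481db12e91 Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov <ekolesni@redhat.com>
+Date: Fri, 17 Jan 2020 11:04:13 +0100
+Subject: [PATCH 2/2] Covscan fixes (SHELLCHECK), small refactoring in Shell
+wrappers
+
+Error: SHELLCHECK_WARNING:
+warning: die references arguments, but none are ever passed. [SC2120]
+
+Error: SHELLCHECK_WARNING:
+warning: Use 'cd ... || exit' or 'cd ... || return' in case cd fails. [SC2164]
+
+Error: SHELLCHECK_WARNING:
+warning: Declare and assign separately to avoid masking return values. [SC2155]
+---
+utils/oscap-chroot | 20 ++++++++++++--------
+utils/oscap-podman | 42 +++++++++++++++++++++---------------------
+utils/oscap-ssh | 39 ++++++++++++++++++++++-----------------
+utils/oscap-vm | 19 +++++++++++--------
+4 files changed, 66 insertions(+), 54 deletions(-)
+
+diff --git a/utils/oscap-chroot b/utils/oscap-chroot
+index 6518d7a2c..318f55a91 100755
+--- a/utils/oscap-chroot
++++ b/utils/oscap-chroot
+@@ -25,6 +25,13 @@ function die()
+exit 1
+}
+
++function invalid()
++{
++ echo -e "$*\n" >&2
++ usage
++ exit 1
++}
++
+function usage()
+{
+echo "oscap-chroot -- Tool for offline SCAP evaluation of filesystems mounted in arbitrary paths."
+@@ -74,26 +81,23 @@ function usage()
+}
+
+if [ $# -lt 1 ]; then
+- echo "No arguments provided."
+- usage
+- die
++ invalid "No arguments provided."
+elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
+usage
+- die
++ exit 0
+elif [ "$#" -gt 1 ]; then
+true
+else
+- echo "Invalid arguments provided."
+- usage
+- die
++ invalid "Invalid arguments provided."
+fi
+
+# Learn more at https://www.redhat.com/archives/open-scap-list/2013-July/msg00000.html
+export OSCAP_PROBE_ROOT
+-OSCAP_PROBE_ROOT="$(cd "$1"; pwd)"
++OSCAP_PROBE_ROOT="$(cd "$1" && pwd)" || die "Invalid CHROOT_PATH argument."
+export OSCAP_EVALUATION_TARGET="chroot://$OSCAP_PROBE_ROOT"
+shift 1
+
+oscap "$@"
+EXIT_CODE=$?
++
+exit $EXIT_CODE
+diff --git a/utils/oscap-podman b/utils/oscap-podman
+index 32ec0cfcb..6b9f4a3de 100755
+--- a/utils/oscap-podman
++++ b/utils/oscap-podman
+@@ -16,13 +16,19 @@
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+-
+function die()
+{
+echo "$*" >&2
+exit 1
+}
+
++function invalid()
++{
++ echo -e "$*\n" >&2
++ usage
++ exit 1
++}
++
+function usage()
+{
+echo "oscap-podman -- Tool for SCAP evaluation of Podman images and containers."
+@@ -39,30 +45,24 @@ function usage()
+OSCAP_BINARY=oscap
+
+if [ $# -lt 1 ]; then
+- echo "No arguments provided."
+- usage
+- die
++ invalid "No arguments provided."
+elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
+usage
+- die
++ exit 0
+elif [[ "$1" == --oscap=* ]] && [ $# -gt 2 ]; then
+OSCAP_BINARY=${1#"--oscap="}
+shift
+elif [ "$#" -gt 1 ]; then
+true
+else
+- echo "Invalid arguments provided."
+- usage
+- die
++ invalid "Invalid arguments provided."
+fi
+
+if [ $(id -u) -ne 0 ]; then
+- echo "This script cannot run in rootless mode." >&2
+- die
++ die "This script cannot run in rootless mode."
+fi
+if grep -q "\-\-remediate" <<< "$@"; then
+- echo "This script does not support '--remediate' option." >&2
+- die
++ die "This script does not support '--remediate' option."
+fi
+
+IMAGE_NAME=$(podman image exists "$1" \
+@@ -72,14 +72,13 @@ CONTAINER_NAME=$(podman container exists "$1" \
+
+if [ -n "$IMAGE_NAME" ] && [ -n "$CONTAINER_NAME" ]; then
+echo "Ambiguous target, container image and container with the same name detected: '$1'." >&2
+- echo "Please rather use an unique ID to specify the target of the scan." >&2
+- die
++ die "Please rather use an unique ID to specify the target of the scan."
+fi
+
+# Check if the target of scan is image or container.
+CLEANUP=0
+if [ -n "$IMAGE_NAME" ]; then
+- ID=$(podman create $1) || die
++ ID=$(podman create $1) || die "Unable to create a container."
+TARGET="podman-image://$IMAGE_NAME"
+CLEANUP=1
+elif [ -n "$CONTAINER_NAME" ]; then
+@@ -87,14 +86,13 @@ elif [ -n "$CONTAINER_NAME" ]; then
+ID=$1
+TARGET="podman-container://$CONTAINER_NAME"
+else
+- echo "Target of the scan not found: '$1'." >&2
+- die
++ die "Target of the scan not found: '$1'."
+fi
+
+# podman init creates required files such as: /run/.containerenv - we don't care about output and exit code
+podman init $ID &> /dev/null || true
+
+-DIR=$(podman mount $ID) || die
++DIR=$(podman mount $ID) || die "Failed to mount."
+
+if [ ! -f "$DIR/run/.containerenv" ]; then
+# ubi8-init image does not create .containerenv when running podman init, but we need to make sure that the file is there
+@@ -105,14 +103,16 @@ for VAR in `podman inspect $ID --format '{{join .Config.Env " "}}'`; do
+eval "export OSCAP_OFFLINE_$VAR"
+done
+
+-export OSCAP_PROBE_ROOT="$(cd "$DIR"; pwd)"
++export OSCAP_PROBE_ROOT
++OSCAP_PROBE_ROOT="$(cd "$DIR" && pwd)" || die "Unable to change current directory to OSCAP_PROBE_ROOT (DIR)."
+export OSCAP_EVALUATION_TARGET="$TARGET"
+shift 1
+
+$OSCAP_BINARY "$@"
+EXIT_CODE=$?
+-podman umount $ID > /dev/null || die
++
++podman umount $ID > /dev/null || die "Failed to unmount."
+if [ $CLEANUP -eq 1 ]; then
+- podman rm $ID > /dev/null || die
++ podman rm $ID > /dev/null || die "Failed to clean up."
+fi
+exit $EXIT_CODE
+diff --git a/utils/oscap-ssh b/utils/oscap-ssh
+index 08c8bcd2b..cd3600180 100755
+--- a/utils/oscap-ssh
++++ b/utils/oscap-ssh
+@@ -22,9 +22,12 @@ function die()
+exit 1
+}
+
+-hash ssh 2> /dev/null || die "Cannot find ssh, please install the OpenSSH client."
+-hash scp 2> /dev/null || die "Cannot find scp, please install the OpenSSH client."
+-hash mktemp 2> /dev/null || die "Cannot find mktemp, please install coreutils."
++function invalid()
++{
++ echo -e "$*\n" >&2
++ usage
++ exit 1
++}
+
+function usage()
+{
+@@ -87,10 +90,6 @@ function usage()
+echo "See \`man oscap\` to learn more about semantics of these options."
+}
+
+-OSCAP_SUDO=""
+-# SSH_ADDITIONAL_OPTIONS may be defined in the calling shell
+-SSH_TTY_ALLOCATION_OPTION=""
+-
+# $1, $2, ... SSH options (pass them as separate arguments)
+function ssh_execute_with_options {
+ssh -o ControlPath="$MASTER_SOCKET" $SSH_ADDITIONAL_OPTIONS "$@" -p "$SSH_PORT" "$SSH_HOST"
+@@ -118,22 +117,20 @@ function scp_retreive_from_temp_dir {
+# Returns: String, where individual command components are double-quoted, so they are not interpreted by the shell.
+# For example, an array ('-p' '(all)') will be transformed to "\"-p\" \"(all)\"", so after the shell expansion, it will end up as "-p" "(all)".
+function command_array_to_string {
+- eval "printf '\"%s\" ' \"\${$1[@]}\""
++ eval "printf '\"%s\" ' \"\${$1[@]}\""
+}
+
+function first_argument_is_sudo {
+- [ "$1" == "sudo" ] || [ "$1" == "--sudo" ]
+- return $?
++ [ "$1" == "sudo" ] || [ "$1" == "--sudo" ]
++ return $?
+}
+
+function sanity_check_arguments {
+if [ $# -lt 1 ]; then
+- echo "No arguments provided."
+- usage
+- die
++ invalid "No arguments provided."
+elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
+usage
+- die
++ exit 0
+elif first_argument_is_sudo "$@"; then
+OSCAP_SUDO="sudo"
+# force pseudo-tty allocation so that users can type their password if necessary
+@@ -141,9 +138,7 @@ function sanity_check_arguments {
+shift
+fi
+if [ $# -lt 2 ]; then
+- echo "Missing ssh host and ssh port."
+- usage
+- die
++ invalid "Missing ssh host and ssh port."
+fi
+}
+
+@@ -165,6 +160,16 @@ function check_oscap_arguments {
+fi
+}
+
++
++hash ssh 2> /dev/null || die "Cannot find ssh, please install the OpenSSH client."
++hash scp 2> /dev/null || die "Cannot find scp, please install the OpenSSH client."
++hash mktemp 2> /dev/null || die "Cannot find mktemp, please install coreutils."
++
++
++OSCAP_SUDO=""
++# SSH_ADDITIONAL_OPTIONS may be defined in the calling shell
++SSH_TTY_ALLOCATION_OPTION=""
++
+sanity_check_arguments "$@"
+first_argument_is_sudo "$@" && shift
+
+diff --git a/utils/oscap-vm b/utils/oscap-vm
+index 02f8c6396..6557eb3a7 100755
+--- a/utils/oscap-vm
++++ b/utils/oscap-vm
+@@ -22,6 +22,13 @@ function die()
+exit 1
+}
+
++function invalid()
++{
++ echo -e "$*\n" >&2
++ usage
++ exit 1
++}
++
+function usage()
+{
+echo "oscap-vm -- Tool for offline SCAP evaluation of virtual machines."
+@@ -76,12 +83,10 @@ function usage()
+OSCAP_BINARY=oscap
+
+if [ $# -lt 1 ]; then
+- echo "No arguments provided."
+- usage
+- die
++ invalid "No arguments provided."
+elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
+usage
+- die
++ exit 0
+elif [[ "$1" == --oscap=* ]] && [ $# -gt 3 ]; then
+OSCAP_BINARY=${1#"--oscap="}
+shift
+@@ -90,9 +95,7 @@ elif [ "$1" == "image" ] && [ $# -gt 2 ]; then
+elif [ "$1" == "domain" ] && [ $# -gt 2 ]; then
+true
+else
+- echo "Invalid arguments provided."
+- usage
+- die
++ invalid "Invalid arguments provided."
+fi
+
+hash guestmount 2> /dev/null || die "Cannot find guestmount, please install libguestfs utilities."
+@@ -128,7 +131,7 @@ fi
+
+# Learn more at https://www.redhat.com/archives/open-scap-list/2013-July/msg00000.html
+export OSCAP_PROBE_ROOT
+-OSCAP_PROBE_ROOT="$(cd "$MOUNTPOINT"; pwd)"
++OSCAP_PROBE_ROOT="$(cd "$MOUNTPOINT" && pwd)" || die "Unable to change current directory to OSCAP_PROBE_ROOT (MOUNTPOINT)."
+export OSCAP_EVALUATION_TARGET="oscap-vm $1 $2"
+shift 2
+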
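Review bot: The oscap-podman hunk at `@@ -105,14 +103,16 @@` leaves `eval "export OSCAP_OFFLINE_$VAR"` in place, and per the hunk header `$VAR` iterates over `podman inspect $ID --format '{{join .Config.Env " "}}'`, i.e. over environment entries recorded in the image or container being scanned. The same script refuses to run unless it is root, so strings supplied by a possibly untrusted scan target are evaluated as shell code with root privileges, and values containing spaces are word-split into separate entries as well. The eval is not needed for the export; `export "OSCAP_OFFLINE_$VAR"` sets the variable without interpreting its value. The loop header sits outside the hunk body, so the iteration would need a follow-up change (for example emitting one entry per line and reading them with `while IFS= read -r VAR`) to stop splitting on spaces.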
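--- /dev/null
+++ b/SOURCES/openscap-1.3.3-fix-cmake-findacl.patch
@@ -0,0 +1,45 @@
+From 4982aa3da7ae00cd3656db7f47ac3706e85ab7d4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Thu, 23 Jan 2020 16:24:37 +0100
+Subject: [PATCH] Fix FindACL.cmake
+
+find_path parameter `NAMES` values should be separated. According to
+https://cmake.org/cmake/help/latest/command/find_path.html it should be:
+`NAMES name1 [name2 ...]`
+
+find_library parameter `NAMES` either should not contain `lib` or should
+contain both `lib` and `.so.` The documentation at
+https://cmake.org/cmake/help/latest/command/find_library.html says: Each
+library name given to the `NAMES` option is first considered as a
+library file name and then considered with platform-specific prefixes
+(e.g. `lib`) and suffixes (e.g. `.so`).
+
+This bug caused that even if cmake reported that libacl was found, the
+library wasn't linked to the built `libopenscap.so`. Also,
+`HAVE_ACL_EXTENDED_FILE`, `HAVE_ACL_LIBACL_H` and `HAVE_SYS_ACL_H` were
+undefined in `config.h`, which caused some guarded pieces of code to not
+compile, which means features missing.
+---
+cmake/FindACL.cmake | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/cmake/FindACL.cmake b/cmake/FindACL.cmake
+index 2d4a3027c..a41f2c13a 100644
+--- a/cmake/FindACL.cmake
++++ b/cmake/FindACL.cmake
+@@ -12,13 +12,13 @@ libfind_pkg_check_modules(ACL_PKGCONF libacl)
+
+# Include dir
+find_path(ACL_INCLUDE_DIR
+- NAMES "acl/libacl.h sys/libacl.h"
++ NAMES "acl/libacl.h" "sys/libacl.h"
+PATHS ${ACL_PKGCONF_INCLUDE_DIRS}
+)
+
+# Finally the library itself
+find_library(ACL_LIBRARY
+- NAMES libacl
++ NAMES acl
+PATHS ${ACL_PKGCONF_LIBRARY_DIRS}
+)
+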
@ -1,28 +1,51 @@
|
|||||||
Name: openscap
|
Name: openscap
|
||||||
Version: 1.3.1
|
Version: 1.3.2
|
||||||
Release: 1%{?dist}
|
Release: 6%{?dist}
|
||||||
Summary: Set of open source libraries enabling integration of the SCAP line of standards
|
Summary: Set of open source libraries enabling integration of the SCAP line of standards
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
URL: http://www.open-scap.org/
|
URL: http://www.open-scap.org/
|
||||||
Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
|
Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
|
||||||
|
# PATCHES FOR 1.3.2
|
||||||
|
Patch1: 01-add-test-fix-type-anaconda.patch
|
||||||
|
Patch2: 02-do-not-use-keyword-operator-as-a-function-parameter.patch
|
||||||
|
Patch3: 03-fix-cmake-test-for-libcap-xattr-h.patch
|
||||||
|
Patch4: 04-oscap-podman-detect-ambiguous-targets.patch
|
||||||
|
Patch5: openscap-1.3.2-covscan_ux_fix.patch
|
||||||
|
Patch6: openscap-1.3.3-fix-cmake-findacl.patch
|
||||||
|
# END PATCHES FOR 1.3.2
|
||||||
BuildRequires: cmake >= 2.6
|
BuildRequires: cmake >= 2.6
|
||||||
BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
|
BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
|
||||||
BuildRequires: rpm-devel
|
BuildRequires: rpm-devel
|
||||||
BuildRequires: libgcrypt-devel
|
BuildRequires: libgcrypt-devel
|
||||||
BuildRequires: pcre-devel
|
BuildRequires: pcre-devel
|
||||||
BuildRequires: libacl-devel
|
BuildRequires: libacl-devel
|
||||||
BuildRequires: libselinux-devel libcap-devel
|
BuildRequires: libselinux-devel
|
||||||
|
BuildRequires: libcap-devel
|
||||||
BuildRequires: libblkid-devel
|
BuildRequires: libblkid-devel
|
||||||
BuildRequires: bzip2-devel
|
BuildRequires: bzip2-devel
|
||||||
BuildRequires: asciidoc
|
BuildRequires: asciidoc
|
||||||
BuildRequires: openldap-devel
|
BuildRequires: openldap-devel
|
||||||
BuildRequires: GConf2-devel
|
BuildRequires: GConf2-devel
|
||||||
|
BuildRequires: glib2-devel
|
||||||
BuildRequires: dbus-devel
|
BuildRequires: dbus-devel
|
||||||
%if %{?_with_check:1}%{!?_with_check:0}
|
%if %{?_with_check:1}%{!?_with_check:0}
|
||||||
BuildRequires: perl-XML-XPath
|
BuildRequires: perl-XML-XPath
|
||||||
BuildRequires: bzip2
|
BuildRequires: bzip2
|
||||||
%endif
|
%endif
|
||||||
|
Requires: bash
|
||||||
|
Requires: bzip2-libs
|
||||||
|
Requires: dbus
|
||||||
|
Requires: GConf2
|
||||||
|
Requires: glib2
|
||||||
|
Requires: libacl
|
||||||
|
Requires: libblkid
|
||||||
|
Requires: libcap
|
||||||
|
Requires: libselinux
|
||||||
|
Requires: openldap
|
||||||
|
Requires: popt
|
||||||
|
# RHEL8 has procps-ng, which provides procps
|
||||||
|
Requires: procps
|
||||||
Requires(post): /sbin/ldconfig
|
Requires(post): /sbin/ldconfig
|
||||||
Requires(postun): /sbin/ldconfig
|
Requires(postun): /sbin/ldconfig
|
||||||
Obsoletes: python2-openscap
|
Obsoletes: python2-openscap
|
||||||
@ -78,6 +101,7 @@ Group: Applications/System
|
|||||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||||
Requires: rpmdevtools rpm-build
|
Requires: rpmdevtools rpm-build
|
||||||
Requires: %{name}-scanner%{?_isa} = %{version}-%{release}
|
Requires: %{name}-scanner%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: bash
|
||||||
|
|
||||||
%description utils
|
%description utils
|
||||||
The %{name}-utils package contains command-line tools build on top
|
The %{name}-utils package contains command-line tools build on top
|
||||||
@ -107,6 +131,12 @@ for developing applications that use %{name}-engine-sce.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
%patch3 -p1
|
||||||
|
%patch4 -p1
|
||||||
|
%patch5 -p1
|
||||||
|
%patch6 -p1
|
||||||
mkdir build
|
mkdir build
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -114,9 +144,9 @@ cd build
|
|||||||
%cmake -DENABLE_PERL=OFF \
|
%cmake -DENABLE_PERL=OFF \
|
||||||
-DENABLE_DOCS=ON \
|
-DENABLE_DOCS=ON \
|
||||||
-DENABLE_OSCAP_UTIL_DOCKER=OFF \
|
-DENABLE_OSCAP_UTIL_DOCKER=OFF \
|
||||||
-DENABLE_OSCAP_UTIL_CHROOT=OFF \
|
-DENABLE_OSCAP_UTIL_CHROOT=ON \
|
||||||
-DENABLE_OSCAP_UTIL_PODMAN=OFF \
|
-DENABLE_OSCAP_UTIL_PODMAN=ON \
|
||||||
-DENABLE_OSCAP_UTIL_VM=OFF \
|
-DENABLE_OSCAP_UTIL_VM=ON \
|
||||||
..
|
..
|
||||||
make %{?_smp_mflags}
|
make %{?_smp_mflags}
|
||||||
make docs
|
make docs
|
||||||
@ -172,27 +202,67 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%files scanner
|
%files scanner
|
||||||
%{_mandir}/man8/oscap.8.gz
|
%{_mandir}/man8/oscap.8.gz
|
||||||
%{_bindir}/oscap
|
%{_bindir}/oscap
|
||||||
# RHEL-8.1.0 will not support oscap-chroot. Future releases may include this. Note: remove double % when enabling command.
|
%{_mandir}/man8/oscap-chroot.8.gz
|
||||||
#%%{_mandir}/man8/oscap-chroot.8.gz
|
%{_bindir}/oscap-chroot
|
||||||
#%%{_bindir}/oscap-chroot
|
|
||||||
%{_sysconfdir}/bash_completion.d
|
%{_sysconfdir}/bash_completion.d
|
||||||
|
|
||||||
%files utils
|
%files utils
|
||||||
%doc docs/oscap-scan.cron
|
%doc docs/oscap-scan.cron
|
||||||
%{_mandir}/man8/oscap-ssh.8.gz
|
%{_mandir}/man8/oscap-ssh.8.gz
|
||||||
%{_bindir}/oscap-ssh
|
%{_bindir}/oscap-ssh
|
||||||
# RHEL-8.1.0 will not support oscap-vm and oscap-podman. Future releases may include this. Note: remove double % when enabling command.
|
%{_mandir}/man8/oscap-podman.8.gz
|
||||||
#%%{_mandir}/man8/oscap-podman.8.gz
|
%{_bindir}/oscap-podman
|
||||||
#%%{_bindir}/oscap/oscap-podman
|
%{_mandir}/man8/oscap-vm.8.gz
|
||||||
#%%{_mandir}/man8/oscap-vm.8.gz
|
%{_bindir}/oscap-vm
|
||||||
#%%{_bindir}/oscap/oscap-vm
|
|
||||||
%{_mandir}/man8/scap-as-rpm.8.gz
|
%{_mandir}/man8/scap-as-rpm.8.gz
|
||||||
%{_bindir}/scap-as-rpm
|
%{_bindir}/scap-as-rpm
|
||||||
|
|
||||||
%files engine-sce
|
%files engine-sce
|
||||||
%{_libdir}/libopenscap_sce.so.*
|
%{_libdir}/libopenscap_sce.so.*
|
||||||
|
%{_bindir}/oscap-run-sce-script
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jan 23 2020 Jan Černý <jcerny@redhat.com> - 1.3.2-6
|
||||||
|
- Fix FindACL.cmake
|
||||||
|
|
||||||
|
* Tue Jan 21 2020 Matěj Týč <matyc@redhat.com> - 1.3.2-5
|
||||||
|
- Added more exhaustive package dependencies.
|
||||||
|
- Added the covscan/UX patch.
|
||||||
|
|
||||||
|
* Mon Jan 20 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.2-4
|
||||||
|
- Added patch: utils/oscap-podman: Detect ambiguous scan target
|
||||||
|
|
||||||
|
* Mon Jan 20 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.2-3
|
||||||
|
- Refined requirements
|
||||||
|
|
||||||
|
* Sun Jan 19 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.2-2
|
||||||
|
- Added patch: Fix case where CMake couldn't find libacl or xattr.h
|
||||||
|
|
||||||
|
* Wed Jan 15 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.2-1
|
||||||
|
- Upgrade to the latest upstream release (rhbz#1778296)
|
||||||
|
- Offline mode support for environmentvariable58 probe (rhbz#1493614)
|
||||||
|
- The oscap-docker wrapper is available without Atomic
|
||||||
|
- Improved support of multi-check rules (report, remediations, console output) (rhbz#1771438)
|
||||||
|
- Improved HTML report look and feel, including printed version (rhbz#1640839)
|
||||||
|
- Less clutter in verbose mode output; some warnings and errors demoted to verbose mode levels
|
||||||
|
- Probe rpmverifyfile uses and returns canonical paths (rhbz#1776308)
|
||||||
|
- Improved a11y of HTML reports and guides (rhbz#1767382)
|
||||||
|
- Fixes and improvements for SWIG Python bindings (rhbz#1753603)
|
||||||
|
- #1403 fixed: Scanner would not apply remediation for multicheck rules (verbosity)
|
||||||
|
- Fixed URL link mechanism for Red Hat Errata
|
||||||
|
- New STIG Viewer URI: public.cyber.mil
|
||||||
|
- Probe selinuxsecuritycontext would not check if SELinux is enabled
|
||||||
|
- Scanner would provide information about unsupported OVAL objects
|
||||||
|
- Added more tests for offline mode (probes, remediation) (rhbz#1618489)
|
||||||
|
- #528 fixed: Eval SCE script when /tmp is in mode noexec
|
||||||
|
- #1173, RHBZ#1603347 fixed: Double chdir/chroot in probe rpmverifypackage (rhbz#1636431)
|
||||||
|
|
||||||
|
* Wed Dec 18 2019 Vojtech Polasek <vpolasek@redhat.com> - 1.3.1-3
|
||||||
|
- put back openscap-chroot, openscap-podman and openscap-vm files
|
||||||
|
|
||||||
|
* Fri Nov 01 2019 Vojtech Polasek <vpolasek@redhat.com> - 1.3.1-2
|
||||||
|
- Fixed XSLT template making rule details in reports accessible for screenreader users (#1767382)
|
||||||
|
|
||||||
* Fri Jun 14 2019 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.1-1
|
* Fri Jun 14 2019 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.1-1
|
||||||
- Bumped the package release number
|
- Bumped the package release number
|
||||||
|
|
||||||
|