rpms/openscap
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import openscap-1.3.3-5.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-11-03 06:56:57 -05:00 committed by Andrew Lukoshko
parent f4c4039c0e
commit f5190d61d5
16 changed files with 804 additions and 625 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/openscap-1.3.2.tar.gz SOURCES/openscap-1.3.3.tar.gz

2
.openscap.metadata
View File

@ -1 +1 @@
5fe71454faff8cdcbd0e13e7c7343daf04069ca9 SOURCES/openscap-1.3.2.tar.gz 6988d1ea7b86669d410ab5defc1be394cba5b017 SOURCES/openscap-1.3.3.tar.gz

36
SOURCES/01-add-test-fix-type-anaconda.patch
View File

@ -1,36 +0,0 @@
From 712000a675103393045fde191856ce1dd306f1ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 13 Jan 2020 17:28:09 +0100
Subject: [PATCH] Add a test to check --fix-type Anaconda
There should be 2 equal ways of generating Anaconda remediations:
"oscap xccdf generate fix --fix-type anaconda" and
"oscap xccdf generate fix --template urn:redhat:anaconda:pre"
Both commands should give the same output.
This tests a fix for https://bugzilla.redhat.com/show_bug.cgi?id=1736850
introduced by b1448ec95a957a76eb8be6d439531c532d97ff3c
---
.../API/XCCDF/unittests/test_report_anaconda_fixes.sh | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh b/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh
index d4e86e657..650f3d75b 100755
--- a/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh
+++ b/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh
@@ -23,6 +23,16 @@ grep -v "$line1" $result | grep -v "$line2" | grep -v "$line3"
[ "`grep -v "$line1" $result | grep -v "$line2" | sed 's/\W//g'`"x == x ]
:> $result
+# use --fix-type instead of URN template to generate the same fix
+$OSCAP xccdf generate fix --fix-type anaconda \
+ --output $result $srcdir/${name}.xccdf.xml 2>&1 > $stderr
+[ -f $stderr ]; [ ! -s $stderr ]; :> $stderr
+grep "$line1" $result
+grep "$line2" $result
+grep -v "$line1" $result | grep -v "$line2" | grep -v "$line3"
+[ "`grep -v "$line1" $result | grep -v "$line2" | sed 's/\W//g'`"x == x ]
+:> $result
+
$OSCAP xccdf generate fix --template urn:redhat:anaconda:pre \
--profile xccdf_moc.elpmaxe.www_profile_1 \
--output $result $srcdir/${name}.xccdf.xml 2>&1 > $stderr

38
SOURCES/02-do-not-use-keyword-operator-as-a-function-parameter.patch
View File

@ -1,38 +0,0 @@
From 0ba7c9423f64a88ceef50318f1a382059484f737 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 15 Jan 2020 13:54:45 +0100
Subject: [PATCH] Do not use C++ keyword operator as a function parameter name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes SCAP Workbench build.
Addressing:
[ 37%] Building CXX object CMakeFiles/scap-workbench.dir/scap-workbench_autogen/mocs_compilation.cpp.o
In file included from /usr/local/include/openscap/xccdf_policy.h:39,
from /home/jcerny/work/git/scap-workbench/include/TailoringDockWidgets.h:31,
from /home/jcerny/work/git/scap-workbench/build/scap-workbench_autogen/6YEA5652QU/moc_TailoringDockWidgets.cpp:10,
from /home/jcerny/work/git/scap-workbench/build/scap-workbench_autogen/mocs_compilation.cpp:18:
/usr/local/include/openscap/oval_definitions.h:1676:117: error: declaration of operator, as parameter
1676 | restriction *oval_variable_possible_restriction_new(oval_operator_t operator, const char *hint);
| ^
Fixes: #1462
---
src/OVAL/public/oval_definitions.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/OVAL/public/oval_definitions.h b/src/OVAL/public/oval_definitions.h
index ea9d3aaf8..b5fe77154 100644
--- a/src/OVAL/public/oval_definitions.h
+++ b/src/OVAL/public/oval_definitions.h
@@ -1669,7 +1669,7 @@ OSCAP_API void oval_variable_possible_value_iterator_free(struct oval_variable_p
* @param hint A short description of what the value means or represents.
* @memberof oval_variable_possible_restriction
*/
-OSCAP_API struct oval_variable_possible_restriction *oval_variable_possible_restriction_new(oval_operator_t operator, const char *hint);
+OSCAP_API struct oval_variable_possible_restriction *oval_variable_possible_restriction_new(oval_operator_t, const char *);
/**

48
SOURCES/03-fix-cmake-test-for-libcap-xattr-h.patch
View File

@ -1,48 +0,0 @@
From 3fbf36004eec55b9a88916559029332d7f356bae Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Wed, 15 Jan 2020 15:02:32 -0700
Subject: [PATCH] Fix case where CMake couldn't find libacl or xattr.h
---
CMakeLists.txt | 2 +-
cmake/FindACL.cmake | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 720d8d8eb..fe20992a5 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -238,7 +238,7 @@ cmake_dependent_option(OPENSCAP_PROBE_INDEPENDENT_XMLFILECONTENT "Independent xm
# UNIX PROBES
cmake_dependent_option(OPENSCAP_PROBE_UNIX_DNSCACHE "Unix dnscache probe" ON "ENABLE_PROBES_UNIX" OFF)
cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILE "Unix file probe" ON "ENABLE_PROBES_UNIX" OFF)
-cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILEEXTENDEDATTRIBUTE "Unix fileextendedattribute probe" ON "ENABLE_PROBES_UNIX; (HAVE_SYS_XATTR_H OR HAVE_ATTR_XATTR_H)" OFF)
+cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILEEXTENDEDATTRIBUTE "Unix fileextendedattribute probe" ON "ENABLE_PROBES_UNIX; HAVE_SYS_XATTR_H OR HAVE_ATTR_XATTR_H" OFF)
cmake_dependent_option(OPENSCAP_PROBE_UNIX_GCONF "Unix gconf probe" ON "ENABLE_PROBES_UNIX; GCONF_FOUND" OFF)
cmake_dependent_option(OPENSCAP_PROBE_UNIX_INTERFACE "Unix interface probe" ON "ENABLE_PROBES_UNIX" OFF)
cmake_dependent_option(OPENSCAP_PROBE_UNIX_PASSWORD "Unix password probe" ON "ENABLE_PROBES_UNIX" OFF)
diff --git a/cmake/FindACL.cmake b/cmake/FindACL.cmake
index 1753b0dd3..2d4a3027c 100644
--- a/cmake/FindACL.cmake
+++ b/cmake/FindACL.cmake
@@ -8,17 +8,17 @@
include(LibFindMacros)
# Use pkg-config to get hints about paths
-libfind_pkg_check_modules(ACL_PKGCONF acl)
+libfind_pkg_check_modules(ACL_PKGCONF libacl)
# Include dir
find_path(ACL_INCLUDE_DIR
- NAMES acl/libacl.h
+ NAMES "acl/libacl.h sys/libacl.h"
PATHS ${ACL_PKGCONF_INCLUDE_DIRS}
)
# Finally the library itself
find_library(ACL_LIBRARY
- NAMES acl
+ NAMES libacl
PATHS ${ACL_PKGCONF_LIBRARY_DIRS}
)

56
SOURCES/04-oscap-podman-detect-ambiguous-targets.patch
View File

@ -1,56 +0,0 @@
From 532a6c77f388d2e06ec12338df9ea97d955f5edc Mon Sep 17 00:00:00 2001
From: Matus Marhefka <mmarhefk@redhat.com>
Date: Thu, 16 Jan 2020 15:39:37 +0100
Subject: [PATCH] utils/oscap-podman: Detect ambiguous scan target
In case that a container image and a running container have the same
name, `oscap-podman` scans container image and a running container is
skipped. This might be unexpected and might cause a confusion for user.
Therefore, this commit adds a code which detects such situation and
rather informs user about ambiguous scan target and terminates.
In such cases the unique container image/container ID should be used
for specifying the target of the scan.
---
utils/oscap-podman | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/utils/oscap-podman b/utils/oscap-podman
index 272afd988..32ec0cfcb 100755
--- a/utils/oscap-podman
+++ b/utils/oscap-podman
@@ -65,17 +65,30 @@ if grep -q "\-\-remediate" <<< "$@"; then
die
fi
+IMAGE_NAME=$(podman image exists "$1" \
+ && podman image inspect --format "{{.Id}} {{.RepoTags}}" "$1")
+CONTAINER_NAME=$(podman container exists "$1" \
+ && podman container inspect --format "{{.Id}} {{.Name}}" "$1")
+
+if [ -n "$IMAGE_NAME" ] && [ -n "$CONTAINER_NAME" ]; then
+ echo "Ambiguous target, container image and container with the same name detected: '$1'." >&2
+ echo "Please rather use an unique ID to specify the target of the scan." >&2
+ die
+fi
+
# Check if the target of scan is image or container.
CLEANUP=0
-if podman images | grep -q $1; then
+if [ -n "$IMAGE_NAME" ]; then
ID=$(podman create $1) || die
- IMG_NAME=$(podman images --format "{{.ID}} ({{.Repository}}:{{.Tag}})" | grep -m1 $1)
- TARGET="podman-image://$IMG_NAME"
+ TARGET="podman-image://$IMAGE_NAME"
CLEANUP=1
-else
+elif [ -n "$CONTAINER_NAME" ]; then
# If the target was not found in images we suppose it is a container.
ID=$1
- TARGET="podman-container://$1"
+ TARGET="podman-container://$CONTAINER_NAME"
+else
+ echo "Target of the scan not found: '$1'." >&2
+ die
fi
# podman init creates required files such as: /run/.containerenv - we don't care about output and exit code

389
SOURCES/openscap-1.3.2-covscan_ux_fix.patch
View File

@ -1,389 +0,0 @@
From 47a2662bccb8e6f2f192acf46c26d862fe3bbcfb Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Fri, 17 Jan 2020 10:24:07 +0100
Subject: [PATCH 1/2] Covscan fixes
Error: FORWARD_NULL (CWE-476): [#def17]
xccdf_policy_remediate.c:383: var_compare_op: Comparing "rr" to null implies that "rr" might be null.
xccdf_policy_remediate.c:384: var_deref_model: Passing null pointer "rr" to "_rule_add_info_message", which dereferences it.
Error: FORWARD_NULL (CWE-476): [#def18]
test_fsdev_is_local_fs.c:35: assign_zero: Assigning: "ment.mnt_fsname" = "NULL".
test_fsdev_is_local_fs.c:37: var_deref_model: Passing "&ment" to "is_local_fs", which dereferences null "ment.mnt_fsname".
---
src/OVAL/probes/fsdev.c | 4 ++++
src/XCCDF_POLICY/xccdf_policy_remediate.c | 12 ++++++++++--
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c
index bd8e52fbf..a6b36f5e0 100644
--- a/src/OVAL/probes/fsdev.c
+++ b/src/OVAL/probes/fsdev.c
@@ -97,6 +97,10 @@ static int is_local_fs(struct mntent *ment)
return 0;
}
+ if (ment->mnt_fsname == NULL) {
+ return 0;
+ }
+
s = ment->mnt_fsname;
/* If the fsname begins with "//", it is probably CIFS. */
if (s[0] == '/' && s[1] == '/')
diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
index 389a7d1bd..f59737727 100644
--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -380,7 +380,11 @@ static inline int _xccdf_fix_decode_xml(struct xccdf_fix *fix, char **result)
#if defined(unix) || defined(__unix__) || defined(__unix)
static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_fix *fix)
{
- if (fix == NULL || rr == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) {
+ if (rr == NULL) {
+ return 1;
+ }
+
+ if (fix == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) {
_rule_add_info_message(rr, "No fix available.");
return 1;
}
@@ -481,7 +485,11 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_
#else
static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_fix *fix)
{
- if (fix == NULL || rr == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) {
+ if (rr == NULL) {
+ return 1;
+ }
+
+ if (fix == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) {
_rule_add_info_message(rr, "No fix available.");
return 1;
} else {
From 7bccc09eabd30e0581cf0fdf4f20fa481db12e91 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Fri, 17 Jan 2020 11:04:13 +0100
Subject: [PATCH 2/2] Covscan fixes (SHELLCHECK), small refactoring in Shell
wrappers
Error: SHELLCHECK_WARNING:
warning: die references arguments, but none are ever passed. [SC2120]
Error: SHELLCHECK_WARNING:
warning: Use 'cd ... || exit' or 'cd ... || return' in case cd fails. [SC2164]
Error: SHELLCHECK_WARNING:
warning: Declare and assign separately to avoid masking return values. [SC2155]
---
utils/oscap-chroot | 20 ++++++++++++--------
utils/oscap-podman | 42 +++++++++++++++++++++---------------------
utils/oscap-ssh | 39 ++++++++++++++++++++++-----------------
utils/oscap-vm | 19 +++++++++++--------
4 files changed, 66 insertions(+), 54 deletions(-)
diff --git a/utils/oscap-chroot b/utils/oscap-chroot
index 6518d7a2c..318f55a91 100755
--- a/utils/oscap-chroot
+++ b/utils/oscap-chroot
@@ -25,6 +25,13 @@ function die()
exit 1
}
+function invalid()
+{
+ echo -e "$*\n" >&2
+ usage
+ exit 1
+}
+
function usage()
{
echo "oscap-chroot -- Tool for offline SCAP evaluation of filesystems mounted in arbitrary paths."
@@ -74,26 +81,23 @@ function usage()
}
if [ $# -lt 1 ]; then
- echo "No arguments provided."
- usage
- die
+ invalid "No arguments provided."
elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
usage
- die
+ exit 0
elif [ "$#" -gt 1 ]; then
true
else
- echo "Invalid arguments provided."
- usage
- die
+ invalid "Invalid arguments provided."
fi
# Learn more at https://www.redhat.com/archives/open-scap-list/2013-July/msg00000.html
export OSCAP_PROBE_ROOT
-OSCAP_PROBE_ROOT="$(cd "$1"; pwd)"
+OSCAP_PROBE_ROOT="$(cd "$1" && pwd)" || die "Invalid CHROOT_PATH argument."
export OSCAP_EVALUATION_TARGET="chroot://$OSCAP_PROBE_ROOT"
shift 1
oscap "$@"
EXIT_CODE=$?
+
exit $EXIT_CODE
diff --git a/utils/oscap-podman b/utils/oscap-podman
index 32ec0cfcb..6b9f4a3de 100755
--- a/utils/oscap-podman
+++ b/utils/oscap-podman
@@ -16,13 +16,19 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-
function die()
{
echo "$*" >&2
exit 1
}
+function invalid()
+{
+ echo -e "$*\n" >&2
+ usage
+ exit 1
+}
+
function usage()
{
echo "oscap-podman -- Tool for SCAP evaluation of Podman images and containers."
@@ -39,30 +45,24 @@ function usage()
OSCAP_BINARY=oscap
if [ $# -lt 1 ]; then
- echo "No arguments provided."
- usage
- die
+ invalid "No arguments provided."
elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
usage
- die
+ exit 0
elif [[ "$1" == --oscap=* ]] && [ $# -gt 2 ]; then
OSCAP_BINARY=${1#"--oscap="}
shift
elif [ "$#" -gt 1 ]; then
true
else
- echo "Invalid arguments provided."
- usage
- die
+ invalid "Invalid arguments provided."
fi
if [ $(id -u) -ne 0 ]; then
- echo "This script cannot run in rootless mode." >&2
- die
+ die "This script cannot run in rootless mode."
fi
if grep -q "\-\-remediate" <<< "$@"; then
- echo "This script does not support '--remediate' option." >&2
- die
+ die "This script does not support '--remediate' option."
fi
IMAGE_NAME=$(podman image exists "$1" \
@@ -72,14 +72,13 @@ CONTAINER_NAME=$(podman container exists "$1" \
if [ -n "$IMAGE_NAME" ] && [ -n "$CONTAINER_NAME" ]; then
echo "Ambiguous target, container image and container with the same name detected: '$1'." >&2
- echo "Please rather use an unique ID to specify the target of the scan." >&2
- die
+ die "Please rather use an unique ID to specify the target of the scan."
fi
# Check if the target of scan is image or container.
CLEANUP=0
if [ -n "$IMAGE_NAME" ]; then
- ID=$(podman create $1) || die
+ ID=$(podman create $1) || die "Unable to create a container."
TARGET="podman-image://$IMAGE_NAME"
CLEANUP=1
elif [ -n "$CONTAINER_NAME" ]; then
@@ -87,14 +86,13 @@ elif [ -n "$CONTAINER_NAME" ]; then
ID=$1
TARGET="podman-container://$CONTAINER_NAME"
else
- echo "Target of the scan not found: '$1'." >&2
- die
+ die "Target of the scan not found: '$1'."
fi
# podman init creates required files such as: /run/.containerenv - we don't care about output and exit code
podman init $ID &> /dev/null || true
-DIR=$(podman mount $ID) || die
+DIR=$(podman mount $ID) || die "Failed to mount."
if [ ! -f "$DIR/run/.containerenv" ]; then
# ubi8-init image does not create .containerenv when running podman init, but we need to make sure that the file is there
@@ -105,14 +103,16 @@ for VAR in `podman inspect $ID --format '{{join .Config.Env " "}}'`; do
eval "export OSCAP_OFFLINE_$VAR"
done
-export OSCAP_PROBE_ROOT="$(cd "$DIR"; pwd)"
+export OSCAP_PROBE_ROOT
+OSCAP_PROBE_ROOT="$(cd "$DIR" && pwd)" || die "Unable to change current directory to OSCAP_PROBE_ROOT (DIR)."
export OSCAP_EVALUATION_TARGET="$TARGET"
shift 1
$OSCAP_BINARY "$@"
EXIT_CODE=$?
-podman umount $ID > /dev/null || die
+
+podman umount $ID > /dev/null || die "Failed to unmount."
if [ $CLEANUP -eq 1 ]; then
- podman rm $ID > /dev/null || die
+ podman rm $ID > /dev/null || die "Failed to clean up."
fi
exit $EXIT_CODE
diff --git a/utils/oscap-ssh b/utils/oscap-ssh
index 08c8bcd2b..cd3600180 100755
--- a/utils/oscap-ssh
+++ b/utils/oscap-ssh
@@ -22,9 +22,12 @@ function die()
exit 1
}
-hash ssh 2> /dev/null || die "Cannot find ssh, please install the OpenSSH client."
-hash scp 2> /dev/null || die "Cannot find scp, please install the OpenSSH client."
-hash mktemp 2> /dev/null || die "Cannot find mktemp, please install coreutils."
+function invalid()
+{
+ echo -e "$*\n" >&2
+ usage
+ exit 1
+}
function usage()
{
@@ -87,10 +90,6 @@ function usage()
echo "See \`man oscap\` to learn more about semantics of these options."
}
-OSCAP_SUDO=""
-# SSH_ADDITIONAL_OPTIONS may be defined in the calling shell
-SSH_TTY_ALLOCATION_OPTION=""
-
# $1, $2, ... SSH options (pass them as separate arguments)
function ssh_execute_with_options {
ssh -o ControlPath="$MASTER_SOCKET" $SSH_ADDITIONAL_OPTIONS "$@" -p "$SSH_PORT" "$SSH_HOST"
@@ -118,22 +117,20 @@ function scp_retreive_from_temp_dir {
# Returns: String, where individual command components are double-quoted, so they are not interpreted by the shell.
# For example, an array ('-p' '(all)') will be transformed to "\"-p\" \"(all)\"", so after the shell expansion, it will end up as "-p" "(all)".
function command_array_to_string {
- eval "printf '\"%s\" ' \"\${$1[@]}\""
+ eval "printf '\"%s\" ' \"\${$1[@]}\""
}
function first_argument_is_sudo {
- [ "$1" == "sudo" ] || [ "$1" == "--sudo" ]
- return $?
+ [ "$1" == "sudo" ] || [ "$1" == "--sudo" ]
+ return $?
}
function sanity_check_arguments {
if [ $# -lt 1 ]; then
- echo "No arguments provided."
- usage
- die
+ invalid "No arguments provided."
elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
usage
- die
+ exit 0
elif first_argument_is_sudo "$@"; then
OSCAP_SUDO="sudo"
# force pseudo-tty allocation so that users can type their password if necessary
@@ -141,9 +138,7 @@ function sanity_check_arguments {
shift
fi
if [ $# -lt 2 ]; then
- echo "Missing ssh host and ssh port."
- usage
- die
+ invalid "Missing ssh host and ssh port."
fi
}
@@ -165,6 +160,16 @@ function check_oscap_arguments {
fi
}
+
+hash ssh 2> /dev/null || die "Cannot find ssh, please install the OpenSSH client."
+hash scp 2> /dev/null || die "Cannot find scp, please install the OpenSSH client."
+hash mktemp 2> /dev/null || die "Cannot find mktemp, please install coreutils."
+
+
+OSCAP_SUDO=""
+# SSH_ADDITIONAL_OPTIONS may be defined in the calling shell
+SSH_TTY_ALLOCATION_OPTION=""
+
sanity_check_arguments "$@"
first_argument_is_sudo "$@" && shift
diff --git a/utils/oscap-vm b/utils/oscap-vm
index 02f8c6396..6557eb3a7 100755
--- a/utils/oscap-vm
+++ b/utils/oscap-vm
@@ -22,6 +22,13 @@ function die()
exit 1
}
+function invalid()
+{
+ echo -e "$*\n" >&2
+ usage
+ exit 1
+}
+
function usage()
{
echo "oscap-vm -- Tool for offline SCAP evaluation of virtual machines."
@@ -76,12 +83,10 @@ function usage()
OSCAP_BINARY=oscap
if [ $# -lt 1 ]; then
- echo "No arguments provided."
- usage
- die
+ invalid "No arguments provided."
elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
usage
- die
+ exit 0
elif [[ "$1" == --oscap=* ]] && [ $# -gt 3 ]; then
OSCAP_BINARY=${1#"--oscap="}
shift
@@ -90,9 +95,7 @@ elif [ "$1" == "image" ] && [ $# -gt 2 ]; then
elif [ "$1" == "domain" ] && [ $# -gt 2 ]; then
true
else
- echo "Invalid arguments provided."
- usage
- die
+ invalid "Invalid arguments provided."
fi
hash guestmount 2> /dev/null || die "Cannot find guestmount, please install libguestfs utilities."
@@ -128,7 +131,7 @@ fi
# Learn more at https://www.redhat.com/archives/open-scap-list/2013-July/msg00000.html
export OSCAP_PROBE_ROOT
-OSCAP_PROBE_ROOT="$(cd "$MOUNTPOINT"; pwd)"
+OSCAP_PROBE_ROOT="$(cd "$MOUNTPOINT" && pwd)" || die "Unable to change current directory to OSCAP_PROBE_ROOT (MOUNTPOINT)."
export OSCAP_EVALUATION_TARGET="oscap-vm $1 $2"
shift 2

45
SOURCES/openscap-1.3.3-fix-cmake-findacl.patch
View File

@ -1,45 +0,0 @@
From 4982aa3da7ae00cd3656db7f47ac3706e85ab7d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 23 Jan 2020 16:24:37 +0100
Subject: [PATCH] Fix FindACL.cmake
find_path parameter `NAMES` values should be separated. According to
https://cmake.org/cmake/help/latest/command/find_path.html it should be:
`NAMES name1 [name2 ...]`
find_library parameter `NAMES` either should not contain `lib` or should
contain both `lib` and `.so.` The documentation at
https://cmake.org/cmake/help/latest/command/find_library.html says: Each
library name given to the `NAMES` option is first considered as a
library file name and then considered with platform-specific prefixes
(e.g. `lib`) and suffixes (e.g. `.so`).
This bug caused that even if cmake reported that libacl was found, the
library wasn't linked to the built `libopenscap.so`. Also,
`HAVE_ACL_EXTENDED_FILE`, `HAVE_ACL_LIBACL_H` and `HAVE_SYS_ACL_H` were
undefined in `config.h`, which caused some guarded pieces of code to not
compile, which means features missing.
---
cmake/FindACL.cmake | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cmake/FindACL.cmake b/cmake/FindACL.cmake
index 2d4a3027c..a41f2c13a 100644
--- a/cmake/FindACL.cmake
+++ b/cmake/FindACL.cmake
@@ -12,13 +12,13 @@ libfind_pkg_check_modules(ACL_PKGCONF libacl)
# Include dir
find_path(ACL_INCLUDE_DIR
- NAMES "acl/libacl.h sys/libacl.h"
+ NAMES "acl/libacl.h" "sys/libacl.h"
PATHS ${ACL_PKGCONF_INCLUDE_DIRS}
)
# Finally the library itself
find_library(ACL_LIBRARY
- NAMES libacl
+ NAMES acl
PATHS ${ACL_PKGCONF_LIBRARY_DIRS}
)

70
SOURCES/openscap-1.3.4-add_compression_support-PR_1557.patch Normal file
View File

@ -0,0 +1,70 @@
From d8518b70b912aa55fc47400173bf6229e40b71d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= <isimluk@fedoraproject.org>
Date: Wed, 8 Jul 2020 15:17:31 +0200
Subject: [PATCH] Make a use of HTTP header content-encoding: gzip if available
When fetching remote resources, some servers/CDNs may be able to serve us
compressed http response even in cases when the original file is not compressed
XML. libcurl is able to process encoded html for us with no added maintenance
costs.
Attached please find a CURL log of fetching plain XML file from Red Hat CDN:
Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml
...
* Trying 104.90.105.254:443...
* Connected to www.redhat.com (104.90.105.254) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=2945436; C=US; ST=North Carolina; L=Raleigh; O=Red Hat, Inc.; CN=www.redhat.com
* start date: Feb 24 00:00:00 2020 GMT
* expire date: May 24 12:00:00 2022 GMT
* subjectAltName: host "www.redhat.com" matched cert's "www.redhat.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x776c3b0)
> GET /security/data/oval/com.redhat.rhsa-RHEL7.xml HTTP/2
Host: www.redhat.com
accept: */*
accept-encoding: gzip
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< server: Apache
< last-modified: Wed, 08 Jul 2020 12:41:28 GMT
< etag: "7f694279-fca5e0-5a9ed6d376a08"
< accept-ranges: bytes
< content-type: text/xml
< content-encoding: gzip
< content-length: 1766376
< date: Wed, 08 Jul 2020 13:15:29 GMT
< vary: Accept-Encoding
< strict-transport-security: max-age=31536000
<
* Connection #0 to host www.redhat.com left intact
---
src/common/oscap_acquire.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c
index 60ab62c05..551da43f0 100644
--- a/src/common/oscap_acquire.c
+++ b/src/common/oscap_acquire.c
@@ -302,6 +302,7 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
curl_easy_setopt(curl, CURLOPT_URL, url);
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer);
+ curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, "");
curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true);
CURLcode res = curl_easy_perform(curl);

168
SOURCES/openscap-1.3.4-add_compression_test-PR_1564.patch Normal file
View File

@ -0,0 +1,168 @@
From 12ccadd9f9cd30143b3af6feced58f8da636e9d2 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Mon, 20 Jul 2020 07:45:05 +0200
Subject: [PATCH] Add test for cURL "Accept-Encoding" header
---
tests/CMakeLists.txt | 1 +
tests/curl/CMakeLists.txt | 1 +
tests/curl/ds.xml | 99 ++++++++++++++++++++++++++++++++
tests/curl/test_curl_encoding.sh | 23 ++++++++
4 files changed, 124 insertions(+)
create mode 100644 tests/curl/CMakeLists.txt
create mode 100644 tests/curl/ds.xml
create mode 100755 tests/curl/test_curl_encoding.sh
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index b7ca6cd79..6948cd260 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -26,6 +26,7 @@ add_subdirectory("API")
add_subdirectory("bindings")
add_subdirectory("bz2")
add_subdirectory("codestyle")
+add_subdirectory("curl")
add_subdirectory("CPE")
add_subdirectory("DS")
add_subdirectory("mitre")
diff --git a/tests/curl/CMakeLists.txt b/tests/curl/CMakeLists.txt
new file mode 100644
index 000000000..9c3d90d74
--- /dev/null
+++ b/tests/curl/CMakeLists.txt
@@ -0,0 +1 @@
+add_oscap_test("test_curl_encoding.sh")
diff --git a/tests/curl/ds.xml b/tests/curl/ds.xml
new file mode 100644
index 000000000..f33cb475d
--- /dev/null
+++ b/tests/curl/ds.xml
@@ -0,0 +1,99 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" id="scap_org.open-scap_collection_from_xccdf_test_single_rule.xccdf.xml" schematron-version="1.3">
+<ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_test_single_rule.xccdf.xml" scap-version="1.3" use-case="OTHER">
+ <ds:checklists>
+ <ds:component-ref id="scap_org.open-scap_cref_test_single_rule.xccdf.xml" xlink:href="#scap_org.open-scap_comp_test_single_rule.xccdf.xml">
+ <cat:catalog>
+ <cat:uri name="test_single_rule.oval.xml" uri="#scap_org.open-scap_cref_test_single_rule.oval.xml"/>
+ <cat:uri name="security-data-oval.xml.bz2" uri="#scap_org.open-scap_cref_security-data-oval.xml.bz2"/>
+ </cat:catalog>
+ </ds:component-ref>
+ </ds:checklists>
+ <ds:checks>
+ <ds:component-ref id="scap_org.open-scap_cref_test_single_rule.oval.xml" xlink:href="#scap_org.open-scap_comp_test_single_rule.oval.xml"/>
+<!--
+ <ds:component-ref id="scap_org.open-scap_cref_security-data-oval.xml.bz2" xlink:href="https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml"/>
+-->
+ <ds:component-ref id="scap_org.open-scap_cref_security-data-oval.xml.bz2" xlink:href="https://github.com/"/>
+ </ds:checks>
+</ds:data-stream>
+
+<ds:component id="scap_org.open-scap_comp_test_single_rule.oval.xml" timestamp="2017-06-09T07:07:38">
+<oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd">
+ <generator>
+ <oval:schema_version>5.11</oval:schema_version>
+ <oval:timestamp>2009-01-12T10:41:00-05:00</oval:timestamp>
+ </generator>
+
+ <definitions>
+ <definition class="compliance" id="oval:test-pass:def:1" version="1">
+ <metadata>
+ <title>PASS</title>
+ <description>pass</description>
+ </metadata>
+ <criteria>
+ <criterion comment="PASS test" test_ref="oval:x:tst:1"/>
+ </criteria>
+ </definition>
+ </definitions>
+
+ <tests>
+ <variable_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:x:tst:1" check="all" comment="always pass" version="1">
+ <object object_ref="oval:x:obj:1"/>
+ </variable_test>
+ </tests>
+
+ <objects>
+ <variable_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:x:obj:1" version="1" comment="x">
+ <var_ref>oval:x:var:1</var_ref>
+ </variable_object>
+ </objects>
+
+ <variables>
+ <constant_variable id="oval:x:var:1" version="1" comment="x" datatype="int">
+ <value>100</value>
+ </constant_variable>
+ </variables>
+
+</oval_definitions>
+</ds:component>
+
+<ds:component id="scap_org.open-scap_comp_test_single_rule.xccdf.xml" timestamp="2017-06-09T09:15:45">
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_com.example.www_benchmark_dummy" xml:lang="en-US">
+ <status>accepted</status>
+ <version>1.0</version>
+
+ <Profile id="xccdf_com.example.www_profile_test_remote_res">
+ <title>xccdf_test_profile</title>
+ <description>This profile is for testing.</description>
+ <select idref="xccdf_com.example.www_rule_test-pass" selected="true"/>
+ <select idref="xccdf_com.example.www_rule_test-remote_res" selected="true"/>
+ </Profile>
+
+ <Value id="xccdf_com.example.www_value_val1" type="number" operator="equals" interactive="0">
+ <title>test value</title>
+ <description>foo</description>
+ <value selector="bar_1">50</value>
+ <value selector="bar_2">100</value>
+ </Value>
+ <Rule selected="true" id="xccdf_com.example.www_rule_test-pass">
+ <title>This rule always pass</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref href="test_single_rule.oval.xml" name="oval:test-pass:def:1"/>
+ </check>
+ </Rule>
+ <Rule selected="true" id="xccdf_com.example.www_rule_test-remote_res">
+ <title>This rule checks remote resource</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" multi-check="true">
+ <check-content-ref href="security-data-oval.xml.bz2"/>
+ </check>
+ </Rule>
+ <Rule selected="true" id="xccdf_com.example.www_rule_test-pass2">
+ <title>This rule always pass</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref href="test_single_rule.oval.xml" name="oval:test-pass:def:1"/>
+ </check>
+ </Rule>
+</Benchmark>
+</ds:component>
+</ds:data-stream-collection>
diff --git a/tests/curl/test_curl_encoding.sh b/tests/curl/test_curl_encoding.sh
new file mode 100755
index 000000000..6d82f9569
--- /dev/null
+++ b/tests/curl/test_curl_encoding.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e -o pipefail
+
+. $builddir/tests/test_common.sh
+
+function curl_accept_encoding {
+ local DF="${srcdir}/ds.xml"
+ local RF="results.xml"
+ local LOG="verbose.log"
+
+ $OSCAP xccdf --verbose=DEVEL eval --fetch-remote-resources --results $RF $DF 2>$LOG || echo "OK"
+
+ grep -P "Accept-Encoding.*gzip" $LOG
+
+ return 0
+}
+
+test_init
+
+test_run "cURL: Accept-Encoding" curl_accept_encoding
+
+test_exit

76
SOURCES/openscap-1.3.4-add_compression_tracing-PR_1561.patch Normal file
View File

@ -0,0 +1,76 @@
From aab536acdd4b08e2e8c3d4ac43981dfcaf1cc9f8 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Mon, 13 Jul 2020 14:09:52 +0200
Subject: [PATCH] Add CURLOPT_TRANSFER_ENCODING, enable CURLOPT_VERBOSE with
CURLOPT_DEBUGFUNCTION
Adds a request for compressed Transfer Encoding in the outgoing
HTTP request. If the server supports this and so desires, it can
respond with the HTTP response sent using a compressed
Transfer-Encoding that will be automatically uncompressed by
libcurl on reception.
The CURLOPT_DEBUGFUNCTION callback is used for printing headers and
connection information on VERBOSE level (dD).
---
src/common/oscap_acquire.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c
index 551da43f0..666f4f5c9 100644
--- a/src/common/oscap_acquire.c
+++ b/src/common/oscap_acquire.c
@@ -49,6 +49,7 @@
#include "common/_error.h"
#include "oscap_string.h"
#include "oscap_helpers.h"
+#include "debug_priv.h"
#ifndef OSCAP_TEMP_DIR
#define OSCAP_TEMP_DIR "/tmp"
@@ -288,6 +289,34 @@ oscap_acquire_url_to_filename(const char *url)
return filename;
}
+static int _curl_trace(CURL *handle, curl_infotype type, char *data, size_t size, void *userp)
+{
+ const char *title;
+
+ switch (type) {
+ case CURLINFO_TEXT:
+ title = "== cURL info";
+ break;
+ case CURLINFO_HEADER_OUT:
+ title = "=> cURL header (out)";
+ break;
+ case CURLINFO_HEADER_IN:
+ title = "<= cURL header (in)";
+ break;
+ case CURLINFO_DATA_OUT:
+ case CURLINFO_SSL_DATA_OUT:
+ case CURLINFO_DATA_IN:
+ case CURLINFO_SSL_DATA_IN:
+ default:
+ return 0;
+ break;
+ }
+
+ dD("%s: %s", title, data);
+
+ return 0;
+}
+
char* oscap_acquire_url_download(const char *url, size_t* memory_size)
{
CURL *curl;
@@ -303,7 +332,10 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer);
curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, "");
+ curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, true);
curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true);
+ curl_easy_setopt(curl, CURLOPT_VERBOSE, true);
+ curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, _curl_trace);
CURLcode res = curl_easy_perform(curl);
curl_easy_cleanup(curl);

94
SOURCES/openscap-1.3.4-detect_remote_file_systems-PR_1573.patch Normal file
View File

@ -0,0 +1,94 @@
diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c
index 82356d5e0..983675098 100644
--- a/src/OVAL/probes/fsdev.c
+++ b/src/OVAL/probes/fsdev.c
@@ -62,6 +62,7 @@
#endif
#include "fsdev.h"
+#include "common/util.h"
/**
* Compare two dev_t variables.
@@ -79,10 +80,6 @@ static int fsdev_cmp(const void *a, const void *b)
#if defined(OS_LINUX)
static int is_local_fs(struct mntent *ment)
{
-// todo: would it be usefull to provide the choice during build-time?
-#if 1
- char *s;
-
/*
* When type of the filesystem is autofs, it means the mtab entry
* describes the autofs configuration, which means ment->mnt_fsname
@@ -97,37 +94,42 @@ static int is_local_fs(struct mntent *ment)
return 0;
}
- if (ment->mnt_fsname == NULL) {
- return 0;
- }
-
- s = ment->mnt_fsname;
- /* If the fsname begins with "//", it is probably CIFS. */
- if (s[0] == '/' && s[1] == '/')
- return 0;
-
- /* If there's a ':' in the fsname and it occurs before any
- * '/', then this is probably NFS and the file system is
- * considered "remote".
+ /*
+ * The following code is inspired by systemd, function fstype_is_network:
+ * https://github.com/systemd/systemd/blob/21fd6bc263f49b57867d90d2e1f9f255e5509134/src/basic/mountpoint-util.c#L290
*/
- s = strpbrk(s, "/:");
- if (s && *s == ':')
- return 0;
+ const char *fstype = ment->mnt_type;
+ if (oscap_str_startswith(fstype, "fuse.")) {
+ fstype += strlen("fuse.");
+ }
+ const char *network_fs[] = {
+ "afs",
+ "ceph",
+ "cifs",
+ "smb3",
+ "smbfs",
+ "sshfs",
+ "ncpfs",
+ "ncp",
+ "nfs",
+ "nfs4",
+ "gfs",
+ "gfs2",
+ "glusterfs",
+ "gpfs",
+ "pvfs2", /* OrangeFS */
+ "ocfs2",
+ "lustre",
+ "davfs",
+ NULL
+ };
+ for (int i = 0; network_fs[i]; i++) {
+ if (!strcmp(network_fs[i], fstype)) {
+ return 0;
+ }
+ }
return 1;
-#else
- struct stat st;
-
- /* If the file system is not backed-up by a real file, it is
- considered remote. A notable exception is "tmpfs" to allow
- traversal of /tmp et al. */
- if (strcmp(ment->mnt_fsname, "tmpfs") != 0
- && (stat(ment->mnt_fsname, &st) != 0
- || !(S_ISBLK(st.st_mode))))
- return 0;
- else
- return 1;
-#endif
}
#elif defined(OS_AIX)

59
SOURCES/openscap-1.3.4-fix-environmentvariable58-regression.patch Normal file
View File

@ -0,0 +1,59 @@
diff --git a/src/OVAL/probes/independent/environmentvariable58_probe.c b/src/OVAL/probes/independent/environmentvariable58_probe.c
index 552ce6700..77233aeeb 100644
--- a/src/OVAL/probes/independent/environmentvariable58_probe.c
+++ b/src/OVAL/probes/independent/environmentvariable58_probe.c
@@ -96,32 +96,32 @@ static int read_environment(SEXP_t *pid_ent, SEXP_t *name_ent, probe_ctx *ctx)
ssize_t buffer_used;
size_t buffer_size;
+ const char *extra_vars = getenv("OSCAP_CONTAINER_VARS");
+ if (extra_vars && *extra_vars) {
+ char *vars = strdup(extra_vars);
+ char *tok, *eq_chr, *str, *strp;
+
+ for (str = vars; ; str = NULL) {
+ tok = strtok_r(str, "\n", &strp);
+ if (tok == NULL)
+ break;
+ eq_chr = strchr(tok, '=');
+ if (eq_chr == NULL)
+ continue;
+ PROBE_ENT_I32VAL(pid_ent, pid, pid = -1;, pid = 0;);
+ collect_variable(tok, eq_chr - tok, pid, name_ent, ctx);
+ }
+
+ free(vars);
+ return 0;
+ }
+
const char *prefix = getenv("OSCAP_PROBE_ROOT");
snprintf(path, PATH_MAX, "%s/proc", prefix ? prefix : "");
d = opendir(path);
if (d == NULL) {
- const char *extra_vars = getenv("OSCAP_CONTAINER_VARS");
- if (!extra_vars) {
- dE("Can't read %s/proc: errno=%d, %s.", prefix ? prefix : "", errno, strerror(errno));
- return PROBE_EACCESS;
- } else {
- char *vars = strdup(extra_vars);
- char *tok, *eq_chr, *str, *strp;
-
- for (str = vars; ; str = NULL) {
- tok = strtok_r(str, "\n", &strp);
- if (tok == NULL)
- break;
- eq_chr = strchr(tok, '=');
- if (eq_chr == NULL)
- continue;
- PROBE_ENT_I32VAL(pid_ent, pid, pid = -1;, pid = 0;);
- collect_variable(tok, eq_chr - tok, pid, name_ent, ctx);
- }
-
- free(vars);
- return 0;
- }
+ dE("Can't read %s/proc: errno=%d, %s.", prefix ? prefix : "", errno, strerror(errno));
+ return PROBE_EACCESS;
}
if ((buffer = realloc(NULL, BUFFER_SIZE)) == NULL) {

177
SOURCES/openscap-1.3.4-fix-no-more-recursion.patch Normal file
View File

@ -0,0 +1,177 @@
From c8fc880a672afbfdbd384dc6afa4b7fbdd666b73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 27 May 2020 10:38:56 +0200
Subject: [PATCH 1/3] Add a regression test for RHBZ#1686370
There is a non-optimal behavior of file probe. It happens when file path
is specified using a variable with 2 values with `operation="equals"`
and `var_check="all"`. The probe recurses into a file system tree even
if it's obvious that it won't find any match. If one of values is a big
tree (for example `/`) it eventually runs out of memory and crashes. The
OVAL doesn't make sense because it's impossible that a single file would
have 2 different paths. But despite that it's a valid OVAL document.
The test is expected to fail because the bug hasn't been fixed.
---
tests/probes/file/CMakeLists.txt | 1 +
.../test_probes_file_multiple_file_paths.sh | 39 +++++++++++++++++
.../test_probes_file_multiple_file_paths.xml | 42 +++++++++++++++++++
3 files changed, 82 insertions(+)
create mode 100755 tests/probes/file/test_probes_file_multiple_file_paths.sh
create mode 100644 tests/probes/file/test_probes_file_multiple_file_paths.xml
diff --git a/tests/probes/file/CMakeLists.txt b/tests/probes/file/CMakeLists.txt
index 12718603f..35b4c1169 100644
--- a/tests/probes/file/CMakeLists.txt
+++ b/tests/probes/file/CMakeLists.txt
@@ -1,3 +1,4 @@
if(ENABLE_PROBES_UNIX)
add_oscap_test("test_probes_file.sh")
+ add_oscap_test("test_probes_file_multiple_file_paths.sh")
endif()
diff --git a/tests/probes/file/test_probes_file_multiple_file_paths.sh b/tests/probes/file/test_probes_file_multiple_file_paths.sh
new file mode 100755
index 000000000..1cececbb0
--- /dev/null
+++ b/tests/probes/file/test_probes_file_multiple_file_paths.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+set -e -o pipefail
+
+. $builddir/tests/test_common.sh
+
+probecheck "file" || exit 255
+which strace || exit 255
+
+function check_strace_output {
+ strace_log="$1"
+ grep -q "/tmp/numbers/1" $strace_log && return 1
+ grep -q "/tmp/numbers/1/2" $strace_log && return 1
+ grep -q "/tmp/numbers/1/2/3" $strace_log && return 1
+ grep -q "/tmp/numbers/1/2/3/4" $strace_log && return 1
+ grep -q "/tmp/numbers/1/2/3/4/5" $strace_log && return 1
+ grep -q "/tmp/numbers/1/2/3/4/5/6" $strace_log && return 1
+ grep -q "/tmp/letters/a" $strace_log && return 1
+ grep -q "/tmp/letters/a/b" $strace_log && return 1
+ grep -q "/tmp/letters/a/b/c" $strace_log && return 1
+ grep -q "/tmp/letters/a/b/c/d" $strace_log && return 1
+ grep -q "/tmp/letters/a/b/c/d/e" $strace_log && return 1
+ grep -q "/tmp/letters/a/b/c/d/e/f" $strace_log && return 1
+ return 0
+}
+
+rm -rf /tmp/numbers
+mkdir -p /tmp/numbers/1/2/3/4/5/6
+rm -rf /tmp/letters
+mkdir -p /tmp/letters/a/b/c/d/e/f
+strace_log=$(mktemp)
+strace -f -e openat -o $strace_log $OSCAP oval eval --results results.xml "$srcdir/test_probes_file_multiple_file_paths.xml"
+ret=0
+check_strace_output $strace_log || ret=$?
+rm -f $strace_log
+rm -f results.xml
+rm -rf /tmp/numbers
+rm -rf /tmp/letters
+exit $ret
diff --git a/tests/probes/file/test_probes_file_multiple_file_paths.xml b/tests/probes/file/test_probes_file_multiple_file_paths.xml
new file mode 100644
index 000000000..893a3fe97
--- /dev/null
+++ b/tests/probes/file/test_probes_file_multiple_file_paths.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0"?>
+<oval_definitions xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
+ <generator>
+ <oval:schema_version>5.10</oval:schema_version>
+ <oval:timestamp>0001-01-01T00:00:00+00:00</oval:timestamp>
+ </generator>
+
+ <definitions>
+ <definition class="compliance" version="1" id="oval:x:def:1">
+ <metadata>
+ <title>Specify a file path using variable with two values</title>
+ <description>x</description>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ </metadata>
+ <criteria operator="AND">
+ <criterion comment="Check multiple paths" test_ref="oval:x:tst:1"/>
+ </criteria>
+ </definition>
+ </definitions>
+
+ <tests>
+ <file_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:x:tst:1" version="1" comment="Verify all paths exist" check_existence="all_exist" check="all">
+ <object object_ref="oval:x:obj:1"/>
+ </file_test>
+ </tests>
+
+ <objects>
+ <file_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:x:obj:1" version="1" comment="uses var_check=all together with operation=equals">
+ <path datatype="string" var_ref="oval:x:var:1" var_check="all" operation="equals"/>
+ <filename xsi:nil="true" datatype="string"/>
+ </file_object>
+ </objects>
+
+ <variables>
+ <constant_variable datatype="string" comment="2 file paths" version="1" id="oval:x:var:1">
+ <value>/tmp/numbers</value>
+ <value>/tmp/letters</value>
+ </constant_variable>
+ </variables>
+</oval_definitions>
From 569e0013ca83adef233ddecc78a052db9b3ccc5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 2 Jun 2020 15:11:37 +0200
Subject: [PATCH 2/3] Add strace to the list of test dependencies
---
docs/developer/developer.adoc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/developer/developer.adoc b/docs/developer/developer.adoc
index 823a1504e..0f01ace74 100644
--- a/docs/developer/developer.adoc
+++ b/docs/developer/developer.adoc
@@ -152,7 +152,7 @@ After building the library you might want to run library self-checks. To do
that you need to have these additional packages installed:
----
-wget lua which procps-ng initscripts chkconfig sendmail bzip2 rpm-build
+wget lua which procps-ng initscripts chkconfig sendmail bzip2 rpm-build strace
----
On Ubuntu 18.04, also install:
From a47604bf30c6574e570abde4fd01488ba120f82d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 17 Jun 2020 11:00:02 +0200
Subject: [PATCH 3/3] Terminate matching to prevent recursion
Fixes: RHBZ#1686370
---
src/OVAL/probes/oval_fts.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/OVAL/probes/oval_fts.c b/src/OVAL/probes/oval_fts.c
index 696997942..2b7314c38 100644
--- a/src/OVAL/probes/oval_fts.c
+++ b/src/OVAL/probes/oval_fts.c
@@ -1029,6 +1029,15 @@ static FTSENT *oval_fts_read_match_path(OVAL_FTS *ofts)
if (ores == OVAL_RESULT_TRUE)
break;
+ if (ofts->ofts_path_op == OVAL_OPERATION_EQUALS) {
+ /* At this point the comparison result isn't OVAL_RESULT_TRUE. Since
+ we passed the exact path (from filepath or path elements) to
+ fts_open() we surely know that we can't find other items that would
+ be equal. Therefore we can terminate the matching. This can happen
+ if the filepath or path element references a variable that has
+ multiple different values. */
+ return NULL;
+ }
} /* for (;;) */
/*

103
SOURCES/openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch Normal file
View File

@ -0,0 +1,103 @@
From 4ef60df7edfdd7a49a565494142f86d93f9268b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 31 Jul 2020 10:38:17 +0200
Subject: [PATCH] Plug a memory leak
==12029== at 0x483A809: malloc (vg_replace_malloc.c:307)
==12029== by 0x51F1386: realpath@@GLIBC_2.3 (in /usr/lib64/libc-2.31.so)
==12029== by 0x489F8CA: oscap_realpath (util.c:251)
==12029== by 0x495E6EF: rpmverify_collect (rpmverifyfile_probe.c:248)
==12029== by 0x495F461: rpmverifyfile_probe_main (rpmverifyfile_probe.c:543)
==12029== by 0x4935598: probe_worker (worker.c:1090)
==12029== by 0x4932F10: probe_worker_runfn (worker.c:81)
==12029== by 0x4CDA431: start_thread (in /usr/lib64/libpthread-2.31.so)
==12029== by 0x52A8912: clone (in /usr/lib64/libc-2.31.so)
==12029== at 0x483CCE8: realloc (vg_replace_malloc.c:834)
==12029== by 0x4D9DCD8: rrealloc (in /usr/lib64/librpmio.so.9.0.1)
==12029== by 0x4D25B88: headerFormat (in /usr/lib64/librpm.so.9.0.1)
==12029== by 0x495E467: rpmverify_collect (rpmverifyfile_probe.c:230)
==12029== by 0x495F461: rpmverifyfile_probe_main
(rpmverifyfile_probe.c:543)
==12029== by 0x4935598: probe_worker (worker.c:1090)
==12029== by 0x4932F10: probe_worker_runfn (worker.c:81)
==12029== by 0x4CDA431: start_thread (in
/usr/lib64/libpthread-2.31.so)
==12029== by 0x52A8912: clone (in /usr/lib64/libc-2.31.so)
Resolves: RHBZ#1861301
---
.../probes/unix/linux/rpmverifyfile_probe.c | 24 ++++++++++++++-----
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
index c86818e72..57d69f552 100644
--- a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
+++ b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
@@ -61,10 +61,10 @@
struct rpmverify_res {
char *name; /**< package name */
- const char *epoch;
- const char *version;
- const char *release;
- const char *arch;
+ char *epoch;
+ char *version;
+ char *release;
+ char *arch;
char *file; /**< filepath */
char extended_name[1024];
rpmVerifyAttrs vflags; /**< rpm verify flags */
@@ -272,14 +272,14 @@ static int rpmverify_collect(probe_ctx *ctx,
free(current_file_realpath);
continue;
}
- res.file = current_file_realpath ? current_file_realpath : strdup(current_file);
+ res.file = current_file_realpath ? oscap_strdup(current_file_realpath) : oscap_strdup(current_file);
break;
case OVAL_OPERATION_PATTERN_MATCH:
ret = pcre_exec(re, NULL, current_file, strlen(current_file), 0, 0, NULL, 0);
switch(ret) {
case 0: /* match */
- res.file = strdup(current_file);
+ res.file = oscap_strdup(current_file);
break;
case -1:
/* mismatch */
@@ -299,12 +299,18 @@ static int rpmverify_collect(probe_ctx *ctx,
free(current_file_realpath);
goto ret;
}
+ free(current_file_realpath);
if (rpmVerifyFile(g_rpm->rpmts, fi, &res.vflags, omit) != 0)
res.vflags = RPMVERIFY_FAILURES;
if (callback(ctx, &res) != 0) {
ret = 0;
+ free(res.name);
+ free(res.epoch);
+ free(res.version);
+ free(res.release);
+ free(res.arch);
free(res.file);
goto ret;
}
@@ -313,6 +319,12 @@ static int rpmverify_collect(probe_ctx *ctx,
rpmfiFree(fi);
}
+
+ free(res.name);
+ free(res.epoch);
+ free(res.version);
+ free(res.release);
+ free(res.arch);
}
match = rpmdbFreeIterator (match);
--
2.26.2

66
SPECS/openscap.spec
View File

@ -1,19 +1,19 @@
Name: openscap Name: openscap
Version: 1.3.2 Version: 1.3.3
Release: 6%{?dist} Release: 5%{?dist}
Summary: Set of open source libraries enabling integration of the SCAP line of standards Summary: Set of open source libraries enabling integration of the SCAP line of standards
Group: System Environment/Libraries Group: System Environment/Libraries
License: LGPLv2+ License: LGPLv2+
URL: http://www.open-scap.org/ URL: http://www.open-scap.org/
Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
# PATCHES FOR 1.3.2 Patch1: openscap-1.3.4-fix-environmentvariable58-regression.patch
Patch1: 01-add-test-fix-type-anaconda.patch Patch2: openscap-1.3.4-fix-no-more-recursion.patch
Patch2: 02-do-not-use-keyword-operator-as-a-function-parameter.patch Patch3: openscap-1.3.4-add_compression_support-PR_1557.patch
Patch3: 03-fix-cmake-test-for-libcap-xattr-h.patch Patch4: openscap-1.3.4-add_compression_test-PR_1564.patch
Patch4: 04-oscap-podman-detect-ambiguous-targets.patch Patch5: openscap-1.3.4-add_compression_tracing-PR_1561.patch
Patch5: openscap-1.3.2-covscan_ux_fix.patch Patch6: openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch
Patch6: openscap-1.3.3-fix-cmake-findacl.patch Patch7: openscap-1.3.4-detect_remote_file_systems-PR_1573.patch
# END PATCHES FOR 1.3.2
BuildRequires: cmake >= 2.6 BuildRequires: cmake >= 2.6
BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
BuildRequires: rpm-devel BuildRequires: rpm-devel
@ -29,6 +29,7 @@ BuildRequires: openldap-devel
BuildRequires: GConf2-devel BuildRequires: GConf2-devel
BuildRequires: glib2-devel BuildRequires: glib2-devel
BuildRequires: dbus-devel BuildRequires: dbus-devel
BuildRequires: libyaml-devel
%if %{?_with_check:1}%{!?_with_check:0} %if %{?_with_check:1}%{!?_with_check:0}
BuildRequires: perl-XML-XPath BuildRequires: perl-XML-XPath
BuildRequires: bzip2 BuildRequires: bzip2
@ -36,6 +37,7 @@ BuildRequires: bzip2
Requires: bash Requires: bash
Requires: bzip2-libs Requires: bzip2-libs
Requires: dbus Requires: dbus
Requires: libyaml
Requires: GConf2 Requires: GConf2
Requires: glib2 Requires: glib2
Requires: libacl Requires: libacl
@ -137,6 +139,7 @@ for developing applications that use %{name}-engine-sce.
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1 %patch6 -p1
%patch7 -p1
mkdir build mkdir build
%build %build
@ -216,12 +219,54 @@ rm -rf $RPM_BUILD_ROOT
%{_bindir}/oscap-vm %{_bindir}/oscap-vm
%{_mandir}/man8/scap-as-rpm.8.gz %{_mandir}/man8/scap-as-rpm.8.gz
%{_bindir}/scap-as-rpm %{_bindir}/scap-as-rpm
%{_mandir}/man8/autotailor.8.gz
%{_bindir}/autotailor
%files engine-sce %files engine-sce
%{_libdir}/libopenscap_sce.so.* %{_libdir}/libopenscap_sce.so.*
%{_bindir}/oscap-run-sce-script %{_bindir}/oscap-run-sce-script
%changelog %changelog
* Wed Aug 19 2020 Jan Černý <jcerny@redhat.com> - 1.3.3-5
- Detect remote file systems correctly (RHBZ#1870087)
* Mon Aug 03 2020 Jan Černý <jcerny@redhat.com> - 1.3.3-4
- Fix memory leaks in rpmverifyfile probe (RHBZ#1861301)
* Tue Jul 21 2020 Matěj Týč <matyc@redhat.com> - 1.3.3-3
- Added support for fetching remote content with compression (RHBZ#1855708)
* Thu Jun 25 2020 Matěj Týč <matyc@redhat.com> - 1.3.3-2
- Prevent unwanted recursion that could crash the scanner (RHBZ#1686370)
* Mon May 04 2020 Evgeny Kolesnikov <ekolesni@redhat.com> - 1.3.3-1
- Upgrade to the latest upstream release (rhbz#1829761)
- Added a Python script that can be used for CLI tailoring (autotailor)
- Added timezone to XCCDF TestResult start/end time
- Added yamlfilecontent independent probe (proposal/draft implementation)
- Added ability to generate `machineconfig` fix
- Introduced `urn:xccdf:fix:script:kubernetes` fix type in XCCDF
- Fixed filepath pattern matching in offline mode in textfilecontent58 probe
- Fixed #170: The rpmverifyfile probe can't verify files from '/bin' directory
- Fixed #1512: Severity refinement lost in generated guide
- Fixed #1453: Pointer lost in Swig API
- The data system_info probe return for offline and online modes is consistent and actual
- Evaluation Characteristics of the XCCDF report are now consistent with OVAL entities
from system_info probe
* Fri Mar 27 2020 Jan Černý <jcerny@redhat.com> - 1.3.2-9
- Generate HTML guides from tailored profiles (RHBZ#1743835)
* Wed Mar 18 2020 Jan Černý <jcerny@redhat.com> - 1.3.2-8
- Fix tests for rpmverifyfileprobe (RHBZ#1814726)
* Thu Mar 12 2020 Jan Černý <jcerny@redhat.com> - 1.3.2-7
- Fix segmentation fault in systemdunitdependency_probe (RHBZ#1793050)
- Fix crash in textfilecontent probe (RHBZ#1686467)
- Do not drop empty lines from Ansible remediations (RHBZ#1795563)
- Fix oscap-ssh --sudo (RHBZ#1803116)
- Remove useless warnings (RHBZ#1764139)
* Thu Jan 23 2020 Jan Černý <jcerny@redhat.com> - 1.3.2-6 * Thu Jan 23 2020 Jan Černý <jcerny@redhat.com> - 1.3.2-6
- Fix FindACL.cmake - Fix FindACL.cmake
@ -702,4 +747,3 @@ rm -rf $RPM_BUILD_ROOT
* Thu Jan 15 2009 Tomas Heinrich <theinric@redhat.com> 0.1.1-1 * Thu Jan 15 2009 Tomas Heinrich <theinric@redhat.com> 0.1.1-1
- Initial rpm - Initial rpm