From 0b628fc5ca9e33b613a5a89d0ef7db145124a605 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 24 2020 03:30:06 +0000 Subject: import openscap-1.3.2-9.el8 --- diff --git a/SOURCES/openscap-1.2.18-oscap-ssh-sudo.patch b/SOURCES/openscap-1.2.18-oscap-ssh-sudo.patch new file mode 100644 index 0000000..064bbdb --- /dev/null +++ b/SOURCES/openscap-1.2.18-oscap-ssh-sudo.patch @@ -0,0 +1,52 @@ +From f2d9ec9883a344daa67a80ad54e6652185346395 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= +Date: Fri, 14 Feb 2020 14:57:33 +0100 +Subject: [PATCH] Fixed oscap-ssh failing to retrieve the result files when + executing with --sudo + +Depending on the umask configuration of the target system, "sudo oscap" +may create the result files in temporary directory with 600 permissions, +which makes retrieving the log (as the regular user that ssh'ed to the +system) impossible: + +~~~ +$ oscap-ssh --sudo user@system 22 xccdf eval ... +[...] +oscap exit code: 0 +Copying back requested files... +scp: /tmp/tmp.0kfbPWEy6u/report.html: Permission denied +Failed to copy the HTML report back to local machine! +~~~ + +Scenario to reproduce the failure: set a default umask in /etc/sudoers: + +~~~ +Defaults umask = 0077 +~~~ + +The fix consists in changing the result files' ownership from "root" to +user's back, all while in the single sudo (using two sudo commands +wouldn't be nice since the user may get the password prompt twice, +depending on the sudo's configuration). +--- + utils/oscap-ssh | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/utils/oscap-ssh b/utils/oscap-ssh +index 658cc2ee4..bd2e209c4 100755 +--- a/utils/oscap-ssh ++++ b/utils/oscap-ssh +@@ -280,7 +280,12 @@ echo "Starting the evaluation..." + # changing directory because of --oval-results support. oval results files are + # dumped into PWD, and we can't be sure by the file names - we need controlled + # environment +-ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO oscap $(command_array_to_string oscap_args)" "$SSH_TTY_ALLOCATION_OPTION" ++if [ -z "$OSCAP_SUDO" ]; then ++ ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; oscap $(command_array_to_string oscap_args)" "$SSH_TTY_ALLOCATION_OPTION" ++else ++ OSCAP_CMD="oscap $(command_array_to_string oscap_args); rc=\$?; chown \$SUDO_USER $REMOTE_TEMP_DIR/*; exit \$rc" ++ ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO sh -c '$OSCAP_CMD'" "$SSH_TTY_ALLOCATION_OPTION" ++fi + OSCAP_EXIT_CODE=$? + echo "oscap exit code: $OSCAP_EXIT_CODE" + diff --git a/SOURCES/openscap-1.3.3-ansible-newlines.patch b/SOURCES/openscap-1.3.3-ansible-newlines.patch new file mode 100644 index 0000000..7e6b509 --- /dev/null +++ b/SOURCES/openscap-1.3.3-ansible-newlines.patch @@ -0,0 +1,156 @@ +diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c +index f59737727..19bb59f2e 100644 +--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c ++++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c +@@ -139,11 +139,10 @@ static int _write_remediation_to_fd_and_free(int output_fd, const char* template + free(text); + return 1; + } +- +- if (_write_text_to_fd(output_fd, "\n") != 0) { +- free(text); +- return 1; +- } ++ } ++ if (_write_text_to_fd(output_fd, "\n") != 0) { ++ free(text); ++ return 1; + } + + if (next_delim != NULL) { +diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt +index 2a56d3cdc..05ddea219 100644 +--- a/tests/API/XCCDF/unittests/CMakeLists.txt ++++ b/tests/API/XCCDF/unittests/CMakeLists.txt +@@ -18,6 +18,7 @@ if(PYTHONINTERP_FOUND) + add_oscap_test("all_python.sh") + endif() + ++add_oscap_test("test_ansible_yaml_block_scalar.sh") + add_oscap_test("test_xccdf_shall_pass1.sh") + add_oscap_test("test_xccdf_shall_pass2.sh") + add_oscap_test("test_xccdf_shall_pass3.sh") +diff --git a/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.playbook.yml b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.playbook.yml +new file mode 100644 +index 000000000..dd0276739 +--- /dev/null ++++ b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.playbook.yml +@@ -0,0 +1,37 @@ ++--- ++ ++ ++- hosts: all ++ vars: ++ tasks: ++ - name: Make sure contents of /etc/audit/rules.d/10-base-config.rules are as expected ++ copy: ++ dest: /etc/audit/rules.d/10-base-config.rules ++ content: |+ ++ ## First rule - delete all ++ -D ++ ++ ## Increase the buffers to survive stress events. ++ ## Make this bigger for busy systems ++ -b 8192 ++ ++ ## This determine how long to wait in burst of events ++ --backlog_wait_time 60000 ++ ++ ## Set failure mode to syslog ++ -f 1 ++ ++ ++ force: true ++ when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" ++ tags: ++ - audit_basic_configuration ++ - medium_severity ++ - restrict_strategy ++ - low_complexity ++ - low_disruption ++ - no_reboot_needed ++ - CCE-82462-3 ++ - NIST-800-53-AU-2(a) ++ ++ +diff --git a/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.sh b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.sh +new file mode 100755 +index 000000000..4ca5b3be5 +--- /dev/null ++++ b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.sh +@@ -0,0 +1,21 @@ ++#!/bin/bash ++. $builddir/tests/test_common.sh ++ ++set -e ++set -o pipefail ++ ++profile="xccdf_moc.elpmaxe.www_profile_standard" ++ ++name=$(basename $0 .sh) ++stderr=$(mktemp -t ${name}.err.XXXXXX) ++playbook=$(mktemp -t ${name}.yml.XXXXXX) ++playbook_without_header=$(mktemp -t ${name}.yml.XXXXXX) ++ ++# Generate an Ansible playbook from a profile in SDS file ++$OSCAP xccdf generate fix --profile $profile --fix-type ansible "$srcdir/$name.xccdf.xml" >$playbook 2>$stderr ++sed '/^#/d' $playbook > $playbook_without_header ++diff -u $playbook_without_header $srcdir/$name.playbook.yml ++[ -f $stderr ]; [ ! -s $stderr ]; rm $stderr ++ ++rm $playbook ++rm $playbook_without_header +diff --git a/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.xccdf.xml b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.xccdf.xml +new file mode 100644 +index 000000000..81b2adfd4 +--- /dev/null ++++ b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.xccdf.xml +@@ -0,0 +1,48 @@ ++ ++ ++ incomplete ++ Security Benchmark ++ A sample benchmark ++ 1.0 ++ ++ Standard System Security Profile ++ This profile contains rules to ensure standard security baseline of your system. ++