From 160b6f074d9944a87865ffdea735349d271fa6e8 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 06 2018 18:39:28 +0000
Subject: import openscap-1.2.14-3.el7_4
---
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..741acb3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/openscap-1.2.14.tar.gz
diff --git a/.openscap.metadata b/.openscap.metadata
new file mode 100644
index 0000000..850ff0f
--- /dev/null
+++ b/.openscap.metadata
@@ -0,0 +1 @@
+6c2f4ff0bbbd6b80e6c99f15a2e0d052a1f9afe1 SOURCES/openscap-1.2.14.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/openscap-1.2.14-rpm-probes-not-applicable-PR-733.patch b/SOURCES/openscap-1.2.14-rpm-probes-not-applicable-PR-733.patch
new file mode 100644
index 0000000..c5a4643
--- /dev/null
+++ b/SOURCES/openscap-1.2.14-rpm-probes-not-applicable-PR-733.patch
@@ -0,0 +1,473 @@ +From 61fef6cc090b097141cd45c1f783c4fe6b89efc5 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 May 2017 12:39:07 +0200 +Subject: [PATCH 1/9] Change rpmverifyfile error when init fails + +When rpmverifyfile probe_init() fails it is because RPM config files +were not found, and we expect "not applicable" in this case. +--- + src/OVAL/probes/unix/linux/rpmverifyfile.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile.c b/src/OVAL/probes/unix/linux/rpmverifyfile.c +index 0897b82c4..f0febdee9 100644 +--- a/src/OVAL/probes/unix/linux/rpmverifyfile.c ++++ b/src/OVAL/probes/unix/linux/rpmverifyfile.c +@@ -435,11 +435,10 @@ int probe_main (probe_ctx *ctx, void *arg) + uint64_t collect_flags = 0; + unsigned int i; + ++ /* ++ * If probe_init() failed it's because there was no rpm config files ++ */ + if (arg == NULL) { +- return PROBE_EINIT; +- } +- +- if (g_rpm.rpmts == NULL) { + probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); + return 0; + } + +From 71f41d635142297e299cc4877bd93ea896271e70 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 May 2017 12:42:26 +0200 +Subject: [PATCH 2/9] Fix rpmverifyfile probe fini when init fails + +When rpmverifyfile probe_init() fails g_rpm->rpmts and g_rpm->mutex are +not initialized +--- + src/OVAL/probes/unix/linux/rpmverifyfile.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile.c b/src/OVAL/probes/unix/linux/rpmverifyfile.c +index f0febdee9..968bb3807 100644 +--- a/src/OVAL/probes/unix/linux/rpmverifyfile.c ++++ b/src/OVAL/probes/unix/linux/rpmverifyfile.c +@@ -330,11 +330,18 @@ void probe_fini (void *ptr) + { + struct rpm_probe_global *r = (struct rpm_probe_global *)ptr; + +- rpmtsFree(r->rpmts); + rpmFreeCrypto(); + rpmFreeRpmrc(); + rpmFreeMacros(NULL); + rpmlogClose(); ++ ++ /* ++ * If probe_init() failed r->rpmts and r->mutex were 
not initialized ++ */ ++ if (r == NULL) ++ return; ++ ++ rpmtsFree(r->rpmts); + pthread_mutex_destroy (&(r->mutex)); + + return; + +From 4912ee36b3230c2f431150750c78380d4e149621 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 May 2017 12:48:00 +0200 +Subject: [PATCH 3/9] Change rpmverify error when init fails + +When rpmverify probe_init() fails it is because RPM config files +were not found, and we expect "not applicable" in this case. +--- + src/OVAL/probes/unix/linux/rpmverify.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/OVAL/probes/unix/linux/rpmverify.c b/src/OVAL/probes/unix/linux/rpmverify.c +index 5eb069d21..dd667a9f1 100644 +--- a/src/OVAL/probes/unix/linux/rpmverify.c ++++ b/src/OVAL/probes/unix/linux/rpmverify.c +@@ -321,10 +321,10 @@ int probe_main (probe_ctx *ctx, void *arg) + uint64_t collect_flags = 0; + unsigned int i; + ++ /* ++ * If probe_init() failed it's because there was no rpm config files ++ */ + if (arg == NULL) { +- return PROBE_EINIT; +- } +- if (g_rpm.rpmts == NULL) { + probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); + return 0; + } + +From b9c3afd67b2f86644a08375aaee822b72c077149 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 May 2017 12:49:04 +0200 +Subject: [PATCH 4/9] Fix rpmverify probe fini when init fails + +When rpmverify probe_init() fails g_rpm->rpmts and g_rpm->mutex are +not initialized. 
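Review bot: The new `arg == NULL` branch in rpmverify's probe_main() reports NOT_APPLICABLE for every probe_init() failure without logging anything, so a host whose RPM configuration is merely unreadable (broken install, restricted mount, offline chroot) will have its rpmverify-based definitions come back as not applicable rather than as errors, and not-applicable does not count against a compliance result. The commit message asserts the only init failure is missing RPM config files, but probe_init() is outside this hunk so that cannot be confirmed here, and any other failure mode in it is now masked the same way. I would at least make the downgrade visible in the probe log, e.g. `dW("rpmverify: RPM configuration not available, reporting not applicable");` before the `probe_cobj_set_flag(...)` call, the way rpminfo keeps its regex failure distinguishable. probe_main() continues past the hunk.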
+--- + src/OVAL/probes/unix/linux/rpmverify.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/src/OVAL/probes/unix/linux/rpmverify.c b/src/OVAL/probes/unix/linux/rpmverify.c +index dd667a9f1..f1f32417e 100644 +--- a/src/OVAL/probes/unix/linux/rpmverify.c ++++ b/src/OVAL/probes/unix/linux/rpmverify.c +@@ -246,12 +246,19 @@ void probe_fini (void *ptr) + { + struct rpm_probe_global *r = (struct rpm_probe_global *)ptr; + +- rpmtsFree(r->rpmts); + rpmFreeCrypto(); +- rpmFreeRpmrc(); +- rpmFreeMacros(NULL); +- rpmlogClose(); +- pthread_mutex_destroy (&(r->mutex)); ++ rpmFreeRpmrc(); ++ rpmFreeMacros(NULL); ++ rpmlogClose(); ++ ++ /* ++ * If probe_init() failed r->rpmts and r->mutex were not initialized ++ */ ++ if (r == NULL) ++ return; ++ ++ rpmtsFree(r->rpmts); ++ pthread_mutex_destroy (&(r->mutex)); + + return; + } + +From 20893b46b6a813326dcc7a60f1b888da14ead3ac Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 May 2017 13:23:04 +0200 +Subject: [PATCH 5/9] Change rpminfo probe_init() fails + +rpminfo probe_init() can fail because regex compilation failed or +because RPM config files were not found, return error in the first +case and "not applicable" in the second. 
+--- + src/OVAL/probes/unix/linux/rpminfo.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/src/OVAL/probes/unix/linux/rpminfo.c b/src/OVAL/probes/unix/linux/rpminfo.c +index f7f73a727..639030a52 100644 +--- a/src/OVAL/probes/unix/linux/rpminfo.c ++++ b/src/OVAL/probes/unix/linux/rpminfo.c +@@ -275,19 +275,20 @@ void *probe_init (void) + #ifdef HAVE_RPM46 + rpmlogSetCallback(rpmErrorCb, NULL); + #endif +- if (rpmReadConfigFiles ((const char *)NULL, (const char *)NULL) != 0) { +- dI("rpmReadConfigFiles failed: %u, %s.", errno, strerror (errno)); +- return (NULL); +- } +- +- g_rpm.rpmts = rpmtsCreate(); +- pthread_mutex_init (&(g_rpm.mutex), NULL); +- + if (regcomp(&g_keyid_regex, g_keyid_regex_string, REG_EXTENDED) != 0) { + dE("regcomp(%s) failed."); + return NULL; + } + ++ if (rpmReadConfigFiles ((const char *)NULL, (const char *)NULL) != 0) { ++ dI("rpmReadConfigFiles failed: %u, %s.", errno, strerror (errno)); ++ g_rpm.rpmts = NULL; ++ return ((void *)&g_rpm); ++ } ++ ++ g_rpm.rpmts = rpmtsCreate(); ++ pthread_mutex_init (&(g_rpm.mutex), NULL); ++ + return ((void *)&g_rpm); + } + +@@ -378,9 +379,16 @@ int probe_main (probe_ctx *ctx, void *arg) + struct rpminfo_req request_st; + struct rpminfo_rep *reply_st; + ++ /* ++ * arg is NULL if regex compilation failed ++ */ + if (arg == NULL) { + return PROBE_EINIT; + } ++ ++ /* ++ * There was no rpm config files ++ */ + if (g_rpm.rpmts == NULL) { + probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); + return 0; + +From 070ec7e9029f8221163fd3f07e242c244d0b3b65 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 May 2017 13:27:02 +0200 +Subject: [PATCH 6/9] Fix rpminfo probe fini when init fails + +When rpminfo probe_init() fails either the regex compilation failed +or RPM config files were not found. The probe_fini() should handle each +case differently. 
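Review bot: The context line `dE("regcomp(%s) failed.");` carried into the reordered rpminfo probe_init() has a `%s` conversion with no matching argument, so on the regex-failure path the logger pulls an arbitrary pointer off the stack — undefined behaviour and at best a garbage string in the log. Since the commit moves the code around this line it should fix it too: `dE("regcomp(%s) failed.", g_keyid_regex_string);`. On the same hunk `dI("rpmReadConfigFiles failed: %u, %s.", errno, strerror (errno));` prints an `int` with `%u` and assumes rpmReadConfigFiles() sets errno, which librpm does not promise; `%d` and a hedged or dropped errno text would be more honest. probe_init()'s opening lines are outside the hunk.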
+--- + src/OVAL/probes/unix/linux/rpminfo.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/src/OVAL/probes/unix/linux/rpminfo.c b/src/OVAL/probes/unix/linux/rpminfo.c +index 639030a52..28cba15e0 100644 +--- a/src/OVAL/probes/unix/linux/rpminfo.c ++++ b/src/OVAL/probes/unix/linux/rpminfo.c +@@ -296,14 +296,22 @@ void probe_fini (void *ptr) + { + struct rpm_probe_global *r = (struct rpm_probe_global *)ptr; + +- rpmtsFree(r->rpmts); + rpmFreeCrypto(); +- rpmFreeRpmrc(); +- rpmFreeMacros(NULL); +- rpmlogClose(); +- pthread_mutex_destroy (&(r->mutex)); ++ rpmFreeRpmrc(); ++ rpmFreeMacros(NULL); ++ rpmlogClose(); ++ ++ if (r == NULL) ++ return; ++ + regfree(&g_keyid_regex); + ++ if (r->rpmts == NULL) ++ return; ++ ++ rpmtsFree(r->rpmts); ++ pthread_mutex_destroy (&(r->mutex)); ++ + return; + } + + +From 881461099ce42160079b9228c2080b072f1d4232 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 May 2017 13:30:42 +0200 +Subject: [PATCH 7/9] Change rpmverifypackage probe_init() fails + +rpmverifypackage probe_init() can fail because chroot failed or +because RPM config files were not found, return error in the first +case and "not applicable" in the second. 
+--- + src/OVAL/probes/unix/linux/rpmverifypackage.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage.c b/src/OVAL/probes/unix/linux/rpmverifypackage.c +index 34d7255ca..15e0e0d89 100644 +--- a/src/OVAL/probes/unix/linux/rpmverifypackage.c ++++ b/src/OVAL/probes/unix/linux/rpmverifypackage.c +@@ -336,7 +336,8 @@ void *probe_init (void) + + if (rpmReadConfigFiles (NULL, (const char *)NULL) != 0) { + dI("rpmReadConfigFiles failed: %u, %s.", errno, strerror (errno)); +- return (NULL); ++ g_rpm.rpm.rpmts = NULL; ++ return ((void *)&g_rpm); + } + + g_rpm.rpm.rpmts = rpmtsCreate(); +@@ -417,10 +418,16 @@ int probe_main (probe_ctx *ctx, void *arg) + uint64_t collect_flags = 0; + unsigned int i; + ++ /* ++ * arg is NULL if we were not able to chroot during probe_init() ++ */ + if (arg == NULL) { + return PROBE_EINIT; + } + ++ /* ++ * There was no rpm config files ++ */ + if (g_rpm.rpm.rpmts == NULL) { + probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); + return 0; + +From 7d4bfce2966dec8b4c1ff44edfa473e17a6aeaec Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 May 2017 13:38:12 +0200 +Subject: [PATCH 8/9] Fix rpmverifypackage probe fini when init fails + +rpmverifypackage probe_init() can fail during chroot or because +RPM config files were not found, return error in the first +case and "not applicable" in the second. 
+--- + src/OVAL/probes/unix/linux/rpmverifypackage.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage.c b/src/OVAL/probes/unix/linux/rpmverifypackage.c +index 15e0e0d89..43c47e308 100644 +--- a/src/OVAL/probes/unix/linux/rpmverifypackage.c ++++ b/src/OVAL/probes/unix/linux/rpmverifypackage.c +@@ -360,12 +360,29 @@ void probe_fini (void *ptr) + { + struct verifypackage_global *r = (struct verifypackage_global *)ptr; + +- rpmtsFree(r->rpm.rpmts); +- probe_chroot_free(&(r->chr)); + rpmFreeCrypto(); + rpmFreeRpmrc(); + rpmFreeMacros(NULL); + rpmlogClose(); ++ ++ /* ++ * This will be always set by probe_init(), lets free it ++ */ ++ probe_chroot_free(&g_rpm.chr); ++ ++ /* ++ * If r is null, probe_init() failed during chroot ++ */ ++ if (r == NULL) ++ return; ++ ++ /* ++ * If r->rpm.rpmts was not initialized the mutex was not as well ++ */ ++ if (r->rpm.rpmts == NULL) ++ return; ++ ++ rpmtsFree(r->rpm.rpmts); + pthread_mutex_destroy (&(r->rpm.mutex)); + + return; + +From 6fcc797c6f35b8ad72c9c6190e44f0bfa2b68673 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 12 May 2017 20:33:42 +0200 +Subject: [PATCH 9/9] Fix comment style + +--- + src/OVAL/probes/unix/linux/rpminfo.c | 8 ++------ + src/OVAL/probes/unix/linux/rpmverify.c | 8 ++------ + src/OVAL/probes/unix/linux/rpmverifyfile.c | 8 ++------ + src/OVAL/probes/unix/linux/rpmverifypackage.c | 20 +++++--------------- + 4 files changed, 11 insertions(+), 33 deletions(-) + +diff --git a/src/OVAL/probes/unix/linux/rpminfo.c b/src/OVAL/probes/unix/linux/rpminfo.c +index 28cba15e0..602cf4c91 100644 +--- a/src/OVAL/probes/unix/linux/rpminfo.c ++++ b/src/OVAL/probes/unix/linux/rpminfo.c +@@ -387,16 +387,12 @@ int probe_main (probe_ctx *ctx, void *arg) + struct rpminfo_req request_st; + struct rpminfo_rep *reply_st; + +- /* +- * arg is NULL if regex compilation failed +- */ ++ // arg is NULL if regex compilation failed + if (arg == 
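Review bot: `probe_chroot_free(&g_rpm.chr)` in the new rpmverifypackage probe_fini() reaches for the global instead of the `r` handle the function is given, and the comment justifying it ("will be always set by probe_init()") describes code outside this hunk, so a reader cannot verify that the chroot state is fully initialised on the path where probe_init() returns NULL. If probe_chroot_free() is not safe on a partially initialised struct this is an invalid-free in the failure path; if it is safe, the comment should carry that reason rather than the bare claim, e.g. `// g_rpm.chr is populated before any failure point in probe_init(), so release it even when r == NULL (chroot failed)` — hedged here because probe_init() is not visible. The order also changed: rpmFreeCrypto()/rpmFreeRpmrc()/rpmlogClose() now run before the chroot is torn down and before rpmtsFree(); if any of those touch files under the chroot the reorder matters and deserves a sentence in the commit message.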
NULL) { + return PROBE_EINIT; + } + +- /* +- * There was no rpm config files +- */ ++ // There was no rpm config files + if (g_rpm.rpmts == NULL) { + probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); + return 0; +diff --git a/src/OVAL/probes/unix/linux/rpmverify.c b/src/OVAL/probes/unix/linux/rpmverify.c +index f1f32417e..6ef7da574 100644 +--- a/src/OVAL/probes/unix/linux/rpmverify.c ++++ b/src/OVAL/probes/unix/linux/rpmverify.c +@@ -251,9 +251,7 @@ void probe_fini (void *ptr) + rpmFreeMacros(NULL); + rpmlogClose(); + +- /* +- * If probe_init() failed r->rpmts and r->mutex were not initialized +- */ ++ // If probe_init() failed r->rpmts and r->mutex were not initialized + if (r == NULL) + return; + +@@ -328,9 +326,7 @@ int probe_main (probe_ctx *ctx, void *arg) + uint64_t collect_flags = 0; + unsigned int i; + +- /* +- * If probe_init() failed it's because there was no rpm config files +- */ ++ // If probe_init() failed it's because there was no rpm config files + if (arg == NULL) { + probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); + return 0; +diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile.c b/src/OVAL/probes/unix/linux/rpmverifyfile.c +index 968bb3807..763c03c9f 100644 +--- a/src/OVAL/probes/unix/linux/rpmverifyfile.c ++++ b/src/OVAL/probes/unix/linux/rpmverifyfile.c +@@ -335,9 +335,7 @@ void probe_fini (void *ptr) + rpmFreeMacros(NULL); + rpmlogClose(); + +- /* +- * If probe_init() failed r->rpmts and r->mutex were not initialized +- */ ++ // If probe_init() failed r->rpmts and r->mutex were not initialized + if (r == NULL) + return; + +@@ -442,9 +440,7 @@ int probe_main (probe_ctx *ctx, void *arg) + uint64_t collect_flags = 0; + unsigned int i; + +- /* +- * If probe_init() failed it's because there was no rpm config files +- */ ++ // If probe_init() failed it's because there was no rpm config files + if (arg == NULL) { + probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); + 
return 0; +diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage.c b/src/OVAL/probes/unix/linux/rpmverifypackage.c +index 43c47e308..3c0dd5003 100644 +--- a/src/OVAL/probes/unix/linux/rpmverifypackage.c ++++ b/src/OVAL/probes/unix/linux/rpmverifypackage.c +@@ -365,20 +365,14 @@ void probe_fini (void *ptr) + rpmFreeMacros(NULL); + rpmlogClose(); + +- /* +- * This will be always set by probe_init(), lets free it +- */ ++ // This will be always set by probe_init(), lets free it + probe_chroot_free(&g_rpm.chr); + +- /* +- * If r is null, probe_init() failed during chroot +- */ ++ // If r is null, probe_init() failed during chroot + if (r == NULL) + return; + +- /* +- * If r->rpm.rpmts was not initialized the mutex was not as well +- */ ++ // If r->rpm.rpmts was not initialized the mutex was not as well + if (r->rpm.rpmts == NULL) + return; + +@@ -435,16 +429,12 @@ int probe_main (probe_ctx *ctx, void *arg) + uint64_t collect_flags = 0; + unsigned int i; + +- /* +- * arg is NULL if we were not able to chroot during probe_init() +- */ ++ // arg is NULL if we were not able to chroot during probe_init() + if (arg == NULL) { + return PROBE_EINIT; + } + +- /* +- * There was no rpm config files +- */ ++ // There was no rpm config files + if (g_rpm.rpm.rpmts == NULL) { + probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); + return 0; diff --git a/SOURCES/openscap-1.2.14-sysctl-test-s390x-PR-726.patch b/SOURCES/openscap-1.2.14-sysctl-test-s390x-PR-726.patch new file mode 100644 index 0000000..9923391 --- /dev/null +++ b/SOURCES/openscap-1.2.14-sysctl-test-s390x-PR-726.patch 
@@ -0,0 +1,23 @@
+From 83342658ceb4230c218b0b47046ca6bb8e239f62 Mon Sep 17 00:00:00 2001
+From: Marek Haicman
+Date: Mon, 24 Apr 2017 10:05:59 +0200
+Subject: [PATCH] Fixing sysctl test on s390 architecture
+
+---
+ tests/probes/sysctl/test_sysctl_probe_all.sh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh
+index 1b725231d..fa3539255 100755
+--- a/tests/probes/sysctl/test_sysctl_probe_all.sh
++++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
+@@ -22,7 +22,8 @@ $OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev
+ 
+ # sysctl has duplicities in output
+ # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'"
+-sysctl -aN --deprecated 2> /dev/null | sort -u > "$sysctlNames"
++# kernel parameters might use "/" and "." separators interchangeably - normalizing
++sysctl -aN --deprecated 2> /dev/null | tr "/" "." | sort -u > "$sysctlNames"
+ 
+ grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
+ 
diff --git a/SOURCES/openscap-1.2.14-warning-by-default-PR-630.patch b/SOURCES/openscap-1.2.14-warning-by-default-PR-630.patch
new file mode 100644
index 0000000..28ab34b
--- /dev/null
+++ b/SOURCES/openscap-1.2.14-warning-by-default-PR-630.patch
@@ -0,0 +1,281 @@ +From bb66711ed1151a5dfaa52a9ba4ad3658bdf546f7 Mon Sep 17 00:00:00 2001 +From: Martin Preisler +Date: Wed, 4 Jan 2017 16:41:31 -0500 +Subject: [PATCH 1/9] Make WARNING the default verbosity level + +--- + src/common/debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/common/debug.c b/src/common/debug.c +index bbcad4583..71d345a9d 100644 +--- a/src/common/debug.c ++++ b/src/common/debug.c +@@ -85,7 +85,7 @@ oscap_verbosity_levels oscap_verbosity_level_from_cstr(const char *level_name) + bool oscap_set_verbose(const char *verbosity_level, const char *filename, bool is_probe) + { + if (verbosity_level == NULL) { +- return true; ++ verbosity_level = "WARNING"; + } + __debuglog_level = oscap_verbosity_level_from_cstr(verbosity_level); + if (__debuglog_level == DBG_UNKNOWN) { + +From 54d66d5db6ab4e3fc24c05e239b7a4c474e3b20e Mon Sep 17 00:00:00 2001 +From: Martin Preisler +Date: Wed, 1 Feb 2017 13:24:47 -0500 +Subject: [PATCH 3/9] Changed a warning about parsing without benchmark + reference to info + +It's not a serious warning and in many use-cases is expected. 
+--- + src/XCCDF/tailoring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/XCCDF/tailoring.c b/src/XCCDF/tailoring.c +index dd2379e5f..4fe9e5d88 100644 +--- a/src/XCCDF/tailoring.c ++++ b/src/XCCDF/tailoring.c +@@ -187,7 +187,7 @@ struct xccdf_tailoring *xccdf_tailoring_parse(xmlTextReaderPtr reader, struct xc + } + case XCCDFE_PROFILE: { + if (benchmark != NULL) { +- dW("Parsing Tailoring Profiles without reference to Benchmark"); ++ dI("Parsing Tailoring Profiles without reference to Benchmark"); + } + struct xccdf_item *item = xccdf_profile_parse(reader, benchmark); + if (!xccdf_tailoring_add_profile(tailoring, XPROFILE(item))) { + +From 3ef6685ae05007f7328b9284c0fcb22732b38f00 Mon Sep 17 00:00:00 2001 +From: Martin Preisler +Date: Wed, 1 Feb 2017 14:00:54 -0500 +Subject: [PATCH 4/9] Filter expected permission errors from stderr in + test_sysctl_probe_all.sh + +--- + tests/probes/sysctl/test_sysctl_probe_all.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh +index 1b725231d..8e763ac37 100755 +--- a/tests/probes/sysctl/test_sysctl_probe_all.sh ++++ b/tests/probes/sysctl/test_sysctl_probe_all.sh +@@ -28,6 +28,8 @@ grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames" + + diff "$sysctlNames" "$ourNames" + ++# remove oscap error message related to permissions from stderr ++sed -i -E "/^E: lt-probe_sysctl: Can't read sysctl value from /d" "$stderr" + [ ! 
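Review bot: The message being downgraded to dI sits under `if (benchmark != NULL)`, yet its text says Tailoring Profiles are being parsed *without* a reference to a Benchmark — the condition and the message contradict each other, and this commit keeps both while only lowering the level. Either the test is inverted (should be `benchmark == NULL`, in which case the message is right and arguably still deserves dW, since a profile with no benchmark cannot be resolved against one) or the message is wrong; confirm which against xccdf_profile_parse() before reducing its visibility. Note that the spec in this import says this whole patch is applied in reverse, so the line actually shipped is the `dW` variant with the same mismatch. xccdf_tailoring_parse() continues outside the hunk.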
-s $stderr ] + + rm $stderr $result $ourNames $sysctlNames + +From 789486ee35410af0fc5739e2d68436470f2b3006 Mon Sep 17 00:00:00 2001 +From: Martin Preisler +Date: Wed, 1 Feb 2017 14:51:34 -0500 +Subject: [PATCH 5/9] Filter out the expected error in sql57 probe test + +--- + tests/probes/sql57/unsupported_engine.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tests/probes/sql57/unsupported_engine.sh b/tests/probes/sql57/unsupported_engine.sh +index f90d6c8b7..6243cff35 100755 +--- a/tests/probes/sql57/unsupported_engine.sh ++++ b/tests/probes/sql57/unsupported_engine.sh +@@ -10,6 +10,8 @@ echo "stderr file: $stderr" + + echo "Evaluating content." + $OSCAP oval eval --results $result $srcdir/${name}.oval.xml 2> $stderr ++# filter out the expected error in stderr ++sed -i -E "/^E: lt-probe_sql57: DB engine not supported: sqlserver/d" "$stderr" + [ -f $stderr ]; [ ! -s $stderr ]; rm $stderr + echo "Validating results." + #$OSCAP oval validate-xml --results --schematron $result + +From cdff2e8504c19f473cbe3b1c64f56b99f13106af Mon Sep 17 00:00:00 2001 +From: Martin Preisler +Date: Wed, 8 Feb 2017 15:04:17 -0500 +Subject: [PATCH 6/9] Do not output errors if check engine plugin auto-loading + fails + +If SCE is not installed it will fail in an expected way and it makes no +sense to clutter the error log with it. Explicit plugin loading via the +API will still fail with errors. 
+--- + src/XCCDF/public/xccdf_session.h | 3 +++ + src/XCCDF/xccdf_session.c | 11 ++++++++--- + src/XCCDF_POLICY/check_engine_plugin.c | 26 +++++++++++++++++--------- + src/XCCDF_POLICY/public/check_engine_plugin.h | 1 + + utils/oscap.c | 3 ++- + 5 files changed, 31 insertions(+), 13 deletions(-) + +diff --git a/src/XCCDF/public/xccdf_session.h b/src/XCCDF/public/xccdf_session.h +index e1473aebe..2f1bf87c1 100644 +--- a/src/XCCDF/public/xccdf_session.h ++++ b/src/XCCDF/public/xccdf_session.h +@@ -358,8 +358,11 @@ int xccdf_session_load_oval(struct xccdf_session *session); + * + * @memberof xccdf_session + * @param session XCCDF Session ++ * @param plugin_name Name of the plugin to load ++ * @param quiet If true we will not output errors if loading fails + * @returns zero on success + */ ++int xccdf_session_load_check_engine_plugin2(struct xccdf_session *session, const char* plugin_name, bool quiet); + int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char* plugin_name); + + /** +diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c +index 3474e265e..60ea38bae 100644 +--- a/src/XCCDF/xccdf_session.c ++++ b/src/XCCDF/xccdf_session.c +@@ -945,9 +945,9 @@ int xccdf_session_load_oval(struct xccdf_session *session) + return 0; + } + +-int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char *plugin_name) ++int xccdf_session_load_check_engine_plugin2(struct xccdf_session *session, const char *plugin_name, bool quiet) + { +- struct check_engine_plugin_def *plugin = check_engine_plugin_load(plugin_name); ++ struct check_engine_plugin_def *plugin = check_engine_plugin_load2(plugin_name, quiet); + + if (!plugin) + return -1; // error already set +@@ -964,6 +964,11 @@ int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const + } + } + ++int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char *plugin_name) ++{ ++ return 
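Review bot: The Doxygen block in xccdf_session.h now describes the new `xccdf_session_load_check_engine_plugin2()` (the `@param quiet` line was added to it and it is the first declaration after the comment), which leaves the original `xccdf_session_load_check_engine_plugin()` declared right below it with no documentation at all. Give the old entry point its own one-liner, e.g. `/** Same as xccdf_session_load_check_engine_plugin2() with quiet == false. */`, and make the `@param quiet` text say what callers actually need to know: when true, no oscap error is set on failure, so oscap_err_desc() will not describe it. The public header now also depends on `bool`; check that it already includes `<stdbool.h>`, which is not visible in this hunk.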
xccdf_session_load_check_engine_plugin2(session, plugin_name, false); ++} ++ + int xccdf_session_load_check_engine_plugins(struct xccdf_session *session) + { + xccdf_session_unload_check_engine_plugins(session); +@@ -973,7 +978,7 @@ int xccdf_session_load_check_engine_plugins(struct xccdf_session *session) + while (*known_plugins) { + // We do not report failure when a known plugin doesn't load properly, that's because they + // are optional and we don't know if it's not there or if it just failed to load. +- if (xccdf_session_load_check_engine_plugin(session, *known_plugins) != 0) ++ if (xccdf_session_load_check_engine_plugin2(session, *known_plugins, true) != 0) + oscap_clearerr(); + + known_plugins++; +diff --git a/src/XCCDF_POLICY/check_engine_plugin.c b/src/XCCDF_POLICY/check_engine_plugin.c +index af9791a46..ea9e821b6 100644 +--- a/src/XCCDF_POLICY/check_engine_plugin.c ++++ b/src/XCCDF_POLICY/check_engine_plugin.c +@@ -47,7 +47,7 @@ static void check_engine_plugin_def_free(struct check_engine_plugin_def *plugin) + oscap_free(plugin); + } + +-struct check_engine_plugin_def *check_engine_plugin_load(const char* path) ++struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool quiet) + { + struct check_engine_plugin_def *ret = check_engine_plugin_def_new(); + +@@ -61,9 +61,10 @@ struct check_engine_plugin_def *check_engine_plugin_load(const char* path) + if (!ret->module_handle) { + error = dlerror(); + +- oscap_seterr(OSCAP_EFAMILY_GLIBC, +- "Failed to load extra check engine from '%s'. Details: '%s'.", +- path, error); ++ if (!quiet) ++ oscap_seterr(OSCAP_EFAMILY_GLIBC, ++ "Failed to load extra check engine from '%s'. 
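Review bot: The context line `return -1; // error already set` immediately after the new `check_engine_plugin_load2(plugin_name, quiet)` call is no longer true when `quiet` is true: in that mode the loader returns NULL without calling oscap_seterr(), so a caller that reads the error after a -1 sees whatever stale error was there before. The only in-tree quiet caller, xccdf_session_load_check_engine_plugins(), happens to call oscap_clearerr() afterwards, but the comment should state the contract rather than rely on it: `return -1; // error set unless quiet`. It would also help operators if the quiet path still left a debug/info-level line in the session log explaining why SCE-backed rules end up notchecked.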
Details: '%s'.", ++ path, error); + + check_engine_plugin_def_free(ret); + return NULL; +@@ -73,9 +74,10 @@ struct check_engine_plugin_def *check_engine_plugin_load(const char* path) + *(void **)(&entry_fn) = dlsym(ret->module_handle, STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY)); + + if ((error = dlerror()) != NULL) { +- oscap_seterr(OSCAP_EFAMILY_GLIBC, +- "Failed to retrieve module entry '%s' from loaded extra check engine '%s'. Details: '%s'.", +- STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY), path, error); ++ if (!quiet) ++ oscap_seterr(OSCAP_EFAMILY_GLIBC, ++ "Failed to retrieve module entry '%s' from loaded extra check engine '%s'. Details: '%s'.", ++ STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY), path, error); + + dlclose(ret->module_handle); + check_engine_plugin_def_free(ret); +@@ -83,8 +85,9 @@ struct check_engine_plugin_def *check_engine_plugin_load(const char* path) + } + + if ((*entry_fn)(ret) != 0) { +- oscap_seterr(OSCAP_EFAMILY_GLIBC, +- "Failed to fill check_engine_plugin_def when loading check engine plugin '%s'.", path); ++ if (!quiet) ++ oscap_seterr(OSCAP_EFAMILY_GLIBC, ++ "Failed to fill check_engine_plugin_def when loading check engine plugin '%s'.", path); + + dlclose(ret->module_handle); + check_engine_plugin_def_free(ret); +@@ -94,6 +97,11 @@ struct check_engine_plugin_def *check_engine_plugin_load(const char* path) + return ret; + } + ++struct check_engine_plugin_def *check_engine_plugin_load(const char* path) ++{ ++ return check_engine_plugin_load2(path, false); ++} ++ + void check_engine_plugin_unload(struct check_engine_plugin_def *plugin) + { + if (!plugin->module_handle) { +diff --git a/src/XCCDF_POLICY/public/check_engine_plugin.h b/src/XCCDF_POLICY/public/check_engine_plugin.h +index 7878fe07f..4a992ae34 100644 +--- a/src/XCCDF_POLICY/public/check_engine_plugin.h ++++ b/src/XCCDF_POLICY/public/check_engine_plugin.h +@@ -52,6 +52,7 @@ struct check_engine_plugin_def + const char *(*get_capabilities_fn)(void**); + }; + ++struct 
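Review bot: With `quiet` true every failure branch in check_engine_plugin_load2() — the dlopen() failure, the missing entry symbol and a non-zero return from the entry function — returns NULL with no trace at all, and the `dlerror()` text is simply discarded. That is the intent for an absent SCE plugin, but it equally hides an installed plugin that refuses to load (ABI mismatch, missing dependency, loader policy), and rules that depend on it will quietly come back as notchecked. I would keep oscap_seterr() suppressed but still log each branch at a low level, e.g. `else dI("Check engine plugin '%s' not loaded: %s", path, error);`, so the cause is visible when verbosity is raised; dI is the info-level macro used elsewhere in this patch set. check_engine_plugin_load2()'s signature is in the hunk but the dlopen() call that sets `error` is partly above it.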
check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool quiet); + struct check_engine_plugin_def *check_engine_plugin_load(const char* path); + void check_engine_plugin_unload(struct check_engine_plugin_def *plugin); + +diff --git a/utils/oscap.c b/utils/oscap.c +index 7396101a8..1e966540c 100644 +--- a/utils/oscap.c ++++ b/utils/oscap.c +@@ -126,7 +126,8 @@ static int print_versions(const struct oscap_action *action) + const char * const *known_plugins = check_engine_plugin_get_known_plugins(); + bool known_plugin_found = false; + while (*known_plugins) { +- struct check_engine_plugin_def *plugin = check_engine_plugin_load(*known_plugins); ++ // try to load the plugin but output no errors if it fails (quiet=true) ++ struct check_engine_plugin_def *plugin = check_engine_plugin_load2(*known_plugins, true); + if (plugin) { + printf("%s (from %s)\n", check_engine_plugin_get_capabilities(plugin), *known_plugins); + check_engine_plugin_unload(plugin); + +From 703c1045aedf1f826f007a01cf8b387b525c1d55 Mon Sep 17 00:00:00 2001 +From: Martin Preisler +Date: Thu, 9 Feb 2017 13:54:53 -0500 +Subject: [PATCH 7/9] Filter out the expected warning in + test_remediation_subs_unresolved + +--- + tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh b/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh +index f48239d93..44ae2f772 100755 +--- a/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh ++++ b/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh +@@ -35,6 +35,8 @@ assert_exists 1 '//score[text()="0.000000"]' + ret=0 + $OSCAP xccdf eval --remediate --results $result $srcdir/${name}.xccdf.xml 2> $stderr || ret=$? + [ $ret -eq 2 ] ++# filter out the expected warning in stderr ++sed -i -E "/^W: oscap: The xccdf:rule-result\/xccdf:instance element was not found./d" "$stderr" + [ -f $stderr ]; [ ! 
-s $stderr ]; rm $stderr
+ 
+ $OSCAP xccdf validate-xml $result
+ 
diff --git a/SOURCES/openscap-1.2.15-use-checklist-id-to-get-html-guide-PR-745.patch b/SOURCES/openscap-1.2.15-use-checklist-id-to-get-html-guide-PR-745.patch
new file mode 100644
index 0000000..be8157a
--- /dev/null
+++ b/SOURCES/openscap-1.2.15-use-checklist-id-to-get-html-guide-PR-745.patch
@@ -0,0 +1,37 @@
+From e8f6f67552b196b9d65fa40719e2ea00c87a9579 Mon Sep 17 00:00:00 2001
+From: Evgeni Golov
+Date: Fri, 19 May 2017 17:34:59 +0200
+Subject: [PATCH] pass session->checklist_id to oscap_htable_get in
+ get_html_guide
+
+In b8defed we moved to using s->checklist_id instead of hard coding
+xccdf.xml. However, this change was forgotten in
+ds_sds_session_get_html_guide which leads to the following error when
+trying to get the HTML guide:
+
+ Internal error: Could not acquire handle to xccdf.xml source.
+
+This change migrates ds_sds_session_get_html_guide to also use
+s->checklist_id and thus fixes the issue.
+
+Fixes: #744
+---
+ src/DS/ds_sds_session.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/DS/ds_sds_session.c b/src/DS/ds_sds_session.c
+index db7692a65..f14588e09 100644
+--- a/src/DS/ds_sds_session.c
++++ b/src/DS/ds_sds_session.c
+@@ -352,9 +352,9 @@ char *ds_sds_session_get_html_guide(struct ds_sds_session *session, const char *
+ "profile_id", profile_id,
+ NULL
+ };
+- struct oscap_source *xccdf = oscap_htable_get(session->component_sources, "xccdf.xml");
++ struct oscap_source *xccdf = oscap_htable_get(session->component_sources, session->checklist_id);
+ if (xccdf == NULL) {
+- oscap_seterr(OSCAP_EFAMILY_OSCAP, "Internal error: Could not acquire handle to xccdf.xml source.");
++ oscap_seterr(OSCAP_EFAMILY_OSCAP, "Internal error: Could not acquire handle to '%s' source.", session->checklist_id);
+ return NULL;
+ }
+ return oscap_source_apply_xslt_path_mem(xccdf, "xccdf-guide.xsl", params, oscap_path_to_xslt());
diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec
new file mode 100644
index 0000000..26a2e03
--- /dev/null
+++ b/SPECS/openscap.spec
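Review bot: Both new lines pass `session->checklist_id` through unchecked — as the hash-table key and as the `%s` argument of the error message — so if ds_sds_session_get_html_guide() can be called before a checklist has been selected on the session, the lookup runs on a NULL key and the `%s` is undefined behaviour (glibc prints "(null)", other libcs may crash). Whether that state is reachable is not visible from this hunk, since the field is assigned elsewhere, so I would add a guard ahead of the lookup: `if (session->checklist_id == NULL)`, set an OSCAP_EFAMILY_OSCAP error saying no checklist is selected in the session, and `return NULL`. The function's head and the `params` table begin above the hunk.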
@@ -0,0 +1,579 @@
+%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
+%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+
+%define relabel_files() \
+restorecon -R /usr/bin/oscap /usr/libexec/openscap; \
+
+Name: openscap
+Version: 1.2.14
+Release: 3%{?dist}
+Summary: Set of open source libraries enabling integration of the SCAP line of standards
+Group: System Environment/Libraries
+License: LGPLv2+
+URL: http://www.open-scap.org/
+Source0: http://fedorahosted.org/releases/o/p/openscap/%{name}-%{version}.tar.gz
+Patch0: openscap-1.2.14-rpm-probes-not-applicable-PR-733.patch
+Patch1: openscap-1.2.14-sysctl-test-s390x-PR-726.patch
+# We are reverting the patch below, not applying it! The patch has been modified to remove line count changes, we got rid of line count checking in 1.2.14
+Patch2: openscap-1.2.14-warning-by-default-PR-630.patch
+Patch3: openscap-1.2.15-use-checklist-id-to-get-html-guide-PR-745.patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: swig libxml2-devel libxslt-devel perl-XML-Parser
+BuildRequires: rpm-devel
+BuildRequires: libgcrypt-devel
+BuildRequires: pcre-devel
+BuildRequires: libacl-devel
+BuildRequires: libselinux-devel libcap-devel
+BuildRequires: libblkid-devel
+BuildRequires: bzip2-devel
+%if %{?_with_check:1}%{!?_with_check:0}
+BuildRequires: perl-XML-XPath
+%endif
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+
+%description
+OpenSCAP is a set of open source libraries providing an easier path
+for integration of the SCAP line of standards. SCAP is a line of standards
+managed by NIST with the goal of providing a standard language
+for the expression of Computer Network Defense related information.
+
+%package devel
+Summary: Development files for %{name}
+Group: Development/Libraries
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: libxml2-devel
+Requires: pkgconfig
+
+%description devel
+The %{name}-devel package contains libraries and header files for
+developing applications that use %{name}.
+
+%package python
+Summary: Python bindings for %{name}
+Group: Development/Libraries
+Requires: %{name}%{?_isa} = %{version}-%{release}
+BuildRequires: python-devel
+
+%description python
+The %{name}-python package contains the bindings so that %{name}
+libraries can be used by python.
+
+%package scanner
+Summary: OpenSCAP Scanner Tool (oscap)
+Group: Applications/System
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: libcurl >= 7.12.0
+BuildRequires: libcurl-devel >= 7.12.0
+Obsoletes: openscap-selinux
+
+%description scanner
+The %{name}-scanner package contains oscap command-line tool. The oscap
+is configuration and vulnerability scanner, capable of performing
+compliance checking using SCAP content.
+
+%package utils
+Summary: OpenSCAP Utilities
+Group: Applications/System
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: rpmdevtools rpm-build
+Requires: %{name}-scanner%{?_isa} = %{version}-%{release}
+
+%description utils
+The %{name}-utils package contains command-line tools build on top
+of OpenSCAP library. Historically, openscap-utils included oscap
+tool which is now separated to %{name}-scanner sub-package.
+
+
+%package extra-probes
+Summary: SCAP probes
+Group: Applications/System
+Requires: %{name}%{?_isa} = %{version}-%{release}
+BuildRequires: openldap-devel
+BuildRequires: GConf2-devel
+#BuildRequires: opendbx - for sql
+
+%description extra-probes
+The %{name}-extra-probes package contains additional probes that are not
+commonly used and require additional dependencies.
+
+%package engine-sce
+Summary: Script Check Engine plug-in for OpenSCAP
+Group: Applications/System
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description engine-sce
+The Script Check Engine is non-standard extension to SCAP protocol. This
+engine allows content authors to avoid OVAL language and write their assessment
+commands using a scripting language (Bash, Perl, Python, Ruby, ...).
+
+%package engine-sce-devel
+Summary: Development files for %{name}-engine-sce
+Group: Development/Libraries
+Requires: %{name}-devel%{?_isa} = %{version}-%{release}
+Requires: %{name}-engine-sce%{?_isa} = %{version}-%{release}
+Requires: pkgconfig
+
+%description engine-sce-devel
+The %{name}-engine-sce-devel package contains libraries and header files
+for developing applications that use %{name}-engine-sce.
+
+%prep
+%setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1 -R
+%patch3 -p1
+
+%build
+%ifarch sparc64
+#sparc64 need big PIE
+export CFLAGS="$RPM_OPT_FLAGS -fPIE"
+export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
+%else
+export CFLAGS="$RPM_OPT_FLAGS -fpie"
+export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
+%endif
+
+%configure --enable-sce
+
+make %{?_smp_mflags}
+# Remove shebang from bash-completion script
+sed -i '/^#!.*bin/,+1 d' dist/bash_completion.d/oscap
+
+%check
+#to run make check use "--with check"
+%if %{?_with_check:1}%{!?_with_check:0}
+make check
+%endif
+
+%install
+rm -rf $RPM_BUILD_ROOT
+
+make install INSTALL='install -p' DESTDIR=$RPM_BUILD_ROOT
+
+# remove content for another OS
+rm $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-rhel6-oval.xml
+rm $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-rhel6-xccdf.xml
+rm $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-fedora14-oval.xml
+rm $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-fedora14-xccdf.xml
+
+# Remove sectool SCE content which is not distributed along RHEL7
+rm $RPM_BUILD_ROOT/%{_datadir}/openscap/sectool-sce/sectool-xccdf.xml
+rm $RPM_BUILD_ROOT/%{_datadir}/openscap/sectool-sce/*.sh
+rmdir $RPM_BUILD_ROOT/%{_datadir}/openscap/sectool-sce
+
+# bash-completion script
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/bash_completion.d
+install -pm 644 dist/bash_completion.d/oscap $RPM_BUILD_ROOT%{_sysconfdir}/bash_completion.d/oscap
+
+find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%files
+%defattr(-,root,root,-)
+%doc AUTHORS COPYING ChangeLog NEWS README.md
+%{_libdir}/libopenscap.so.*
+%{_libexecdir}/openscap/probe_dnscache
+%{_libexecdir}/openscap/probe_environmentvariable
+%{_libexecdir}/openscap/probe_environmentvariable58
+%{_libexecdir}/openscap/probe_family
+%{_libexecdir}/openscap/probe_file
+%{_libexecdir}/openscap/probe_fileextendedattribute
+%{_libexecdir}/openscap/probe_filehash
+%{_libexecdir}/openscap/probe_filehash58
+%{_libexecdir}/openscap/probe_iflisteners
+%{_libexecdir}/openscap/probe_inetlisteningservers
+%{_libexecdir}/openscap/probe_interface
+%{_libexecdir}/openscap/probe_partition
+%{_libexecdir}/openscap/probe_password
+%{_libexecdir}/openscap/probe_process
+%{_libexecdir}/openscap/probe_process58
+%{_libexecdir}/openscap/probe_routingtable
+%{_libexecdir}/openscap/probe_rpminfo
+%{_libexecdir}/openscap/probe_rpmverify
+%{_libexecdir}/openscap/probe_rpmverifyfile
+%{_libexecdir}/openscap/probe_rpmverifypackage
+%{_libexecdir}/openscap/probe_runlevel
+%{_libexecdir}/openscap/probe_selinuxboolean
+%{_libexecdir}/openscap/probe_selinuxsecuritycontext
+%{_libexecdir}/openscap/probe_shadow
+%{_libexecdir}/openscap/probe_symlink
+%{_libexecdir}/openscap/probe_sysctl
+%{_libexecdir}/openscap/probe_system_info
+%{_libexecdir}/openscap/probe_systemdunitdependency
+%{_libexecdir}/openscap/probe_systemdunitproperty
+%{_libexecdir}/openscap/probe_textfilecontent
+%{_libexecdir}/openscap/probe_textfilecontent54
+%{_libexecdir}/openscap/probe_uname
+%{_libexecdir}/openscap/probe_variable
+%{_libexecdir}/openscap/probe_xinetd
+%{_libexecdir}/openscap/probe_xmlfilecontent
+%dir %{_datadir}/openscap
+%dir %{_datadir}/openscap/schemas
+%dir %{_datadir}/openscap/xsl
+%dir %{_datadir}/openscap/cpe
+%{_datadir}/openscap/schemas/*
+%{_datadir}/openscap/xsl/*
+%{_datadir}/openscap/cpe/*
+
+%files python
+%defattr(-,root,root,-)
+%{python_sitearch}/*
+
+%files devel
+%defattr(-,root,root,-)
+%doc docs/{html,examples}/
+%{_libdir}/libopenscap.so
+%{_libdir}/pkgconfig/*.pc
+%{_includedir}/openscap
+%exclude %{_includedir}/openscap/sce_engine_api.h
+
+%files engine-sce-devel
+%defattr(-,root,root,-)
+%{_libdir}/libopenscap_sce.so
+%{_includedir}/openscap/sce_engine_api.h
+
+%files scanner
+%{_mandir}/man8/oscap.8.gz
+%{_bindir}/oscap
+%{_sysconfdir}/bash_completion.d
+
+%files utils
+%defattr(-,root,root,-)
+%doc docs/oscap-scan.cron
+%{_mandir}/man8/*
+%exclude %{_mandir}/man8/oscap.8.gz
+%{_bindir}/*
+%exclude %{_bindir}/oscap
+%{python_sitelib}/oscap_docker_python/*
+
+
+%files extra-probes
+%{_libexecdir}/openscap/probe_ldap57
+%{_libexecdir}/openscap/probe_gconf
+
+%files engine-sce
+%{_libdir}/libopenscap_sce.so.*
+
+%changelog
+* Wed Feb 21 2018 Watson Yuuma Sato - 1.2.14-3
+- Use checklist ID instead of hardcoded value to get HTML guide (#1545584)
+
+* Fri May 19 2017 Martin Preisler - 1.2.14-2
+- RPM probes to return not applicable on non-rpm systems (#1447629)
+- fixed sysctl tests on s390x architecture (#1447649)
+- Revert warning by default in oscap tool, our message categories are not ready for it (#1447341)
+
+* Tue Mar 21 2017 Jan Černý - 1.2.14-1
+- Upgrade to the latest upstream release
+- Detailed information about ARF files in 'oscap info'
+- Generating remediation scripts from ARF
+- HTML report UX improvements
+- Fixed CPE dictionary to identify RHEVH as RHEL7 (#1420038)
+- Fixed systemd probes crashes inside containers (#1431186)
+- Fixed output on terminals with white background (#1365911)
+- Error handling in oscap-vm (#1391754)
+- Fixed SCE stderr stalling (#1420811)
+- Fixed absolute filepath parsing in OVAL (#1312831, #1312824)
+- Fixed segmentation faults in RPM probes (#1414303, #1414312)
+- Fixed missing header in result-oriented Ansible remediations
+
+* Thu Jan 05 2017 Martin Preisler - 1.2.13-1
+- Upgrade to the latest upstream release
+- Added --thin-results CLI override to oscap xccdf eval
+- Added --without-syschar CLI override to oscap xccdf eval
+- Remediations are not filtered by applicability
+- Fixed segmentation faults in XCCDF and OVAL processing
+- Added a warning on generating an ARF from XCCDF 1.1
+
+* Wed Nov 16 2016 Martin Preisler - 1.2.12-1
+- Upgrade to the latest upstream release
+- improved HTML report by referencing links
+- fixed validity errors in ARF files
+- fixed CVE parsing
+- fixed injecting xccdf:check-content-ref references in ARF results
+- fixed oscap-docker incompliance reporting (#1387248)
+- fixed oscap-docker man page (#1387166)
+
+* Mon Nov 14 2016 Martin Preisler - 1.2.11-1
+- upgrade to the latest upstream release
+
+* Mon Sep 05 2016 Jan Černý - 1.2.10-2
+- fix oscap-docker to follow the proxy settings (#1351952)
+
+* Thu Jun 30 2016 Jan Černý - 1.2.10-1
+- upgrade to the latest upstream release
+
+* Tue May 31 2016 Martin Preisler - 1.2.9-7
+- fixed dates in the changelog
+- changed Release to 7 to avoid conflicts
+
+* Tue May 31 2016 Martin Preisler - 1.2.9-4
+- worked around a change in behavior in argparse between different versions of python2 (#1278147)
+
+* Thu May 05 2016 Martin Preisler - 1.2.9-3
+- fixed loading SDS session multiple times (#1250072)
+
+* Tue Apr 26 2016 Jan Černý - 1.2.9-2
+- fix specfile
+
+* Mon Apr 25 2016 Jan Černý - 1.2.9-1
+- upgrade to the latest upstream release
+
+* Fri Jul 24 2015 Martin Preisler - 1.2.5-3
+- add a patch for scap-as-rpm to generate SRPM correctly (#1242893)
+
+* Fri Jul 24 2015 Martin Preisler - 1.2.5-2
+- add a patch to support RHSA identifiers in HTML report and guide (#1243808)
+
+* Mon Jul 06 2015 Šimon Lukašík - 1.2.5-1
+- upgrade to the latest upstream release
+
+* Mon Jun 22 2015 Šimon Lukašík - 1.2.4-1
+- upgrade to the latest upstream release
+- drop openscap-selinux sub-package
+
+* Tue Jan 20 2015 Šimon Lukašík - 1.1.1-3
+- USGCB, schematron: var_ref missing when var_check exported (#1182242)
+
+* Thu Jan 08 2015 Šimon Lukašík - 1.1.1-2
+- STIG-generated results contain var_ref without var_check (#1159289)
+- Probes failed to stop by USR1 signal as specified (#1165139)
+
+* Fri Sep 26 2014 Šimon Lukašík - 1.1.1-1
+- upgrade to the latest upstream release
+
+* Wed Sep 03 2014 Šimon Lukašík - 1.1.0-1
+- upgrade
+- introduce openscap-scanner sub-package (#1115105)
+
+* Fri Jan 24 2014 Daniel Mach - 1.0.3-2
+- Mass rebuild 2014-01-24
+
+* Tue Jan 14 2014 Šimon Lukašík - 1.0.3-1
+- upgrade
+- This upstream release addresses: #1052142
+
+* Fri Jan 10 2014 Šimon Lukašík - 1.0.2-1
+- upgrade
+- This upstream release addresses: #1018291, #1029879, #1026833
+
+* Fri Dec 27 2013 Daniel Mach - 1.0.1-2
+- Mass rebuild 2013-12-27
+
+* Thu Nov 28 2013 Šimon Lukašík - 1.0.1-1
+- upgrade
+
+* Tue Nov 26 2013 Šimon Lukašík - 1.0.0-3
+- expand LT_CURRENT_MINUS_AGE correctly
+
+* Thu Nov 21 2013 Šimon Lukašík - 1.0.0-2
+- dlopen libopenscap_sce.so.{current-age} explicitly
+ That allows for SCE to work without openscap-engine-sce-devel
+
+* Tue Nov 19 2013 Šimon Lukašík - 1.0.0-1
+- upgrade
+- package openscap-engine-sce-devel separately
+
+* Fri Nov 15 2013 Šimon Lukašík - 0.9.13-7
+- do not obsolete openscap-conten just drop it (#1028706)
+ scap-security-guide will bring the Obsoletes tag
+
+* Thu Nov 14 2013 Šimon Lukašík - 0.9.13-6
+- only non-noarch packages should be requiring specific architecture
+
+* Sat Nov 09 2013 Šimon Lukašík 0.9.13-5
+- specify architecture when requiring base package
+
+* Fri Nov 08 2013 Šimon Lukašík 0.9.13-4
+- specify dependency between engine and devel sub-package
+
+* Fri Nov 08 2013 Šimon Lukašík 0.9.13-3
+- correct openscap-utils dependencies
+
+* Fri Nov 08 2013 Šimon Lukašík 0.9.13-2
+- drop openscap-content package (use scap-security-guide instead)
+
+* Fri Nov 08 2013 Šimon Lukašík 0.9.13-1
+- upgrade
+
+* Thu Sep 26 2013 Šimon Lukašík 0.9.12-2
+- Start building SQL probes for Fedora
+
+* Wed Sep 11 2013 Šimon Lukašík 0.9.12-1
+- upgrade
+
+* Thu Jul 18 2013 Petr Lautrbach 0.9.11-1
+- upgrade
+
+* Mon Jul 15 2013 Petr Lautrbach 0.9.10-1
+- upgrade
+
+* Mon Jun 17 2013 Petr Lautrbach 0.9.8-1
+- upgrade
+
+* Fri Apr 26 2013 Petr Lautrbach 0.9.7-1
+- upgrade
+- add openscap-selinux sub-package
+
+* Wed Apr 24 2013 Petr Lautrbach 0.9.6-1
+- upgrade
+
+* Wed Mar 20 2013 Petr Lautrbach 0.9.5-1
+- upgrade
+
+* Mon Mar 04 2013 Petr Lautrbach 0.9.4.1-1
+- upgrade
+
+* Tue Feb 26 2013 Petr Lautrbach 0.9.4-1
+- upgrade
+
+* Thu Feb 14 2013 Fedora Release Engineering - 0.9.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Dec 17 2012 Petr Lautrbach 0.9.3-1
+- upgrade
+
+* Wed Nov 21 2012 Petr Lautrbach 0.9.2-1
+- upgrade
+
+* Mon Oct 22 2012 Petr Lautrbach 0.9.1-1
+- upgrade
+
+* Tue Sep 25 2012 Peter Vrabec 0.9.0-1
+- upgrade
+
+* Mon Aug 27 2012 Petr Lautrbach 0.8.5-1
+- upgrade
+
+* Tue Aug 07 2012 Petr Lautrbach 0.8.4-1
+- upgrade
+
+* Tue Jul 31 2012 Petr Lautrbach 0.8.3-2
+- fix Profile and @hidden issue
+
+* Mon Jul 30 2012 Petr Lautrbach 0.8.3-1
+- upgrade
+
+* Fri Jul 20 2012 Fedora Release Engineering - 0.8.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Jun 08 2012 Petr Pisar - 0.8.2-2
+- Perl 5.16 rebuild
+
+* Fri Mar 30 2012 Petr Lautrbach 0.8.2-1
+- upgrade
+
+* Tue Feb 21 2012 Peter Vrabec 0.8.1-1
+- upgrade
+
+* Fri Feb 10 2012 Petr Pisar - 0.8.0-3
+- Rebuild against PCRE 8.30
+
+* Fri Jan 13 2012 Fedora Release Engineering - 0.8.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Oct 11 2011 Peter Vrabec 0.8.0-1
+- upgrade
+
+* Mon Jul 25 2011 Peter Vrabec 0.7.4-1
+- upgrade
+
+* Thu Jul 21 2011 Petr Sabata - 0.7.3-3
+- Perl mass rebuild
+
+* Wed Jul 20 2011 Petr Sabata - 0.7.3-2
+- Perl mass rebuild
+
+* Fri Jun 24 2011 Peter Vrabec 0.7.3-1
+- upgrade
+
+* Fri Jun 17 2011 Marcela Mašláňová - 0.7.2-3
+- Perl mass rebuild
+
+* Fri Jun 10 2011 Marcela Mašláňová - 0.7.2-2
+- Perl 5.14 mass rebuild
+
+* Wed Apr 20 2011 Peter Vrabec 0.7.2-1
+- upgrade
+
+* Fri Mar 11 2011 Peter Vrabec 0.7.1-1
+- upgrade
+
+* Thu Feb 10 2011 Peter Vrabec 0.7.0-1
+- upgrade
+
+* Tue Feb 08 2011 Fedora Release Engineering - 0.6.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon Jan 31 2011 Peter Vrabec 0.6.8-1
+- upgrade
+
+* Fri Jan 14 2011 Peter Vrabec 0.6.7-1
+- upgrade
+
+* Wed Oct 20 2010 Peter Vrabec 0.6.4-1
+- upgrade
+
+* Tue Sep 14 2010 Peter Vrabec 0.6.3-1
+- upgrade
+
+* Fri Aug 27 2010 Peter Vrabec 0.6.2-1
+- upgrade
+
+* Wed Jul 14 2010 Peter Vrabec 0.6.0-1
+- upgrade
+
+* Wed May 26 2010 Peter Vrabec 0.5.11-1
+- upgrade
+
+* Fri May 07 2010 Peter Vrabec 0.5.10-1
+- upgrade
+
+* Fri Apr 16 2010 Peter Vrabec 0.5.9-1
+- upgrade
+
+* Fri Feb 26 2010 Peter Vrabec 0.5.7-1
+- upgrade
+- new utils package
+
+* Mon Jan 04 2010 Peter Vrabec 0.5.6-1
+- upgrade
+
+* Tue Sep 29 2009 Peter Vrabec 0.5.3-1
+- upgrade
+
+* Wed Aug 19 2009 Peter Vrabec 0.5.2-1
+- upgrade
+
+* Mon Aug 03 2009 Peter Vrabec 0.5.1-2
+- add rpm-devel requirement
+
+* Mon Aug 03 2009 Peter Vrabec 0.5.1-1
+- upgrade
+
+* Thu Apr 30 2009 Peter Vrabec 0.3.3-1
+- upgrade
+
+* Thu Apr 23 2009 Peter Vrabec 0.3.2-1
+- upgrade
+
+* Sun Mar 29 2009 Peter Vrabec 0.1.4-1
+- upgrade
+
+* Fri Mar 27 2009 Peter Vrabec 0.1.3-2
+- spec file fixes (#491892)
+
+* Tue Mar 24 2009 Peter Vrabec 0.1.3-1
+- upgrade
+
+* Thu Jan 15 2009 Tomas Heinrich 0.1.1-1
+- Initial rpm
+
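Review bot: The `relabel_files` macro defined near the top of the spec (`%define relabel_files() \` followed by `restorecon -R /usr/bin/oscap /usr/libexec/openscap; \`) is never invoked anywhere in the file; `%post` and `%postun` only run `/sbin/ldconfig`, so no scriptlet relabels those paths. Leaving it in suggests to a reader that an SELinux relabel happens at install time when it does not, and the trailing backslash continues the macro body onto the blank line that follows. Either delete the three lines, or — if the relabel is still intended now that the openscap-selinux sub-package is obsoleted — call `%relabel_files` from the scriptlet of the sub-package that owns `%{_bindir}/oscap` and the probes, which is a decision the spec itself does not settle.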