diff --git a/.gitignore b/.gitignore index 8e966a6..7097011 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/openscap-1.3.0.tar.gz +SOURCES/openscap-1.3.1.tar.gz diff --git a/.openscap.metadata b/.openscap.metadata index 04c832b..88ac4f6 100644 --- a/.openscap.metadata +++ b/.openscap.metadata @@ -1 +1 @@ -2270bbc8e399f4a1f7a450b394086ed2506a8abd SOURCES/openscap-1.3.0.tar.gz +4783aa3943d3ea99719bda0e6cbfbc96f5841a6f SOURCES/openscap-1.3.1.tar.gz diff --git a/SOURCES/add_rhel8_cpe.patch b/SOURCES/add_rhel8_cpe.patch deleted file mode 100644 index 63a70a8..0000000 --- a/SOURCES/add_rhel8_cpe.patch +++ /dev/null @@ -1,75 +0,0 @@ -From f600c0d3768d824be658c66ff49c34918d160f5a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 9 Aug 2018 04:20:42 -0400 -Subject: [PATCH] Add RHEL8 CPE to OpenSCAP CPE dictionary - ---- - cpe/openscap-cpe-dict.xml | 4 ++++ - cpe/openscap-cpe-oval.xml | 22 ++++++++++++++++++++++ - 2 files changed, 26 insertions(+) - -diff --git a/cpe/openscap-cpe-dict.xml b/cpe/openscap-cpe-dict.xml -index 6c44333bb..b97245b38 100644 ---- a/cpe/openscap-cpe-dict.xml -+++ b/cpe/openscap-cpe-dict.xml -@@ -17,6 +17,10 @@ - Red Hat Enterprise Linux 7 - oval:org.open-scap.cpe.rhel:def:7 - -+ -+ Red Hat Enterprise Linux 8 -+ oval:org.open-scap.cpe.rhel:def:8 -+ - - Oracle Linux 5 - oval:org.open-scap.cpe.ol:def:5 -diff --git a/cpe/openscap-cpe-oval.xml b/cpe/openscap-cpe-oval.xml -index bb338de7e..4be890041 100644 ---- a/cpe/openscap-cpe-oval.xml -+++ b/cpe/openscap-cpe-oval.xml -@@ -68,6 +68,19 @@ - - - -+ -+ -+ Red Hat Enterprise Linux 8 -+ -+ Red Hat Enterprise Linux 8 -+ -+ -+ The operating system installed on the system is Red Hat Enterprise Linux 8 -+ -+ -+ -+ -+ - - - Oracle Linux 5 -@@ -620,6 +633,11 @@ - - - -+ -+ -+ -+ - - -@@ -921,6 +939,10 @@ - ^redhat-release - ^7[^\d] - -+ -+ ^redhat-release -+ ^8[^\d] -+ - - ^centos-release - ^5 --- -2.17.0 - 
diff --git a/SOURCES/fix_oscap_ssh_sudo.patch b/SOURCES/fix_oscap_ssh_sudo.patch deleted file mode 100644 index 10e7c77..0000000 --- a/SOURCES/fix_oscap_ssh_sudo.patch +++ /dev/null @@ -1,33 +0,0 @@ -diff --git a/utils/oscap-ssh b/utils/oscap-ssh -index ee6eb9c81..6d60a369e 100755 ---- a/utils/oscap-ssh -+++ b/utils/oscap-ssh -@@ -115,6 +115,11 @@ function scp_retreive_from_temp_dir { - scp -o ControlPath="$MASTER_SOCKET" -P "$SSH_PORT" $SSH_ADDITIONAL_OPTIONS "$SSH_HOST:$REMOTE_TEMP_DIR/$1" "$2" - } - -+function first_argument_is_sudo { -+ [ "$1" == "sudo" ] || [ "$1" == "--sudo" ] -+ return $? -+} -+ - function sanity_check_arguments { - if [ $# -lt 1 ]; then - echo "No arguments provided." -@@ -123,7 +128,7 @@ function sanity_check_arguments { - elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then - usage - die -- elif [ "$1" == "sudo" ] || [ "$1" == "--sudo" ]; then -+ elif first_argument_is_sudo "$@"; then - OSCAP_SUDO="sudo" - # force pseudo-tty allocation so that users can type their password if necessary - SSH_TTY_ALLOCATION_OPTION="-t" -@@ -155,6 +160,7 @@ function check_oscap_arguments { - } - - sanity_check_arguments "$@" -+first_argument_is_sudo "$@" && shift - - SSH_HOST="$1" - SSH_PORT="$2" diff --git a/SOURCES/fix_procps_tests.patch b/SOURCES/fix_procps_tests.patch deleted file mode 100644 index d926da3..0000000 --- a/SOURCES/fix_procps_tests.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh -index 073d332ee..4325612a3 100755 ---- a/tests/probes/sysctl/test_sysctl_probe_all.sh -+++ b/tests/probes/sysctl/test_sysctl_probe_all.sh -@@ -28,6 +28,16 @@ sysctl -aN --deprecated 2> /dev/null | tr "/" "." | sort -u > "$sysctlNames" - - grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames" - -+# If procps_ver > 3.3.12 we need to filter *stable_secret and vm.stat_refresh -+# options from the sysctl output, for more details see -+# https://github.com/OpenSCAP/openscap/issues/1152. -+procps_ver=$(rpm -q procps-ng --qf="%{version}") -+lowest_ver=$(echo -e "3.3.12\n$procps_ver" | sort -V | head -n1) -+if [ "$procps_ver" != "$lowest_ver" ]; then -+ sed -i '/net.ipv6.conf.*stable_secret$/d' "$sysctlNames" -+ sed -i '/.*vm.stat_refresh/d' "$sysctlNames" -+fi -+ - diff "$sysctlNames" "$ourNames" - - # remove oscap error message related to permissions from stderr diff --git a/SOURCES/fix_unresolved_symbols_in_SCE_library.patch b/SOURCES/fix_unresolved_symbols_in_SCE_library.patch deleted file mode 100644 index e0643bb..0000000 --- a/SOURCES/fix_unresolved_symbols_in_SCE_library.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From ff1ca9b23d1437da34bb5ed86cb610ac6b5461e5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 15 Oct 2018 14:19:37 +0200 -Subject: [PATCH] Ensure there are no unresolved symbols in libopenscap_sce.so - -After installing the library to /usr/lib64/ oscap wasn't able to find -SCE plugin and SCE was not shown in list of plugins in `oscap -V`. That -was because the `libopenscap_sce.so` library could not be loaded because -it contained unresolved symbol `__oscap_seterr`. We need to add -`error.c` and its dependencies to make sure `ldd` doesn't report any -unresolved symbols. ---- - src/SCE/CMakeLists.txt | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/SCE/CMakeLists.txt b/src/SCE/CMakeLists.txt -index 1e0285804..e07c454d1 100644 ---- a/src/SCE/CMakeLists.txt -+++ b/src/SCE/CMakeLists.txt -@@ -3,9 +3,12 @@ file(GLOB_RECURSE SCE_PUBLIC_HEADERS "public/*.h") - - add_library(openscap_sce SHARED - ${SCE_SOURCES} -+ "${CMAKE_SOURCE_DIR}/src/common/error.c" -+ "${CMAKE_SOURCE_DIR}/src/common/err_queue.c" - "${CMAKE_SOURCE_DIR}/src/common/list.c" - "${CMAKE_SOURCE_DIR}/src/common/oscap_string.c" - "${CMAKE_SOURCE_DIR}/src/common/oscap_buffer.c" -+ "${CMAKE_SOURCE_DIR}/src/common/util.c" - ) - target_include_directories(openscap_sce PUBLIC public) - set_target_properties(openscap_sce PROPERTIES VERSION ${SONAME} SOVERSION ${SOVERSION}) --- -2.14.4 - diff --git a/SOURCES/manpage_update_modify.patch b/SOURCES/manpage_update_modify.patch deleted file mode 100644 index dfc839e..0000000 --- a/SOURCES/manpage_update_modify.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -diff --git a/utils/oscap.8 b/utils/oscap.8 -index 2cec5e6c8..55110689e 100644 ---- a/utils/oscap.8 -+++ b/utils/oscap.8 -@@ -1,4 +1,4 @@ --.TH OSCAP "8" "March 2017" "Red Hat" "System Administration Utilities" -+.TH OSCAP "8" "October 2018" "Red Hat" "System Administration Utilities" - - .SH NAME - oscap \- OpenSCAP command line tool -@@ -15,7 +15,7 @@ OpenSCAP tool claims to provide capabilities of Authenticated Configuration Scan - .SH GENERAL OPTIONS - .TP - \fB\-V, -\-version\fR --Print supported SCAP specification, location of schema files, schematron files, CPE files, probes and supported OVAL objects. -+Print supported SCAP specifications, location of schema files, schematron files, CPE files, probes and supported OVAL objects. - Displays a list of inbuilt CPE names. - .TP - \fB\-h, \-\-help\fR -@@ -48,7 +48,7 @@ Common Vulnerabilities and Exposures - .TP - [\fIoptions\fR] any-scap-file.xml - .RS --This module prints information about SCAP content in a file specified on a command line. It determines SCAP content type, specification version, date of creation, date of import and so on. Info module doesn't require any additional opperation switch. -+This module prints information about SCAP content in a file specified on a command line. It determines SCAP content type, specification version, date of creation, date of import and so on. Info module doesn't require any additional operation switch. - - For XCCDF or Datastream files, info module prints out IDs of incorporated profiles, components, and datastreams. These IDs can be used to specify the target for evaluation. Use options --profile, --xccdf-id (or --oval-id), and --datastream-id respectively. - .PP -@@ -118,7 +118,8 @@ Writes results to a given FILE in Asset Reporting Format. It is recommended to u - .TP - \fB\-\-stig-viewer FILE\fR - .RS --Writes XCCDF results into FILE in a format readable by DISA STIG Viewer. See \fIhttp://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx\f. 
-+Writes XCCDF results into FILE in a format readable by DISA STIG Viewer. See \fIhttp://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx\fR. -+This option should be used to generate results for DISA STIG Viewer older than 2.6. To use DISA STIG Viewer 2.6 or newer, use \fB\-\-results\fR instead. - .RE - .TP - \fB\-\-thin-results\fR -@@ -133,7 +134,7 @@ Don't provide system characteristics in OVAL/ARF result files. - .TP - \fB\-\-report FILE\fR - .RS --Write HTML report into FILE. You also have to specify --results for this feature to work. Please see --oval-results to enable additional information in the report. -+Write HTML report into FILE. Add \fB\-\-oval-results\fR to enable detailed information in the report. - .RE - .TP - \fB\-\-oval-results\fR -@@ -228,12 +233,13 @@ Writes results to a given FILE in Asset Reporting Format. It is recommended to u - .TP - \fB\-\-stig-viewer FILE\fR - .RS --Writes XCCDF results into FILE in a format readable by DISA STIG Viewer. See \fIhttp://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx\f. -+Writes XCCDF results into FILE in a format readable by DISA STIG Viewer. See \fIhttp://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx\fR. -+This option should be used to generate results for DISA STIG Viewer older than 2.6. To use DISA STIG Viewer 2.6 or newer, use \fB\-\-results\fR instead. - .RE - .TP - \fB\-\-report FILE\fR - .RS --Write HTML report into FILE. You also have to specify --results for this feature to work. -+Write HTML report into FILE. Add \fB\-\-oval-results\fR to enable detailed information in the report. - .RE - .TP - \fB\-\-oval-results\fR -@@ -250,6 +256,11 @@ After evaluation is finished, each loaded check engine plugin is asked to export - .RS - Generate OVAL Variables documents which contain external variables' values that were provided to the OVAL checking engine during evaluation. 
The filename format is '\fIoriginal-oval-definitions-filename\fR-\fIsession-index\fR.variables-\fIvariables-index\fR.xml'. - .RE -+.TP -+\fB\-\-progress\fR -+.RS -+Switch to sparse output suitable for progress reporting. Format of the output is "$rule_id:$result\\n". -+.RE - .RE - .TP - .B resolve\fR -o output-file xccdf-file -@@ -315,18 +326,21 @@ Available submodules: - .TP - .B \fBguide\fR [\fIoptions\fR] xccdf-file - .RS --Generate a formatted document containing a security guide from a XCCDF Benchmark. Unless the --output option is specified it will be written to the standard output. Without profile being set only groups (not rules) will be included in the output. -+Generate a HTML document containing a security guide from an XCCDF Benchmark. Unless the --output option is specified it will be written to the standard output. Without profile being set only groups (not rules) will be included in the output. - .TP - \fB\-\-output FILE\fR - Write the guide to this file instead of standard output. - .TP - \fB\-\-hide-profile-info\fR - Information on chosen profile (e.g. rules selected by the profile) will be excluded from the document. -+.TP -+\fB\-\-benchmark-id ID\fR -+Selects a component ref from any datastream that references a component with XCCDF Benchmark such that its @id attribute matches given string exactly. - .RE - .TP - .B \fBreport\fR [\fIoptions\fR] xccdf-file - .RS --Generate a document containing results of a XCCDF Benchmark execution. Unless the --output option is specified it will be written to the standard output. ID of the TestResult element to visualise defaults to the most recent result (according to the end-time attribute). -+Generate a HTML document containing results of an XCCDF Benchmark execution. Unless the --output option is specified it will be written to the standard output. - .TP - \fB\-\-output FILE\fR - Write the report to this file instead of standard output. -@@ -417,19 +431,14 @@ Write OVAL Results into file. 
- Create human readable (HTML) report from OVAL Results. - .TP - \fB\-\-datastream-id ID\fR --.RS - Uses a datastream with that particular ID from the given datastream collection. If not given the first datastream is used. Only applies if you give source datastream in place of an OVAL file. --.RE - .TP - \fB\-\-oval-id ID\fR --.RS - Takes component ref with given ID from checks. This allows to select a particular OVAL component even in cases where there are 2 OVALs in one datastream. --.RE - .TP - \fB\-\-skip-valid\fR - Do not validate input/output files. - .TP --.RE - \fB\-\-fetch-remote-resources\fR - Allow download of remote components referenced from Datastream. - .RE diff --git a/SOURCES/manpage_update_remove.patch b/SOURCES/manpage_update_remove.patch deleted file mode 100644 index b7e41e2..0000000 --- a/SOURCES/manpage_update_remove.patch +++ /dev/null 
@@ -1,14 +0,0 @@ -diff --git a/utils/oscap.8 b/utils/oscap.8 -index c7a67f5a9..123c0f97b 100644 ---- a/utils/oscap.8 -+++ b/utils/oscap.8 -@@ -337,9 +337,6 @@ Write the report to this file instead of standard output. - \fB\-\-result-id ID\fR - ID of the XCCDF TestResult from which the report will be generated. - .TP --\fB\-\-show \fIwhat\fR --Specify what result types shall be displayed in the result report. The default is to show everything except for rules with results notselected and notapplicable. The \fIwhat\fR part is a comma-separated list of result types to display in addition to the default. If result type is prefixed by a dash '-', it will be excluded from the results. If \fIwhat\fR is prefixed by an equality sign '=', a following list specifies exactly what rule types to include in the report. Result types are: pass, fixed, notchecked, notapplicable, notselected, informational, unknown, error, fail. --.TP - \fB\-\-oval-template \fItemplate-string\fR - To use the ability to include additional information from OVAL in xccdf result file, a template which will be used to obtain OVAL result file names has to be specified. The template can be either a filename or a string containing wildcard character (percent sign '%'). Wildcard will be replaced by the original OVAL definition file name as referenced from the XCCDF file. This way it is possible to obtain OVAL information even from XCCDF documents referencing several OVAL files. To use this option with results from an XCCDF evaluation, specify \fI%.result.xml\fR as a OVAL file name template. - .TP diff --git a/SOURCES/openscap-1.3.1-swig.patch b/SOURCES/openscap-1.3.1-swig.patch deleted file mode 100644 index be0f2da..0000000 --- a/SOURCES/openscap-1.3.1-swig.patch +++ /dev/null 
@@ -1,12 +0,0 @@
-diff --git a/swig/openscap.i b/swig/openscap.i
-index ffe0bb87a..ed1dab36c 100644
---- a/swig/openscap.i
-+++ b/swig/openscap.i
-@@ -87,7 +87,6 @@
- }
- $1[i] = 0;
- } else {
-- free($1);
- PyErr_SetString(PyExc_TypeError,"not a list");
- SWIG_fail;
- }
diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec
index 4e9af61..2651c93 100644
--- a/SPECS/openscap.spec
+++ b/SPECS/openscap.spec
@@ -1,18 +1,11 @@
 Name: openscap
-Version: 1.3.0
-Release: 7%{?dist}
+Version: 1.3.1
+Release: 1%{?dist}
 Summary: Set of open source libraries enabling integration of the SCAP line of standards
 Group: System Environment/Libraries
 License: LGPLv2+
 URL: http://www.open-scap.org/
 Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
-Patch1: add_rhel8_cpe.patch
-Patch2: openscap-1.3.1-swig.patch
-Patch3: fix_oscap_ssh_sudo.patch
-Patch4: fix_procps_tests.patch
-Patch5: manpage_update_modify.patch
-Patch6: manpage_update_remove.patch
-Patch7: fix_unresolved_symbols_in_SCE_library.patch
 BuildRequires: cmake >= 2.6
 BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser
 BuildRequires: rpm-devel
@@ -114,13 +107,6 @@ for developing applications that use %{name}-engine-sce.
 
 %prep
 %setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
 mkdir build
 
 %build
@@ -129,6 +115,7 @@ cd build
 -DENABLE_DOCS=ON \
 -DENABLE_OSCAP_UTIL_DOCKER=OFF \
 -DENABLE_OSCAP_UTIL_CHROOT=OFF \
+ -DENABLE_OSCAP_UTIL_PODMAN=OFF \
 -DENABLE_OSCAP_UTIL_VM=OFF \
 ..
 make %{?_smp_mflags}
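Review bot: The hunk `@@ -1,18 +1,11 @@` drops `Patch1` through `Patch7` (and the matching `%patch1`…`%patch7` lines in `%prep` in the following hunk) without recording why, and the 1.3.1 changelog entry further down lists new fixes but never mentions the removed patches. Presumably the 1.3.1 tarball carries them, but a reader of the spec cannot confirm that here, and a fix that did not make it upstream (the SCE unresolved-symbol fix or the oscap-ssh sudo handling, for instance) would only surface at runtime. Once each dropped patch has been checked against the new tarball, add a line to the 1.3.1 changelog entry such as `- Dropped downstream patches 1-7, now part of upstream 1.3.1`.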
@@ -185,7 +172,7 @@ rm -rf $RPM_BUILD_ROOT
 %files scanner
 %{_mandir}/man8/oscap.8.gz
 %{_bindir}/oscap
-# RHEL-8.0.0 will not support oscap-chroot. Future releases may include this. Note: remove double % when enabling command.
+# RHEL-8.1.0 will not support oscap-chroot. Future releases may include this. Note: remove double % when enabling command.
 #%%{_mandir}/man8/oscap-chroot.8.gz
 #%%{_bindir}/oscap-chroot
 %{_sysconfdir}/bash_completion.d
@@ -194,7 +181,9 @@ rm -rf $RPM_BUILD_ROOT
 %doc docs/oscap-scan.cron
 %{_mandir}/man8/oscap-ssh.8.gz
 %{_bindir}/oscap-ssh
-# RHEL-8.0.0 will not support oscap-vm. Future releases may include this. Note: remove double % when enabling command.
+# RHEL-8.1.0 will not support oscap-vm and oscap-podman. Future releases may include this. Note: remove double % when enabling command.
+#%%{_mandir}/man8/oscap-podman.8.gz
+#%%{_bindir}/oscap/oscap-podman
 #%%{_mandir}/man8/oscap-vm.8.gz
 #%%{_bindir}/oscap/oscap-vm
 %{_mandir}/man8/scap-as-rpm.8.gz
@@ -204,6 +193,16 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libopenscap_sce.so.*
 
 %changelog
+* Fri Jun 14 2019 Evgeny Kolesnikov - 1.3.1-1
+- Bumped the package release number
+
+* Thu Jun 13 2019 Evgeny Kolesnikov - 1.3.1-0
+- Upgrade to the latest upstream release (rhbz#1718826)
+- Support for SCAP 1.3 Source Datastreams (evaluating, XML schemas, validation) (rhbz#1709429)
+- Tailoring files are included in ARF result files
+- Remote filesystems mounted using `autofs` direct maps are not recognized as local filesystems (rhbz#1655943)
+- Offline scan utilizing rpmverifyfile probe fails in fchdir and aborts (rhbz#1636431)
+
 * Wed Jan 16 2019 Gabriel Becker - 1.3.0-7
 - Removed oscap-vm binary and manpage files from build as they will not be supported by RHEL-8.0.0.
 - Explicitly specify which files should be in openscap-utils subpackage.
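Review bot: The new commented-out entry `#%%{_bindir}/oscap/oscap-podman` in the `@@ -194,7 +181,9 @@` hunk places the script under a `%{_bindir}/oscap/` subdirectory, copying the pre-existing `oscap-vm` line, whereas every live entry in this `%files` list is flat (`%{_bindir}/oscap`, `%{_bindir}/oscap-ssh`). That looks like an inherited typo rather than an intended layout, since `%{_bindir}/oscap` is itself the scanner binary listed in the previous hunk and cannot also be a directory. Check the install destination in the 1.3.1 build before anyone uncomments this, and if it is flat, change it to `#%%{_bindir}/oscap-podman` (and correct the oscap-vm line with it).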