diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4852ada
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/openscap-1.2.17.tar.gz
diff --git a/.openscap.metadata b/.openscap.metadata
new file mode 100644
index 0000000..12ce0bc
--- /dev/null
+++ b/.openscap.metadata
@@ -0,0 +1 @@
+588676a56b6adf389140d6fdbc6a6685ef06e7b3 SOURCES/openscap-1.2.17.tar.gz
diff --git a/SOURCES/add_oval_results_to_test.patch b/SOURCES/add_oval_results_to_test.patch
new file mode 100644
index 0000000..0c9fedd
--- /dev/null
+++ b/SOURCES/add_oval_results_to_test.patch
@@ -0,0 +1,32 @@
+From 293a2da756796cba8bcf3d9b7a153e685030594f Mon Sep 17 00:00:00 2001
+From: Matus Marhefka
+Date: Mon, 27 May 2019 10:29:54 +0200
+Subject: [PATCH] Add --oval-results to the
+ ds_continue_without_remote_resources test
+
+---
+ tests/DS/test_ds.sh | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tests/DS/test_ds.sh b/tests/DS/test_ds.sh
+index 1383ad87a..43ea43797 100755
+--- a/tests/DS/test_ds.sh
++++ b/tests/DS/test_ds.sh
+@@ -418,14 +418,15 @@ function test_ds_continue_without_remote_resources() {
+ local DS="${srcdir}/$1"
+ local PROFILE="$2"
+ local result=$(mktemp)
++ local oval_result="test_single_rule.oval.xml.result.xml"
+
+- $OSCAP xccdf eval --profile "$PROFILE" --results "$result" "$DS"
++ $OSCAP xccdf eval --oval-results --profile "$PROFILE" --results "$result" "$DS"
+
+ assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass"]/result[text()="pass"]'
+ assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-remote_res"]/result[text()="notchecked"]'
+ assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass2"]/result[text()="pass"]'
+
+- rm -f "$result"
++ rm -f "$result" "$oval_result"
+ }
+
+
diff --git a/SOURCES/add_scap_1_3_schema_and_detect_version.patch b/SOURCES/add_scap_1_3_schema_and_detect_version.patch
new file mode 100644
index 0000000..413223e
--- /dev/null
+++ b/SOURCES/add_scap_1_3_schema_and_detect_version.patch 
@@ -0,0 +1,1576 @@ +From 5bf1556bc867401e664de67a0b2ccaa8e7c86ce4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 7 May 2019 12:33:31 +0200 +Subject: [PATCH 1/9] Add SCAP 1.3 source datastream schema + +Downloaded from +https://csrc.nist.gov/schema/scap/1.3/scap-source-data-stream_1.3.xsd +Converted the EOLs to Unix using `dos2unix` tool. +--- + schemas/Makefile.am | 3 + + .../sds/1.3/scap-source-data-stream_1.3.xsd | 230 ++++++++++++++++++ + 2 files changed, 233 insertions(+) + create mode 100644 schemas/sds/1.3/scap-source-data-stream_1.3.xsd + +diff --git a/schemas/Makefile.am b/schemas/Makefile.am +index 5a5cf015e..2ca4851e6 100644 +--- a/schemas/Makefile.am ++++ b/schemas/Makefile.am +@@ -15,6 +15,7 @@ xccdf11dir = $(pkgdatadir)/schemas/xccdf/1.1/ + xccdf11tailoringdir = $(pkgdatadir)/schemas/xccdf/1.1-tailoring/ + xccdf12dir = $(pkgdatadir)/schemas/xccdf/1.2/ + sds12dir = $(pkgdatadir)/schemas/sds/1.2/ ++sds13dir = $(pkgdatadir)/schemas/sds/1.3/ + arf11dir = $(pkgdatadir)/schemas/arf/1.1/ + ocil20dir = $(pkgdatadir)/schemas/ocil/2.0/ + cpe20dir = $(pkgdatadir)/schemas/cpe/2.0/ +@@ -46,6 +47,7 @@ xccdf11tailoring_DATA = $(wildcard $(srcdir)/xccdf/1.1-tailoring/*.xsd $(srcdir) + xccdf12_DATA = $(wildcard $(srcdir)/xccdf/1.2/*.xsd $(srcdir)/xccdf/1.2/*.dtd $(srcdir)/xccdf/1.2/*.xsl) + + sds12_DATA = $(wildcard $(srcdir)/sds/1.2/*.xsd $(srcdir)/sds/1.2/*.dtd) ++sds13_DATA = $(wildcard $(srcdir)/sds/1.3/*.xsd $(srcdir)/sds/1.3/*.dtd) + arf11_DATA = $(wildcard $(srcdir)/arf/1.1/*.xsd) + + ocil20_DATA = $(wildcard $(srcdir)/ocil/2.0/*.xsd $(srcdir)/sds/2.0/*.dtd) +@@ -77,6 +79,7 @@ EXTRA_DIST = \ + $(xccdf11tailoring_DATA) \ + $(xccdf12_DATA) \ + $(sds12_DATA) \ ++ $(sds13_DATA) \ + $(arf11_DATA) \ + $(ocil20_DATA) \ + $(cpe20_DATA) \ +diff --git a/schemas/sds/1.3/scap-source-data-stream_1.3.xsd b/schemas/sds/1.3/scap-source-data-stream_1.3.xsd +new file mode 100644 +index 000000000..4a933ba2e +--- /dev/null ++++ 
b/schemas/sds/1.3/scap-source-data-stream_1.3.xsd +@@ -0,0 +1,230 @@ ++ ++ ++ ++ ++ SCAP 1.3 Source Data Stream Collection ++ Adam Halbardier, David Waltermire ++ 1.3 ++ 2016-12-01 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Holds a collection of data streams and components. ++ ++ ++ ++ ++ ++ ++ ++ ++ A digital signature of a data stream. ++ ++ ++ ++ ++ ++ This MUST be a globally unique ID. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The version of the requirements Schematron ruleset to which the instance ++ conforms. ++ ++ ++ ++ ++ ++ ++ An SCAP data stream containing pointers to all of the components composing the data ++ stream. ++ ++ ++ ++ ++ ++ Holds pointers to dictionary components. ++ ++ ++ ++ ++ Holds pointers to checklist components. ++ ++ ++ ++ ++ Holds pointers to check components. ++ ++ ++ ++ ++ Holds pointers to non-standard SCAP components captured as extended-component ++ elements. ++ ++ ++ ++ ++ ++ This MUST be a globally unique ID. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The SCAP capability being expressed by this data stream. The type is expressed to allow for ++ future use of this schema while indicating the currently acceptable values. ++ ++ ++ ++ ++ ++ ++ ++ The version of SCAP expressed by this data stream. The type is expressed to allow for future ++ use of this schema while indicating the currently acceptable values. ++ ++ ++ ++ ++ ++ ++ ++ The time when the data stream was created or last modified. ++ ++ ++ ++ ++ ++ ++ A component that is used by an SCAP data stream. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ This MUST be a globally unique ID. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The time when the component was created or last modified. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ A component that holds non-standard SCAP content. ++ ++ ++ ++ ++ ++ ++ ++ This MUST be a globally unique ID. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The time when the component was created or last modified. ++ ++ ++ ++ ++ ++ ++ An XLink element that points to a component. ++ ++ ++ ++ ++ ++ ++ ++ This MUST be a globally unique ID. 
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +From a005cfd40e2dd217e779102d6347384ec0e4a4d6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 7 May 2019 14:03:53 +0200 +Subject: [PATCH 2/9] Move OASIS XML Catalog schema to the common directory + +This way we can reuse the OASIS XML Catalog schema in +other schemas. +--- + schemas/{sds/1.2 => common}/catalog.xsd | 0 + schemas/sds/1.2/scap-source-data-stream_1.2.xsd | 2 +- + 2 files changed, 1 insertion(+), 1 deletion(-) + rename schemas/{sds/1.2 => common}/catalog.xsd (100%) + +diff --git a/schemas/sds/1.2/catalog.xsd b/schemas/common/catalog.xsd +similarity index 100% +rename from schemas/sds/1.2/catalog.xsd +rename to schemas/common/catalog.xsd +diff --git a/schemas/sds/1.2/scap-source-data-stream_1.2.xsd b/schemas/sds/1.2/scap-source-data-stream_1.2.xsd +index 606a92445..0dd91f010 100644 +--- a/schemas/sds/1.2/scap-source-data-stream_1.2.xsd ++++ b/schemas/sds/1.2/scap-source-data-stream_1.2.xsd +@@ -14,7 +14,7 @@ + + + +- ++ + + + + +From 61b89c3c9314be3f606bdb7f1b156a7a8359719e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 7 May 2019 14:08:53 +0200 +Subject: [PATCH 3/9] Move W3C Xlink schema to common directory + +This way the schema can be reused in multiple different schemas. 
+--- + .../arf/1.1/asset-reporting-format_1.1.0.xsd | 2 +- + schemas/{arf/1.1 => common}/xlink.xsd | 2 +- + .../sds/1.2/scap-source-data-stream_1.2.xsd | 2 +- + schemas/sds/1.2/xlink.xsd | 270 ------------------ + 4 files changed, 3 insertions(+), 273 deletions(-) + rename schemas/{arf/1.1 => common}/xlink.xsd (96%) + delete mode 100644 schemas/sds/1.2/xlink.xsd + +diff --git a/schemas/arf/1.1/asset-reporting-format_1.1.0.xsd b/schemas/arf/1.1/asset-reporting-format_1.1.0.xsd +index 3617e854f..7e60eb4f6 100644 +--- a/schemas/arf/1.1/asset-reporting-format_1.1.0.xsd ++++ b/schemas/arf/1.1/asset-reporting-format_1.1.0.xsd +@@ -104,7 +104,7 @@ + + + +- ++ + + + +diff --git a/schemas/arf/1.1/xlink.xsd b/schemas/common/xlink.xsd +similarity index 96% +rename from schemas/arf/1.1/xlink.xsd +rename to schemas/common/xlink.xsd +index ea77d428f..0b2645e90 100644 +--- a/schemas/arf/1.1/xlink.xsd ++++ b/schemas/common/xlink.xsd +@@ -24,7 +24,7 @@ constructs, e.g. + ]]> + + +- ++ + + + +diff --git a/schemas/sds/1.2/scap-source-data-stream_1.2.xsd b/schemas/sds/1.2/scap-source-data-stream_1.2.xsd +index 0dd91f010..72de4f98e 100644 +--- a/schemas/sds/1.2/scap-source-data-stream_1.2.xsd ++++ b/schemas/sds/1.2/scap-source-data-stream_1.2.xsd +@@ -15,7 +15,7 @@ + + + +- ++ + + + Holds a collection of data streams and components. +diff --git a/schemas/sds/1.2/xlink.xsd b/schemas/sds/1.2/xlink.xsd +deleted file mode 100644 +index ea77d428f..000000000 +--- a/schemas/sds/1.2/xlink.xsd ++++ /dev/null +@@ -1,270 +0,0 @@ +- +- +- +- +- This schema document provides attribute declarations and +-attribute group, complex type and simple type definitions which can be used in +-the construction of user schemas to define the structure of particular linking +-constructs, e.g. +- +- +- +- +- +- +- ... +- +- ... +- +- +- ... 
+-]]> +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- Intended for use as the type of user-declared elements to make them +- simple links. +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- Intended for use as the type of user-declared elements to make them +- extended links. +- Note that the elements referenced in the content model are all abstract. +- The intention is that by simply declaring elements with these as their +- substitutionGroup, all the right things will happen. +- +- +- +- +- +- +- +- +- +- +- +- +- +- xml:lang is not required, but provides much of the +- motivation for title elements in addition to attributes, and so +- is provided here for convenience. +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- label is not required, but locators have no particular +- XLink function if they are not labeled. 
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- from and to have default behavior when values are missing +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- + +From 9aeca3c095e10e5aa4d19516283bafb4f7ac567a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 7 May 2019 14:15:18 +0200 +Subject: [PATCH 4/9] Use local XSDs in SCAP 1.3 source data stream schema + +Similar to acef6dd61270546aec9f2213f9b8d71ae9aab73b +--- + schemas/sds/1.3/scap-source-data-stream_1.3.xsd | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/schemas/sds/1.3/scap-source-data-stream_1.3.xsd b/schemas/sds/1.3/scap-source-data-stream_1.3.xsd +index 4a933ba2e..7d6e2b177 100644 +--- a/schemas/sds/1.3/scap-source-data-stream_1.3.xsd ++++ b/schemas/sds/1.3/scap-source-data-stream_1.3.xsd +@@ -14,18 +14,18 @@ + + + ++ schemaLocation="../../xccdf/1.2/xccdf_1.2.xsd"/> + ++ schemaLocation="../../oval/5.11.2/oval-definitions-schema.xsd"/> + ++ schemaLocation="../../cpe/2.3/cpe-dictionary_2.3.xsd"/> + ++ schemaLocation="../../ocil/2.0/ocil-2.0.xsd"/> + ++ schemaLocation="../../common/xmldsig-core-schema.xsd"/> + +- ++ schemaLocation="../../common/catalog.xsd"/> ++ + + + Holds a collection of data streams and components. + +From b967d10ca3af64539367c3c6280f6dbb9fc2fd64 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 9 May 2019 09:42:21 +0200 +Subject: [PATCH 5/9] Fix schematron-version attribute in test datastreams + +The data-stream-collection@schematron-version attribute +should conform to the SCAP version. 
+--- + tests/API/XCCDF/tailoring/simple-ds.xml | 2 +- + tests/API/XCCDF/unittests/test_xccdf_overrides.arf.xml | 2 +- + tests/DS/cpe_in_ds/sds.xml | 2 +- + tests/DS/ds_sds_index/sds.xml | 2 +- + tests/DS/ds_sds_index/sds_multiple.xml | 2 +- + tests/DS/eval_benchmark_id_conflict/sds.xml | 2 +- + tests/DS/eval_cpe/sds.xml | 2 +- + tests/DS/eval_invalid/sds-oval.xml | 2 +- + tests/DS/eval_invalid/sds.xml | 2 +- + tests/DS/eval_just_oval/sds.xml | 2 +- + tests/DS/eval_oval_id/sds.xml | 2 +- + tests/DS/eval_simple/sds.xml | 2 +- + tests/DS/eval_xccdf_id/sds-complex.xml | 2 +- + tests/DS/eval_xccdf_id/sds.xml | 2 +- + tests/DS/rds_index_simple/arf.xml | 2 +- + tests/DS/rds_simple/sds.xml | 2 +- + tests/DS/rds_split_simple/report-request.xml | 2 +- + tests/DS/rds_testresult/sds.xml | 2 +- + tests/DS/sds_external_xccdf/sds.ds.xml | 2 +- + tests/DS/sds_external_xccdf/xccdf.sds.xml | 2 +- + tests/DS/sds_tailoring/sds.ds.xml | 2 +- + tests/DS/signed/sds-signed-fake-x509.xml | 2 +- + tests/DS/signed/sds-signed.xml | 2 +- + tests/DS/validate/rds-invalid.xml | 2 +- + tests/DS/validate/rds-valid.xml | 2 +- + tests/DS/validate/sds-invalid-oval.xml | 2 +- + tests/DS/validate/sds-invalid-xccdf.xml | 2 +- + tests/DS/validate/sds-invalid.xml | 2 +- + tests/DS/validate/sds-valid.xml | 2 +- + tests/sce/test_sce_in_ds.xml | 2 +- + 30 files changed, 30 insertions(+), 30 deletions(-) + +diff --git a/tests/API/XCCDF/tailoring/simple-ds.xml b/tests/API/XCCDF/tailoring/simple-ds.xml +index a8092096c..e5e515a70 100644 +--- a/tests/API/XCCDF/tailoring/simple-ds.xml ++++ b/tests/API/XCCDF/tailoring/simple-ds.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/API/XCCDF/unittests/test_xccdf_overrides.arf.xml b/tests/API/XCCDF/unittests/test_xccdf_overrides.arf.xml +index 84dad69b9..3f0ca8ca8 100644 +--- a/tests/API/XCCDF/unittests/test_xccdf_overrides.arf.xml ++++ b/tests/API/XCCDF/unittests/test_xccdf_overrides.arf.xml +@@ -1,5 +1,5 @@ + +-collection1asset0 ++collection1asset0 + + python + 
2.6.6 +diff --git a/tests/DS/cpe_in_ds/sds.xml b/tests/DS/cpe_in_ds/sds.xml +index dbc57605a..a77389703 100644 +--- a/tests/DS/cpe_in_ds/sds.xml ++++ b/tests/DS/cpe_in_ds/sds.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/DS/ds_sds_index/sds.xml b/tests/DS/ds_sds_index/sds.xml +index 0e438a39d..574046d24 100644 +--- a/tests/DS/ds_sds_index/sds.xml ++++ b/tests/DS/ds_sds_index/sds.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/DS/ds_sds_index/sds_multiple.xml b/tests/DS/ds_sds_index/sds_multiple.xml +index a24e6f385..069202331 100644 +--- a/tests/DS/ds_sds_index/sds_multiple.xml ++++ b/tests/DS/ds_sds_index/sds_multiple.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/DS/eval_benchmark_id_conflict/sds.xml b/tests/DS/eval_benchmark_id_conflict/sds.xml +index f3a075615..612eecb0c 100644 +--- a/tests/DS/eval_benchmark_id_conflict/sds.xml ++++ b/tests/DS/eval_benchmark_id_conflict/sds.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/DS/eval_cpe/sds.xml b/tests/DS/eval_cpe/sds.xml +index fa568690a..a73403f74 100644 +--- a/tests/DS/eval_cpe/sds.xml ++++ b/tests/DS/eval_cpe/sds.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/DS/eval_invalid/sds-oval.xml b/tests/DS/eval_invalid/sds-oval.xml +index d4e1b2900..e77e1aaea 100644 +--- a/tests/DS/eval_invalid/sds-oval.xml ++++ b/tests/DS/eval_invalid/sds-oval.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/DS/eval_invalid/sds.xml b/tests/DS/eval_invalid/sds.xml +index f9be5cb0c..e97592354 100644 +--- a/tests/DS/eval_invalid/sds.xml ++++ b/tests/DS/eval_invalid/sds.xml +@@ -1,3 +1,3 @@ + +- ++ + +diff --git a/tests/DS/eval_just_oval/sds.xml b/tests/DS/eval_just_oval/sds.xml +index 976c1d2ee..3093b1c4a 100644 +--- a/tests/DS/eval_just_oval/sds.xml ++++ b/tests/DS/eval_just_oval/sds.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/DS/eval_oval_id/sds.xml b/tests/DS/eval_oval_id/sds.xml +index 8380c68b8..ea72b4d3b 100644 +--- a/tests/DS/eval_oval_id/sds.xml ++++ 
b/tests/DS/eval_oval_id/sds.xml +@@ -1,5 +1,5 @@ + +- ++ + + + +diff --git a/tests/DS/eval_simple/sds.xml b/tests/DS/eval_simple/sds.xml +index d3c4a6a5d..826a72629 100644 +--- a/tests/DS/eval_simple/sds.xml ++++ b/tests/DS/eval_simple/sds.xml +@@ -1,5 +1,5 @@ + +- ++ + draft + Example of SCAP Security Guidance + This example security guidance has been created to demonstrate SCAP functionality +diff --git a/tests/DS/eval_xccdf_id/sds-complex.xml b/tests/DS/eval_xccdf_id/sds-complex.xml +index 5b69cd765..9ef6170e4 100644 +--- a/tests/DS/eval_xccdf_id/sds-complex.xml ++++ b/tests/DS/eval_xccdf_id/sds-complex.xml +@@ -1,5 +1,5 @@ + +- ++ + + +diff --git a/tests/DS/signed/sds-signed-fake-x509.xml b/tests/DS/signed/sds-signed-fake-x509.xml +index 0431a42ca..592bfb3c2 100644 +--- a/tests/DS/signed/sds-signed-fake-x509.xml ++++ b/tests/DS/signed/sds-signed-fake-x509.xml +@@ -1,5 +1,5 @@ + +- ++ + draft + Example of SCAP Security Guidance + This example security guidance has been created to demonstrate SCAP functionality +diff --git a/tests/DS/signed/sds-signed.xml b/tests/DS/signed/sds-signed.xml +index 1863e5f18..3e862dd82 100644 +--- a/tests/DS/signed/sds-signed.xml ++++ b/tests/DS/signed/sds-signed.xml +@@ -1,5 +1,5 @@ + +- ++ + draft + Example of SCAP Security Guidance + This example security guidance has been created to demonstrate SCAP functionality +diff --git a/tests/DS/validate/rds-invalid.xml b/tests/DS/validate/rds-invalid.xml +index 7351e0cb2..f98d13ada 100644 +--- a/tests/DS/validate/rds-invalid.xml ++++ b/tests/DS/validate/rds-invalid.xml +@@ -19,7 +19,7 @@ + xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" +- id="scap_cdf_collection_fedora.zip" schematron-version="1.0" ++ id="scap_cdf_collection_fedora.zip" schematron-version="1.2" + xsi:schemaLocation="http://scap.nist.gov/schema/scap/source/1.2 
http://scap.nist.gov/schema/scap/1.2/scap-source-data-stream_1.2-draft.xsd"> + + +diff --git a/tests/DS/validate/rds-valid.xml b/tests/DS/validate/rds-valid.xml +index e08672a3a..22dadccbf 100644 +--- a/tests/DS/validate/rds-valid.xml ++++ b/tests/DS/validate/rds-valid.xml +@@ -20,7 +20,7 @@ + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + id="scap_cdf_collection_fedora.zip" +- schematron-version="1.0" ++ schematron-version="1.2" + xsi:schemaLocation="http://scap.nist.gov/schema/scap/source/1.2 http://scap.nist.gov/schema/scap/1.2/scap-source-data-stream_1.2-draft.xsd"> + + +diff --git a/tests/DS/validate/sds-invalid-oval.xml b/tests/DS/validate/sds-invalid-oval.xml +index c9ac98b48..e8be9abcf 100644 +--- a/tests/DS/validate/sds-invalid-oval.xml ++++ b/tests/DS/validate/sds-invalid-oval.xml +@@ -1,5 +1,5 @@ + +- ++ + draft + Example of SCAP Security Guidance + This example security guidance has been created to demonstrate SCAP functionality +diff --git a/tests/DS/validate/sds-invalid-xccdf.xml b/tests/DS/validate/sds-invalid-xccdf.xml +index 64df3a13d..cf3017070 100644 +--- a/tests/DS/validate/sds-invalid-xccdf.xml ++++ b/tests/DS/validate/sds-invalid-xccdf.xml +@@ -1,5 +1,5 @@ + +- ++ + Example of SCAP Security Guidance + This example security guidance has been created to demonstrate SCAP functionality + on Linux. 
+diff --git a/tests/DS/validate/sds-invalid.xml b/tests/DS/validate/sds-invalid.xml +index 3a7d67ca6..51a2ed03a 100644 +--- a/tests/DS/validate/sds-invalid.xml ++++ b/tests/DS/validate/sds-invalid.xml +@@ -1,5 +1,5 @@ + +- ++ + draft + Example of SCAP Security Guidance + This example security guidance has been created to demonstrate SCAP functionality +diff --git a/tests/DS/validate/sds-valid.xml b/tests/DS/validate/sds-valid.xml +index d3c4a6a5d..826a72629 100644 +--- a/tests/DS/validate/sds-valid.xml ++++ b/tests/DS/validate/sds-valid.xml +@@ -1,5 +1,5 @@ + +- ++ + draft + Example of SCAP Security Guidance + This example security guidance has been created to demonstrate SCAP functionality +diff --git a/tests/sce/test_sce_in_ds.xml b/tests/sce/test_sce_in_ds.xml +index 14e0876e6..62c45781c 100644 +--- a/tests/sce/test_sce_in_ds.xml ++++ b/tests/sce/test_sce_in_ds.xml +@@ -1,5 +1,5 @@ + +- ++ + + + + +From 190ca9d3db7049879be4308c5194f2406cc5f70b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 9 May 2019 09:44:06 +0200 +Subject: [PATCH 6/9] Detect source datastream version + +Instead of hard-coding SCAP 1.2, we will use +data-stream-collection@schematron-version attribute to detect the SCAP +version of datastream and we will choose the right XML schema +accordingly. So far, only 1.2 and 1.3 datastreams are supported. 
+--- + src/DS/sds.c | 26 ++++++++++++++++++++++++++ + src/DS/sds_priv.h | 4 ++++ + src/source/Makefile.am | 1 + + src/source/oscap_source.c | 3 ++- + src/source/validate.c | 1 + + 5 files changed, 34 insertions(+), 1 deletion(-) + +diff --git a/src/DS/sds.c b/src/DS/sds.c +index b7c33a2e5..c4271b26e 100644 +--- a/src/DS/sds.c ++++ b/src/DS/sds.c +@@ -1265,3 +1265,29 @@ int ds_sds_compose_from_xccdf(const char *xccdf_file, const char *target_datastr + xmlFreeDoc(doc); + return 0; + } ++ ++char *ds_sds_detect_version(xmlTextReader *reader) ++{ ++ /* find root element */ ++ while (xmlTextReaderRead(reader) == 1 && xmlTextReaderNodeType(reader) != XML_READER_TYPE_ELEMENT) ++ ; ++ ++ char *element_name = (char *) xmlTextReaderConstLocalName(reader); ++ if (!element_name) { ++ oscap_setxmlerr(xmlGetLastError()); ++ return NULL; ++ } ++ if (strcmp(element_name, "data-stream-collection")) { ++ oscap_seterr(OSCAP_EFAMILY_OSCAP, ++ "Expected root element name for SCAP source datastream is" \ ++ "'data-stream-collection' but actual root element name is '%s'.", ++ element_name); ++ return NULL; ++ } ++ char *schematron_version = (char *) xmlTextReaderGetAttribute(reader, BAD_CAST "schematron-version"); ++ if (!schematron_version) { ++ oscap_setxmlerr(xmlGetLastError()); ++ return NULL; ++ } ++ return schematron_version; ++} +diff --git a/src/DS/sds_priv.h b/src/DS/sds_priv.h +index 0ba2e8cb7..39c36da9f 100644 +--- a/src/DS/sds_priv.h ++++ b/src/DS/sds_priv.h +@@ -26,6 +26,7 @@ + #endif + + #include ++#include + #include "common/public/oscap.h" + #include "common/util.h" + #include "ds_sds_session.h" +@@ -45,5 +45,8 @@ + xmlDocPtr ds_sds_compose_xmlDoc_from_xccdf(const char *xccdf_file); + xmlDocPtr ds_sds_compose_xmlDoc_from_xccdf_source(struct oscap_source *xccdf_source); + ++char *ds_sds_detect_version(xmlTextReader *reader); ++ + OSCAP_HIDDEN_END; ++ + #endif +diff --git a/src/source/Makefile.am b/src/source/Makefile.am +index 446bf4596..ad37ba6f6 100644 +--- 
a/src/source/Makefile.am ++++ b/src/source/Makefile.am +@@ -19,6 +19,7 @@ liboscapsource_la_CPPFLAGS = \ + @xml2_CFLAGS@ @xslt_CFLAGS@ @exslt_CFLAGS@ \ + -I$(srcdir)/public \ + -I$(top_srcdir)/src \ ++ -I$(top_srcdir)/src/DS/public \ + -I$(top_srcdir)/src/CPE/public \ + -I$(top_srcdir)/src/OVAL/probes/SEAP/public \ + -I$(top_srcdir)/src/common/public +diff --git a/src/source/oscap_source.c b/src/source/oscap_source.c +index 3b7282ed3..228dc049b 100644 +--- a/src/source/oscap_source.c ++++ b/src/source/oscap_source.c +@@ -51,6 +51,7 @@ + #include "source/validate_priv.h" + #include "XCCDF/elements.h" + #include "XCCDF/public/xccdf_benchmark.h" ++#include "DS/sds_priv.h" + + typedef enum oscap_source_type { + OSCAP_SRC_FROM_USER_XML_FILE = 1, ///< The source originated from XML file supplied by user +@@ -360,7 +361,7 @@ const char *oscap_source_get_schema_version(struct oscap_source *source) + } + switch (oscap_source_get_scap_type(source)) { + case OSCAP_DOCUMENT_SDS: +- source->origin.version = oscap_strdup("1.2"); ++ source->origin.version = ds_sds_detect_version(reader); + break; + case OSCAP_DOCUMENT_ARF: + source->origin.version = oscap_strdup("1.1"); +diff --git a/src/source/validate.c b/src/source/validate.c +index 4c7aa98c4..730d44b2f 100644 +--- a/src/source/validate.c ++++ b/src/source/validate.c +@@ -220,6 +220,7 @@ struct oscap_schema_table_entry OSCAP_SCHEMAS_TABLE[] = { + {OSCAP_DOCUMENT_XCCDF_TAILORING, "1.2", "xccdf/1.2/xccdf_1.2.xsd"}, + {OSCAP_DOCUMENT_XCCDF_TAILORING, "1.1", "xccdf/1.1-tailoring/xccdf-1.1-tailoring.xsd"}, // unofficial openscap extension! 
+ {OSCAP_DOCUMENT_SDS, "1.2", "sds/1.2/scap-source-data-stream_1.2.xsd"}, ++ {OSCAP_DOCUMENT_SDS, "1.3", "sds/1.3/scap-source-data-stream_1.3.xsd"}, + {OSCAP_DOCUMENT_ARF, "1.1", "arf/1.1/asset-reporting-format_1.1.0.xsd"}, + {OSCAP_DOCUMENT_CPE_DICTIONARY, "2.0", "cpe/2.0/cpe-dictionary_2.0.xsd"}, + {OSCAP_DOCUMENT_CPE_DICTIONARY, "2.1", "cpe/2.1/cpe-dictionary_2.1.xsd"}, + +From 8457c924957f16b43921ed488a0268d868d94ac4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 10 May 2019 09:48:46 +0200 +Subject: [PATCH 7/9] Add a simple test for oscap info + +This test tests if `oscap` is able to detect the version +of SCAP source datastream (if DS is SCAP 1.2 or 1.3). +--- + configure.ac | 1 + + tests/DS/Makefile.am | 2 +- + tests/DS/sds_detect_version/Makefile.am | 13 +++++ + tests/DS/sds_detect_version/scap-1.2-ds.xml | 51 +++++++++++++++++++ + tests/DS/sds_detect_version/scap-1.3-ds.xml | 51 +++++++++++++++++++ + .../sds_detect_version/test_detect_version.sh | 27 ++++++++++ + 7 files changed, 145 insertions(+), 1 deletion(-) + create mode 100644 tests/DS/sds_detect_version/Makefile.am + create mode 100644 tests/DS/sds_detect_version/scap-1.2-ds.xml + create mode 100644 tests/DS/sds_detect_version/scap-1.3-ds.xml + create mode 100755 tests/DS/sds_detect_version/test_detect_version.sh + +diff --git a/configure.ac b/configure.ac +index dd02507da..91fba1390 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1548,6 +1548,7 @@ AC_CONFIG_FILES([Makefile + src/DS/Makefile + tests/DS/Makefile + tests/DS/ds_sds_index/Makefile ++ tests/DS/sds_detect_version/Makefile + tests/DS/signed/Makefile + tests/DS/validate/Makefile + +diff --git a/tests/DS/Makefile.am b/tests/DS/Makefile.am +index ea742386d..e0f63348c 100644 +--- a/tests/DS/Makefile.am ++++ b/tests/DS/Makefile.am +@@ -60,4 +60,4 @@ EXTRA_DIST = test_ds.sh \ + sds_subdir/subdir/scap-fedora14-xccdf.xml \ + sds_tailoring/sds.ds.xml + +-SUBDIRS = ds_sds_index signed validate ++SUBDIRS = 
ds_sds_index signed validate sds_detect_version +diff --git a/tests/DS/sds_detect_version/Makefile.am b/tests/DS/sds_detect_version/Makefile.am +new file mode 100644 +index 000000000..087888742 +--- /dev/null ++++ b/tests/DS/sds_detect_version/Makefile.am +@@ -0,0 +1,13 @@ ++DISTCLEANFILES = *.log *.results oscap_debug.log.* ++CLEANFILES = *.log *.results oscap_debug.log.* ++ ++TESTS_ENVIRONMENT= \ ++ builddir=$(top_builddir) \ ++ OSCAP_FULL_VALIDATION=1 \ ++ $(top_builddir)/run ++ ++TESTS = test_detect_version.sh ++ ++EXTRA_DIST = test_detect_version.sh \ ++ scap-1.2-ds.xml \ ++ scap-1.3-ds.xml +diff --git a/tests/DS/sds_detect_version/scap-1.2-ds.xml b/tests/DS/sds_detect_version/scap-1.2-ds.xml +new file mode 100644 +index 000000000..12e4954ae +--- /dev/null ++++ b/tests/DS/sds_detect_version/scap-1.2-ds.xml +@@ -0,0 +1,51 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ combine_ovals.py from SCAP Security Guide ++ ssg: [0, 1, 44], python: 3.7.3 ++ 5.10 ++ 2019-05-10T06:18:18 ++ ++ ++ ++ ++ Red Hat Enterprise Linux 8 ++ ++ Red Hat Enterprise Linux 8 ++ ++ ++ The operating system installed on the system is ++ Red Hat Enterprise Linux 8 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ redhat-release ++ ++ ++ ++ ++ ^8.*$ ++ ++ ++ ++ ++ +diff --git a/tests/DS/sds_detect_version/scap-1.3-ds.xml b/tests/DS/sds_detect_version/scap-1.3-ds.xml +new file mode 100644 +index 000000000..5d4af29a3 +--- /dev/null ++++ b/tests/DS/sds_detect_version/scap-1.3-ds.xml +@@ -0,0 +1,51 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ combine_ovals.py from SCAP Security Guide ++ ssg: [0, 1, 44], python: 3.7.3 ++ 5.11 ++ 2019-05-10T06:18:18 ++ ++ ++ ++ ++ Red Hat Enterprise Linux 8 ++ ++ Red Hat Enterprise Linux 8 ++ ++ ++ The operating system installed on the system is ++ Red Hat Enterprise Linux 8 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ redhat-release ++ ++ ++ ++ ++ ^8.*$ ++ ++ ++ ++ ++ +diff --git a/tests/DS/sds_detect_version/test_detect_version.sh b/tests/DS/sds_detect_version/test_detect_version.sh 
+new file mode 100755 +index 000000000..607aac261 +--- /dev/null ++++ b/tests/DS/sds_detect_version/test_detect_version.sh +@@ -0,0 +1,27 @@ ++#!/bin/bash ++ ++# Copyright 2019 Red Hat Inc., Durham, North Carolina. ++# All Rights Reserved. ++# ++# OpenSCAP Test Suite ++# ++# Authors: ++# Jan Černý ++ ++. $builddir/tests/test_common.sh ++ ++set -e -o pipefail ++ ++function test_oscap_info { ++ version="$1" ++ stdout="$(mktemp)" ++ stderr="$(mktemp)" ++ $OSCAP info $srcdir/scap-$version-ds.xml > $stdout 2> $stderr ++ [ ! -s $stderr ] ++ grep -q "Version: $version" $stdout ++ rm $stdout ++ rm $stderr ++} ++ ++test_oscap_info "1.2" ++test_oscap_info "1.3" + +From 475b387ad359549645b9d7595eefdeea104cdf81 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 10 May 2019 10:11:59 +0200 +Subject: [PATCH 8/9] Add simple tests for validating SCAP 1.3 datastreams + +Tests if `oscap ds sds-validate` can validate SCAP 1.3 datastreams +against XML schema. The test uses a simple valid datastream and +a simple invalid datastream. 
+--- + tests/DS/validate/Makefile.am | 14 ++++---- + tests/DS/validate/all.sh | 2 ++ + tests/DS/validate/sds-1.3-invalid.xml | 48 +++++++++++++++++++++++++ + tests/DS/validate/sds-1.3-valid.xml | 51 +++++++++++++++++++++++++++ + 4 files changed, 109 insertions(+), 6 deletions(-) + create mode 100644 tests/DS/validate/sds-1.3-invalid.xml + create mode 100644 tests/DS/validate/sds-1.3-valid.xml + +diff --git a/tests/DS/validate/Makefile.am b/tests/DS/validate/Makefile.am +index 0ebe28559..6cca84f98 100644 +--- a/tests/DS/validate/Makefile.am ++++ b/tests/DS/validate/Makefile.am +@@ -9,9 +9,11 @@ TESTS_ENVIRONMENT= \ + TESTS = all.sh + + EXTRA_DIST = all.sh \ +- sds-valid.xml \ +- sds-invalid.xml \ +- sds-invalid-xccdf.xml \ +- sds-invalid-oval.xml \ +- rds-valid.xml \ +- rds-invalid.xml ++ rds-invalid.xml \ ++ rds-valid.xml \ ++ sds-1.3-invalid.xml \ ++ sds-1.3-valid.xml \ ++ sds-invalid-oval.xml \ ++ sds-invalid-xccdf.xml \ ++ sds-invalid.xml \ ++ sds-valid.xml +diff --git a/tests/DS/validate/all.sh b/tests/DS/validate/all.sh +index b6c2de011..8d5845dff 100755 +--- a/tests/DS/validate/all.sh ++++ b/tests/DS/validate/all.sh +@@ -18,7 +18,9 @@ function test_validation { + + test_init test_validation.log + test_run "valid-sds" test_validation sds sds-valid.xml 0 ++test_run "valid-1.3-sds" test_validation sds sds-1.3-valid.xml 0 + test_run "invalid-sds" test_validation sds sds-invalid.xml 1 ++test_run "invalid-1.3-sds" test_validation sds sds-1.3-invalid.xml 1 + test_run "invalid-xccdf-sds" test_validation sds sds-invalid-xccdf.xml 1 + test_run "invalid-oval-sds" test_validation sds sds-invalid-oval.xml 1 + +diff --git a/tests/DS/validate/sds-1.3-invalid.xml b/tests/DS/validate/sds-1.3-invalid.xml +new file mode 100644 +index 000000000..0f540925f +--- /dev/null ++++ b/tests/DS/validate/sds-1.3-invalid.xml +@@ -0,0 +1,48 @@ ++ ++ ++ ++ ++ ++ ++ ++ combine_ovals.py from SCAP Security Guide ++ ssg: [0, 1, 44], python: 3.7.3 ++ 5.11 ++ 2019-05-10T06:18:18 ++ ++ ++ ++ ++ Red 
Hat Enterprise Linux 8 ++ ++ Red Hat Enterprise Linux 8 ++ ++ ++ The operating system installed on the system is ++ Red Hat Enterprise Linux 8 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ redhat-release ++ ++ ++ ++ ++ ^8.*$ ++ ++ ++ ++ ++ +diff --git a/tests/DS/validate/sds-1.3-valid.xml b/tests/DS/validate/sds-1.3-valid.xml +new file mode 100644 +index 000000000..5d4af29a3 +--- /dev/null ++++ b/tests/DS/validate/sds-1.3-valid.xml +@@ -0,0 +1,51 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ combine_ovals.py from SCAP Security Guide ++ ssg: [0, 1, 44], python: 3.7.3 ++ 5.11 ++ 2019-05-10T06:18:18 ++ ++ ++ ++ ++ Red Hat Enterprise Linux 8 ++ ++ Red Hat Enterprise Linux 8 ++ ++ ++ The operating system installed on the system is ++ Red Hat Enterprise Linux 8 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ redhat-release ++ ++ ++ ++ ++ ^8.*$ ++ ++ ++ ++ ++ + +From 09d00acda9153c4012dca5a05ee226fc05ba2080 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 27 May 2019 10:58:47 +0200 +Subject: [PATCH 9/9] Change OVAL version to 5.11.2 + +The SCAP 1.3 source datastream schema imports OVAL 5.11.2. +--- + tests/DS/sds_detect_version/scap-1.3-ds.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/DS/sds_detect_version/scap-1.3-ds.xml b/tests/DS/sds_detect_version/scap-1.3-ds.xml +index 5d4af29a3..2e4ff31b0 100644 +--- a/tests/DS/sds_detect_version/scap-1.3-ds.xml ++++ b/tests/DS/sds_detect_version/scap-1.3-ds.xml +@@ -10,7 +10,7 @@ + + combine_ovals.py from SCAP Security Guide + ssg: [0, 1, 44], python: 3.7.3 +- 5.11 ++ 5.11.2 + 2019-05-10T06:18:18 + + diff --git a/SOURCES/autofs_entries_in_mtab.patch b/SOURCES/autofs_entries_in_mtab.patch new file mode 100644 index 0000000..35a290b --- /dev/null +++ b/SOURCES/autofs_entries_in_mtab.patch 
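Review bot: In `ds_sds_detect_version` (src/DS/sds.c, patch 6/9 inside this hunk) the `schematron-version` attribute read from the input document is returned unchecked and, via `oscap_source_get_schema_version`, presumably becomes the key for the `OSCAP_SCHEMAS_TABLE` lookup in validate.c, so any value other than "1.2" or "1.3" — the fixtures fixed in patch 5/9 carried `schematron-version="1.0"` until this series — now ends in a schema-table miss instead of the previous implicit 1.2 handling, with no message naming the offending value. A missing attribute takes the same path: as far as I can tell `xmlTextReaderGetAttribute` returns NULL without raising a libxml error, so `oscap_setxmlerr(xmlGetLastError())` there reports a stale or empty error. The adjacent error string is also concatenated without a separator and prints `...datastream is'data-stream-collection'...`; the first fragment should end with a space: `"Expected root element name for SCAP source datastream is " \`. I would report the missing attribute explicitly and validate the value against the versions the schema table actually supports before returning it, as below.
```c
	char *schematron_version = (char *) xmlTextReaderGetAttribute(reader, BAD_CAST "schematron-version");
	if (!schematron_version) {
		oscap_seterr(OSCAP_EFAMILY_OSCAP,
			"The 'data-stream-collection' root element has no 'schematron-version' attribute.");
		return NULL;
	}
	/* Only versions that have a schema entry in OSCAP_SCHEMAS_TABLE are accepted. */
	if (strcmp(schematron_version, "1.2") != 0 && strcmp(schematron_version, "1.3") != 0) {
		oscap_seterr(OSCAP_EFAMILY_OSCAP,
			"Unsupported SCAP source datastream version '%s', expected '1.2' or '1.3'.",
			schematron_version);
		xmlFree(schematron_version);
		return NULL;
	}
	return schematron_version;
```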
@@ -0,0 +1,192 @@ +From 309f8230d67f229b6091876c3ace62370fb3d451 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 17 May 2019 10:25:08 +0200 +Subject: [PATCH 1/2] Handle autofs entries in /etc/mtab + +Some file systems can be mounted using autofs, which should be +considered during analysis of /etc/mtab.F or more details, +please see the comment introduced in this patch. +--- + src/OVAL/probes/fsdev.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c +index ca6304890..29250f2bf 100644 +--- a/src/OVAL/probes/fsdev.c ++++ b/src/OVAL/probes/fsdev.c +@@ -125,6 +125,20 @@ is_local_fs(struct mntent *ment) + #if 1 + char *s; + ++ /* ++ * When type of the filesystem is autofs, it means the mtab entry ++ * describes the autofs configuration, which means ment->mnt_fsname ++ * is a path to the relevant autofs map, eg. /etc/auto.misc. In this ++ * situation, the following code which analyses ment->mnt_type would ++ * not work. When the filesystem handled by autofs is mounted, there ++ * is another different entry in mtab which contains the real block ++ * special device or remote filesystem in ment->mnt_fsname, and that ++ * will be parsed in a different call of this function. ++ */ ++ if (!strcmp(ment->mnt_type, "autofs")) { ++ return 0; ++ } ++ + s = ment->mnt_fsname; + /* If the fsname begins with "//", it is probably CIFS. */ + if (s[0] == '/' && s[1] == '/') + +From fff58197d9747a08d0fc23914a31fefbe44f07ea Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 17 May 2019 16:16:23 +0200 +Subject: [PATCH 2/2] Test is_local_fs + +Adds a simple unit test that checks whether autofs entries in +/etc/mtab are not considered local. 
+--- + src/OVAL/probes/fsdev.c | 6 ++-- + src/OVAL/probes/public/fsdev.h | 14 ++++++++ + tests/API/probes/Makefile.am | 6 ++-- + tests/API/probes/all.sh | 1 + + tests/API/probes/test_fsdev_is_local_fs.c | 41 +++++++++++++++++++++++ + 5 files changed, 62 insertions(+), 6 deletions(-) + create mode 100644 tests/API/probes/test_fsdev_is_local_fs.c + +diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c +index 29250f2bf..d455b39c4 100644 +--- a/src/OVAL/probes/fsdev.c ++++ b/src/OVAL/probes/fsdev.c +@@ -118,8 +118,7 @@ static int match_fs(const char *fsname, const char **fs_arr, size_t fs_cnt) + #define DEVID_ARRAY_ADD 8 + + #if defined(__linux__) +-static int +-is_local_fs(struct mntent *ment) ++int is_local_fs(struct mntent *ment) + { + // todo: would it be usefull to provide the choice during build-time? + #if 1 +@@ -169,8 +168,7 @@ is_local_fs(struct mntent *ment) + } + + #elif defined(_AIX) +-static int +-is_local_fs(struct mntent *ment) ++int is_local_fs(struct mntent *ment) + { + int i; + struct vfs_ent *e; +diff --git a/src/OVAL/probes/public/fsdev.h b/src/OVAL/probes/public/fsdev.h +index 382ec536b..aeb455df1 100644 +--- a/src/OVAL/probes/public/fsdev.h ++++ b/src/OVAL/probes/public/fsdev.h +@@ -36,6 +36,10 @@ + #include + #include + ++#if defined(__linux__) || defined(_AIX) ++#include ++#endif ++ + /** + * Filesystem device structure. + */ +@@ -88,5 +92,15 @@ int fsdev_path(fsdev_t * lfs, const char *path); + */ + int fsdev_fd(fsdev_t * lfs, int fd); + ++#if defined(__linux__) || defined(_AIX) ++/** ++ * Detemines whether a given mtab entry is a local file system. ++ * @param ment Structure returned by getmntent (see `man 3 getmntent`). 
++ * @retval 1 if local ++ * @retval 0 otherwise ++ */ ++int is_local_fs(struct mntent *ment); ++#endif ++ + #endif /* FSDEV_H */ + /// @} +diff --git a/tests/API/probes/Makefile.am b/tests/API/probes/Makefile.am +index e26a47e63..70442bcc3 100644 +--- a/tests/API/probes/Makefile.am ++++ b/tests/API/probes/Makefile.am +@@ -26,14 +26,16 @@ TESTS_ENVIRONMENT = \ + $(top_builddir)/run + + TESTS = all.sh +-check_PROGRAMS = test_api_probes_smoke oval_fts_list ++check_PROGRAMS = test_api_probes_smoke oval_fts_list test_fsdev_is_local_fs + + test_api_probes_smoke_SOURCES = test_api_probes_smoke.c + oval_fts_list_CFLAGS= -I$(top_srcdir)/src/OVAL/probes + oval_fts_list_SOURCES= oval_fts_list.c ++test_fsdev_is_local_fs_SOURCES = test_fsdev_is_local_fs.c + + EXTRA_DIST += \ + all.sh \ + fts.sh \ + gentree.sh \ +- test_api_probes_smoke.c ++ test_api_probes_smoke.c \ ++ test_fsdev_is_local_fs.c +diff --git a/tests/API/probes/all.sh b/tests/API/probes/all.sh +index e0c35de88..46c680667 100755 +--- a/tests/API/probes/all.sh ++++ b/tests/API/probes/all.sh +@@ -7,6 +7,7 @@ test_init "test_api_probes.log" + if [ -z ${CUSTOM_OSCAP+x} ] ; then + test_run "fts test" $srcdir/fts.sh + test_run "probe api smoke test" ./test_api_probes_smoke ++ test_run "fsdev is_local_fs unit test" ./test_fsdev_is_local_fs + fi + + test_exit +diff --git a/tests/API/probes/test_fsdev_is_local_fs.c b/tests/API/probes/test_fsdev_is_local_fs.c +new file mode 100644 +index 000000000..bcc596442 +--- /dev/null ++++ b/tests/API/probes/test_fsdev_is_local_fs.c +@@ -0,0 +1,41 @@ ++/* ++ * Copyright 2019 Red Hat Inc., Durham, North Carolina. ++ * All Rights Reserved. ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. 
++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++ * ++ * Authors: ++ * "Jan Černý" ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include "fsdev.h" ++ ++int main(int argc, char *argv[]) ++{ ++ struct mntent ment; ++ ment.mnt_type = "autofs"; ++ int ret = is_local_fs(&ment); ++ if (ret != 0) { ++ return 1; ++ } ++ return 0; ++} +\ No newline at end of file diff --git a/SOURCES/do_not_skip_fs_binfmt_misc.patch b/SOURCES/do_not_skip_fs_binfmt_misc.patch new file mode 100644 index 0000000..692b90e --- /dev/null +++ b/SOURCES/do_not_skip_fs_binfmt_misc.patch 
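Review bot: In test_fsdev_is_local_fs.c, `struct mntent ment;` leaves every member except mnt_type indeterminate, so the test silently depends on is_local_fs returning before it touches mnt_fsname for an autofs entry; a zero-initialised `struct mntent ment = { 0 };` makes the test robust if that early return is ever reordered. The doc comment added to fsdev.h misspells "Detemines" (should be "Determines"), and the new test file is committed without a trailing newline, which a later patch in this series has to repair. The autofs early return itself is only partly visible here: is_local_fs's body continues outside the hunk.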
@@ -0,0 +1,33 @@
+From 7774511d5438e5bbfc0d0142b7656da0498e7126 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Wed, 29 May 2019 14:54:02 +0200
+Subject: [PATCH] Do not skip 'fs.binfmt_misc.status' by sysctl probe
+
+Directory /proc/sys/fs/binfmt_misc is a separate file system,
+mounted by systemd-automout and is represented by an autofs
+entry in /etc/mtab. /proc/sys/fs/binfmt_misc is mounted
+on demand when accessed. If accessed the first time, we don't
+have a way to determine the if the autofs is remote or local.
+See 309f8230d67f229b6091876c3ace62370fb3d451.
+However, we don't see a reason why not to traverse the whole
+/proc/sys regardless the type of file systems mounted there.
+---
+ src/OVAL/probes/unix/sysctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/OVAL/probes/unix/sysctl.c b/src/OVAL/probes/unix/sysctl.c
+index 3001bfd76..bc53b43fc 100644
+--- a/src/OVAL/probes/unix/sysctl.c
++++ b/src/OVAL/probes/unix/sysctl.c
+@@ -76,7 +76,7 @@ int probe_main(probe_ctx *ctx, void *probe_arg)
+ */
+ ent_attrs = probe_attr_creat("max_depth", r0 = SEXP_string_newf("%d", PROC_SYS_MAXDEPTH),
+ "recurse_direction", r1 = SEXP_string_new("down", 4),
+- "recurse_file_system", r2 = SEXP_string_new("local", 7),
++ "recurse_file_system", r2 = SEXP_string_new("all", 3),
+ "recurse", r3 = SEXP_string_new("symlinks and directories", 24),
+ NULL);
+ bh_entity = probe_ent_creat1("behaviors", ent_attrs, NULL);
+--
+2.20.1
+
diff --git a/SOURCES/ds_session_without_remote_resources.patch b/SOURCES/ds_session_without_remote_resources.patch
new file mode 100644
index 0000000..703d8da
--- /dev/null
+++ b/SOURCES/ds_session_without_remote_resources.patch
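Review bot: The switch of recurse_file_system from "local" to "all" is explained only in the commit message; the source keeps no trace of why the sysctl probe must now descend into every filesystem under /proc/sys, so a later reader could revert it as a harmless tightening and re-break fs.binfmt_misc. A comment on the changed line, e.g. `/* "all", not "local": /proc/sys/fs/binfmt_misc is an autofs mount that cannot be classified as local before it is triggered, see 309f8230d67f229b6091876c3ace62370fb3d451 */`, keeps the rationale next to the code. probe_main's body continues outside the hunk.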
@@ -0,0 +1,36 @@
+From bbcbffcf6f901cb67ca5645307d170a32504a491 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 30 Apr 2019 18:30:53 +0200
+Subject: [PATCH] Allow DS session to continue without remote resources
+
+---
+ src/DS/sds.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/DS/sds.c b/src/DS/sds.c
+index 2511e89d9..b7c33a2e5 100644
+--- a/src/DS/sds.c
++++ b/src/DS/sds.c
+@@ -412,6 +412,7 @@ static int ds_sds_dump_component_by_href(struct ds_sds_session *session, char* x
+ }
+
+ ds_sds_session_remote_resources_progress(session)(true, "WARNING: Skipping '%s' file which is referenced from datastream\n", url);
++ // -2 means that remote resources were not downloaded
+ return -2;
+ }
+
+@@ -444,8 +445,12 @@ int ds_sds_dump_component_ref_as(const xmlNodePtr component_ref, struct ds_sds_s
+ xmlFree(xlink_href);
+ xmlFree(cref_id);
+
+- if (ret != 0) {
+-
++ if (ret == -2) {
++ // A remote component was not dumped
++ // It should be ok to continue without it
++ free(target_filename_dirname);
++ return 0;
++ } else if (ret != 0) {
+ free(target_filename_dirname);
+ return -1;
+ }
diff --git a/SOURCES/extend_unit_test_for_is_local_fs.patch b/SOURCES/extend_unit_test_for_is_local_fs.patch
new file mode 100644
index 0000000..532651d
--- /dev/null
+++ b/SOURCES/extend_unit_test_for_is_local_fs.patch
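Review bot: The -2 result is now load-bearing in two functions but exists only as a bare literal with a trailing comment at each site (`return -2;` in ds_sds_dump_component_by_href and `if (ret == -2)` in ds_sds_dump_component_ref_as); a shared named constant, e.g. `#define DS_SDS_REMOTE_RESOURCE_SKIPPED (-2)`, would keep the producer and the consumer in step if another result code is ever added. Note also that the skipped case now reports success (`return 0;`) to the caller, so the only record that a referenced component was not fetched is the WARNING emitted through the progress callback; if any caller needs to tell "dumped" from "skipped", that distinction has to be surfaced here rather than collapsed into 0. Both enclosing functions start and end outside their hunks.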
@@ -0,0 +1,144 @@ +From 673f338641ca90b31f00e0787cdcbb5fb19a49a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 23 May 2019 09:07:17 +0200 +Subject: [PATCH 1/2] Extend unit test for is_local_fs from fsdev.h + +The test uses a fake `mtab` file which contains 1 entry for a local +filesystem, 1 entry for a direct autofs map and 1 entry for a NFS +system mounted using autofs. By parsing the `mtab` file only 1 local +filesystem should be found. It will help us to test +https://github.com/OpenSCAP/openscap/pull/1329 +--- + tests/API/probes/Makefile.am | 2 ++ + tests/API/probes/fake_mtab | 3 ++ + tests/API/probes/test_fsdev_is_local_fs.c | 36 +++++++++++++++++++++-- + 3 files changed, 38 insertions(+), 3 deletions(-) + create mode 100644 tests/API/probes/fake_mtab + +diff --git a/tests/API/probes/Makefile.am b/tests/API/probes/Makefile.am +index 70442bcc3..459e5f3af 100644 +--- a/tests/API/probes/Makefile.am ++++ b/tests/API/probes/Makefile.am +@@ -1,4 +1,5 @@ + AM_CPPFLAGS = \ ++ -DDATADIR=\"$(srcdir)/\" \ + -I$(top_srcdir)/src \ + -I$(top_srcdir)/src/CCE/public \ + -I$(top_srcdir)/src/CPE/public \ +@@ -35,6 +36,7 @@ test_fsdev_is_local_fs_SOURCES = test_fsdev_is_local_fs.c + + EXTRA_DIST += \ + all.sh \ ++ fake_mtab \ + fts.sh \ + gentree.sh \ + test_api_probes_smoke.c \ +diff --git a/tests/API/probes/fake_mtab b/tests/API/probes/fake_mtab +new file mode 100644 +index 000000000..26d6918bb +--- /dev/null ++++ b/tests/API/probes/fake_mtab +@@ -0,0 +1,3 @@ ++/dev/mapper/fedora-root / ext4 rw,seclabel,relatime 0 0 ++/etc/mount.map /nfs/test autofs rw,relatime,fd=17,pgrp=11111,timeout=5,minproto=5,maxproto=5,direct,pipe_ino=1246883 0 0 ++192.168.122.231:/test /nfs/test nfs4 rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.122.1,local_lock=none,addr=192.168.122.231 0 0 +diff --git a/tests/API/probes/test_fsdev_is_local_fs.c b/tests/API/probes/test_fsdev_is_local_fs.c +index 
bcc596442..143030070 100644 +--- a/tests/API/probes/test_fsdev_is_local_fs.c ++++ b/tests/API/probes/test_fsdev_is_local_fs.c +@@ -29,13 +29,43 @@ + #include + #include "fsdev.h" + +-int main(int argc, char *argv[]) ++static int test_single_call() + { + struct mntent ment; + ment.mnt_type = "autofs"; + int ret = is_local_fs(&ment); +- if (ret != 0) { ++ /* autofs entry is never considered local */ ++ return (ret == 0); ++} ++ ++static int test_multiple_calls() ++{ ++ /* fake mtab contains only 1 local filesystem */ ++ FILE *f = setmntent(DATADIR "fake_mtab", "r"); ++ if (f == NULL) { ++ fprintf(stderr, "fake_mtab could not be open\n"); ++ return 0; ++ } ++ struct mntent *ment; ++ unsigned int locals = 0; ++ while ((ment = getmntent(f)) != NULL) { ++ if (is_local_fs(ment)) { ++ locals++; ++ } ++ } ++ endmntent(f); ++ return (locals == 1); ++} ++ ++int main(int argc, char *argv[]) ++{ ++ if (!test_single_call()) { ++ fprintf(stderr, "test_single_call has failed\n"); ++ return 1; ++ } ++ if (!test_multiple_calls()) { ++ fprintf(stderr, "test_multiple_calls has failed\n"); + return 1; + } + return 0; +-} +\ No newline at end of file ++} + +From 4f8fcd1a85c6840895672b7912592cc9f3c92b01 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 24 May 2019 13:48:59 +0200 +Subject: [PATCH 2/2] Add more entries into fake mtab + +--- + tests/API/probes/fake_mtab | 4 ++++ + tests/API/probes/test_fsdev_is_local_fs.c | 7 +++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/tests/API/probes/fake_mtab b/tests/API/probes/fake_mtab +index 26d6918bb..94b1fe295 100644 +--- a/tests/API/probes/fake_mtab ++++ b/tests/API/probes/fake_mtab +@@ -1,3 +1,7 @@ + /dev/mapper/fedora-root / ext4 rw,seclabel,relatime 0 0 ++tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev 0 0 + /etc/mount.map /nfs/test autofs rw,relatime,fd=17,pgrp=11111,timeout=5,minproto=5,maxproto=5,direct,pipe_ino=1246883 0 0 + 192.168.122.231:/test /nfs/test nfs4 
rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.122.1,local_lock=none,addr=192.168.122.231 0 0 ++/dev/mapper/fedora-home /home ext4 rw,seclabel,relatime 0 0 ++proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 ++//192.168.0.5/storage /media/movies cifs guest,uid=myuser,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm 0 0 +diff --git a/tests/API/probes/test_fsdev_is_local_fs.c b/tests/API/probes/test_fsdev_is_local_fs.c +index 143030070..e3b4691db 100644 +--- a/tests/API/probes/test_fsdev_is_local_fs.c ++++ b/tests/API/probes/test_fsdev_is_local_fs.c +@@ -40,7 +40,10 @@ static int test_single_call() + + static int test_multiple_calls() + { +- /* fake mtab contains only 1 local filesystem */ ++ /* ++ * fake mtab contains only 4 local filesystems: ++ * /, /tmp, /home and /proc ++ */ + FILE *f = setmntent(DATADIR "fake_mtab", "r"); + if (f == NULL) { + fprintf(stderr, "fake_mtab could not be open\n"); +@@ -54,7 +57,7 @@ static int test_multiple_calls() + } + } + endmntent(f); +- return (locals == 1); ++ return (locals == 4); + } + + int main(int argc, char *argv[]) diff --git a/SOURCES/fix_invalid_oval_in_test.patch b/SOURCES/fix_invalid_oval_in_test.patch new file mode 100644 index 0000000..2b9705c --- /dev/null +++ b/SOURCES/fix_invalid_oval_in_test.patch 
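Review bot: When setmntent fails, test_multiple_calls prints a fixed string that names neither the path it tried nor the reason, which makes the failure hard to diagnose when DATADIR is wrong in an out-of-tree build; `perror(DATADIR "fake_mtab");` reports both and needs no new include beyond the stdio.h that fprintf already requires. The message text also reads "could not be open" where "could not be opened" is meant. The comment above the loop that lists the four local mounts (/, /tmp, /home, /proc) is the only place the fixture's expected contents are documented, so it must be updated together with fake_mtab whenever entries are added, as the second commit in this file already had to do.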
@@ -0,0 +1,51 @@ +From 919170300b1d05a807ad59c22ef6c4ab48c2f1c9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 21 May 2019 13:21:45 +0200 +Subject: [PATCH] Fix invalid OVAL in test ds_continue_without_remote_resources + +Addressing: +$ oscap ds sds-split remote_content_1.2.ds.xml /tmp/xxx +$ oscap oval validate --schematron /tmp/xxx/test_single_rule.oval.xml + +oval:x:obj:1 - referenced variable oval:x:var:1 not found. The var_ref entity must hold a variable id that exists in the document. +--- + .../remote_content_1.2.ds.xml | 7 +++++++ + .../remote_content_1.3.ds.xml | 7 +++++++ + 2 files changed, 14 insertions(+) + +diff --git a/tests/DS/ds_continue_without_remote_resources/remote_content_1.2.ds.xml b/tests/DS/ds_continue_without_remote_resources/remote_content_1.2.ds.xml +index 31d4fc770..503b688ec 100644 +--- a/tests/DS/ds_continue_without_remote_resources/remote_content_1.2.ds.xml ++++ b/tests/DS/ds_continue_without_remote_resources/remote_content_1.2.ds.xml +@@ -43,6 +43,13 @@ + oval:x:var:1 + + ++ ++ ++ ++ 100 ++ ++ ++ + + + +diff --git a/tests/DS/ds_continue_without_remote_resources/remote_content_1.3.ds.xml b/tests/DS/ds_continue_without_remote_resources/remote_content_1.3.ds.xml +index 3cf15f8df..bea285bc1 100644 +--- a/tests/DS/ds_continue_without_remote_resources/remote_content_1.3.ds.xml ++++ b/tests/DS/ds_continue_without_remote_resources/remote_content_1.3.ds.xml +@@ -45,6 +45,13 @@ + oval:x:var:1 + + ++ ++ ++ ++ 100 ++ ++ ++ + + + diff --git a/SOURCES/make_is_local_fs_static_again.patch b/SOURCES/make_is_local_fs_static_again.patch new file mode 100644 index 0000000..0029922 --- /dev/null +++ b/SOURCES/make_is_local_fs_static_again.patch 
@@ -0,0 +1,85 @@ +From 535c48739dc89efc76bfd267d3f39dca05cbebd1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 6 Jun 2019 09:14:20 +0200 +Subject: [PATCH] Make is_local_fs static again + +It isn't necessary to expose this function in public API. +The function has been accidentaly introduced to public API +in fff58197d9747a08d0fc23914a31fefbe44f07ea which hasn't +been released yet, so it can be safe to remove it. +--- + src/OVAL/probes/fsdev.c | 4 ++-- + src/OVAL/probes/public/fsdev.h | 10 ---------- + tests/API/probes/Makefile.am | 3 ++- + tests/API/probes/test_fsdev_is_local_fs.c | 1 + + 4 files changed, 5 insertions(+), 13 deletions(-) + +diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c +index 9646cac80..f5f14ac2f 100644 +--- a/src/OVAL/probes/fsdev.c ++++ b/src/OVAL/probes/fsdev.c +@@ -79,7 +79,7 @@ static int fsdev_cmp(const void *a, const void *b) + #define DEVID_ARRAY_ADD 8 + + #if defined(__linux__) +-int is_local_fs(struct mntent *ment) ++static int is_local_fs(struct mntent *ment) + { + // todo: would it be usefull to provide the choice during build-time? + #if 1 +@@ -129,7 +129,7 @@ int is_local_fs(struct mntent *ment) + } + + #elif defined(_AIX) +-int is_local_fs(struct mntent *ment) ++static int is_local_fs(struct mntent *ment) + { + int i; + struct vfs_ent *e; +diff --git a/src/OVAL/probes/public/fsdev.h b/src/OVAL/probes/public/fsdev.h +index bbead1aee..29a0462c8 100644 +--- a/src/OVAL/probes/public/fsdev.h ++++ b/src/OVAL/probes/public/fsdev.h +@@ -86,15 +86,5 @@ int fsdev_path(fsdev_t * lfs, const char *path); + */ + int fsdev_fd(fsdev_t * lfs, int fd); + +-#if defined(__linux__) || defined(_AIX) +-/** +- * Detemines whether a given mtab entry is a local file system. +- * @param ment Structure returned by getmntent (see `man 3 getmntent`). 
+- * @retval 1 if local +- * @retval 0 otherwise +- */ +-int is_local_fs(struct mntent *ment); +-#endif +- + #endif /* FSDEV_H */ + /// @} +diff --git a/tests/API/probes/Makefile.am b/tests/API/probes/Makefile.am +index 459e5f3af..fa9c26b54 100644 +--- a/tests/API/probes/Makefile.am ++++ b/tests/API/probes/Makefile.am +@@ -5,8 +5,9 @@ AM_CPPFLAGS = \ + -I$(top_srcdir)/src/CPE/public \ + -I$(top_srcdir)/src/CVE/public \ + -I${top_srcdir}/src/CVSS/public \ +- -I$(top_srcdir)/src/OVAL/probes/SEAP/public \ ++ -I$(top_srcdir)/src/OVAL/probes \ + -I$(top_srcdir)/src/OVAL/probes/public \ ++ -I$(top_srcdir)/src/OVAL/probes/SEAP/public \ + -I$(top_srcdir)/src/OVAL/public \ + -I$(top_srcdir)/src/XCCDF/public \ + -I$(top_srcdir)/src/common/public \ +diff --git a/tests/API/probes/test_fsdev_is_local_fs.c b/tests/API/probes/test_fsdev_is_local_fs.c +index e3b4691db..085a02a31 100644 +--- a/tests/API/probes/test_fsdev_is_local_fs.c ++++ b/tests/API/probes/test_fsdev_is_local_fs.c +@@ -28,6 +28,7 @@ + #include + #include + #include "fsdev.h" ++#include "fsdev.c" + + static int test_single_call() + { diff --git a/SOURCES/openscap-1.2.17-filehash58_probe_test.patch b/SOURCES/openscap-1.2.17-filehash58_probe_test.patch new file mode 100644 index 0000000..025ed29 --- /dev/null +++ b/SOURCES/openscap-1.2.17-filehash58_probe_test.patch 
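Review bot: `#include "fsdev.c"` in test_fsdev_is_local_fs.c compiles the whole probe implementation into the test translation unit so that the now-static is_local_fs can be reached; that is a legitimate unit-test technique but surprising to readers, so a comment on the include such as `/* is_local_fs is static; include the implementation to unit-test it */` would keep it from being "tidied" away. Because both "fsdev.h" and "fsdev.c" are included, the header's FSDEV_H guard is what prevents the declarations from being seen twice if fsdev.c includes its own header, which is worth stating in that comment. The `-I$(top_srcdir)/src/OVAL/probes` now added to AM_CPPFLAGS appears to make the same flag in oval_fts_list_CFLAGS redundant, though that per-target line is outside this hunk.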
@@ -0,0 +1,131 @@ +diff --git a/tests/probes/filehash58/check_filehash_simple.xml b/tests/probes/filehash58/check_filehash_simple.xml +new file mode 100644 +index 000000000..2f6fa877e +--- /dev/null ++++ b/tests/probes/filehash58/check_filehash_simple.xml +@@ -0,0 +1,40 @@ ++ ++ ++ combine_ovals.py from SCAP Security Guide ++ ssg: [0, 1, 40], python: 3.6.5 ++ 5.11 ++ 2018-07-20T09:33:24 ++ ++ ++ ++ ++ Verify that hash of a file that should contain just "foo\n". ++ ++ Red Hat Enterprise Linux 7 ++ ++ This description in OVALs is mandatory, but the most important is to have description in XCCDF. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /oval-test ++ SHA-1 ++ ++ ++ ++ ++ SHA-1 ++ f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 ++ ++ ++ +diff -r -U3 op0/tests/probes/filehash58/Makefile.in op1/tests/probes/filehash58/Makefile.in +--- op0/tests/probes/filehash58/Makefile.in 2018-08-14 10:45:06.065438575 +0200 ++++ op1/tests/probes/filehash58/Makefile.in 2018-08-14 10:53:57.248937836 +0200 +@@ -1106,7 +1106,7 @@ + $(top_builddir)/run + + TESTS = test_probes_filehash58.sh +-EXTRA_DIST = test_probes_filehash58.sh test_probes_filehash58.xml.sh ++EXTRA_DIST = test_probes_filehash58.sh test_probes_filehash58.xml.sh check_filehash_simple.xml + all: all-am + + .SUFFIXES: +diff -r -U3 op0/tests/probes/filehash58/test_probes_filehash58.sh op1/tests/probes/filehash58/test_probes_filehash58.sh +--- op0/tests/probes/filehash58/test_probes_filehash58.sh 2018-08-14 10:36:09.914512125 +0200 ++++ op1/tests/probes/filehash58/test_probes_filehash58.sh 2018-08-14 10:53:32.366536647 +0200 +@@ -38,15 +38,69 @@ + ret_val=1 + fi + ++ # The file was created as a side-effect of test_probes_filehash58.xml.sh + [ $ret_val -eq 0 ] && rm -f /tmp/test_probes_filehash58.tmp + + return $ret_val + } + ++ ++# $1: The chroot directory ++function test_probes_filehash58_chroot { ++ ++ probecheck "filehash58" || return 255 ++ require "sha1sum" || return 255 ++ ++ local ret_val=0; ++ local 
DF="$srcdir/check_filehash_simple.xml" ++ ++ absolute_probe_root=$(cd "$1" && pwd) ++ ++ # oscap-chroot is not readily available during test run, so we use oscap + env var setting. ++ result_keyword=$(OSCAP_PROBE_ROOT="$absolute_probe_root" "$OSCAP" oval eval "$DF" | grep oval_test_has_hash | grep -o '\w*$') ++ ++ [ "$result_keyword" == "$2" ] && return 0 ++ # vvv This is more a test error than a failure or "warning" vvv ++ [ "$result_keyword" == "" ] && return 2 ++ return 1 ++} ++ ++ ++function test_probes_filehash58_chroot_pass { ++ local ret_val=0 ++ ++ mkdir -p pass ++ echo foo > pass/oval-test ++ ++ test_probes_filehash58_chroot pass true ++ ret_val=$? ++ rm -rf pass ++ ++ return $ret_val ++} ++ ++ ++function test_probes_filehash58_chroot_fail { ++ local ret_val=0 ++ ++ mkdir -p fail ++ echo bar > fail/oval-test ++ ++ test_probes_filehash58_chroot fail false ++ ret_val=$? ++ rm -rf fail ++ ++ return $ret_val ++} ++ + # Testing. + + test_init "test_probes_filehash58.log" + + test_run "test_probes_filehash58" test_probes_filehash58 + ++test_run "test_probes_filehash58_chroot_fail" test_probes_filehash58_chroot_fail ++ ++test_run "test_probes_filehash58_chroot_pass" test_probes_filehash58_chroot_pass ++ + test_exit diff --git a/SOURCES/oval_5_11_2_parsing_issues.patch b/SOURCES/oval_5_11_2_parsing_issues.patch new file mode 100644 index 0000000..5fa016f --- /dev/null +++ b/SOURCES/oval_5_11_2_parsing_issues.patch 
@@ -0,0 +1,164 @@ +From 3d081a4345b2b4f838e5e9fb4fab78b1bad717a9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 22 May 2019 15:03:52 +0200 +Subject: [PATCH] Resolve parsing issues with OVAL 5.11.2 schemas + +Similar to 8ba623120fc9f479285f9d6032cb925db420011d but for OVAL 5.11.2. +The missing namespace imports have already been fixed in +32d4d9be295084f95bfbaec07ea84373b3b4aeb7. Addressing: +``` +File '/root/openscap/schemas/oval/5.11.2/oval-definitions-schema.xsd' +line 1446: local union type: A type, derived by list or union, must have +the simple ur-type definition as base type, not +'{http://oval.mitre.org/XMLSchema/oval-definitions-5}(NULL)'. +File '/root/openscap/schemas/oval/5.11.2/oval-definitions-schema.xsd' +line 1459: local union type: A type, derived by list or union, must have +the simple ur-type definition as base type, not +'{http://oval.mitre.org/XMLSchema/oval-definitions-5}(NULL)'. +File '/root/openscap/schemas/oval/5.11.2/oval-definitions-schema.xsd' +line 1472: local union type: A type, derived by list or union, must have +the simple ur-type definition as base type, not +'{http://oval.mitre.org/XMLSchema/oval-definitions-5}(NULL)'. +File '/root/openscap/schemas/oval/5.11.2/oval-definitions-schema.xsd' +line 1485: local union type: A type, derived by list or union, must have +the simple ur-type definition as base type, not +'{http://oval.mitre.org/XMLSchema/oval-definitions-5}(NULL)'. +File '/root/openscap/schemas/oval/5.11.2/oval-definitions-schema.xsd' +line 1652: local union type: A type, derived by list or union, must have +the simple ur-type definition as base type, not +'{http://oval.mitre.org/XMLSchema/oval-definitions-5}(NULL)'. +File '/root/openscap/schemas/oval/5.11.2/oval-definitions-schema.xsd' +line 1665: local union type: A type, derived by list or union, must have +the simple ur-type definition as base type, not +'{http://oval.mitre.org/XMLSchema/oval-definitions-5}(NULL)'. 
+File '/root/openscap/schemas/oval/5.11.2/oval-definitions-schema.xsd' +line 1678: local union type: A type, derived by list or union, must have +the simple ur-type definition as base type, not +'{http://oval.mitre.org/XMLSchema/oval-definitions-5}(NULL)'. +File '/root/openscap/schemas/oval/5.11.2/oval-definitions-schema.xsd' +line 1691: local union type: A type, derived by list or union, must have +the simple ur-type definition as base type, not +'{http://oval.mitre.org/XMLSchema/oval-definitions-5}(NULL)'. +OpenSCAP Error: Could not parse XML schema [validate.c:113] +``` +--- + schemas/oval/5.11.2/oval-definitions-schema.xsd | 16 ++++++++-------- + .../oval-system-characteristics-schema.xsd | 8 ++++---- + 2 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/schemas/oval/5.11.2/oval-definitions-schema.xsd b/schemas/oval/5.11.2/oval-definitions-schema.xsd +index 9aa338603..42c238e1e 100644 +--- a/schemas/oval/5.11.2/oval-definitions-schema.xsd ++++ b/schemas/oval/5.11.2/oval-definitions-schema.xsd +@@ -1450,7 +1450,7 @@ + + + +- ++ + + + +@@ -1463,7 +1463,7 @@ + + + +- ++ + + + +@@ -1476,7 +1476,7 @@ + + + +- ++ + + + +@@ -1489,7 +1489,7 @@ + + + +- ++ + + + +@@ -1656,7 +1656,7 @@ + + + +- ++ + + + +@@ -1669,7 +1669,7 @@ + + + +- ++ + + + +@@ -1682,7 +1682,7 @@ + + + +- ++ + + + +@@ -1695,7 +1695,7 @@ + + + +- ++ + + + +diff --git a/schemas/oval/5.11.2/oval-system-characteristics-schema.xsd b/schemas/oval/5.11.2/oval-system-characteristics-schema.xsd +index 030274c4a..c71de366a 100644 +--- a/schemas/oval/5.11.2/oval-system-characteristics-schema.xsd ++++ b/schemas/oval/5.11.2/oval-system-characteristics-schema.xsd +@@ -493,7 +493,7 @@ + + + +- ++ + + + +@@ -506,7 +506,7 @@ + + + +- ++ + + + +@@ -519,7 +519,7 @@ + + + +- ++ + + + +@@ -532,7 +532,7 @@ + + + +- ++ + + + diff --git a/SOURCES/test_ds_session_without_remote_resources.patch b/SOURCES/test_ds_session_without_remote_resources.patch new file mode 100644 index 0000000..2d45912 --- /dev/null 
+++ b/SOURCES/test_ds_session_without_remote_resources.patch 
@@ -0,0 +1,255 @@ +From 8645604c8e5285c5b5bec538a50d3b4f6b13c9a5 Mon Sep 17 00:00:00 2001 +From: Matus Marhefka +Date: Tue, 14 May 2019 15:38:50 +0200 +Subject: [PATCH] Add test for DS session and SCAP 1.3 remote resources + +* Test for PR#1324 which verifies that DS session does not quit + when SCAP 1.3 content contains remote component but + `--fetch-remote-resources` option is not provided. The test is + also extended to verify that scans utilizing SCAP 1.2 and 1.3 + datastreams produce the same results. +--- + tests/DS/Makefile.am | 2 + + .../remote_content_1.2.ds.xml | 87 ++++++++++++++++++ + .../remote_content_1.3.ds.xml | 89 +++++++++++++++++++ + tests/DS/test_ds.sh | 17 ++++ + 4 files changed, 195 insertions(+) + create mode 100644 tests/DS/ds_continue_without_remote_resources/remote_content_1.2.ds.xml + create mode 100644 tests/DS/ds_continue_without_remote_resources/remote_content_1.3.ds.xml + +diff --git a/tests/DS/Makefile.am b/tests/DS/Makefile.am +index 616f24d24..ea742386d 100644 +--- a/tests/DS/Makefile.am ++++ b/tests/DS/Makefile.am +@@ -11,6 +11,8 @@ TESTS_ENVIRONMENT= \ + TESTS = test_ds.sh + + EXTRA_DIST = test_ds.sh \ ++ ds_continue_without_remote_resources/remote_content_1.2.ds.xml \ ++ ds_continue_without_remote_resources/remote_content_1.3.ds.xml \ + eval_invalid/sds.xml \ + eval_invalid/sds-oval.xml \ + eval_simple/sds.xml \ +diff --git a/tests/DS/ds_continue_without_remote_resources/remote_content_1.2.ds.xml b/tests/DS/ds_continue_without_remote_resources/remote_content_1.2.ds.xml +new file mode 100644 +index 000000000..31d4fc770 +--- /dev/null ++++ b/tests/DS/ds_continue_without_remote_resources/remote_content_1.2.ds.xml +@@ -0,0 +1,87 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ 5.10 ++ 2009-01-12T10:41:00-05:00 ++ ++ ++ ++ ++ ++ PASS ++ pass ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ oval:x:var:1 ++ ++ ++ ++ ++ ++ ++ ++ accepted ++ 1.0 ++ ++ ++ xccdf_test_profile ++ This profile is for testing. 
++ ++ ++ ++ ++ test value ++ foo ++ 50 ++ 100 ++ ++ ++ This rule always pass ++ ++ ++ ++ ++ ++ This rule checks remote resource ++ ++ ++ ++ ++ ++ This rule always pass ++ ++ ++ ++ ++ ++ ++ +diff --git a/tests/DS/ds_continue_without_remote_resources/remote_content_1.3.ds.xml b/tests/DS/ds_continue_without_remote_resources/remote_content_1.3.ds.xml +new file mode 100644 +index 000000000..3cf15f8df +--- /dev/null ++++ b/tests/DS/ds_continue_without_remote_resources/remote_content_1.3.ds.xml +@@ -0,0 +1,89 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ 5.11 ++ 2009-01-12T10:41:00-05:00 ++ ++ ++ ++ ++ ++ PASS ++ pass ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ oval:x:var:1 ++ ++ ++ ++ ++ ++ ++ ++ accepted ++ 1.0 ++ ++ ++ xccdf_test_profile ++ This profile is for testing. ++ ++ ++ ++ ++ test value ++ foo ++ 50 ++ 100 ++ ++ ++ This rule always pass ++ ++ ++ ++ ++ ++ This rule checks remote resource ++ ++ ++ ++ ++ ++ This rule always pass ++ ++ ++ ++ ++ ++ ++ +diff --git a/tests/DS/test_ds.sh b/tests/DS/test_ds.sh +index 22cafe6c9..1383ad87a 100755 +--- a/tests/DS/test_ds.sh ++++ b/tests/DS/test_ds.sh +@@ -414,6 +414,21 @@ function test_sds_tailoring { + rm -f "$result" + } + ++function test_ds_continue_without_remote_resources() { ++ local DS="${srcdir}/$1" ++ local PROFILE="$2" ++ local result=$(mktemp) ++ ++ $OSCAP xccdf eval --profile "$PROFILE" --results "$result" "$DS" ++ ++ assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass"]/result[text()="pass"]' ++ assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-remote_res"]/result[text()="notchecked"]' ++ assert_exists 1 '//rule-result[@idref="xccdf_com.example.www_rule_test-pass2"]/result[text()="pass"]' ++ ++ rm -f "$result" ++} ++ ++ + # Testing. 
+ test_init "test_ds.log" + +@@ -454,6 +469,8 @@ test_run "rds_split_simple" test_rds_split rds_split_simple report-request.xml r + + test_run "test_eval_complex" test_eval_complex + test_run "sds_add_multiple_oval_twice_in_row" sds_add_multiple_twice ++test_run "test_ds_1_2_continue_without_remote_resources" test_ds_continue_without_remote_resources ds_continue_without_remote_resources/remote_content_1.2.ds.xml xccdf_com.example.www_profile_test_remote_res ++test_run "test_ds_1_3_continue_without_remote_resources" test_ds_continue_without_remote_resources ds_continue_without_remote_resources/remote_content_1.3.ds.xml xccdf_com.example.www_profile_test_remote_res + + test_exit + diff --git a/SOURCES/textfilecontent54_behaviors_ignored.patch b/SOURCES/textfilecontent54_behaviors_ignored.patch new file mode 100644 index 0000000..2d576aa --- /dev/null +++ b/SOURCES/textfilecontent54_behaviors_ignored.patch 
@@ -0,0 +1,58 @@
+From 7d31c404ab6c90d19c378aaefdd70baf1a62f142 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Mon, 18 Mar 2019 16:35:45 +0100
+Subject: [PATCH] Don't ignore file behaviors if filepath is specified
+
+The effect of the code removed by this patch is that the
+max_depth, recurse, recurse_direction and recurse_file_system
+attributes of the behaviors element are completely ignored
+and reset to their default values if filepath element is specified
+in the textfilecontent54_object. This is against OVAL specification
+and it is inconsistent with file probe, from where a similar
+code has been removed in 93d5f1416f232d6fa21fe8f2ad771d003749ea7b.
+---
+ .../probes/independent/textfilecontent54.c | 31 -------------------
+ 1 file changed, 31 deletions(-)
+
+diff --git a/src/OVAL/probes/independent/textfilecontent54.c b/src/OVAL/probes/independent/textfilecontent54.c
+index fc0f944e5..5f5890e15 100644
+--- a/src/OVAL/probes/independent/textfilecontent54.c
++++ b/src/OVAL/probes/independent/textfilecontent54.c
+@@ -415,37 +415,6 @@ int probe_main(probe_ctx *ctx, void *arg)
+ m_val = "1";
+ */
+
+- /* reset filebehavior attributes if 'filepath' entity is used */
+- if (filepath_ent != NULL && bh_ent != NULL) {
+- SEXP_t *r1, *r2, *r3;
+- r1 = r2 = r3 = NULL;
+- if (probe_ent_attrexists(bh_ent, "ignore_case")) {
+- r1 = probe_ent_getattrval(bh_ent, "ignore_case");
+- }
+- if (probe_ent_attrexists(bh_ent, "multiline")) {
+- r2 = probe_ent_getattrval(bh_ent, "multiline");
+- }
+- if (probe_ent_attrexists(bh_ent, "singleline")) {
+- r3 = probe_ent_getattrval(bh_ent, "singleline");
+- }
+- r0 = SEXP_list_new(NULL);
+- SEXP_free(bh_ent);
+- bh_ent = probe_ent_creat1("behaviors", r0, NULL);
+- SEXP_free(r0);
+- if (r1) {
+- probe_ent_attr_add(bh_ent, "ignore_case", r1);
+- SEXP_free(r1);
+- }
+- if (r2) {
+- probe_ent_attr_add(bh_ent, "multiline", r2);
+- SEXP_free(r2);
+- }
+- if (r3) {
+- probe_ent_attr_add(bh_ent, "singleline", r3);
+- SEXP_free(r3);
+- }
+- }
+-
+ probe_tfc54behaviors_canonicalize(&bh_ent);
+
+ pfd.instance_ent = inst_ent;
diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec
new file mode 100644
index 0000000..0808baa
--- /dev/null
+++ b/SPECS/openscap.spec
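Review bot: Removing the reset block also removes the only assignment to `r0` visible in this hunk (`r0 = SEXP_list_new(NULL);`); if the rest of probe_main, which starts and ends outside the hunk, no longer references `r0`, its declaration should be dropped in the same patch so the build stays clean under `-Wunused-variable`. After the change `probe_tfc54behaviors_canonicalize(&bh_ent)` is the only remaining step that fills in behavior defaults, so content-specified recurse_file_system/max_depth values presumably now reach the file walk when filepath is given; a regression test that pairs a filepath object with non-default behaviors would pin that and keep this backport from silently regressing on a future rebase.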
@@ -0,0 +1,684 @@
+%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
+%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+
+%define relabel_files() \
+restorecon -R /usr/bin/oscap /usr/libexec/openscap; \
+
+Name: openscap
+Version: 1.2.17
+Release: 4%{?dist}
+Summary: Set of open source libraries enabling integration of the SCAP line of standards
+Group: System Environment/Libraries
+License: LGPLv2+
+URL: http://www.open-scap.org/
+Source0: https://github.com/OpenSCAP/openscap/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch1: openscap-1.2.17-filehash58_probe_test.patch
+Patch2: textfilecontent54_behaviors_ignored.patch
+Patch3: autofs_entries_in_mtab.patch
+Patch4: extend_unit_test_for_is_local_fs.patch
+Patch5: ds_session_without_remote_resources.patch
+Patch6: test_ds_session_without_remote_resources.patch
+Patch7: fix_invalid_oval_in_test.patch
+Patch8: oval_5_11_2_parsing_issues.patch
+Patch9: add_scap_1_3_schema_and_detect_version.patch
+Patch10: add_oval_results_to_test.patch
+Patch11: do_not_skip_fs_binfmt_misc.patch
+Patch12: make_is_local_fs_static_again.patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: swig libxml2-devel libxslt-devel perl-XML-Parser
+BuildRequires: rpm-devel
+BuildRequires: libgcrypt-devel
+BuildRequires: pcre-devel
+BuildRequires: libacl-devel
+BuildRequires: libselinux-devel libcap-devel
+BuildRequires: libblkid-devel
+BuildRequires: bzip2-devel
+BuildRequires: libtool
+%if %{?_with_check:1}%{!?_with_check:0}
+BuildRequires: perl-XML-XPath
+%endif
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+
+%description
+OpenSCAP is a set of open source libraries providing an easier path
+for integration of the SCAP line of standards. SCAP is a line of standards
+managed by NIST with the goal of providing a standard language
+for the expression of Computer Network Defense related information.
+
+%package devel
+Summary: Development files for %{name}
+Group: Development/Libraries
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: libxml2-devel
+Requires: pkgconfig
+
+%description devel
+The %{name}-devel package contains libraries and header files for
+developing applications that use %{name}.
+
+%package python
+Summary: Python bindings for %{name}
+Group: Development/Libraries
+Requires: %{name}%{?_isa} = %{version}-%{release}
+BuildRequires: python-devel
+
+%description python
+The %{name}-python package contains the bindings so that %{name}
+libraries can be used by python.
+
+%package scanner
+Summary: OpenSCAP Scanner Tool (oscap)
+Group: Applications/System
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: libcurl >= 7.12.0
+BuildRequires: libcurl-devel >= 7.12.0
+Obsoletes: openscap-selinux
+
+%description scanner
+The %{name}-scanner package contains oscap command-line tool. The oscap
+is configuration and vulnerability scanner, capable of performing
+compliance checking using SCAP content.
+
+%package utils
+Summary: OpenSCAP Utilities
+Group: Applications/System
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: rpmdevtools rpm-build
+Requires: %{name}-containers = %{version}-%{release}
+
+%description utils
+The %{name}-utils package contains command-line tools build on top
+of OpenSCAP library. Historically, openscap-utils included oscap
+tool which is now separated to %{name}-scanner sub-package.
+
+
+%package extra-probes
+Summary: SCAP probes
+Group: Applications/System
+Requires: %{name}%{?_isa} = %{version}-%{release}
+BuildRequires: openldap-devel
+BuildRequires: GConf2-devel
+#BuildRequires: opendbx - for sql
+
+%description extra-probes
+The %{name}-extra-probes package contains additional probes that are not
+commonly used and require additional dependencies.
+
+%package engine-sce
+Summary: Script Check Engine plug-in for OpenSCAP
+Group: Applications/System
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description engine-sce
+The Script Check Engine is non-standard extension to SCAP protocol. This
+engine allows content authors to avoid OVAL language and write their assessment
+commands using a scripting language (Bash, Perl, Python, Ruby, ...).
+
+%package engine-sce-devel
+Summary: Development files for %{name}-engine-sce
+Group: Development/Libraries
+Requires: %{name}-devel%{?_isa} = %{version}-%{release}
+Requires: %{name}-engine-sce%{?_isa} = %{version}-%{release}
+Requires: pkgconfig
+
+%description engine-sce-devel
+The %{name}-engine-sce-devel package contains libraries and header files
+for developing applications that use %{name}-engine-sce.
+
+%package containers
+Summary: Utils for scanning containers
+Group: Applications/System
+Requires: %{name} = %{version}-%{release}
+Requires: %{name}-scanner
+BuildArch: noarch
+
+%description containers
+Tool for scanning Atomic containers.
+
+
+%prep
+%setup -q
+%patch1 -p1 -b .filehash58_probe_test
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+
+%build
+%ifarch sparc64
+#sparc64 need big PIE
+export CFLAGS="$RPM_OPT_FLAGS -fPIE"
+export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
+%else
+export CFLAGS="$RPM_OPT_FLAGS -fpie"
+export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
+%endif
+
+autoreconf -is
+%configure --enable-sce
+
+make %{?_smp_mflags}
+# Remove shebang from bash-completion script
+sed -i '/^#!.*bin/,+1 d' dist/bash_completion.d/oscap
+# Change permissions of test_detect_version.sh
+# Please remove it after rebase to OpenSCAP 1.2.18 or newer.
+chmod 755 tests/DS/sds_detect_version/test_detect_version.sh
+
+%check
+#to run make check use "--with check"
+%if %{?_with_check:1}%{!?_with_check:0}
+make check
+%endif
+
+%install
+rm -rf $RPM_BUILD_ROOT
+
+make install INSTALL='install -p' DESTDIR=$RPM_BUILD_ROOT
+
+# remove content for another OS
+rm $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-rhel6-oval.xml
+rm $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-rhel6-xccdf.xml
+rm $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-fedora14-oval.xml
+rm $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-fedora14-xccdf.xml
+
+# Remove sectool SCE content which is not distributed along RHEL7
+rm $RPM_BUILD_ROOT/%{_datadir}/openscap/sectool-sce/sectool-xccdf.xml
+rm $RPM_BUILD_ROOT/%{_datadir}/openscap/sectool-sce/*.sh
+rmdir $RPM_BUILD_ROOT/%{_datadir}/openscap/sectool-sce
+
+# bash-completion script
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/bash_completion.d
+install -pm 644 dist/bash_completion.d/oscap $RPM_BUILD_ROOT%{_sysconfdir}/bash_completion.d/oscap
+
+find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%files
+%defattr(-,root,root,-)
+%doc AUTHORS COPYING ChangeLog NEWS README.md
+%{_libdir}/libopenscap.so.*
+%{_libexecdir}/openscap/probe_dnscache
+%{_libexecdir}/openscap/probe_environmentvariable
+%{_libexecdir}/openscap/probe_environmentvariable58
+%{_libexecdir}/openscap/probe_family
+%{_libexecdir}/openscap/probe_file
+%{_libexecdir}/openscap/probe_fileextendedattribute
+%{_libexecdir}/openscap/probe_filehash
+%{_libexecdir}/openscap/probe_filehash58
+%{_libexecdir}/openscap/probe_iflisteners
+%{_libexecdir}/openscap/probe_inetlisteningservers
+%{_libexecdir}/openscap/probe_interface
+%{_libexecdir}/openscap/probe_partition
+%{_libexecdir}/openscap/probe_password
+%{_libexecdir}/openscap/probe_process
+%{_libexecdir}/openscap/probe_process58
+%{_libexecdir}/openscap/probe_routingtable
+%{_libexecdir}/openscap/probe_rpminfo
+%{_libexecdir}/openscap/probe_rpmverify
+%{_libexecdir}/openscap/probe_rpmverifyfile
+%{_libexecdir}/openscap/probe_rpmverifypackage
+%{_libexecdir}/openscap/probe_runlevel
+%{_libexecdir}/openscap/probe_selinuxboolean
+%{_libexecdir}/openscap/probe_selinuxsecuritycontext
+%{_libexecdir}/openscap/probe_shadow
+%{_libexecdir}/openscap/probe_symlink
+%{_libexecdir}/openscap/probe_sysctl
+%{_libexecdir}/openscap/probe_system_info
+%{_libexecdir}/openscap/probe_systemdunitdependency
+%{_libexecdir}/openscap/probe_systemdunitproperty
+%{_libexecdir}/openscap/probe_textfilecontent
+%{_libexecdir}/openscap/probe_textfilecontent54
+%{_libexecdir}/openscap/probe_uname
+%{_libexecdir}/openscap/probe_variable
+%{_libexecdir}/openscap/probe_xinetd
+%{_libexecdir}/openscap/probe_xmlfilecontent
+%dir %{_datadir}/openscap
+%dir %{_datadir}/openscap/schemas
+%dir %{_datadir}/openscap/xsl
+%dir %{_datadir}/openscap/cpe
+%{_datadir}/openscap/schemas/*
+%{_datadir}/openscap/xsl/*
+%{_datadir}/openscap/cpe/*
+
+%files python
+%defattr(-,root,root,-)
+%{python_sitearch}/*
+
+%files devel
+%defattr(-,root,root,-)
+%doc docs/{html,examples}/
+%{_libdir}/libopenscap.so
+%{_libdir}/pkgconfig/*.pc
+%{_includedir}/openscap
+%exclude %{_includedir}/openscap/sce_engine_api.h
+
+%files engine-sce-devel
+%defattr(-,root,root,-)
+%{_libdir}/libopenscap_sce.so
+%{_includedir}/openscap/sce_engine_api.h
+
+%files scanner
+%{_bindir}/oscap
+%{_mandir}/man8/oscap.8.gz
+%{_bindir}/oscap-chroot
+%{_mandir}/man8/oscap-chroot.8.gz
+%{_sysconfdir}/bash_completion.d
+
+%files utils
+%defattr(-,root,root,-)
+%doc docs/oscap-scan.cron
+%{_mandir}/man8/*
+%exclude %{_mandir}/man8/oscap.8.gz
+%exclude %{_mandir}/man8/oscap-docker.8.gz
+%exclude %{_mandir}/man8/oscap-chroot.8.gz
+%{_bindir}/*
+%exclude %{_bindir}/oscap
+%exclude %{_bindir}/oscap-docker
+%exclude %{_bindir}/oscap-chroot
+
+
+%files extra-probes
+%{_libexecdir}/openscap/probe_ldap57
+%{_libexecdir}/openscap/probe_gconf
+
+%files engine-sce
+%{_libdir}/libopenscap_sce.so.*
+
+%files containers
+%defattr(-,root,root,-)
+%{_bindir}/oscap-docker
+%{_mandir}/man8/oscap-docker.8.gz
+%{python_sitelib}/oscap_docker_python/*
+
+
+%changelog
+* Thu Jun 06 2019 Jan Černý - 1.2.17-4
+- Make is_local_fs static again to avoid API changes between releases
+
+* Mon May 27 2019 Jan Černý - 1.2.17-3
+- Fix unwanted recursion into mounted remote filesystems (#1655943)
+- Evaluate SCAP 1.3 datastreams without downloading remote data (#1709423)
+
+* Tue Aug 14 2018 Matěj Týč - 1.2.17-2
+- Patched to include tests for filehash58 probe.
+
+* Wed Jul 11 2018 Matěj Týč - 1.2.17-1
+- Rebased to the 1.2.17 upstream release (#1564900).
+- Fixed the offline scanning (#1547107, #1556988).
+- HTML Guide user experience improvements.
+- New options in HTML report "Group By" menu.
+- oscap-ssh supports --oval-results.
+- For more news, see https://github.com/OpenSCAP/openscap/releases/tag/1.2.17
+
+* Tue Feb 06 2018 Watson Yuuma Sato - 1.2.16-6
+- Cleanup temporary images created by oscap-docker (#1454637)
+
+* Tue Jan 23 2018 Jan Černý - 1.2.16-5
+- Revert warnings by default in oscap tool (#1537089)
+
+* Mon Jan 15 2018 Watson Yuuma Sato - 1.2.16-4
+- Fix requirement on openscap-containers
+
+* Tue Jan 09 2018 Watson Yuuma Sato - 1.2.16-3
+- Update bash completion (#1505517)
+- Align bash role header with output of help command (#1439813)
+
+* Mon Nov 20 2017 Matěj Týč - 1.2.16-2
+- moved oscap-docker to newly created openscap-containers.
+- moved man of oscap-chroot to oscap-scanner.
+
+* Tue Nov 14 2017 Matěj Týč - 1.2.16-1
+- upgrade to the latest upstream release
+- moved oscap-chroot to openscap-scanner because it's a thin wrapper script with no dependencies
+
+* Mon Aug 28 2017 Jan Černý - 1.2.15-1
+- upgrade to the latest upstream release
+- short profile names can be used instead of long IDs
+- new option --rule allows to evaluate only a single rule
+- new option --fix-type in "oscap xccdf generate fix" allows choosing
+ remediation script type without typing long URL
+- "oscap info" shows profile titles
+- OVAL details in HTML report are easier to read
+- HTML report is smaller because unselected rules are removed
+- HTML report supports NIST 800-171 and CJIS
+- remediation scripts contain headers with useful information (#1439813)
+- remediation scripts report progress when they run
+- basic support for Oracle Linux (CPEs, runlevels)
+- remediation scripts can be generated from datastreams that contain
+ multiple XCCDF benchmarks
+- basic support for OVAL 5.11.2 (only schemas, no features)
+- enabled offline RPM database in rpminfo probe
+- added Fedora 28 CPE
+- fixed oscap-docker with Docker >= 2.0
+- fixed behavior of sysctl probe to be consistent with sysctl tool
+- fixed generating remediation scripts
+- severity of tailored rules is not discarded
+- fixed errors in RPM probes initialization
+- oscap-docker shows all warnings reported by oscap
+- fixed pkgconfig file
+
+* Fri May 19 2017 Martin Preisler - 1.2.14-2
+- RPM probes to return not applicable on non-rpm systems (#1447629)
+- fixed sysctl tests on s390x architecture (#1447649)
+- Revert warning by default in oscap tool, our message categories are not ready for it (#1447341)
+
+* Tue Mar 21 2017 Jan Černý - 1.2.14-1
+- Upgrade to the latest upstream release
+- Detailed information about ARF files in 'oscap info'
+- Generating remediation scripts from ARF
+- HTML report UX improvements
+- Fixed CPE dictionary to identify RHEVH as RHEL7 (#1420038)
+- Fixed systemd probes crashes inside containers (#1431186)
+- Fixed output on terminals with white background (#1365911)
+- Error handling in oscap-vm (#1391754)
+- Fixed SCE stderr stalling (#1420811)
+- Fixed absolute filepath parsing in OVAL (#1312831, #1312824)
+- Fixed segmentation faults in RPM probes (#1414303, #1414312)
+- Fixed missing header in result-oriented Ansible remediations
+
+* Thu Jan 05 2017 Martin Preisler - 1.2.13-1
+- Upgrade to the latest upstream release
+- Added --thin-results CLI override to oscap xccdf eval
+- Added --without-syschar CLI override to oscap xccdf eval
+- Remediations are not filtered by applicability
+- Fixed segmentation faults in XCCDF and OVAL processing
+- Added a warning on generating an ARF from XCCDF 1.1
+
+* Wed Nov 16 2016 Martin Preisler - 1.2.12-1
+- Upgrade to the latest upstream release
+- improved HTML report by referencing links
+- fixed validity errors in ARF files
+- fixed CVE parsing
+- fixed injecting xccdf:check-content-ref references in ARF results
+- fixed oscap-docker incompliance reporting (#1387248)
+- fixed oscap-docker man page (#1387166)
+
+* Mon Nov 14 2016 Martin Preisler - 1.2.11-1
+- upgrade to the latest upstream release
+
+* Mon Sep 05 2016 Jan Černý - 1.2.10-2
+- fix oscap-docker to follow the proxy settings (#1351952)
+
+* Thu Jun 30 2016 Jan Černý - 1.2.10-1
+- upgrade to the latest upstream release
+
+* Tue May 31 2016 Martin Preisler - 1.2.9-7
+- fixed dates in the changelog
+- changed Release to 7 to avoid conflicts
+
+* Tue May 31 2016 Martin Preisler - 1.2.9-4
+- worked around a change in behavior in argparse between different versions of python2 (#1278147)
+
+* Thu May 05 2016 Martin Preisler - 1.2.9-3
+- fixed loading SDS session multiple times (#1250072)
+
+* Tue Apr 26 2016 Jan Černý - 1.2.9-2
+- fix specfile
+
+* Mon Apr 25 2016 Jan Černý - 1.2.9-1
+- upgrade to the latest upstream release
+
+* Fri Jul 24 2015 Martin Preisler - 1.2.5-3
+- add a patch for scap-as-rpm to generate SRPM correctly (#1242893)
+
+* Fri Jul 24 2015 Martin Preisler - 1.2.5-2
+- add a patch to support RHSA identifiers in HTML report and guide (#1243808)
+
+* Mon Jul 06 2015 Šimon Lukašík - 1.2.5-1
+- upgrade to the latest upstream release
+
+* Mon Jun 22 2015 Šimon Lukašík - 1.2.4-1
+- upgrade to the latest upstream release
+- drop openscap-selinux sub-package
+
+* Tue Jan 20 2015 Šimon Lukašík - 1.1.1-3
+- USGCB, schematron: var_ref missing when var_check exported (#1182242)
+
+* Thu Jan 08 2015 Šimon Lukašík - 1.1.1-2
+- STIG-generated results contain var_ref without var_check (#1159289)
+- Probes failed to stop by USR1 signal as specified (#1165139)
+
+* Fri Sep 26 2014 Šimon Lukašík - 1.1.1-1
+- upgrade to the latest upstream release
+
+* Wed Sep 03 2014 Šimon Lukašík - 1.1.0-1
+- upgrade
+- introduce openscap-scanner sub-package (#1115105)
+
+* Fri Jan 24 2014 Daniel Mach - 1.0.3-2
+- Mass rebuild 2014-01-24
+
+* Tue Jan 14 2014 Šimon Lukašík - 1.0.3-1
+- upgrade
+- This upstream release addresses: #1052142
+
+* Fri Jan 10 2014 Šimon Lukašík - 1.0.2-1
+- upgrade
+- This upstream release addresses: #1018291, #1029879, #1026833
+
+* Fri Dec 27 2013 Daniel Mach - 1.0.1-2
+- Mass rebuild 2013-12-27
+
+* Thu Nov 28 2013 Šimon Lukašík - 1.0.1-1
+- upgrade
+
+* Tue Nov 26 2013 Šimon Lukašík - 1.0.0-3
+- expand LT_CURRENT_MINUS_AGE correctly
+
+* Thu Nov 21 2013 Šimon Lukašík - 1.0.0-2
+- dlopen libopenscap_sce.so.{current-age} explicitly
+ That allows for SCE to work without openscap-engine-sce-devel
+
+* Tue Nov 19 2013 Šimon Lukašík - 1.0.0-1
+- upgrade
+- package openscap-engine-sce-devel separately
+
+* Fri Nov 15 2013 Šimon Lukašík - 0.9.13-7
+- do not obsolete openscap-conten just drop it (#1028706)
+ scap-security-guide will bring the Obsoletes tag
+
+* Thu Nov 14 2013 Šimon Lukašík - 0.9.13-6
+- only non-noarch packages should be requiring specific architecture
+
+* Sat Nov 09 2013 Šimon Lukašík 0.9.13-5
+- specify architecture when requiring base package
+
+* Fri Nov 08 2013 Šimon Lukašík 0.9.13-4
+- specify dependency between engine and devel sub-package
+
+* Fri Nov 08 2013 Šimon Lukašík 0.9.13-3
+- correct openscap-utils dependencies
+
+* Fri Nov 08 2013 Šimon Lukašík 0.9.13-2
+- drop openscap-content package (use scap-security-guide instead)
+
+* Fri Nov 08 2013 Šimon Lukašík 0.9.13-1
+- upgrade
+
+* Thu Sep 26 2013 Šimon Lukašík 0.9.12-2
+- Start building SQL probes for Fedora
+
+* Wed Sep 11 2013 Šimon Lukašík 0.9.12-1
+- upgrade
+
+* Thu Jul 18 2013 Petr Lautrbach 0.9.11-1
+- upgrade
+
+* Mon Jul 15 2013 Petr Lautrbach 0.9.10-1
+- upgrade
+
+* Mon Jun 17 2013 Petr Lautrbach 0.9.8-1
+- upgrade
+
+* Fri Apr 26 2013 Petr Lautrbach 0.9.7-1
+- upgrade
+- add openscap-selinux sub-package
+
+* Wed Apr 24 2013 Petr Lautrbach 0.9.6-1
+- upgrade
+
+* Wed Mar 20 2013 Petr Lautrbach 0.9.5-1
+- upgrade
+
+* Mon Mar 04 2013 Petr Lautrbach 0.9.4.1-1
+- upgrade
+
+* Tue Feb 26 2013 Petr Lautrbach 0.9.4-1
+- upgrade
+
+* Thu Feb 14 2013 Fedora Release Engineering - 0.9.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Dec 17 2012 Petr Lautrbach 0.9.3-1
+- upgrade
+
+* Wed Nov 21 2012 Petr Lautrbach 0.9.2-1
+- upgrade
+
+* Mon Oct 22 2012 Petr Lautrbach 0.9.1-1
+- upgrade
+
+* Tue Sep 25 2012 Peter Vrabec 0.9.0-1
+- upgrade
+
+* Mon Aug 27 2012 Petr Lautrbach 0.8.5-1
+- upgrade
+
+* Tue Aug 07 2012 Petr Lautrbach 0.8.4-1
+- upgrade
+
+* Tue Jul 31 2012 Petr Lautrbach 0.8.3-2
+- fix Profile and @hidden issue
+
+* Mon Jul 30 2012 Petr Lautrbach 0.8.3-1
+- upgrade
+
+* Fri Jul 20 2012 Fedora Release Engineering - 0.8.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Jun 08 2012 Petr Pisar - 0.8.2-2
+- Perl 5.16 rebuild
+
+* Fri Mar 30 2012 Petr Lautrbach 0.8.2-1
+- upgrade
+
+* Tue Feb 21 2012 Peter Vrabec 0.8.1-1
+- upgrade
+
+* Fri Feb 10 2012 Petr Pisar - 0.8.0-3
+- Rebuild against PCRE 8.30
+
+* Fri Jan 13 2012 Fedora Release Engineering - 0.8.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Oct 11 2011 Peter Vrabec 0.8.0-1
+- upgrade
+
+* Mon Jul 25 2011 Peter Vrabec 0.7.4-1
+- upgrade
+
+* Thu Jul 21 2011 Petr Sabata - 0.7.3-3
+- Perl mass rebuild
+
+* Wed Jul 20 2011 Petr Sabata - 0.7.3-2
+- Perl mass rebuild
+
+* Fri Jun 24 2011 Peter Vrabec 0.7.3-1
+- upgrade
+
+* Fri Jun 17 2011 Marcela Mašláňová - 0.7.2-3
+- Perl mass rebuild
+
+* Fri Jun 10 2011 Marcela Mašláňová - 0.7.2-2
+- Perl 5.14 mass rebuild
+
+* Wed Apr 20 2011 Peter Vrabec 0.7.2-1
+- upgrade
+
+* Fri Mar 11 2011 Peter Vrabec 0.7.1-1
+- upgrade
+
+* Thu Feb 10 2011 Peter Vrabec 0.7.0-1
+- upgrade
+
+* Tue Feb 08 2011 Fedora Release Engineering - 0.6.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon Jan 31 2011 Peter Vrabec 0.6.8-1
+- upgrade
+
+* Fri Jan 14 2011 Peter Vrabec 0.6.7-1
+- upgrade
+
+* Wed Oct 20 2010 Peter Vrabec 0.6.4-1
+- upgrade
+
+* Tue Sep 14 2010 Peter Vrabec 0.6.3-1
+- upgrade
+
+* Fri Aug 27 2010 Peter Vrabec 0.6.2-1
+- upgrade
+
+* Wed Jul 14 2010 Peter Vrabec 0.6.0-1
+- upgrade
+
+* Wed May 26 2010 Peter Vrabec 0.5.11-1
+- upgrade
+
+* Fri May 07 2010 Peter Vrabec 0.5.10-1
+- upgrade
+
+* Fri Apr 16 2010 Peter Vrabec 0.5.9-1
+- upgrade
+
+* Fri Feb 26 2010 Peter Vrabec 0.5.7-1
+- upgrade
+- new utils package
+
+* Mon Jan 04 2010 Peter Vrabec 0.5.6-1
+- upgrade
+
+* Tue Sep 29 2009 Peter Vrabec 0.5.3-1
+- upgrade
+
+* Wed Aug 19 2009 Peter Vrabec 0.5.2-1
+- upgrade
+
+* Mon Aug 03 2009 Peter Vrabec 0.5.1-2
+- add rpm-devel requirement
+
+* Mon Aug 03 2009 Peter Vrabec 0.5.1-1
+- upgrade
+
+* Thu Apr 30 2009 Peter Vrabec 0.3.3-1
+- upgrade
+
+* Thu Apr 23 2009 Peter Vrabec 0.3.2-1
+- upgrade
+
+* Sun Mar 29 2009 Peter Vrabec 0.1.4-1
+- upgrade
+
+* Fri Mar 27 2009 Peter Vrabec 0.1.3-2
+- spec file fixes (#491892)
+
+* Tue Mar 24 2009 Peter Vrabec 0.1.3-1
+- upgrade
+
+* Thu Jan 15 2009 Tomas Heinrich 0.1.1-1
+- Initial rpm
+
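Review bot: `%define relabel_files()` (the restorecon over /usr/bin/oscap and /usr/libexec/openscap) at the top of the spec is defined but never expanded — the only scriptlets are `%post -p /sbin/ldconfig` and `%postun -p /sbin/ldconfig` — so it is dead text that implies a SELinux relabel step which never runs; either delete the macro or invoke `%relabel_files` from the scriptlet of the subpackage that ships those paths. The hand-exported `CFLAGS`/`LDFLAGS` in %build are the spec's own PIE/RELRO/BIND_NOW hardening, with a sparc64 special case; on RHEL 7 `%global _hardened_build 1` from redhat-rpm-config produces the same flags through the standard macros and is easier to audit for drift. `%files scanner`, `%files extra-probes` and `%files engine-sce` omit the `%defattr(-,root,root,-)` line every other %files section carries — harmless with current rpm, but inconsistent. Patch1 alone is applied with `-b .filehash58_probe_test`, which leaves a backup copy in the source tree that `make check` could pick up if any test globs its directory; drop the `-b` unless the backup is deliberately needed.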