From 7886738481ab3a8f9e0465a504eefc571cc108bb Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jun 09 2020 19:59:48 +0000
Subject: import openscap-1.3.3-1.el8
---
diff --git a/.gitignore b/.gitignore
index fc9c1e0..b759384 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/openscap-1.3.2.tar.gz
+SOURCES/openscap-1.3.3.tar.gz
diff --git a/.openscap.metadata b/.openscap.metadata
index 2413801..36498f3 100644
--- a/.openscap.metadata
+++ b/.openscap.metadata
@@ -1 +1 @@
-5fe71454faff8cdcbd0e13e7c7343daf04069ca9 SOURCES/openscap-1.3.2.tar.gz
+6988d1ea7b86669d410ab5defc1be394cba5b017 SOURCES/openscap-1.3.3.tar.gz
diff --git a/SOURCES/01-add-test-fix-type-anaconda.patch b/SOURCES/01-add-test-fix-type-anaconda.patch
deleted file mode 100644
index a1c2b73..0000000
--- a/SOURCES/01-add-test-fix-type-anaconda.patch
+++ /dev/null
@@ -1,36 +0,0 @@ -From 712000a675103393045fde191856ce1dd306f1ca Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 13 Jan 2020 17:28:09 +0100 -Subject: [PATCH] Add a test to check --fix-type Anaconda - -There should be 2 equal ways of generating Anaconda remediations: -"oscap xccdf generate fix --fix-type anaconda" and -"oscap xccdf generate fix --template urn:redhat:anaconda:pre" -Both commands should give the same output. -This tests a fix for https://bugzilla.redhat.com/show_bug.cgi?id=1736850 -introduced by b1448ec95a957a76eb8be6d439531c532d97ff3c ---- - .../API/XCCDF/unittests/test_report_anaconda_fixes.sh | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh b/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh -index d4e86e657..650f3d75b 100755 ---- a/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh -+++ b/tests/API/XCCDF/unittests/test_report_anaconda_fixes.sh -@@ -23,6 +23,16 @@ grep -v "$line1" $result | grep -v "$line2" | grep -v "$line3" - [ "`grep -v "$line1" $result | grep -v "$line2" | sed 's/\W//g'`"x == x ] - :> $result - -+# use --fix-type instead of URN template to generate the same fix -+$OSCAP xccdf generate fix --fix-type anaconda \ -+ --output $result $srcdir/${name}.xccdf.xml 2>&1 > $stderr -+[ -f $stderr ]; [ ! -s $stderr ]; :> $stderr -+grep "$line1" $result -+grep "$line2" $result -+grep -v "$line1" $result | grep -v "$line2" | grep -v "$line3" -+[ "`grep -v "$line1" $result | grep -v "$line2" | sed 's/\W//g'`"x == x ] -+:> $result -+ - $OSCAP xccdf generate fix --template urn:redhat:anaconda:pre \ - --profile xccdf_moc.elpmaxe.www_profile_1 \ - --output $result $srcdir/${name}.xccdf.xml 2>&1 > $stderr diff --git a/SOURCES/02-do-not-use-keyword-operator-as-a-function-parameter.patch b/SOURCES/02-do-not-use-keyword-operator-as-a-function-parameter.patch deleted file mode 100644 index e6dbdca..0000000 
--- a/SOURCES/02-do-not-use-keyword-operator-as-a-function-parameter.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 0ba7c9423f64a88ceef50318f1a382059484f737 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 15 Jan 2020 13:54:45 +0100 -Subject: [PATCH] Do not use C++ keyword operator as a function parameter name -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This fixes SCAP Workbench build. - -Addressing: -[ 37%] Building CXX object CMakeFiles/scap-workbench.dir/scap-workbench_autogen/mocs_compilation.cpp.o -In file included from /usr/local/include/openscap/xccdf_policy.h:39, - from /home/jcerny/work/git/scap-workbench/include/TailoringDockWidgets.h:31, - from /home/jcerny/work/git/scap-workbench/build/scap-workbench_autogen/6YEA5652QU/moc_TailoringDockWidgets.cpp:10, - from /home/jcerny/work/git/scap-workbench/build/scap-workbench_autogen/mocs_compilation.cpp:18: -/usr/local/include/openscap/oval_definitions.h:1676:117: error: declaration of ‘operator,’ as parameter - 1676 | restriction *oval_variable_possible_restriction_new(oval_operator_t operator, const char *hint); - | ^ - -Fixes: #1462 ---- - src/OVAL/public/oval_definitions.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/OVAL/public/oval_definitions.h b/src/OVAL/public/oval_definitions.h -index ea9d3aaf8..b5fe77154 100644 ---- a/src/OVAL/public/oval_definitions.h -+++ b/src/OVAL/public/oval_definitions.h -@@ -1669,7 +1669,7 @@ OSCAP_API void oval_variable_possible_value_iterator_free(struct oval_variable_p - * @param hint A short description of what the value means or represents. - * @memberof oval_variable_possible_restriction - */ --OSCAP_API struct oval_variable_possible_restriction *oval_variable_possible_restriction_new(oval_operator_t operator, const char *hint); -+OSCAP_API struct oval_variable_possible_restriction *oval_variable_possible_restriction_new(oval_operator_t, const char *); - - - /** 
diff --git a/SOURCES/03-fix-cmake-test-for-libcap-xattr-h.patch b/SOURCES/03-fix-cmake-test-for-libcap-xattr-h.patch
deleted file mode 100644
index 6ea2560..0000000
--- a/SOURCES/03-fix-cmake-test-for-libcap-xattr-h.patch
+++ /dev/null
@@ -1,48 +0,0 @@ -From 3fbf36004eec55b9a88916559029332d7f356bae Mon Sep 17 00:00:00 2001 -From: Gabe -Date: Wed, 15 Jan 2020 15:02:32 -0700 -Subject: [PATCH] Fix case where CMake couldn't find libacl or xattr.h - ---- - CMakeLists.txt | 2 +- - cmake/FindACL.cmake | 6 +++--- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 720d8d8eb..fe20992a5 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -238,7 +238,7 @@ cmake_dependent_option(OPENSCAP_PROBE_INDEPENDENT_XMLFILECONTENT "Independent xm - # UNIX PROBES - cmake_dependent_option(OPENSCAP_PROBE_UNIX_DNSCACHE "Unix dnscache probe" ON "ENABLE_PROBES_UNIX" OFF) - cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILE "Unix file probe" ON "ENABLE_PROBES_UNIX" OFF) --cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILEEXTENDEDATTRIBUTE "Unix fileextendedattribute probe" ON "ENABLE_PROBES_UNIX; (HAVE_SYS_XATTR_H OR HAVE_ATTR_XATTR_H)" OFF) -+cmake_dependent_option(OPENSCAP_PROBE_UNIX_FILEEXTENDEDATTRIBUTE "Unix fileextendedattribute probe" ON "ENABLE_PROBES_UNIX; HAVE_SYS_XATTR_H OR HAVE_ATTR_XATTR_H" OFF) - cmake_dependent_option(OPENSCAP_PROBE_UNIX_GCONF "Unix gconf probe" ON "ENABLE_PROBES_UNIX; GCONF_FOUND" OFF) - cmake_dependent_option(OPENSCAP_PROBE_UNIX_INTERFACE "Unix interface probe" ON "ENABLE_PROBES_UNIX" OFF) - cmake_dependent_option(OPENSCAP_PROBE_UNIX_PASSWORD "Unix password probe" ON "ENABLE_PROBES_UNIX" OFF) -diff --git a/cmake/FindACL.cmake b/cmake/FindACL.cmake -index 1753b0dd3..2d4a3027c 100644 ---- a/cmake/FindACL.cmake -+++ b/cmake/FindACL.cmake -@@ -8,17 +8,17 @@ - include(LibFindMacros) - - # Use pkg-config to get hints about paths --libfind_pkg_check_modules(ACL_PKGCONF acl) -+libfind_pkg_check_modules(ACL_PKGCONF libacl) - - # Include dir - find_path(ACL_INCLUDE_DIR -- NAMES acl/libacl.h -+ NAMES "acl/libacl.h sys/libacl.h" - PATHS ${ACL_PKGCONF_INCLUDE_DIRS} - ) - - # Finally the library itself - find_library(ACL_LIBRARY -- NAMES acl -+ NAMES 
libacl - PATHS ${ACL_PKGCONF_LIBRARY_DIRS} - ) - diff --git a/SOURCES/04-oscap-podman-detect-ambiguous-targets.patch b/SOURCES/04-oscap-podman-detect-ambiguous-targets.patch deleted file mode 100644 index ed3b9ff..0000000 --- a/SOURCES/04-oscap-podman-detect-ambiguous-targets.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 532a6c77f388d2e06ec12338df9ea97d955f5edc Mon Sep 17 00:00:00 2001 -From: Matus Marhefka -Date: Thu, 16 Jan 2020 15:39:37 +0100 -Subject: [PATCH] utils/oscap-podman: Detect ambiguous scan target - -In case that a container image and a running container have the same -name, `oscap-podman` scans container image and a running container is -skipped. This might be unexpected and might cause a confusion for user. -Therefore, this commit adds a code which detects such situation and -rather informs user about ambiguous scan target and terminates. -In such cases the unique container image/container ID should be used -for specifying the target of the scan. ---- - utils/oscap-podman | 23 ++++++++++++++++++----- - 1 file changed, 18 insertions(+), 5 deletions(-) - -diff --git a/utils/oscap-podman b/utils/oscap-podman -index 272afd988..32ec0cfcb 100755 ---- a/utils/oscap-podman -+++ b/utils/oscap-podman -@@ -65,17 +65,30 @@ if grep -q "\-\-remediate" <<< "$@"; then - die - fi - -+IMAGE_NAME=$(podman image exists "$1" \ -+ && podman image inspect --format "{{.Id}} {{.RepoTags}}" "$1") -+CONTAINER_NAME=$(podman container exists "$1" \ -+ && podman container inspect --format "{{.Id}} {{.Name}}" "$1") -+ -+if [ -n "$IMAGE_NAME" ] && [ -n "$CONTAINER_NAME" ]; then -+ echo "Ambiguous target, container image and container with the same name detected: '$1'." >&2 -+ echo "Please rather use an unique ID to specify the target of the scan." >&2 -+ die -+fi -+ - # Check if the target of scan is image or container. - CLEANUP=0 --if podman images | grep -q $1; then -+if [ -n "$IMAGE_NAME" ]; then - ID=$(podman create $1) || die -- IMG_NAME=$(podman images --format "{{.ID}} ({{.Repository}}:{{.Tag}})" | grep -m1 $1) -- TARGET="podman-image://$IMG_NAME" -+ TARGET="podman-image://$IMAGE_NAME" - CLEANUP=1 --else -+elif [ -n "$CONTAINER_NAME" ]; then - # If the target was not found in images we suppose it is a container. 
- ID=$1 -- TARGET="podman-container://$1" -+ TARGET="podman-container://$CONTAINER_NAME" -+else -+ echo "Target of the scan not found: '$1'." >&2 -+ die - fi - - # podman init creates required files such as: /run/.containerenv - we don't care about output and exit code diff --git a/SOURCES/openscap-1.2.18-oscap-ssh-sudo.patch b/SOURCES/openscap-1.2.18-oscap-ssh-sudo.patch deleted file mode 100644 index 064bbdb..0000000 --- a/SOURCES/openscap-1.2.18-oscap-ssh-sudo.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From f2d9ec9883a344daa67a80ad54e6652185346395 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Renaud=20M=C3=A9trich?= -Date: Fri, 14 Feb 2020 14:57:33 +0100 -Subject: [PATCH] Fixed oscap-ssh failing to retrieve the result files when - executing with --sudo - -Depending on the umask configuration of the target system, "sudo oscap" -may create the result files in temporary directory with 600 permissions, -which makes retrieving the log (as the regular user that ssh'ed to the -system) impossible: - -~~~ -$ oscap-ssh --sudo user@system 22 xccdf eval ... -[...] -oscap exit code: 0 -Copying back requested files... -scp: /tmp/tmp.0kfbPWEy6u/report.html: Permission denied -Failed to copy the HTML report back to local machine! -~~~ - -Scenario to reproduce the failure: set a default umask in /etc/sudoers: - -~~~ -Defaults umask = 0077 -~~~ - -The fix consists in changing the result files' ownership from "root" to -user's back, all while in the single sudo (using two sudo commands -wouldn't be nice since the user may get the password prompt twice, -depending on the sudo's configuration). ---- - utils/oscap-ssh | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/utils/oscap-ssh b/utils/oscap-ssh -index 658cc2ee4..bd2e209c4 100755 ---- a/utils/oscap-ssh -+++ b/utils/oscap-ssh -@@ -280,7 +280,12 @@ echo "Starting the evaluation..." - # changing directory because of --oval-results support. 
oval results files are - # dumped into PWD, and we can't be sure by the file names - we need controlled - # environment --ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO oscap $(command_array_to_string oscap_args)" "$SSH_TTY_ALLOCATION_OPTION" -+if [ -z "$OSCAP_SUDO" ]; then -+ ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; oscap $(command_array_to_string oscap_args)" "$SSH_TTY_ALLOCATION_OPTION" -+else -+ OSCAP_CMD="oscap $(command_array_to_string oscap_args); rc=\$?; chown \$SUDO_USER $REMOTE_TEMP_DIR/*; exit \$rc" -+ ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO sh -c '$OSCAP_CMD'" "$SSH_TTY_ALLOCATION_OPTION" -+fi - OSCAP_EXIT_CODE=$? - echo "oscap exit code: $OSCAP_EXIT_CODE" - diff --git a/SOURCES/openscap-1.3.2-covscan_ux_fix.patch b/SOURCES/openscap-1.3.2-covscan_ux_fix.patch deleted file mode 100644 index 637aaf6..0000000 --- a/SOURCES/openscap-1.3.2-covscan_ux_fix.patch +++ /dev/null 
@@ -1,389 +0,0 @@ -From 47a2662bccb8e6f2f192acf46c26d862fe3bbcfb Mon Sep 17 00:00:00 2001 -From: Evgeny Kolesnikov -Date: Fri, 17 Jan 2020 10:24:07 +0100 -Subject: [PATCH 1/2] Covscan fixes - -Error: FORWARD_NULL (CWE-476): [#def17] -xccdf_policy_remediate.c:383: var_compare_op: Comparing "rr" to null implies that "rr" might be null. -xccdf_policy_remediate.c:384: var_deref_model: Passing null pointer "rr" to "_rule_add_info_message", which dereferences it. - -Error: FORWARD_NULL (CWE-476): [#def18] -test_fsdev_is_local_fs.c:35: assign_zero: Assigning: "ment.mnt_fsname" = "NULL". -test_fsdev_is_local_fs.c:37: var_deref_model: Passing "&ment" to "is_local_fs", which dereferences null "ment.mnt_fsname". ---- - src/OVAL/probes/fsdev.c | 4 ++++ - src/XCCDF_POLICY/xccdf_policy_remediate.c | 12 ++++++++++-- - 2 files changed, 14 insertions(+), 2 deletions(-) - -diff --git a/src/OVAL/probes/fsdev.c b/src/OVAL/probes/fsdev.c -index bd8e52fbf..a6b36f5e0 100644 ---- a/src/OVAL/probes/fsdev.c -+++ b/src/OVAL/probes/fsdev.c -@@ -97,6 +97,10 @@ static int is_local_fs(struct mntent *ment) - return 0; - } - -+ if (ment->mnt_fsname == NULL) { -+ return 0; -+ } -+ - s = ment->mnt_fsname; - /* If the fsname begins with "//", it is probably CIFS. 
*/ - if (s[0] == '/' && s[1] == '/') -diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c -index 389a7d1bd..f59737727 100644 ---- a/src/XCCDF_POLICY/xccdf_policy_remediate.c -+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c -@@ -380,7 +380,11 @@ static inline int _xccdf_fix_decode_xml(struct xccdf_fix *fix, char **result) - #if defined(unix) || defined(__unix__) || defined(__unix) - static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_fix *fix) - { -- if (fix == NULL || rr == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) { -+ if (rr == NULL) { -+ return 1; -+ } -+ -+ if (fix == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) { - _rule_add_info_message(rr, "No fix available."); - return 1; - } -@@ -481,7 +485,11 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_ - #else - static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_fix *fix) - { -- if (fix == NULL || rr == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) { -+ if (rr == NULL) { -+ return 1; -+ } -+ -+ if (fix == NULL || oscap_streq(xccdf_fix_get_content(fix), NULL)) { - _rule_add_info_message(rr, "No fix available."); - return 1; - } else { - -From 7bccc09eabd30e0581cf0fdf4f20fa481db12e91 Mon Sep 17 00:00:00 2001 -From: Evgeny Kolesnikov -Date: Fri, 17 Jan 2020 11:04:13 +0100 -Subject: [PATCH 2/2] Covscan fixes (SHELLCHECK), small refactoring in Shell - wrappers - -Error: SHELLCHECK_WARNING: -warning: die references arguments, but none are ever passed. [SC2120] - -Error: SHELLCHECK_WARNING: -warning: Use 'cd ... || exit' or 'cd ... || return' in case cd fails. [SC2164] - -Error: SHELLCHECK_WARNING: -warning: Declare and assign separately to avoid masking return values. 
[SC2155] ---- - utils/oscap-chroot | 20 ++++++++++++-------- - utils/oscap-podman | 42 +++++++++++++++++++++--------------------- - utils/oscap-ssh | 39 ++++++++++++++++++++++----------------- - utils/oscap-vm | 19 +++++++++++-------- - 4 files changed, 66 insertions(+), 54 deletions(-) - -diff --git a/utils/oscap-chroot b/utils/oscap-chroot -index 6518d7a2c..318f55a91 100755 ---- a/utils/oscap-chroot -+++ b/utils/oscap-chroot -@@ -25,6 +25,13 @@ function die() - exit 1 - } - -+function invalid() -+{ -+ echo -e "$*\n" >&2 -+ usage -+ exit 1 -+} -+ - function usage() - { - echo "oscap-chroot -- Tool for offline SCAP evaluation of filesystems mounted in arbitrary paths." -@@ -74,26 +81,23 @@ function usage() - } - - if [ $# -lt 1 ]; then -- echo "No arguments provided." -- usage -- die -+ invalid "No arguments provided." - elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then - usage -- die -+ exit 0 - elif [ "$#" -gt 1 ]; then - true - else -- echo "Invalid arguments provided." -- usage -- die -+ invalid "Invalid arguments provided." - fi - - # Learn more at https://www.redhat.com/archives/open-scap-list/2013-July/msg00000.html - export OSCAP_PROBE_ROOT --OSCAP_PROBE_ROOT="$(cd "$1"; pwd)" -+OSCAP_PROBE_ROOT="$(cd "$1" && pwd)" || die "Invalid CHROOT_PATH argument." - export OSCAP_EVALUATION_TARGET="chroot://$OSCAP_PROBE_ROOT" - shift 1 - - oscap "$@" - EXIT_CODE=$? -+ - exit $EXIT_CODE -diff --git a/utils/oscap-podman b/utils/oscap-podman -index 32ec0cfcb..6b9f4a3de 100755 ---- a/utils/oscap-podman -+++ b/utils/oscap-podman -@@ -16,13 +16,19 @@ - # License along with this library; if not, write to the Free Software - # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - -- - function die() - { - echo "$*" >&2 - exit 1 - } - -+function invalid() -+{ -+ echo -e "$*\n" >&2 -+ usage -+ exit 1 -+} -+ - function usage() - { - echo "oscap-podman -- Tool for SCAP evaluation of Podman images and containers." 
-@@ -39,30 +45,24 @@ function usage() - OSCAP_BINARY=oscap - - if [ $# -lt 1 ]; then -- echo "No arguments provided." -- usage -- die -+ invalid "No arguments provided." - elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then - usage -- die -+ exit 0 - elif [[ "$1" == --oscap=* ]] && [ $# -gt 2 ]; then - OSCAP_BINARY=${1#"--oscap="} - shift - elif [ "$#" -gt 1 ]; then - true - else -- echo "Invalid arguments provided." -- usage -- die -+ invalid "Invalid arguments provided." - fi - - if [ $(id -u) -ne 0 ]; then -- echo "This script cannot run in rootless mode." >&2 -- die -+ die "This script cannot run in rootless mode." - fi - if grep -q "\-\-remediate" <<< "$@"; then -- echo "This script does not support '--remediate' option." >&2 -- die -+ die "This script does not support '--remediate' option." - fi - - IMAGE_NAME=$(podman image exists "$1" \ -@@ -72,14 +72,13 @@ CONTAINER_NAME=$(podman container exists "$1" \ - - if [ -n "$IMAGE_NAME" ] && [ -n "$CONTAINER_NAME" ]; then - echo "Ambiguous target, container image and container with the same name detected: '$1'." >&2 -- echo "Please rather use an unique ID to specify the target of the scan." >&2 -- die -+ die "Please rather use an unique ID to specify the target of the scan." - fi - - # Check if the target of scan is image or container. - CLEANUP=0 - if [ -n "$IMAGE_NAME" ]; then -- ID=$(podman create $1) || die -+ ID=$(podman create $1) || die "Unable to create a container." - TARGET="podman-image://$IMAGE_NAME" - CLEANUP=1 - elif [ -n "$CONTAINER_NAME" ]; then -@@ -87,14 +86,13 @@ elif [ -n "$CONTAINER_NAME" ]; then - ID=$1 - TARGET="podman-container://$CONTAINER_NAME" - else -- echo "Target of the scan not found: '$1'." >&2 -- die -+ die "Target of the scan not found: '$1'." 
- fi - - # podman init creates required files such as: /run/.containerenv - we don't care about output and exit code - podman init $ID &> /dev/null || true - --DIR=$(podman mount $ID) || die -+DIR=$(podman mount $ID) || die "Failed to mount." - - if [ ! -f "$DIR/run/.containerenv" ]; then - # ubi8-init image does not create .containerenv when running podman init, but we need to make sure that the file is there -@@ -105,14 +103,16 @@ for VAR in `podman inspect $ID --format '{{join .Config.Env " "}}'`; do - eval "export OSCAP_OFFLINE_$VAR" - done - --export OSCAP_PROBE_ROOT="$(cd "$DIR"; pwd)" -+export OSCAP_PROBE_ROOT -+OSCAP_PROBE_ROOT="$(cd "$DIR" && pwd)" || die "Unable to change current directory to OSCAP_PROBE_ROOT (DIR)." - export OSCAP_EVALUATION_TARGET="$TARGET" - shift 1 - - $OSCAP_BINARY "$@" - EXIT_CODE=$? --podman umount $ID > /dev/null || die -+ -+podman umount $ID > /dev/null || die "Failed to unmount." - if [ $CLEANUP -eq 1 ]; then -- podman rm $ID > /dev/null || die -+ podman rm $ID > /dev/null || die "Failed to clean up." - fi - exit $EXIT_CODE -diff --git a/utils/oscap-ssh b/utils/oscap-ssh -index 08c8bcd2b..cd3600180 100755 ---- a/utils/oscap-ssh -+++ b/utils/oscap-ssh -@@ -22,9 +22,12 @@ function die() - exit 1 - } - --hash ssh 2> /dev/null || die "Cannot find ssh, please install the OpenSSH client." --hash scp 2> /dev/null || die "Cannot find scp, please install the OpenSSH client." --hash mktemp 2> /dev/null || die "Cannot find mktemp, please install coreutils." -+function invalid() -+{ -+ echo -e "$*\n" >&2 -+ usage -+ exit 1 -+} - - function usage() - { -@@ -87,10 +90,6 @@ function usage() - echo "See \`man oscap\` to learn more about semantics of these options." - } - --OSCAP_SUDO="" --# SSH_ADDITIONAL_OPTIONS may be defined in the calling shell --SSH_TTY_ALLOCATION_OPTION="" -- - # $1, $2, ... 
SSH options (pass them as separate arguments) - function ssh_execute_with_options { - ssh -o ControlPath="$MASTER_SOCKET" $SSH_ADDITIONAL_OPTIONS "$@" -p "$SSH_PORT" "$SSH_HOST" -@@ -118,22 +117,20 @@ function scp_retreive_from_temp_dir { - # Returns: String, where individual command components are double-quoted, so they are not interpreted by the shell. - # For example, an array ('-p' '(all)') will be transformed to "\"-p\" \"(all)\"", so after the shell expansion, it will end up as "-p" "(all)". - function command_array_to_string { -- eval "printf '\"%s\" ' \"\${$1[@]}\"" -+ eval "printf '\"%s\" ' \"\${$1[@]}\"" - } - - function first_argument_is_sudo { -- [ "$1" == "sudo" ] || [ "$1" == "--sudo" ] -- return $? -+ [ "$1" == "sudo" ] || [ "$1" == "--sudo" ] -+ return $? - } - - function sanity_check_arguments { - if [ $# -lt 1 ]; then -- echo "No arguments provided." -- usage -- die -+ invalid "No arguments provided." - elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then - usage -- die -+ exit 0 - elif first_argument_is_sudo "$@"; then - OSCAP_SUDO="sudo" - # force pseudo-tty allocation so that users can type their password if necessary -@@ -141,9 +138,7 @@ function sanity_check_arguments { - shift - fi - if [ $# -lt 2 ]; then -- echo "Missing ssh host and ssh port." -- usage -- die -+ invalid "Missing ssh host and ssh port." - fi - } - -@@ -165,6 +160,16 @@ function check_oscap_arguments { - fi - } - -+ -+hash ssh 2> /dev/null || die "Cannot find ssh, please install the OpenSSH client." -+hash scp 2> /dev/null || die "Cannot find scp, please install the OpenSSH client." -+hash mktemp 2> /dev/null || die "Cannot find mktemp, please install coreutils." 
-+ -+ -+OSCAP_SUDO="" -+# SSH_ADDITIONAL_OPTIONS may be defined in the calling shell -+SSH_TTY_ALLOCATION_OPTION="" -+ - sanity_check_arguments "$@" - first_argument_is_sudo "$@" && shift - -diff --git a/utils/oscap-vm b/utils/oscap-vm -index 02f8c6396..6557eb3a7 100755 ---- a/utils/oscap-vm -+++ b/utils/oscap-vm -@@ -22,6 +22,13 @@ function die() - exit 1 - } - -+function invalid() -+{ -+ echo -e "$*\n" >&2 -+ usage -+ exit 1 -+} -+ - function usage() - { - echo "oscap-vm -- Tool for offline SCAP evaluation of virtual machines." -@@ -76,12 +83,10 @@ function usage() - OSCAP_BINARY=oscap - - if [ $# -lt 1 ]; then -- echo "No arguments provided." -- usage -- die -+ invalid "No arguments provided." - elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then - usage -- die -+ exit 0 - elif [[ "$1" == --oscap=* ]] && [ $# -gt 3 ]; then - OSCAP_BINARY=${1#"--oscap="} - shift -@@ -90,9 +95,7 @@ elif [ "$1" == "image" ] && [ $# -gt 2 ]; then - elif [ "$1" == "domain" ] && [ $# -gt 2 ]; then - true - else -- echo "Invalid arguments provided." -- usage -- die -+ invalid "Invalid arguments provided." - fi - - hash guestmount 2> /dev/null || die "Cannot find guestmount, please install libguestfs utilities." -@@ -128,7 +131,7 @@ fi - - # Learn more at https://www.redhat.com/archives/open-scap-list/2013-July/msg00000.html - export OSCAP_PROBE_ROOT --OSCAP_PROBE_ROOT="$(cd "$MOUNTPOINT"; pwd)" -+OSCAP_PROBE_ROOT="$(cd "$MOUNTPOINT" && pwd)" || die "Unable to change current directory to OSCAP_PROBE_ROOT (MOUNTPOINT)." - export OSCAP_EVALUATION_TARGET="oscap-vm $1 $2" - shift 2 - diff --git a/SOURCES/openscap-1.3.3-ansible-newlines.patch b/SOURCES/openscap-1.3.3-ansible-newlines.patch deleted file mode 100644 index 7e6b509..0000000 --- a/SOURCES/openscap-1.3.3-ansible-newlines.patch +++ /dev/null 
@@ -1,156 +0,0 @@ -diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c -index f59737727..19bb59f2e 100644 ---- a/src/XCCDF_POLICY/xccdf_policy_remediate.c -+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c -@@ -139,11 +139,10 @@ static int _write_remediation_to_fd_and_free(int output_fd, const char* template - free(text); - return 1; - } -- -- if (_write_text_to_fd(output_fd, "\n") != 0) { -- free(text); -- return 1; -- } -+ } -+ if (_write_text_to_fd(output_fd, "\n") != 0) { -+ free(text); -+ return 1; - } - - if (next_delim != NULL) { -diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt -index 2a56d3cdc..05ddea219 100644 ---- a/tests/API/XCCDF/unittests/CMakeLists.txt -+++ b/tests/API/XCCDF/unittests/CMakeLists.txt -@@ -18,6 +18,7 @@ if(PYTHONINTERP_FOUND) - add_oscap_test("all_python.sh") - endif() - -+add_oscap_test("test_ansible_yaml_block_scalar.sh") - add_oscap_test("test_xccdf_shall_pass1.sh") - add_oscap_test("test_xccdf_shall_pass2.sh") - add_oscap_test("test_xccdf_shall_pass3.sh") -diff --git a/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.playbook.yml b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.playbook.yml -new file mode 100644 -index 000000000..dd0276739 ---- /dev/null -+++ b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.playbook.yml -@@ -0,0 +1,37 @@ -+--- -+ -+ -+- hosts: all -+ vars: -+ tasks: -+ - name: Make sure contents of /etc/audit/rules.d/10-base-config.rules are as expected -+ copy: -+ dest: /etc/audit/rules.d/10-base-config.rules -+ content: |+ -+ ## First rule - delete all -+ -D -+ -+ ## Increase the buffers to survive stress events. 
-+ ## Make this bigger for busy systems -+ -b 8192 -+ -+ ## This determine how long to wait in burst of events -+ --backlog_wait_time 60000 -+ -+ ## Set failure mode to syslog -+ -f 1 -+ -+ -+ force: true -+ when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" -+ tags: -+ - audit_basic_configuration -+ - medium_severity -+ - restrict_strategy -+ - low_complexity -+ - low_disruption -+ - no_reboot_needed -+ - CCE-82462-3 -+ - NIST-800-53-AU-2(a) -+ -+ -diff --git a/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.sh b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.sh -new file mode 100755 -index 000000000..4ca5b3be5 ---- /dev/null -+++ b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.sh -@@ -0,0 +1,21 @@ -+#!/bin/bash -+. $builddir/tests/test_common.sh -+ -+set -e -+set -o pipefail -+ -+profile="xccdf_moc.elpmaxe.www_profile_standard" -+ -+name=$(basename $0 .sh) -+stderr=$(mktemp -t ${name}.err.XXXXXX) -+playbook=$(mktemp -t ${name}.yml.XXXXXX) -+playbook_without_header=$(mktemp -t ${name}.yml.XXXXXX) -+ -+# Generate an Ansible playbook from a profile in SDS file -+$OSCAP xccdf generate fix --profile $profile --fix-type ansible "$srcdir/$name.xccdf.xml" >$playbook 2>$stderr -+sed '/^#/d' $playbook > $playbook_without_header -+diff -u $playbook_without_header $srcdir/$name.playbook.yml -+[ -f $stderr ]; [ ! -s $stderr ]; rm $stderr -+ -+rm $playbook -+rm $playbook_without_header -diff --git a/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.xccdf.xml b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.xccdf.xml -new file mode 100644 -index 000000000..81b2adfd4 ---- /dev/null -+++ b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.xccdf.xml -@@ -0,0 +1,48 @@ -+ -+ -+ incomplete -+ Security Benchmark -+ A sample benchmark -+ 1.0 -+ -+ Standard System Security Profile -+ This profile contains rules to ensure standard security baseline of your system. -+