From bb66711ed1151a5dfaa52a9ba4ad3658bdf546f7 Mon Sep 17 00:00:00 2001
From: Martin Preisler <mpreisle@redhat.com>
Date: Wed, 4 Jan 2017 16:41:31 -0500
Subject: [PATCH 1/9] Make WARNING the default verbosity level
---
src/common/debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/common/debug.c b/src/common/debug.c
index bbcad4583..71d345a9d 100644
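--- a/src/common/debug.c
+++ b/src/common/debug.c
@@ -85,7 +85,7 @@ oscap_verbosity_levels oscap_verbosity_level_from_cstr(const char *level_name)
 bool oscap_set_verbose(const char *verbosity_level, const char *filename, bool is_probe)
 {
 if (verbosity_level == NULL) {
- return true;
+ verbosity_level = "WARNING";
 }
 __debuglog_level = oscap_verbosity_level_from_cstr(verbosity_level);
 if (__debuglog_level == DBG_UNKNOWN) {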
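Review bot: With the early `return true;` gone, a call with `verbosity_level == NULL` now falls through to the rest of oscap_set_verbose, which continues outside this hunk, so whatever that code does with `filename` and `is_probe` now also runs for callers that never asked for logging. It is worth confirming that a NULL `filename` is handled there. The default is spelled as the string `"WARNING"` and round-tripped through oscap_verbosity_level_from_cstr, so a short comment such as `/* no level requested: default to WARNING */` above the assignment would make the intent explicit.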
From 54d66d5db6ab4e3fc24c05e239b7a4c474e3b20e Mon Sep 17 00:00:00 2001
From: Martin Preisler <mpreisle@redhat.com>
Date: Wed, 1 Feb 2017 13:24:47 -0500
Subject: [PATCH 3/9] Changed a warning about parsing without benchmark
reference to info
It's not a serious warning and in many use-cases is expected.
---
src/XCCDF/tailoring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/XCCDF/tailoring.c b/src/XCCDF/tailoring.c
index dd2379e5f..4fe9e5d88 100644
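--- a/src/XCCDF/tailoring.c
+++ b/src/XCCDF/tailoring.c
@@ -187,7 +187,7 @@ struct xccdf_tailoring *xccdf_tailoring_parse(xmlTextReaderPtr reader, struct xc
 }
 case XCCDFE_PROFILE: {
 if (benchmark != NULL) {
- dW("Parsing Tailoring Profiles without reference to Benchmark");
+ dI("Parsing Tailoring Profiles without reference to Benchmark");
 }
 struct xccdf_item *item = xccdf_profile_parse(reader, benchmark);
 if (!xccdf_tailoring_add_profile(tailoring, XPROFILE(item))) {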
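Review bot: The guard `if (benchmark != NULL)` around the message reads inverted: the text says profiles are being parsed without a benchmark reference, yet it is logged only when a benchmark is present. The commit only lowers the level from `dW` to `dI` and keeps that condition, so if the intent is to note the missing benchmark the test presumably should be `if (benchmark == NULL)`. The enclosing switch in xccdf_tailoring_parse starts and ends outside the hunk, so this should be confirmed against the full function.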
From 3ef6685ae05007f7328b9284c0fcb22732b38f00 Mon Sep 17 00:00:00 2001
From: Martin Preisler <mpreisle@redhat.com>
Date: Wed, 1 Feb 2017 14:00:54 -0500
Subject: [PATCH 4/9] Filter expected permission errors from stderr in
test_sysctl_probe_all.sh
---
tests/probes/sysctl/test_sysctl_probe_all.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh
index 1b725231d..8e763ac37 100755
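--- a/tests/probes/sysctl/test_sysctl_probe_all.sh
+++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
@@ -28,6 +28,8 @@ grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
 
 diff "$sysctlNames" "$ourNames"
 
+# remove oscap error message related to permissions from stderr
+sed -i -E "/^E: lt-probe_sysctl: Can't read sysctl value from /d" "$stderr"
 [ ! -s $stderr ]
 
 rm $stderr $result $ourNames $sysctlNames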
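Review bot: The added `sed` filter deletes every stderr line that begins `E: lt-probe_sysctl: Can't read sysctl value from `, whatever the cause, so the following `[ ! -s $stderr ]` check can no longer catch a genuine read failure on any sysctl path, not just the expected permission-denied ones. The pattern also hard-codes the libtool `lt-` wrapper prefix, so it presumably stops matching when the probe runs from an installed binary; `^E: (lt-)?probe_sysctl: ` would cover both. The same `lt-` assumption appears in the filter added to tests/probes/sql57/unsupported_engine.sh.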
From 789486ee35410af0fc5739e2d68436470f2b3006 Mon Sep 17 00:00:00 2001
From: Martin Preisler <mpreisle@redhat.com>
Date: Wed, 1 Feb 2017 14:51:34 -0500
Subject: [PATCH 5/9] Filter out the expected error in sql57 probe test
---
tests/probes/sql57/unsupported_engine.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tests/probes/sql57/unsupported_engine.sh b/tests/probes/sql57/unsupported_engine.sh
index f90d6c8b7..6243cff35 100755
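--- a/tests/probes/sql57/unsupported_engine.sh
+++ b/tests/probes/sql57/unsupported_engine.sh
@@ -10,6 +10,8 @@ echo "stderr file: $stderr"
 
 echo "Evaluating content."
 $OSCAP oval eval --results $result $srcdir/${name}.oval.xml 2> $stderr
+# filter out the expected error in stderr
+sed -i -E "/^E: lt-probe_sql57: DB engine not supported: sqlserver/d" "$stderr"
 [ -f $stderr ]; [ ! -s $stderr ]; rm $stderr
 echo "Validating results."
 #$OSCAP oval validate-xml --results --schematron $result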
From cdff2e8504c19f473cbe3b1c64f56b99f13106af Mon Sep 17 00:00:00 2001
From: Martin Preisler <mpreisle@redhat.com>
Date: Wed, 8 Feb 2017 15:04:17 -0500
Subject: [PATCH 6/9] Do not output errors if check engine plugin auto-loading
fails
If SCE is not installed it will fail in an expected way and it makes no
sense to clutter the error log with it. Explicit plugin loading via the
API will still fail with errors.
---
src/XCCDF/public/xccdf_session.h | 3 +++
src/XCCDF/xccdf_session.c | 11 ++++++++---
src/XCCDF_POLICY/check_engine_plugin.c | 26 +++++++++++++++++---------
src/XCCDF_POLICY/public/check_engine_plugin.h | 1 +
utils/oscap.c | 3 ++-
5 files changed, 31 insertions(+), 13 deletions(-)
diff --git a/src/XCCDF/public/xccdf_session.h b/src/XCCDF/public/xccdf_session.h
index e1473aebe..2f1bf87c1 100644
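--- a/src/XCCDF/public/xccdf_session.h
+++ b/src/XCCDF/public/xccdf_session.h
@@ -358,8 +358,11 @@ int xccdf_session_load_oval(struct xccdf_session *session);
 *
 * @memberof xccdf_session
 * @param session XCCDF Session
+ * @param plugin_name Name of the plugin to load
+ * @param quiet If true we will not output errors if loading fails
 * @returns zero on success
 */
+int xccdf_session_load_check_engine_plugin2(struct xccdf_session *session, const char* plugin_name, bool quiet);
 int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char* plugin_name);
 
 /**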
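Review bot: The Doxygen block that documented xccdf_session_load_check_engine_plugin is now attached to the new `xccdf_session_load_check_engine_plugin2` declaration inserted directly beneath it, which leaves the original public function without documentation of its own. Give the old declaration a short `/** ... */` block stating that it is equivalent to calling the `2` variant with `quiet` set to false. The `quiet` description should also say that a failed load is still reported through the non-zero return value and only the error message is suppressed.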
diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c
index 3474e265e..60ea38bae 100644
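--- a/src/XCCDF/xccdf_session.c
+++ b/src/XCCDF/xccdf_session.c
@@ -945,9 +945,9 @@ int xccdf_session_load_oval(struct xccdf_session *session)
 return 0;
 }
 
-int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char *plugin_name)
+int xccdf_session_load_check_engine_plugin2(struct xccdf_session *session, const char *plugin_name, bool quiet)
 {
- struct check_engine_plugin_def *plugin = check_engine_plugin_load(plugin_name);
+ struct check_engine_plugin_def *plugin = check_engine_plugin_load2(plugin_name, quiet);
 
 if (!plugin)
 return -1; // error already set
@@ -964,6 +964,11 @@ int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const
 }
 }
 
+int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char *plugin_name)
+{
+ return xccdf_session_load_check_engine_plugin2(session, plugin_name, false);
+}
+
 int xccdf_session_load_check_engine_plugins(struct xccdf_session *session)
 {
 xccdf_session_unload_check_engine_plugins(session);
@@ -973,7 +978,7 @@ int xccdf_session_load_check_engine_plugins(struct xccdf_session *session)
 while (*known_plugins) {
 // We do not report failure when a known plugin doesn't load properly, that's because they
 // are optional and we don't know if it's not there or if it just failed to load.
- if (xccdf_session_load_check_engine_plugin(session, *known_plugins) != 0)
+ if (xccdf_session_load_check_engine_plugin2(session, *known_plugins, true) != 0)
 oscap_clearerr();
 
 known_plugins++;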
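Review bot: The context comment on `return -1; // error already set` in the first hunk is no longer accurate: when `quiet` is true, check_engine_plugin_load2 returns NULL without calling oscap_seterr, so this path returns -1 with no error recorded. Reword it, for example `return -1; // error set by the loader unless quiet`. The body of xccdf_session_load_check_engine_plugin2 continues outside the hunk, so any later failure paths there should be checked for the same assumption.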
diff --git a/src/XCCDF_POLICY/check_engine_plugin.c b/src/XCCDF_POLICY/check_engine_plugin.c
index af9791a46..ea9e821b6 100644
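--- a/src/XCCDF_POLICY/check_engine_plugin.c
+++ b/src/XCCDF_POLICY/check_engine_plugin.c
@@ -47,7 +47,7 @@ static void check_engine_plugin_def_free(struct check_engine_plugin_def *plugin)
 oscap_free(plugin);
 }
 
-struct check_engine_plugin_def *check_engine_plugin_load(const char* path)
+struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool quiet)
 {
 struct check_engine_plugin_def *ret = check_engine_plugin_def_new();
 
@@ -61,9 +61,10 @@ struct check_engine_plugin_def *check_engine_plugin_load(const char* path)
 if (!ret->module_handle) {
 error = dlerror();
 
- oscap_seterr(OSCAP_EFAMILY_GLIBC,
- "Failed to load extra check engine from '%s'. Details: '%s'.",
- path, error);
+ if (!quiet)
+ oscap_seterr(OSCAP_EFAMILY_GLIBC,
+ "Failed to load extra check engine from '%s'. Details: '%s'.",
+ path, error);
 
 check_engine_plugin_def_free(ret);
 return NULL;
@@ -73,9 +74,10 @@ struct check_engine_plugin_def *check_engine_plugin_load(const char* path)
 *(void **)(&entry_fn) = dlsym(ret->module_handle, STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY));
 
 if ((error = dlerror()) != NULL) {
- oscap_seterr(OSCAP_EFAMILY_GLIBC,
- "Failed to retrieve module entry '%s' from loaded extra check engine '%s'. Details: '%s'.",
- STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY), path, error);
+ if (!quiet)
+ oscap_seterr(OSCAP_EFAMILY_GLIBC,
+ "Failed to retrieve module entry '%s' from loaded extra check engine '%s'. Details: '%s'.",
+ STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY), path, error);
 
 dlclose(ret->module_handle);
 check_engine_plugin_def_free(ret);
@@ -83,8 +85,9 @@ struct check_engine_plugin_def *check_engine_plugin_load(const char* path)
 }
 
 if ((*entry_fn)(ret) != 0) {
- oscap_seterr(OSCAP_EFAMILY_GLIBC,
- "Failed to fill check_engine_plugin_def when loading check engine plugin '%s'.", path);
+ if (!quiet)
+ oscap_seterr(OSCAP_EFAMILY_GLIBC,
+ "Failed to fill check_engine_plugin_def when loading check engine plugin '%s'.", path);
 
 dlclose(ret->module_handle);
 check_engine_plugin_def_free(ret);
@@ -94,6 +97,11 @@ struct check_engine_plugin_def *check_engine_plugin_load(const char* path)
 return ret;
 }
 
+struct check_engine_plugin_def *check_engine_plugin_load(const char* path)
+{
+ return check_engine_plugin_load2(path, false);
+}
+
 void check_engine_plugin_unload(struct check_engine_plugin_def *plugin)
 {
 if (!plugin->module_handle) {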
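Review bot: In quiet mode all three failure paths (no module handle, missing entry symbol, entry function returning non-zero) now return NULL with no trace at all, so a check engine that is installed but broken or incompatible becomes indistinguishable from one that is absent. For a compliance scanner that can change which checks actually run, so it is worth keeping a low-severity record: an `else` branch such as `dI("Optional check engine '%s' not loaded: %s", path, error);` would keep the error log clean while leaving evidence in verbose output. `dI` is used in src/XCCDF/tailoring.c; whether its header is already included in this file is not visible here. The new `if (!quiet)` bodies are unbraced multi-line calls, and adding braces would make them safer to extend.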
diff --git a/src/XCCDF_POLICY/public/check_engine_plugin.h b/src/XCCDF_POLICY/public/check_engine_plugin.h
index 7878fe07f..4a992ae34 100644
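--- a/src/XCCDF_POLICY/public/check_engine_plugin.h
+++ b/src/XCCDF_POLICY/public/check_engine_plugin.h
@@ -52,6 +52,7 @@ struct check_engine_plugin_def
 const char *(*get_capabilities_fn)(void**);
 };
 
+struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool quiet);
 struct check_engine_plugin_def *check_engine_plugin_load(const char* path);
 void check_engine_plugin_unload(struct check_engine_plugin_def *plugin);
 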
diff --git a/utils/oscap.c b/utils/oscap.c
index 7396101a8..1e966540c 100644
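--- a/utils/oscap.c
+++ b/utils/oscap.c
@@ -126,7 +126,8 @@ static int print_versions(const struct oscap_action *action)
 const char * const *known_plugins = check_engine_plugin_get_known_plugins();
 bool known_plugin_found = false;
 while (*known_plugins) {
- struct check_engine_plugin_def *plugin = check_engine_plugin_load(*known_plugins);
+ // try to load the plugin but output no errors if it fails (quiet=true)
+ struct check_engine_plugin_def *plugin = check_engine_plugin_load2(*known_plugins, true);
 if (plugin) {
 printf("%s (from %s)\n", check_engine_plugin_get_capabilities(plugin), *known_plugins);
 check_engine_plugin_unload(plugin);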
From 703c1045aedf1f826f007a01cf8b387b525c1d55 Mon Sep 17 00:00:00 2001
From: Martin Preisler <mpreisle@redhat.com>
Date: Thu, 9 Feb 2017 13:54:53 -0500
Subject: [PATCH 7/9] Filter out the expected warning in
test_remediation_subs_unresolved
---
tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh b/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh
index f48239d93..44ae2f772 100755
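--- a/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh
+++ b/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh
@@ -35,6 +35,8 @@ assert_exists 1 '//score[text()="0.000000"]'
 ret=0
 $OSCAP xccdf eval --remediate --results $result $srcdir/${name}.xccdf.xml 2> $stderr || ret=$?
 [ $ret -eq 2 ]
+# filter out the expected warning in stderr
+sed -i -E "/^W: oscap: The xccdf:rule-result\/xccdf:instance element was not found./d" "$stderr"
 [ -f $stderr ]; [ ! -s $stderr ]; rm $stderr
 
 $OSCAP xccdf validate-xml $result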