From bcc67fca24b7fddbaed14ca17a460aba99590d15 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Apr 10 2018 05:30:09 +0000
Subject: import openscap-1.2.16-6.el7
---
diff --git a/.gitignore b/.gitignore
index 741acb3..1a1ad46 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/openscap-1.2.14.tar.gz
+SOURCES/openscap-1.2.16.tar.gz
diff --git a/.openscap.metadata b/.openscap.metadata
index 850ff0f..a24d358 100644
--- a/.openscap.metadata
+++ b/.openscap.metadata
@@ -1 +1 @@
-6c2f4ff0bbbd6b80e6c99f15a2e0d052a1f9afe1 SOURCES/openscap-1.2.14.tar.gz
+3f87582250548ebfeb7b0f6d6cefb3c1c4c71388 SOURCES/openscap-1.2.16.tar.gz
diff --git a/SOURCES/openscap-1.2.14-rpm-probes-not-applicable-PR-733.patch b/SOURCES/openscap-1.2.14-rpm-probes-not-applicable-PR-733.patch
deleted file mode 100644
index c5a4643..0000000
--- a/SOURCES/openscap-1.2.14-rpm-probes-not-applicable-PR-733.patch
+++ /dev/null
@@ -1,473 +0,0 @@ -From 61fef6cc090b097141cd45c1f783c4fe6b89efc5 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 5 May 2017 12:39:07 +0200 -Subject: [PATCH 1/9] Change rpmverifyfile error when init fails - -When rpmverifyfile probe_init() fails it is because RPM config files -were not found, and we expect "not applicable" in this case. ---- - src/OVAL/probes/unix/linux/rpmverifyfile.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile.c b/src/OVAL/probes/unix/linux/rpmverifyfile.c -index 0897b82c4..f0febdee9 100644 ---- a/src/OVAL/probes/unix/linux/rpmverifyfile.c -+++ b/src/OVAL/probes/unix/linux/rpmverifyfile.c -@@ -435,11 +435,10 @@ int probe_main (probe_ctx *ctx, void *arg) - uint64_t collect_flags = 0; - unsigned int i; - -+ /* -+ * If probe_init() failed it's because there was no rpm config files -+ */ - if (arg == NULL) { -- return PROBE_EINIT; -- } -- -- if (g_rpm.rpmts == NULL) { - probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); - return 0; - } - -From 71f41d635142297e299cc4877bd93ea896271e70 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 5 May 2017 12:42:26 +0200 -Subject: [PATCH 2/9] Fix rpmverifyfile probe fini when init fails - -When rpmverifyfile probe_init() fails g_rpm->rpmts and g_rpm->mutex are -not initialized ---- - src/OVAL/probes/unix/linux/rpmverifyfile.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile.c b/src/OVAL/probes/unix/linux/rpmverifyfile.c -index f0febdee9..968bb3807 100644 ---- a/src/OVAL/probes/unix/linux/rpmverifyfile.c -+++ b/src/OVAL/probes/unix/linux/rpmverifyfile.c -@@ -330,11 +330,18 @@ void probe_fini (void *ptr) - { - struct rpm_probe_global *r = (struct rpm_probe_global *)ptr; - -- rpmtsFree(r->rpmts); - rpmFreeCrypto(); - rpmFreeRpmrc(); - rpmFreeMacros(NULL); - rpmlogClose(); -+ -+ /* -+ * If probe_init() failed r->rpmts and r->mutex were 
not initialized -+ */ -+ if (r == NULL) -+ return; -+ -+ rpmtsFree(r->rpmts); - pthread_mutex_destroy (&(r->mutex)); - - return; - -From 4912ee36b3230c2f431150750c78380d4e149621 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 5 May 2017 12:48:00 +0200 -Subject: [PATCH 3/9] Change rpmverify error when init fails - -When rpmverify probe_init() fails it is because RPM config files -were not found, and we expect "not applicable" in this case. ---- - src/OVAL/probes/unix/linux/rpmverify.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/OVAL/probes/unix/linux/rpmverify.c b/src/OVAL/probes/unix/linux/rpmverify.c -index 5eb069d21..dd667a9f1 100644 ---- a/src/OVAL/probes/unix/linux/rpmverify.c -+++ b/src/OVAL/probes/unix/linux/rpmverify.c -@@ -321,10 +321,10 @@ int probe_main (probe_ctx *ctx, void *arg) - uint64_t collect_flags = 0; - unsigned int i; - -+ /* -+ * If probe_init() failed it's because there was no rpm config files -+ */ - if (arg == NULL) { -- return PROBE_EINIT; -- } -- if (g_rpm.rpmts == NULL) { - probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); - return 0; - } - -From b9c3afd67b2f86644a08375aaee822b72c077149 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 5 May 2017 12:49:04 +0200 -Subject: [PATCH 4/9] Fix rpmverify probe fini when init fails - -When rpmverify probe_init() fails g_rpm->rpmts and g_rpm->mutex are -not initialized. 
---- - src/OVAL/probes/unix/linux/rpmverify.c | 17 ++++++++++++----- - 1 file changed, 12 insertions(+), 5 deletions(-) - -diff --git a/src/OVAL/probes/unix/linux/rpmverify.c b/src/OVAL/probes/unix/linux/rpmverify.c -index dd667a9f1..f1f32417e 100644 ---- a/src/OVAL/probes/unix/linux/rpmverify.c -+++ b/src/OVAL/probes/unix/linux/rpmverify.c -@@ -246,12 +246,19 @@ void probe_fini (void *ptr) - { - struct rpm_probe_global *r = (struct rpm_probe_global *)ptr; - -- rpmtsFree(r->rpmts); - rpmFreeCrypto(); -- rpmFreeRpmrc(); -- rpmFreeMacros(NULL); -- rpmlogClose(); -- pthread_mutex_destroy (&(r->mutex)); -+ rpmFreeRpmrc(); -+ rpmFreeMacros(NULL); -+ rpmlogClose(); -+ -+ /* -+ * If probe_init() failed r->rpmts and r->mutex were not initialized -+ */ -+ if (r == NULL) -+ return; -+ -+ rpmtsFree(r->rpmts); -+ pthread_mutex_destroy (&(r->mutex)); - - return; - } - -From 20893b46b6a813326dcc7a60f1b888da14ead3ac Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 5 May 2017 13:23:04 +0200 -Subject: [PATCH 5/9] Change rpminfo probe_init() fails - -rpminfo probe_init() can fail because regex compilation failed or -because RPM config files were not found, return error in the first -case and "not applicable" in the second. 
---- - src/OVAL/probes/unix/linux/rpminfo.c | 24 ++++++++++++++++-------- - 1 file changed, 16 insertions(+), 8 deletions(-) - -diff --git a/src/OVAL/probes/unix/linux/rpminfo.c b/src/OVAL/probes/unix/linux/rpminfo.c -index f7f73a727..639030a52 100644 ---- a/src/OVAL/probes/unix/linux/rpminfo.c -+++ b/src/OVAL/probes/unix/linux/rpminfo.c -@@ -275,19 +275,20 @@ void *probe_init (void) - #ifdef HAVE_RPM46 - rpmlogSetCallback(rpmErrorCb, NULL); - #endif -- if (rpmReadConfigFiles ((const char *)NULL, (const char *)NULL) != 0) { -- dI("rpmReadConfigFiles failed: %u, %s.", errno, strerror (errno)); -- return (NULL); -- } -- -- g_rpm.rpmts = rpmtsCreate(); -- pthread_mutex_init (&(g_rpm.mutex), NULL); -- - if (regcomp(&g_keyid_regex, g_keyid_regex_string, REG_EXTENDED) != 0) { - dE("regcomp(%s) failed."); - return NULL; - } - -+ if (rpmReadConfigFiles ((const char *)NULL, (const char *)NULL) != 0) { -+ dI("rpmReadConfigFiles failed: %u, %s.", errno, strerror (errno)); -+ g_rpm.rpmts = NULL; -+ return ((void *)&g_rpm); -+ } -+ -+ g_rpm.rpmts = rpmtsCreate(); -+ pthread_mutex_init (&(g_rpm.mutex), NULL); -+ - return ((void *)&g_rpm); - } - -@@ -378,9 +379,16 @@ int probe_main (probe_ctx *ctx, void *arg) - struct rpminfo_req request_st; - struct rpminfo_rep *reply_st; - -+ /* -+ * arg is NULL if regex compilation failed -+ */ - if (arg == NULL) { - return PROBE_EINIT; - } -+ -+ /* -+ * There was no rpm config files -+ */ - if (g_rpm.rpmts == NULL) { - probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); - return 0; - -From 070ec7e9029f8221163fd3f07e242c244d0b3b65 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 5 May 2017 13:27:02 +0200 -Subject: [PATCH 6/9] Fix rpminfo probe fini when init fails - -When rpminfo probe_init() fails either the regex compilation failed -or RPM config files were not found. The probe_fini() should handle each -case differently. 
---- - src/OVAL/probes/unix/linux/rpminfo.c | 18 +++++++++++++----- - 1 file changed, 13 insertions(+), 5 deletions(-) - -diff --git a/src/OVAL/probes/unix/linux/rpminfo.c b/src/OVAL/probes/unix/linux/rpminfo.c -index 639030a52..28cba15e0 100644 ---- a/src/OVAL/probes/unix/linux/rpminfo.c -+++ b/src/OVAL/probes/unix/linux/rpminfo.c -@@ -296,14 +296,22 @@ void probe_fini (void *ptr) - { - struct rpm_probe_global *r = (struct rpm_probe_global *)ptr; - -- rpmtsFree(r->rpmts); - rpmFreeCrypto(); -- rpmFreeRpmrc(); -- rpmFreeMacros(NULL); -- rpmlogClose(); -- pthread_mutex_destroy (&(r->mutex)); -+ rpmFreeRpmrc(); -+ rpmFreeMacros(NULL); -+ rpmlogClose(); -+ -+ if (r == NULL) -+ return; -+ - regfree(&g_keyid_regex); - -+ if (r->rpmts == NULL) -+ return; -+ -+ rpmtsFree(r->rpmts); -+ pthread_mutex_destroy (&(r->mutex)); -+ - return; - } - - -From 881461099ce42160079b9228c2080b072f1d4232 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 5 May 2017 13:30:42 +0200 -Subject: [PATCH 7/9] Change rpmverifypackage probe_init() fails - -rpmverifypackage probe_init() can fail because chroot failed or -because RPM config files were not found, return error in the first -case and "not applicable" in the second. 
---- - src/OVAL/probes/unix/linux/rpmverifypackage.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage.c b/src/OVAL/probes/unix/linux/rpmverifypackage.c -index 34d7255ca..15e0e0d89 100644 ---- a/src/OVAL/probes/unix/linux/rpmverifypackage.c -+++ b/src/OVAL/probes/unix/linux/rpmverifypackage.c -@@ -336,7 +336,8 @@ void *probe_init (void) - - if (rpmReadConfigFiles (NULL, (const char *)NULL) != 0) { - dI("rpmReadConfigFiles failed: %u, %s.", errno, strerror (errno)); -- return (NULL); -+ g_rpm.rpm.rpmts = NULL; -+ return ((void *)&g_rpm); - } - - g_rpm.rpm.rpmts = rpmtsCreate(); -@@ -417,10 +418,16 @@ int probe_main (probe_ctx *ctx, void *arg) - uint64_t collect_flags = 0; - unsigned int i; - -+ /* -+ * arg is NULL if we were not able to chroot during probe_init() -+ */ - if (arg == NULL) { - return PROBE_EINIT; - } - -+ /* -+ * There was no rpm config files -+ */ - if (g_rpm.rpm.rpmts == NULL) { - probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); - return 0; - -From 7d4bfce2966dec8b4c1ff44edfa473e17a6aeaec Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 5 May 2017 13:38:12 +0200 -Subject: [PATCH 8/9] Fix rpmverifypackage probe fini when init fails - -rpmverifypackage probe_init() can fail during chroot or because -RPM config files were not found, return error in the first -case and "not applicable" in the second. 
---- - src/OVAL/probes/unix/linux/rpmverifypackage.c | 21 +++++++++++++++++++-- - 1 file changed, 19 insertions(+), 2 deletions(-) - -diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage.c b/src/OVAL/probes/unix/linux/rpmverifypackage.c -index 15e0e0d89..43c47e308 100644 ---- a/src/OVAL/probes/unix/linux/rpmverifypackage.c -+++ b/src/OVAL/probes/unix/linux/rpmverifypackage.c -@@ -360,12 +360,29 @@ void probe_fini (void *ptr) - { - struct verifypackage_global *r = (struct verifypackage_global *)ptr; - -- rpmtsFree(r->rpm.rpmts); -- probe_chroot_free(&(r->chr)); - rpmFreeCrypto(); - rpmFreeRpmrc(); - rpmFreeMacros(NULL); - rpmlogClose(); -+ -+ /* -+ * This will be always set by probe_init(), lets free it -+ */ -+ probe_chroot_free(&g_rpm.chr); -+ -+ /* -+ * If r is null, probe_init() failed during chroot -+ */ -+ if (r == NULL) -+ return; -+ -+ /* -+ * If r->rpm.rpmts was not initialized the mutex was not as well -+ */ -+ if (r->rpm.rpmts == NULL) -+ return; -+ -+ rpmtsFree(r->rpm.rpmts); - pthread_mutex_destroy (&(r->rpm.mutex)); - - return; - -From 6fcc797c6f35b8ad72c9c6190e44f0bfa2b68673 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 12 May 2017 20:33:42 +0200 -Subject: [PATCH 9/9] Fix comment style - ---- - src/OVAL/probes/unix/linux/rpminfo.c | 8 ++------ - src/OVAL/probes/unix/linux/rpmverify.c | 8 ++------ - src/OVAL/probes/unix/linux/rpmverifyfile.c | 8 ++------ - src/OVAL/probes/unix/linux/rpmverifypackage.c | 20 +++++--------------- - 4 files changed, 11 insertions(+), 33 deletions(-) - -diff --git a/src/OVAL/probes/unix/linux/rpminfo.c b/src/OVAL/probes/unix/linux/rpminfo.c -index 28cba15e0..602cf4c91 100644 ---- a/src/OVAL/probes/unix/linux/rpminfo.c -+++ b/src/OVAL/probes/unix/linux/rpminfo.c -@@ -387,16 +387,12 @@ int probe_main (probe_ctx *ctx, void *arg) - struct rpminfo_req request_st; - struct rpminfo_rep *reply_st; - -- /* -- * arg is NULL if regex compilation failed -- */ -+ // arg is NULL if regex compilation failed - if (arg == 
NULL) { - return PROBE_EINIT; - } - -- /* -- * There was no rpm config files -- */ -+ // There was no rpm config files - if (g_rpm.rpmts == NULL) { - probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); - return 0; -diff --git a/src/OVAL/probes/unix/linux/rpmverify.c b/src/OVAL/probes/unix/linux/rpmverify.c -index f1f32417e..6ef7da574 100644 ---- a/src/OVAL/probes/unix/linux/rpmverify.c -+++ b/src/OVAL/probes/unix/linux/rpmverify.c -@@ -251,9 +251,7 @@ void probe_fini (void *ptr) - rpmFreeMacros(NULL); - rpmlogClose(); - -- /* -- * If probe_init() failed r->rpmts and r->mutex were not initialized -- */ -+ // If probe_init() failed r->rpmts and r->mutex were not initialized - if (r == NULL) - return; - -@@ -328,9 +326,7 @@ int probe_main (probe_ctx *ctx, void *arg) - uint64_t collect_flags = 0; - unsigned int i; - -- /* -- * If probe_init() failed it's because there was no rpm config files -- */ -+ // If probe_init() failed it's because there was no rpm config files - if (arg == NULL) { - probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); - return 0; -diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile.c b/src/OVAL/probes/unix/linux/rpmverifyfile.c -index 968bb3807..763c03c9f 100644 ---- a/src/OVAL/probes/unix/linux/rpmverifyfile.c -+++ b/src/OVAL/probes/unix/linux/rpmverifyfile.c -@@ -335,9 +335,7 @@ void probe_fini (void *ptr) - rpmFreeMacros(NULL); - rpmlogClose(); - -- /* -- * If probe_init() failed r->rpmts and r->mutex were not initialized -- */ -+ // If probe_init() failed r->rpmts and r->mutex were not initialized - if (r == NULL) - return; - -@@ -442,9 +440,7 @@ int probe_main (probe_ctx *ctx, void *arg) - uint64_t collect_flags = 0; - unsigned int i; - -- /* -- * If probe_init() failed it's because there was no rpm config files -- */ -+ // If probe_init() failed it's because there was no rpm config files - if (arg == NULL) { - probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); - 
return 0; -diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage.c b/src/OVAL/probes/unix/linux/rpmverifypackage.c -index 43c47e308..3c0dd5003 100644 ---- a/src/OVAL/probes/unix/linux/rpmverifypackage.c -+++ b/src/OVAL/probes/unix/linux/rpmverifypackage.c -@@ -365,20 +365,14 @@ void probe_fini (void *ptr) - rpmFreeMacros(NULL); - rpmlogClose(); - -- /* -- * This will be always set by probe_init(), lets free it -- */ -+ // This will be always set by probe_init(), lets free it - probe_chroot_free(&g_rpm.chr); - -- /* -- * If r is null, probe_init() failed during chroot -- */ -+ // If r is null, probe_init() failed during chroot - if (r == NULL) - return; - -- /* -- * If r->rpm.rpmts was not initialized the mutex was not as well -- */ -+ // If r->rpm.rpmts was not initialized the mutex was not as well - if (r->rpm.rpmts == NULL) - return; - -@@ -435,16 +429,12 @@ int probe_main (probe_ctx *ctx, void *arg) - uint64_t collect_flags = 0; - unsigned int i; - -- /* -- * arg is NULL if we were not able to chroot during probe_init() -- */ -+ // arg is NULL if we were not able to chroot during probe_init() - if (arg == NULL) { - return PROBE_EINIT; - } - -- /* -- * There was no rpm config files -- */ -+ // There was no rpm config files - if (g_rpm.rpm.rpmts == NULL) { - probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); - return 0; diff --git a/SOURCES/openscap-1.2.14-sysctl-test-s390x-PR-726.patch b/SOURCES/openscap-1.2.14-sysctl-test-s390x-PR-726.patch deleted file mode 100644 index 9923391..0000000 --- a/SOURCES/openscap-1.2.14-sysctl-test-s390x-PR-726.patch +++ /dev/null 
@@ -1,23 +0,0 @@
-From 83342658ceb4230c218b0b47046ca6bb8e239f62 Mon Sep 17 00:00:00 2001
-From: Marek Haicman
-Date: Mon, 24 Apr 2017 10:05:59 +0200
-Subject: [PATCH] Fixing sysctl test on s390 architecture
-
----
- tests/probes/sysctl/test_sysctl_probe_all.sh | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh
-index 1b725231d..fa3539255 100755
---- a/tests/probes/sysctl/test_sysctl_probe_all.sh
-+++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
-@@ -22,7 +22,8 @@ $OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev
- 
- # sysctl has duplicities in output
- # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'"
--sysctl -aN --deprecated 2> /dev/null | sort -u > "$sysctlNames"
-+# kernel parameters might use "/" and "." separators interchangeably - normalizing
-+sysctl -aN --deprecated 2> /dev/null | tr "/" "." | sort -u > "$sysctlNames"
- 
- grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
- 
diff --git a/SOURCES/openscap-1.2.14-warning-by-default-PR-630.patch b/SOURCES/openscap-1.2.14-warning-by-default-PR-630.patch
deleted file mode 100644
index 28ab34b..0000000
--- a/SOURCES/openscap-1.2.14-warning-by-default-PR-630.patch
+++ /dev/null
@@ -1,281 +0,0 @@ -From bb66711ed1151a5dfaa52a9ba4ad3658bdf546f7 Mon Sep 17 00:00:00 2001 -From: Martin Preisler -Date: Wed, 4 Jan 2017 16:41:31 -0500 -Subject: [PATCH 1/9] Make WARNING the default verbosity level - ---- - src/common/debug.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/common/debug.c b/src/common/debug.c -index bbcad4583..71d345a9d 100644 ---- a/src/common/debug.c -+++ b/src/common/debug.c -@@ -85,7 +85,7 @@ oscap_verbosity_levels oscap_verbosity_level_from_cstr(const char *level_name) - bool oscap_set_verbose(const char *verbosity_level, const char *filename, bool is_probe) - { - if (verbosity_level == NULL) { -- return true; -+ verbosity_level = "WARNING"; - } - __debuglog_level = oscap_verbosity_level_from_cstr(verbosity_level); - if (__debuglog_level == DBG_UNKNOWN) { - -From 54d66d5db6ab4e3fc24c05e239b7a4c474e3b20e Mon Sep 17 00:00:00 2001 -From: Martin Preisler -Date: Wed, 1 Feb 2017 13:24:47 -0500 -Subject: [PATCH 3/9] Changed a warning about parsing without benchmark - reference to info - -It's not a serious warning and in many use-cases is expected. 
---- - src/XCCDF/tailoring.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/XCCDF/tailoring.c b/src/XCCDF/tailoring.c -index dd2379e5f..4fe9e5d88 100644 ---- a/src/XCCDF/tailoring.c -+++ b/src/XCCDF/tailoring.c -@@ -187,7 +187,7 @@ struct xccdf_tailoring *xccdf_tailoring_parse(xmlTextReaderPtr reader, struct xc - } - case XCCDFE_PROFILE: { - if (benchmark != NULL) { -- dW("Parsing Tailoring Profiles without reference to Benchmark"); -+ dI("Parsing Tailoring Profiles without reference to Benchmark"); - } - struct xccdf_item *item = xccdf_profile_parse(reader, benchmark); - if (!xccdf_tailoring_add_profile(tailoring, XPROFILE(item))) { - -From 3ef6685ae05007f7328b9284c0fcb22732b38f00 Mon Sep 17 00:00:00 2001 -From: Martin Preisler -Date: Wed, 1 Feb 2017 14:00:54 -0500 -Subject: [PATCH 4/9] Filter expected permission errors from stderr in - test_sysctl_probe_all.sh - ---- - tests/probes/sysctl/test_sysctl_probe_all.sh | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh -index 1b725231d..8e763ac37 100755 ---- a/tests/probes/sysctl/test_sysctl_probe_all.sh -+++ b/tests/probes/sysctl/test_sysctl_probe_all.sh -@@ -28,6 +28,8 @@ grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames" - - diff "$sysctlNames" "$ourNames" - -+# remove oscap error message related to permissions from stderr -+sed -i -E "/^E: lt-probe_sysctl: Can't read sysctl value from /d" "$stderr" - [ ! 
-s $stderr ] - - rm $stderr $result $ourNames $sysctlNames - -From 789486ee35410af0fc5739e2d68436470f2b3006 Mon Sep 17 00:00:00 2001 -From: Martin Preisler -Date: Wed, 1 Feb 2017 14:51:34 -0500 -Subject: [PATCH 5/9] Filter out the expected error in sql57 probe test - ---- - tests/probes/sql57/unsupported_engine.sh | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/tests/probes/sql57/unsupported_engine.sh b/tests/probes/sql57/unsupported_engine.sh -index f90d6c8b7..6243cff35 100755 ---- a/tests/probes/sql57/unsupported_engine.sh -+++ b/tests/probes/sql57/unsupported_engine.sh -@@ -10,6 +10,8 @@ echo "stderr file: $stderr" - - echo "Evaluating content." - $OSCAP oval eval --results $result $srcdir/${name}.oval.xml 2> $stderr -+# filter out the expected error in stderr -+sed -i -E "/^E: lt-probe_sql57: DB engine not supported: sqlserver/d" "$stderr" - [ -f $stderr ]; [ ! -s $stderr ]; rm $stderr - echo "Validating results." - #$OSCAP oval validate-xml --results --schematron $result - -From cdff2e8504c19f473cbe3b1c64f56b99f13106af Mon Sep 17 00:00:00 2001 -From: Martin Preisler -Date: Wed, 8 Feb 2017 15:04:17 -0500 -Subject: [PATCH 6/9] Do not output errors if check engine plugin auto-loading - fails - -If SCE is not installed it will fail in an expected way and it makes no -sense to clutter the error log with it. Explicit plugin loading via the -API will still fail with errors. 
---- - src/XCCDF/public/xccdf_session.h | 3 +++ - src/XCCDF/xccdf_session.c | 11 ++++++++--- - src/XCCDF_POLICY/check_engine_plugin.c | 26 +++++++++++++++++--------- - src/XCCDF_POLICY/public/check_engine_plugin.h | 1 + - utils/oscap.c | 3 ++- - 5 files changed, 31 insertions(+), 13 deletions(-) - -diff --git a/src/XCCDF/public/xccdf_session.h b/src/XCCDF/public/xccdf_session.h -index e1473aebe..2f1bf87c1 100644 ---- a/src/XCCDF/public/xccdf_session.h -+++ b/src/XCCDF/public/xccdf_session.h -@@ -358,8 +358,11 @@ int xccdf_session_load_oval(struct xccdf_session *session); - * - * @memberof xccdf_session - * @param session XCCDF Session -+ * @param plugin_name Name of the plugin to load -+ * @param quiet If true we will not output errors if loading fails - * @returns zero on success - */ -+int xccdf_session_load_check_engine_plugin2(struct xccdf_session *session, const char* plugin_name, bool quiet); - int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char* plugin_name); - - /** -diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c -index 3474e265e..60ea38bae 100644 ---- a/src/XCCDF/xccdf_session.c -+++ b/src/XCCDF/xccdf_session.c -@@ -945,9 +945,9 @@ int xccdf_session_load_oval(struct xccdf_session *session) - return 0; - } - --int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char *plugin_name) -+int xccdf_session_load_check_engine_plugin2(struct xccdf_session *session, const char *plugin_name, bool quiet) - { -- struct check_engine_plugin_def *plugin = check_engine_plugin_load(plugin_name); -+ struct check_engine_plugin_def *plugin = check_engine_plugin_load2(plugin_name, quiet); - - if (!plugin) - return -1; // error already set -@@ -964,6 +964,11 @@ int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const - } - } - -+int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char *plugin_name) -+{ -+ return 
xccdf_session_load_check_engine_plugin2(session, plugin_name, false); -+} -+ - int xccdf_session_load_check_engine_plugins(struct xccdf_session *session) - { - xccdf_session_unload_check_engine_plugins(session); -@@ -973,7 +978,7 @@ int xccdf_session_load_check_engine_plugins(struct xccdf_session *session) - while (*known_plugins) { - // We do not report failure when a known plugin doesn't load properly, that's because they - // are optional and we don't know if it's not there or if it just failed to load. -- if (xccdf_session_load_check_engine_plugin(session, *known_plugins) != 0) -+ if (xccdf_session_load_check_engine_plugin2(session, *known_plugins, true) != 0) - oscap_clearerr(); - - known_plugins++; -diff --git a/src/XCCDF_POLICY/check_engine_plugin.c b/src/XCCDF_POLICY/check_engine_plugin.c -index af9791a46..ea9e821b6 100644 ---- a/src/XCCDF_POLICY/check_engine_plugin.c -+++ b/src/XCCDF_POLICY/check_engine_plugin.c -@@ -47,7 +47,7 @@ static void check_engine_plugin_def_free(struct check_engine_plugin_def *plugin) - oscap_free(plugin); - } - --struct check_engine_plugin_def *check_engine_plugin_load(const char* path) -+struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool quiet) - { - struct check_engine_plugin_def *ret = check_engine_plugin_def_new(); - -@@ -61,9 +61,10 @@ struct check_engine_plugin_def *check_engine_plugin_load(const char* path) - if (!ret->module_handle) { - error = dlerror(); - -- oscap_seterr(OSCAP_EFAMILY_GLIBC, -- "Failed to load extra check engine from '%s'. Details: '%s'.", -- path, error); -+ if (!quiet) -+ oscap_seterr(OSCAP_EFAMILY_GLIBC, -+ "Failed to load extra check engine from '%s'. 
Details: '%s'.", -+ path, error); - - check_engine_plugin_def_free(ret); - return NULL; -@@ -73,9 +74,10 @@ struct check_engine_plugin_def *check_engine_plugin_load(const char* path) - *(void **)(&entry_fn) = dlsym(ret->module_handle, STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY)); - - if ((error = dlerror()) != NULL) { -- oscap_seterr(OSCAP_EFAMILY_GLIBC, -- "Failed to retrieve module entry '%s' from loaded extra check engine '%s'. Details: '%s'.", -- STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY), path, error); -+ if (!quiet) -+ oscap_seterr(OSCAP_EFAMILY_GLIBC, -+ "Failed to retrieve module entry '%s' from loaded extra check engine '%s'. Details: '%s'.", -+ STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY), path, error); - - dlclose(ret->module_handle); - check_engine_plugin_def_free(ret); -@@ -83,8 +85,9 @@ struct check_engine_plugin_def *check_engine_plugin_load(const char* path) - } - - if ((*entry_fn)(ret) != 0) { -- oscap_seterr(OSCAP_EFAMILY_GLIBC, -- "Failed to fill check_engine_plugin_def when loading check engine plugin '%s'.", path); -+ if (!quiet) -+ oscap_seterr(OSCAP_EFAMILY_GLIBC, -+ "Failed to fill check_engine_plugin_def when loading check engine plugin '%s'.", path); - - dlclose(ret->module_handle); - check_engine_plugin_def_free(ret); -@@ -94,6 +97,11 @@ struct check_engine_plugin_def *check_engine_plugin_load(const char* path) - return ret; - } - -+struct check_engine_plugin_def *check_engine_plugin_load(const char* path) -+{ -+ return check_engine_plugin_load2(path, false); -+} -+ - void check_engine_plugin_unload(struct check_engine_plugin_def *plugin) - { - if (!plugin->module_handle) { -diff --git a/src/XCCDF_POLICY/public/check_engine_plugin.h b/src/XCCDF_POLICY/public/check_engine_plugin.h -index 7878fe07f..4a992ae34 100644 ---- a/src/XCCDF_POLICY/public/check_engine_plugin.h -+++ b/src/XCCDF_POLICY/public/check_engine_plugin.h -@@ -52,6 +52,7 @@ struct check_engine_plugin_def - const char *(*get_capabilities_fn)(void**); - }; - -+struct 
check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool quiet); - struct check_engine_plugin_def *check_engine_plugin_load(const char* path); - void check_engine_plugin_unload(struct check_engine_plugin_def *plugin); - -diff --git a/utils/oscap.c b/utils/oscap.c -index 7396101a8..1e966540c 100644 ---- a/utils/oscap.c -+++ b/utils/oscap.c -@@ -126,7 +126,8 @@ static int print_versions(const struct oscap_action *action) - const char * const *known_plugins = check_engine_plugin_get_known_plugins(); - bool known_plugin_found = false; - while (*known_plugins) { -- struct check_engine_plugin_def *plugin = check_engine_plugin_load(*known_plugins); -+ // try to load the plugin but output no errors if it fails (quiet=true) -+ struct check_engine_plugin_def *plugin = check_engine_plugin_load2(*known_plugins, true); - if (plugin) { - printf("%s (from %s)\n", check_engine_plugin_get_capabilities(plugin), *known_plugins); - check_engine_plugin_unload(plugin); - -From 703c1045aedf1f826f007a01cf8b387b525c1d55 Mon Sep 17 00:00:00 2001 -From: Martin Preisler -Date: Thu, 9 Feb 2017 13:54:53 -0500 -Subject: [PATCH 7/9] Filter out the expected warning in - test_remediation_subs_unresolved - ---- - tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh b/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh -index f48239d93..44ae2f772 100755 ---- a/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh -+++ b/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh -@@ -35,6 +35,8 @@ assert_exists 1 '//score[text()="0.000000"]' - ret=0 - $OSCAP xccdf eval --remediate --results $result $srcdir/${name}.xccdf.xml 2> $stderr || ret=$? - [ $ret -eq 2 ] -+# filter out the expected warning in stderr -+sed -i -E "/^W: oscap: The xccdf:rule-result\/xccdf:instance element was not found./d" "$stderr" - [ -f $stderr ]; [ ! 
-s $stderr ]; rm $stderr
- 
- $OSCAP xccdf validate-xml $result
- 
diff --git a/SOURCES/openscap-1.2.15-use-checklist-id-to-get-html-guide-PR-745.patch b/SOURCES/openscap-1.2.15-use-checklist-id-to-get-html-guide-PR-745.patch
deleted file mode 100644
index be8157a..0000000
--- a/SOURCES/openscap-1.2.15-use-checklist-id-to-get-html-guide-PR-745.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From e8f6f67552b196b9d65fa40719e2ea00c87a9579 Mon Sep 17 00:00:00 2001
-From: Evgeni Golov
-Date: Fri, 19 May 2017 17:34:59 +0200
-Subject: [PATCH] pass session->checklist_id to oscap_htable_get in
- get_html_guide
-
-In b8defed we moved to using s->checklist_id instead of hard coding
-xccdf.xml. However, this change was forgotten in
-ds_sds_session_get_html_guide which leads to the following error when
-trying to get the HTML guide:
-
- Internal error: Could not acquire handle to xccdf.xml source.
-
-This change migrates ds_sds_session_get_html_guide to also use
-s->checklist_id and thus fixes the issue.
-
-Fixes: #744
----
- src/DS/ds_sds_session.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/DS/ds_sds_session.c b/src/DS/ds_sds_session.c
-index db7692a65..f14588e09 100644
---- a/src/DS/ds_sds_session.c
-+++ b/src/DS/ds_sds_session.c
-@@ -352,9 +352,9 @@ char *ds_sds_session_get_html_guide(struct ds_sds_session *session, const char *
- "profile_id", profile_id,
- NULL
- };
-- struct oscap_source *xccdf = oscap_htable_get(session->component_sources, "xccdf.xml");
-+ struct oscap_source *xccdf = oscap_htable_get(session->component_sources, session->checklist_id);
- if (xccdf == NULL) {
-- oscap_seterr(OSCAP_EFAMILY_OSCAP, "Internal error: Could not acquire handle to xccdf.xml source.");
-+ oscap_seterr(OSCAP_EFAMILY_OSCAP, "Internal error: Could not acquire handle to '%s' source.", session->checklist_id);
- return NULL;
- }
- return oscap_source_apply_xslt_path_mem(xccdf, "xccdf-guide.xsl", params, oscap_path_to_xslt());
diff --git a/SOURCES/openscap-1.2.17-align-bash-role-header-with-help.patch b/SOURCES/openscap-1.2.17-align-bash-role-header-with-help.patch
new file mode 100644
index 0000000..53e6277
--- /dev/null
+++ b/SOURCES/openscap-1.2.17-align-bash-role-header-with-help.patch
@@ -0,0 +1,24 @@
+From 9b80b4a4ea4163f65004f2b16e65b8adcdf2b3dc Mon Sep 17 00:00:00 2001
+From: Marek Haicman
+Date: Thu, 4 Jan 2018 00:29:26 +0100
+Subject: [PATCH] Make command in bash role header in line with --help
+
+Point is to make more explicit it's a placeholder name - using
+the same name --help use might do the trick.
+---
+ src/XCCDF_POLICY/xccdf_policy_remediate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
+index fbbad8885..1a7d21ed7 100644
+--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
++++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
+@@ -846,7 +846,7 @@ static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_
+ "# Benchmark Version: %s\n#\n"
+ "# XCCDF Version: %s\n#\n"
+ "# This file was generated by OpenSCAP %s using:\n"
+- "# $ oscap xccdf generate fix --profile %s%s%s sds.xml \n#\n"
++ "# $ oscap xccdf generate fix --profile %s%s%s xccdf-file.xml \n#\n"
+ "# This script is generated from an OpenSCAP profile without preliminary evaluation.\n"
+ "# It attempts to fix every selected rule, even if the system is already compliant.\n"
+ "#\n"
diff --git a/SOURCES/openscap-1.2.17-oscap-docker-cleanup-temp-image.patch b/SOURCES/openscap-1.2.17-oscap-docker-cleanup-temp-image.patch
new file mode 100644
index 0000000..a452d4f
--- /dev/null
+++ b/SOURCES/openscap-1.2.17-oscap-docker-cleanup-temp-image.patch
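Review bot: The rewritten format line in the nested xccdf_policy_remediate.c hunk keeps the trailing space before `\n` that the old line had (`xccdf-file.xml \n#\n`), so every generated remediation script still carries trailing whitespace in its header comment; since the line is being touched anyway, `"# $ oscap xccdf generate fix --profile %s%s%s xccdf-file.xml\n#\n"` would drop it. The enclosing `_write_script_header_to_fd` starts and ends outside the hunk, and the `--help` text the new placeholder is meant to match is not in this chunk, so the alignment claimed in the nested commit message cannot be checked here. The spec-file change that registers this new patch is presumably later in the import and is not visible either.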
@@ -0,0 +1,139 @@ +From eea0fd27e7bed6a225bbd6702960bcf394f19536 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Wed, 24 Jan 2018 17:39:04 +0100 +Subject: [PATCH 1/2] Modified the code that temp images are not forgotten. + +--- + utils/oscap_docker_python/oscap_docker_util.py | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/utils/oscap_docker_python/oscap_docker_util.py b/utils/oscap_docker_python/oscap_docker_util.py +index b06b6001a..b9a08a99c 100644 +--- a/utils/oscap_docker_python/oscap_docker_util.py ++++ b/utils/oscap_docker_python/oscap_docker_util.py +@@ -155,7 +155,8 @@ def oscap_chroot(self, chroot_path, target, *oscap_args): + sys.stderr.write(oscap_stderr.decode("utf-8") + "\n") + + # Clean up +- self._cleanup_by_path(chroot_path) ++ DM = DockerMount("/tmp") ++ self._cleanup_by_path(chroot_path, DM) + + sys.exit(1) + +@@ -186,18 +187,17 @@ def resolve_image(self, image): + # TODO + pass + +- def _cleanup_by_path(self, path): ++ def _cleanup_by_path(self, path, DM): + ''' + Cleans up the mounted chroot by umounting it and + removing the temporary directory + ''' + # Sometimes when this def is called, path will have 'rootfs' + # appended. 
If it does, strip it and proceed ++ _no_rootfs = path ++ if os.path.basename(path) == 'rootfs': ++ _no_rootfs = os.path.dirname(path) + +- _no_rootfs = os.path.dirname(path) if os.path.basename(path) == \ +- 'rootfs' else path +- +- DM = DockerMount("/tmp") + # umount chroot + DM.unmount_path(_no_rootfs) + +@@ -206,6 +206,10 @@ def _cleanup_by_path(self, path): + os.rmdir(_no_rootfs) + + ++def mount_image_filesystem(): ++ _tmp_mnt_dir = DM.mount(image) ++ ++ + class OscapScan(object): + def __init__(self, tmp_dir=tempfile.gettempdir(), mnt_dir=None, + hours_old=2): +@@ -276,7 +280,7 @@ def scan_cve(self, image, scan_args): + + finally: + # Clean up +- self.helper._cleanup_by_path(_tmp_mnt_dir) ++ self.helper._cleanup_by_path(_tmp_mnt_dir, DM) + self._remove_mnt_dir(mnt_dir) + + def scan(self, image, scan_args): +@@ -301,5 +305,5 @@ def scan(self, image, scan_args): + sys.stdout.write(self.helper._scan(chroot, image, scan_args)) + + # Clean up +- self.helper._cleanup_by_path(_tmp_mnt_dir) ++ self.helper._cleanup_by_path(_tmp_mnt_dir, DM) + self._remove_mnt_dir(mnt_dir) + +From 432ee1841003b57408e7a1040c6f317cc56a9071 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 25 Jan 2018 14:03:48 +0100 +Subject: [PATCH 2/2] Refactored error handling during scan. 
+ +--- + utils/oscap_docker_python/oscap_docker_util.py | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +diff --git a/utils/oscap_docker_python/oscap_docker_util.py b/utils/oscap_docker_python/oscap_docker_util.py +index b9a08a99c..ca48d5846 100644 +--- a/utils/oscap_docker_python/oscap_docker_util.py ++++ b/utils/oscap_docker_python/oscap_docker_util.py +@@ -154,10 +154,6 @@ def oscap_chroot(self, chroot_path, target, *oscap_args): + sys.stderr.write("Command returned exit code {0}.\n".format(oscap_process.returncode)) + sys.stderr.write(oscap_stderr.decode("utf-8") + "\n") + +- # Clean up +- DM = DockerMount("/tmp") +- self._cleanup_by_path(chroot_path, DM) +- + sys.exit(1) + + sys.stderr.write(oscap_stderr.decode("utf-8") + "\n") +@@ -207,7 +203,7 @@ def _cleanup_by_path(self, path, DM): + + + def mount_image_filesystem(): +- _tmp_mnt_dir = DM.mount(image) ++ _tmp_mnt_dir = DM.mount(image) + + + class OscapScan(object): +@@ -261,9 +257,9 @@ def scan_cve(self, image, scan_args): + sys.stderr.write(str(e) + "\n") + return None + +- chroot = self._find_chroot_path(_tmp_mnt_dir) +- + try: ++ chroot = self._find_chroot_path(_tmp_mnt_dir) ++ + # Figure out which RHEL dist is in the chroot + dist = self.helper._get_dist(chroot, image) + +@@ -299,11 +295,13 @@ def scan(self, image, scan_args): + sys.stderr.write(str(e) + "\n") + return None + +- chroot = self._find_chroot_path(_tmp_mnt_dir) ++ try: ++ chroot = self._find_chroot_path(_tmp_mnt_dir) + +- # Scan the chroot +- sys.stdout.write(self.helper._scan(chroot, image, scan_args)) ++ # Scan the chroot ++ sys.stdout.write(self.helper._scan(chroot, image, scan_args)) + +- # Clean up +- self.helper._cleanup_by_path(_tmp_mnt_dir, DM) +- self._remove_mnt_dir(mnt_dir) ++ finally: ++ # Clean up ++ self.helper._cleanup_by_path(_tmp_mnt_dir, DM) ++ self._remove_mnt_dir(mnt_dir) 
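Review bot: `mount_image_filesystem()`, added at module level in the first patch and only re-indented in the second, references `DM` and `image`, neither of which is bound at module scope anywhere in the hunk, so it would raise NameError if anything ever called it; nothing in the hunk calls it, so it reads as leftover scratch code and should be dropped rather than shipped in the package. The same `DM` is now passed to `_cleanup_by_path(_tmp_mnt_dir, DM)` in `scan_cve` and `scan`; both methods begin outside the hunk, so whether `DM` is assigned there before the `try` cannot be confirmed from this patch. The `oscap_chroot` hunk removes its own cleanup before `sys.exit(1)`, which is only safe if every caller reaches it inside a `try`/`finally` like the one added to `scan`; otherwise the `DockerMount("/tmp")` mount that used to be unmounted here would be left behind on the host.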
diff --git a/SOURCES/openscap-1.2.17-revert-warnings-by-default.patch b/SOURCES/openscap-1.2.17-revert-warnings-by-default.patch
new file mode 100644
index 0000000..90d5af7
--- /dev/null
+++ b/SOURCES/openscap-1.2.17-revert-warnings-by-default.patch
@@ -0,0 +1,265 @@ +From b93c8a3ec57a5fd18868de3a1abfda488fa0013d Mon Sep 17 00:00:00 2001 +From: Jan Cerny +Date: Tue, 23 Jan 2018 17:19:46 +0100 +Subject: [PATCH] Revert "Merge pull request #630 from + mpreisler/warning_default_verbose_level" + +This reverts commit 91feb5cc9658598db8e2b374b92ddae5f8577762, reversing +changes made to ef57380289a6548ea7abb6627fa1fd4845000bf8. +--- + src/XCCDF/public/xccdf_session.h | 3 --- + src/XCCDF/tailoring.c | 2 +- + src/XCCDF/xccdf_session.c | 11 +++------ + src/XCCDF_POLICY/check_engine_plugin.c | 26 ++++++++-------------- + src/XCCDF_POLICY/public/check_engine_plugin.h | 1 - + src/common/debug.c | 2 +- + tests/API/OVAL/unittests/test_external_variable.sh | 6 +---- + .../OVAL/unittests/test_object_component_type.sh | 2 ++ + .../unittests/test_remediation_subs_unresolved.sh | 2 -- + tests/probes/sql57/unsupported_engine.sh | 2 -- + tests/probes/sysctl/test_sysctl_probe_all.sh | 2 -- + utils/oscap.c | 3 +-- + 12 files changed, 18 insertions(+), 44 deletions(-) + +diff --git a/src/XCCDF/public/xccdf_session.h b/src/XCCDF/public/xccdf_session.h +index f9992399..6b6e09e7 100644 +--- a/src/XCCDF/public/xccdf_session.h ++++ b/src/XCCDF/public/xccdf_session.h +@@ -414,11 +414,8 @@ int xccdf_session_load_oval(struct xccdf_session *session); + * + * @memberof xccdf_session + * @param session XCCDF Session +- * @param plugin_name Name of the plugin to load +- * @param quiet If true we will not output errors if loading fails + * @returns zero on success + */ +-int xccdf_session_load_check_engine_plugin2(struct xccdf_session *session, const char* plugin_name, bool quiet); + int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char* plugin_name); + + /** +diff --git a/src/XCCDF/tailoring.c b/src/XCCDF/tailoring.c +index 62661040..51b05f9e 100644 +--- a/src/XCCDF/tailoring.c ++++ b/src/XCCDF/tailoring.c +@@ -187,7 +187,7 @@ struct xccdf_tailoring *xccdf_tailoring_parse(xmlTextReaderPtr reader, struct xc + } + case 
XCCDFE_PROFILE: { + if (benchmark != NULL) { +- dI("Parsing Tailoring Profiles without reference to Benchmark"); ++ dW("Parsing Tailoring Profiles without reference to Benchmark"); + } + struct xccdf_item *item = xccdf_profile_parse(reader, benchmark); + if (!xccdf_tailoring_add_profile(tailoring, XPROFILE(item))) { +diff --git a/src/XCCDF/xccdf_session.c b/src/XCCDF/xccdf_session.c +index ccb95821..7b1a6df5 100644 +--- a/src/XCCDF/xccdf_session.c ++++ b/src/XCCDF/xccdf_session.c +@@ -1072,9 +1072,9 @@ int xccdf_session_load_oval(struct xccdf_session *session) + return 0; + } + +-int xccdf_session_load_check_engine_plugin2(struct xccdf_session *session, const char *plugin_name, bool quiet) ++int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char *plugin_name) + { +- struct check_engine_plugin_def *plugin = check_engine_plugin_load2(plugin_name, quiet); ++ struct check_engine_plugin_def *plugin = check_engine_plugin_load(plugin_name); + + if (!plugin) + return -1; // error already set +@@ -1091,11 +1091,6 @@ int xccdf_session_load_check_engine_plugin2(struct xccdf_session *session, const + } + } + +-int xccdf_session_load_check_engine_plugin(struct xccdf_session *session, const char *plugin_name) +-{ +- return xccdf_session_load_check_engine_plugin2(session, plugin_name, false); +-} +- + int xccdf_session_load_check_engine_plugins(struct xccdf_session *session) + { + xccdf_session_unload_check_engine_plugins(session); +@@ -1105,7 +1100,7 @@ int xccdf_session_load_check_engine_plugins(struct xccdf_session *session) + while (*known_plugins) { + // We do not report failure when a known plugin doesn't load properly, that's because they + // are optional and we don't know if it's not there or if it just failed to load. 
+- if (xccdf_session_load_check_engine_plugin2(session, *known_plugins, true) != 0) ++ if (xccdf_session_load_check_engine_plugin(session, *known_plugins) != 0) + oscap_clearerr(); + + known_plugins++; +diff --git a/src/XCCDF_POLICY/check_engine_plugin.c b/src/XCCDF_POLICY/check_engine_plugin.c +index d36f4cd9..9f3024c5 100644 +--- a/src/XCCDF_POLICY/check_engine_plugin.c ++++ b/src/XCCDF_POLICY/check_engine_plugin.c +@@ -47,7 +47,7 @@ static void check_engine_plugin_def_free(struct check_engine_plugin_def *plugin) + free(plugin); + } + +-struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool quiet) ++struct check_engine_plugin_def *check_engine_plugin_load(const char* path) + { + struct check_engine_plugin_def *ret = check_engine_plugin_def_new(); + +@@ -61,10 +61,9 @@ struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool + if (!ret->module_handle) { + error = dlerror(); + +- if (!quiet) +- oscap_seterr(OSCAP_EFAMILY_GLIBC, +- "Failed to load extra check engine from '%s'. Details: '%s'.", +- path, error); ++ oscap_seterr(OSCAP_EFAMILY_GLIBC, ++ "Failed to load extra check engine from '%s'. Details: '%s'.", ++ path, error); + + check_engine_plugin_def_free(ret); + return NULL; +@@ -74,10 +73,9 @@ struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool + *(void **)(&entry_fn) = dlsym(ret->module_handle, STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY)); + + if ((error = dlerror()) != NULL) { +- if (!quiet) +- oscap_seterr(OSCAP_EFAMILY_GLIBC, +- "Failed to retrieve module entry '%s' from loaded extra check engine '%s'. Details: '%s'.", +- STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY), path, error); ++ oscap_seterr(OSCAP_EFAMILY_GLIBC, ++ "Failed to retrieve module entry '%s' from loaded extra check engine '%s'. 
Details: '%s'.", ++ STRINGIZE(OPENSCAP_CHECK_ENGINE_PLUGIN_ENTRY), path, error); + + dlclose(ret->module_handle); + check_engine_plugin_def_free(ret); +@@ -85,9 +83,8 @@ struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool + } + + if ((*entry_fn)(ret) != 0) { +- if (!quiet) +- oscap_seterr(OSCAP_EFAMILY_GLIBC, +- "Failed to fill check_engine_plugin_def when loading check engine plugin '%s'.", path); ++ oscap_seterr(OSCAP_EFAMILY_GLIBC, ++ "Failed to fill check_engine_plugin_def when loading check engine plugin '%s'.", path); + + dlclose(ret->module_handle); + check_engine_plugin_def_free(ret); +@@ -97,11 +94,6 @@ struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool + return ret; + } + +-struct check_engine_plugin_def *check_engine_plugin_load(const char* path) +-{ +- return check_engine_plugin_load2(path, false); +-} +- + void check_engine_plugin_unload(struct check_engine_plugin_def *plugin) + { + if (!plugin->module_handle) { +diff --git a/src/XCCDF_POLICY/public/check_engine_plugin.h b/src/XCCDF_POLICY/public/check_engine_plugin.h +index 4a992ae3..7878fe07 100644 +--- a/src/XCCDF_POLICY/public/check_engine_plugin.h ++++ b/src/XCCDF_POLICY/public/check_engine_plugin.h +@@ -52,7 +52,6 @@ struct check_engine_plugin_def + const char *(*get_capabilities_fn)(void**); + }; + +-struct check_engine_plugin_def *check_engine_plugin_load2(const char* path, bool quiet); + struct check_engine_plugin_def *check_engine_plugin_load(const char* path); + void check_engine_plugin_unload(struct check_engine_plugin_def *plugin); + +diff --git a/src/common/debug.c b/src/common/debug.c +index 80731b0f..cb1f9290 100644 +--- a/src/common/debug.c ++++ b/src/common/debug.c +@@ -86,7 +86,7 @@ oscap_verbosity_levels oscap_verbosity_level_from_cstr(const char *level_name) + bool oscap_set_verbose(const char *verbosity_level, const char *filename, bool is_probe) + { + if (verbosity_level == NULL) { +- verbosity_level = "WARNING"; ++ 
return true; + } + __debuglog_level = oscap_verbosity_level_from_cstr(verbosity_level); + if (__debuglog_level == DBG_UNKNOWN) { +diff --git a/tests/API/OVAL/unittests/test_external_variable.sh b/tests/API/OVAL/unittests/test_external_variable.sh +index 8f6a2e8c..e23dd556 100755 +--- a/tests/API/OVAL/unittests/test_external_variable.sh ++++ b/tests/API/OVAL/unittests/test_external_variable.sh +@@ -9,11 +9,7 @@ stderr=$(mktemp ${name}.err.XXXXXX) + echo "stderr file: $stderr" + + $OSCAP oval eval --results $result --variables $srcdir/external_variables.xml $srcdir/$name.oval.xml 2> $stderr +-# filter out the expected warnings in stderr +- +-sed -i -E "/^W: oscap:[ ]+Referenced variable has no values \(oval:x:var:[13689]\)/d" "$stderr" +-[ -f $stderr ]; [ ! -s $stderr ]; rm $stderr +- ++[ ! -s $stderr ] && rm $stderr + [ -s $result ] + + assert_exists 10 '/oval_results/oval_definitions/variables/external_variable' +diff --git a/tests/API/OVAL/unittests/test_object_component_type.sh b/tests/API/OVAL/unittests/test_object_component_type.sh +index f9189c08..30c84a44 100755 +--- a/tests/API/OVAL/unittests/test_object_component_type.sh ++++ b/tests/API/OVAL/unittests/test_object_component_type.sh +@@ -8,6 +8,8 @@ set -o pipefail + $OSCAP oval eval $srcdir/test_object_component_type.oval.xml 2> $stderr || ret=$? + [ $ret -eq 1 ] + ++stderr_line_count=`cat $stderr | wc -l` ++[ $stderr_line_count -eq 2 ] + grep -q "Entity [']something_bogus['] has not been found in textfilecontent_item (id: [0-9]\+) specified by object [']oval:oscap:obj:10[']." $stderr + grep -q "Expected record data type, but found string data type in subexpression entity in textfilecontent_item (id: [0-9]\+) specified by object [']oval:oscap:obj:10[']." 
$stderr + +diff --git a/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh b/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh +index 44ae2f77..f48239d9 100755 +--- a/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh ++++ b/tests/API/XCCDF/unittests/test_remediation_subs_unresolved.sh +@@ -35,8 +35,6 @@ assert_exists 1 '//score[text()="0.000000"]' + ret=0 + $OSCAP xccdf eval --remediate --results $result $srcdir/${name}.xccdf.xml 2> $stderr || ret=$? + [ $ret -eq 2 ] +-# filter out the expected warning in stderr +-sed -i -E "/^W: oscap: The xccdf:rule-result\/xccdf:instance element was not found./d" "$stderr" + [ -f $stderr ]; [ ! -s $stderr ]; rm $stderr + + $OSCAP xccdf validate-xml $result +diff --git a/tests/probes/sql57/unsupported_engine.sh b/tests/probes/sql57/unsupported_engine.sh +index 6243cff3..f90d6c8b 100755 +--- a/tests/probes/sql57/unsupported_engine.sh ++++ b/tests/probes/sql57/unsupported_engine.sh +@@ -10,8 +10,6 @@ echo "stderr file: $stderr" + + echo "Evaluating content." + $OSCAP oval eval --results $result $srcdir/${name}.oval.xml 2> $stderr +-# filter out the expected error in stderr +-sed -i -E "/^E: lt-probe_sql57: DB engine not supported: sqlserver/d" "$stderr" + [ -f $stderr ]; [ ! -s $stderr ]; rm $stderr + echo "Validating results." + #$OSCAP oval validate-xml --results --schematron $result +diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh +index 435eaf5d..fa353925 100755 +--- a/tests/probes/sysctl/test_sysctl_probe_all.sh ++++ b/tests/probes/sysctl/test_sysctl_probe_all.sh +@@ -29,8 +29,6 @@ grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames" + + diff "$sysctlNames" "$ourNames" + +-# remove oscap error message related to permissions from stderr +-sed -i -E "/^E: lt-probe_sysctl: Can't read sysctl value from /d" "$stderr" + [ ! 
-s $stderr ] + + rm $stderr $result $ourNames $sysctlNames +diff --git a/utils/oscap.c b/utils/oscap.c +index 9d3386fd..1f22c49b 100644 +--- a/utils/oscap.c ++++ b/utils/oscap.c +@@ -130,8 +130,7 @@ static int print_versions(const struct oscap_action *action) + const char * const *known_plugins = check_engine_plugin_get_known_plugins(); + bool known_plugin_found = false; + while (*known_plugins) { +- // try to load the plugin but output no errors if it fails (quiet=true) +- struct check_engine_plugin_def *plugin = check_engine_plugin_load2(*known_plugins, true); ++ struct check_engine_plugin_def *plugin = check_engine_plugin_load(*known_plugins); + if (plugin) { + printf("%s (from %s)\n", check_engine_plugin_get_capabilities(plugin), *known_plugins); + check_engine_plugin_unload(plugin); +-- +2.14.3 + diff --git a/SOURCES/openscap-1.2.17-updated-bash-completion.patch b/SOURCES/openscap-1.2.17-updated-bash-completion.patch new file mode 100644 index 0000000..a5ee8a3 --- /dev/null +++ b/SOURCES/openscap-1.2.17-updated-bash-completion.patch 
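Review bot: After the revert, `check_engine_plugin_load()` unconditionally calls `oscap_seterr()` when `dlopen`/`dlsym`/the entry function fails, and the loop in `print_versions()` (utils/oscap.c hunk) loses its quiet mode but, unlike `xccdf_session_load_check_engine_plugins()` in the xccdf_session.c hunk, does not call `oscap_clearerr()` after a failed load; on a host without the optional plugins this presumably leaves a stale library error set after `oscap --version`. Adding `else oscap_clearerr();` after the `if (plugin) { ... }` block would mirror the session loader; `print_versions()` continues outside the hunk, so whether the stale error is later reported cannot be confirmed here. Separately, the debug.c hunk makes `oscap_set_verbose()` return before touching `__debuglog_level` when no level is given, which is the behavioural change that lets the shell tests drop their stderr filtering for `W:` lines; a one-line comment there, e.g. `/* No --verbose given: keep the compiled-in default level, so warnings are not printed. */`, would make the intent of the bare `return true;` obvious to the next reader.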
@@ -0,0 +1,32 @@
+From c3d14137500991e6eae629110cb9c71b1fadc5de Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
+Date: Fri, 1 Dec 2017 15:35:44 +0100
+Subject: [PATCH] Updated bash completion.
+
+Just included updated 'info' and 'xccdf eval'.
+---
+ dist/bash_completion.d/oscap | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/dist/bash_completion.d/oscap b/dist/bash_completion.d/oscap
+index 640eb26bb..ff6677327 100644
+--- a/dist/bash_completion.d/oscap
++++ b/dist/bash_completion.d/oscap
+@@ -31,7 +31,7 @@ function _oscap {
+ opts[oscap:oval:analyse]="--variables --directives --verbose --verbose-log-file"
+ opts[oscap:oval:collect]="--variables --verbose --verbose-log-file"
+ opts[oscap:oval:generate:report]="-o --output"
+- opts[oscap:xccdf:eval]="--skip-valid --datastream-id --xccdf-id --profile --results --results-arf --report --oval-results --export-variables --fetch-remote-resources --remediate --cpe --verbose --verbose-log-file"
++ opts[oscap:xccdf:eval]="--benchmark-id --check-engine-results --cpe --datastream-id --export-variables --fetch-remote-resources --oval-results --profile --progress --remediate --report --results --results-arf --rule --sce-results --skip-valid --stig-viewer --tailoring-file --tailoring-id --thin-results --verbose --verbose-log-file --without-syschar --xccdf-id"
+ opts[oscap:xccdf:validate]="--schematron"
+ opts[oscap:xccdf:export-oval-variables]="--datastream-id --xccdf-id --profile --skip-valid --fetch-remote-resources --cpe"
+ opts[oscap:xccdf:remediate]="--result-id --skip-valid --fetch-remote-resources --results --results-arf --report --oval-results --export-variables --cpe"
+@@ -48,7 +48,7 @@ function _oscap {
+ opts[oscap:ds:rds-split]="--report-id --skip-valid"
+ opts[oscap:cvss:score]=""
+ opts[oscap:cvss:describe]=""
+- opts[oscap:info]="--fetch-remote-resources"
++ opts[oscap:info]="--fetch-remote-resources --profile --profiles"
+
+ # local variables
+ local std cmd i prev
diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec index 26a2e03..ff28bb1 100644 --- a/SPECS/openscap.spec +++ b/SPECS/openscap.spec @@ -5,18 +5,17 @@ restorecon -R /usr/bin/oscap /usr/libexec/openscap; \ Name: openscap -Version: 1.2.14 -Release: 3%{?dist} +Version: 1.2.16 +Release: 6%{?dist} Summary: Set of open source libraries enabling integration of the SCAP line of standards Group: System Environment/Libraries License: LGPLv2+ URL: http://www.open-scap.org/ -Source0: http://fedorahosted.org/releases/o/p/openscap/%{name}-%{version}.tar.gz -Patch0: openscap-1.2.14-rpm-probes-not-applicable-PR-733.patch -Patch1: openscap-1.2.14-sysctl-test-s390x-PR-726.patch -# We are reverting the patch below, not applying it! The patch has been modified to remove line count changes, we got rid of line count checking in 1.2.14 -Patch2: openscap-1.2.14-warning-by-default-PR-630.patch -Patch3: openscap-1.2.15-use-checklist-id-to-get-html-guide-PR-745.patch +Source0: https://github.com/OpenSCAP/openscap/releases/download/%{version}/%{name}-%{version}.tar.gz +Patch0: openscap-1.2.17-updated-bash-completion.patch +Patch1: openscap-1.2.17-align-bash-role-header-with-help.patch +Patch2: openscap-1.2.17-revert-warnings-by-default.patch +Patch3: openscap-1.2.17-oscap-docker-cleanup-temp-image.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: swig libxml2-devel libxslt-devel perl-XML-Parser BuildRequires: rpm-devel @@ -77,7 +76,7 @@ Summary: OpenSCAP Utilities Group: Applications/System Requires: %{name}%{?_isa} = %{version}-%{release} Requires: rpmdevtools rpm-build -Requires: %{name}-scanner%{?_isa} = %{version}-%{release} +Requires: %{name}-containers = %{version}-%{release} %description utils The %{name}-utils package contains command-line tools build on top 
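Review bot: The second hunk replaces `Requires: %{name}-scanner%{?_isa} = %{version}-%{release}` in the utils subpackage with a dependency on the new noarch containers subpackage, and the containers subpackage introduced in the next hunk (`%package containers`) in turn carries only an unversioned `Requires: %{name}-scanner`; the net effect is that openscap-utils no longer pins the scanner to the same version-release as the library and the wrapper tools. The utils scripts and oscap-docker presumably invoke the `oscap` binary, so a partial upgrade could leave an old scanner alongside new wrappers and the newly restored default verbosity behaviour would differ between them. `%{?_isa}` cannot be used on a noarch subpackage, but `Requires: %{name}-scanner = %{version}-%{release}` on the containers subpackage would restore the version lock that the old utils requirement provided.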
@@ -118,11 +117,22 @@ Requires: pkgconfig The %{name}-engine-sce-devel package contains libraries and header files for developing applications that use %{name}-engine-sce. +%package containers +Summary: Utils for scanning containers +Group: Applications/System +Requires: %{name} = %{version}-%{release} +Requires: %{name}-scanner +BuildArch: noarch + +%description containers +Tool for scanning Atomic containers. + + %prep %setup -q %patch0 -p1 %patch1 -p1 -%patch2 -p1 -R +%patch2 -p1 %patch3 -p1 %build @@ -241,8 +251,10 @@ rm -rf $RPM_BUILD_ROOT %{_includedir}/openscap/sce_engine_api.h %files scanner -%{_mandir}/man8/oscap.8.gz %{_bindir}/oscap +%{_mandir}/man8/oscap.8.gz +%{_bindir}/oscap-chroot +%{_mandir}/man8/oscap-chroot.8.gz %{_sysconfdir}/bash_completion.d %files utils @@ -250,9 +262,12 @@ rm -rf $RPM_BUILD_ROOT %doc docs/oscap-scan.cron %{_mandir}/man8/* %exclude %{_mandir}/man8/oscap.8.gz +%exclude %{_mandir}/man8/oscap-docker.8.gz +%exclude %{_mandir}/man8/oscap-chroot.8.gz %{_bindir}/* %exclude %{_bindir}/oscap -%{python_sitelib}/oscap_docker_python/* +%exclude %{_bindir}/oscap-docker +%exclude %{_bindir}/oscap-chroot %files extra-probes 
@@ -262,9 +277,60 @@ rm -rf $RPM_BUILD_ROOT %files engine-sce %{_libdir}/libopenscap_sce.so.* +%files containers +%defattr(-,root,root,-) +%{_bindir}/oscap-docker +%{_mandir}/man8/oscap-docker.8.gz +%{python_sitelib}/oscap_docker_python/* + + %changelog -* Wed Feb 21 2018 Watson Yuuma Sato - 1.2.14-3 -- Use checklist ID instead of hardcoded value to get HTML guide (#1545584) +* Tue Feb 06 2018 Watson Yuuma Sato - 1.2.16-6 +- Cleanup temporary images created by oscap-docker (#1454637) + +* Tue Jan 23 2018 Jan Černý - 1.2.16-5 +- Revert warnings by default in oscap tool (#1537089) + +* Mon Jan 15 2018 Watson Yuuma Sato - 1.2.16-4 +- Fix requirement on openscap-containers + +* Tue Jan 09 2018 Watson Yuuma Sato - 1.2.16-3 +- Update bash completion (#1505517) +- Align bash role header with output of help command (#1439813) + +* Mon Nov 20 2017 Matěj Týč - 1.2.16-2 +- moved oscap-docker to newly created openscap-containers. +- moved man of oscap-chroot to oscap-scanner. + +* Tue Nov 14 2017 Matěj Týč - 1.2.16-1 +- upgrade to the latest upstream release +- moved oscap-chroot to openscap-scanner because it's a thin wrapper script with no dependencies + +* Mon Aug 28 2017 Jan Černý - 1.2.15-1 +- upgrade to the latest upstream release +- short profile names can be used instead of long IDs +- new option --rule allows to evaluate only a single rule +- new option --fix-type in "oscap xccdf generate fix" allows choosing + remediation script type without typing long URL +- "oscap info" shows profile titles +- OVAL details in HTML report are easier to read +- HTML report is smaller because unselected rules are removed +- HTML report supports NIST 800-171 and CJIS +- remediation scripts contain headers with useful information (#1439813) +- remediation scripts report progress when they run +- basic support for Oracle Linux (CPEs, runlevels) +- remediation scripts can be generated from datastreams that contain + multiple XCCDF benchmarks +- basic support for OVAL 5.11.2 (only 
schemas, no features) +- enabled offline RPM database in rpminfo probe +- added Fedora 28 CPE +- fixed oscap-docker with Docker >= 2.0 +- fixed behavior of sysctl probe to be consistent with sysctl tool +- fixed generating remediation scripts +- severity of tailored rules is not discarded +- fixed errors in RPM probes initialization +- oscap-docker shows all warnings reported by oscap +- fixed pkgconfig file * Fri May 19 2017 Martin Preisler - 1.2.14-2 - RPM probes to return not applicable on non-rpm systems (#1447629)