commit f6ea68c88b4017478ab16f1152f1ee1b6e2dc155e74c1aad9c785231a7cee7a5 Author: Adrian Schröter Date: Wed Oct 23 11:56:23 2024 +0200 Sync from SUSE:SLFO:Main openscap revision 40146bd45416b7e2f251b95bad72118f
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/0001-Add-openSUSE-cpe-links.patch b/0001-Add-openSUSE-cpe-links.patch
new file mode 100644
index 0000000..1909de4
--- /dev/null
+++ b/0001-Add-openSUSE-cpe-links.patch
@@ -0,0 +1,220 @@ +From 48685f390b865f6edd7df8dba955c03dff6045e8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Klaus=20K=C3=A4mpf?= +Date: Tue, 28 Mar 2023 12:02:43 +0200 +Subject: [PATCH 1/5] Add openSUSE cpe links + +--- + cpe/openscap-cpe-dict.xml | 24 +++++++ + cpe/openscap-cpe-oval.xml | 127 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 151 insertions(+) + +Index: openscap-1.3.10/cpe/openscap-cpe-dict.xml +=================================================================== +--- openscap-1.3.10.orig/cpe/openscap-cpe-dict.xml ++++ openscap-1.3.10/cpe/openscap-cpe-dict.xml +@@ -53,4 +53,32 @@ + Fedora 35 + oval:org.open-scap.cpe.fedora:def:35 + ++ ++ openSUSE Leap 15.1 ++ oval:org.open-scap.cpe.opensuse:def:151 ++ ++ ++ openSUSE Leap 15.2 ++ oval:org.open-scap.cpe.opensuse:def:152 ++ ++ ++ openSUSE Leap 15.3 ++ oval:org.open-scap.cpe.opensuse:def:153 ++ ++ ++ openSUSE Leap 15.4 ++ oval:org.open-scap.cpe.opensuse:def:154 ++ ++ ++ openSUSE Leap 15.5 ++ oval:org.open-scap.cpe.opensuse:def:155 ++ ++ ++ openSUSE Leap 15.6 ++ oval:org.open-scap.cpe.opensuse:def:156 ++ ++ ++ openSUSE Tumbleweed ++ oval:org.open-scap.cpe.opensuse:def:9999 ++ + +Index: openscap-1.3.10/cpe/openscap-cpe-oval.xml +=================================================================== +--- openscap-1.3.10.orig/cpe/openscap-cpe-oval.xml ++++ openscap-1.3.10/cpe/openscap-cpe-oval.xml +@@ -690,6 +690,97 @@ + + + ++ ++ ++ openSUSE Leap 15.1 ++ ++ openSUSE Leap 15.1 ++ ++ ++ The operating system installed on the system is openSUSE Leap 15.1 ++ ++ ++ ++ ++ ++ ++ ++ openSUSE Leap 15.2 ++ ++ openSUSE Leap 15.2 ++ ++ ++ The operating system installed on the system is openSUSE Leap 15.2 ++ ++ ++ ++ ++ ++ ++ ++ openSUSE Leap 15.3 ++ ++ openSUSE Leap 15.3 ++ ++ ++ The operating system installed on the system is openSUSE Leap 15.3 ++ ++ ++ ++ ++ ++ ++ ++ openSUSE Leap 15.4 ++ ++ openSUSE Leap 15.4 ++ ++ ++ The operating system installed on the system is openSUSE Leap 15.4 ++ ++ ++ ++ ++ ++ ++ ++ 
openSUSE Leap 15.5 ++ ++ openSUSE Leap 15.5 ++ ++ ++ The operating system installed on the system is openSUSE Leap 15.5 ++ ++ ++ ++ ++ ++ ++ ++ openSUSE Leap 15.6 ++ ++ openSUSE Leap 15.6 ++ ++ ++ The operating system installed on the system is openSUSE Leap 15.6 ++ ++ ++ ++ ++ ++ ++ ++ openSUSE Tumbleweed ++ ++ openSUSE Tumbleweed ++ ++ ++ The operating system installed on the system is openSUSE Tumbleweed ++ ++ ++ ++ ++ + + + Wind River Linux +@@ -1087,6 +1178,41 @@ + + + ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +@@ -1415,6 +1541,28 @@ + + ^15.0$ + ++ ++ ^15.1$ ++ ++ ++ ^15.2$ ++ ++ ++ ^15.3$ ++ ++ ++ ^15.4$ ++ ++ ++ ^15.5$ ++ ++ ++ ^15.6$ ++ ++ ++ ++ ^\d{8}$ ++ + +Date: Tue, 28 Mar 2023 12:04:28 +0200 +Subject: [PATCH 2/5] Add SUSE cpe links + +--- + cpe/openscap-cpe-dict.xml | 16 +++++++++++++++ + cpe/openscap-cpe-oval.xml | 42 +++++++++++++++++++++++++++++++++++++++ + 2 files changed, 58 insertions(+) + +diff --git a/cpe/openscap-cpe-dict.xml b/cpe/openscap-cpe-dict.xml +index cf52bee..85917a8 100644 +--- a/cpe/openscap-cpe-dict.xml ++++ b/cpe/openscap-cpe-dict.xml +@@ -77,4 +77,20 @@ + openSUSE Tumbleweed + oval:org.open-scap.cpe.opensuse:def:9999 + ++ ++ SUSE Linux Enterprise Server 12 ++ oval:org.open-scap.cpe.sles:def:12 ++ ++ ++ SUSE Linux Enterprise Desktop 12 ++ oval:org.open-scap.cpe.sled:def:12 ++ ++ ++ SUSE Linux Enterprise Server 15 ++ oval:org.open-scap.cpe.sles:def:15 ++ ++ ++ SUSE Linux Enterprise Desktop 15 ++ oval:org.open-scap.cpe.sled:def:15 ++ + +diff --git a/cpe/openscap-cpe-oval.xml b/cpe/openscap-cpe-oval.xml +index a402c7f..531297b 100644 +--- a/cpe/openscap-cpe-oval.xml ++++ b/cpe/openscap-cpe-oval.xml +@@ -768,6 +768,32 @@ + + + ++ ++ ++ SUSE Linux Enterprise Server 15 ++ ++ SUSE Linux Enterprise Server 15 ++ ++ ++ The operating system installed on the system is SUSE Linux Enterprise Server 15 ++ ++ ++ ++ ++ ++ ++ ++ SUSE Linux Enterprise Desktop 15 ++ ++ SUSE Linux Enterprise Desktop 15 ++ 
++ ++ The operating system installed on the system is SUSE Linux Enterprise Desktop 15 ++ ++ ++ ++ ++ + + + Wind River Linux +@@ -1110,6 +1136,11 @@ + + + ++ ++ ++ ++ + + +@@ -1125,6 +1156,11 @@ + + + ++ ++ ++ ++ + + +@@ -1490,6 +1526,9 @@ + + ^12($|[^\d]) + ++ ++ ^15($|[^\d]) ++ + + ^10($|[^\d]) + +@@ -1499,6 +1538,9 @@ + + ^12($|[^\d]) + ++ ++ ^15($|[^\d]) ++ + + ^openSUSE-release + +-- +2.40.0 + diff --git a/0003-Use-openSUSE-SUSE-cpe-links.patch b/0003-Use-openSUSE-SUSE-cpe-links.patch new file mode 100644 index 0000000..2ed5913 --- /dev/null +++ b/0003-Use-openSUSE-SUSE-cpe-links.patch 
@@ -0,0 +1,100 @@
+From 815356039b16d5abba9cdebc07c23aa967947ef3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Klaus=20K=C3=A4mpf?=
+Date: Tue, 28 Mar 2023 12:05:37 +0200
+Subject: [PATCH 3/5] Use openSUSE/SUSE cpe links
+
+---
+ utils/oscap_docker_python/get_cve_input.py | 21 ++++++++++---
+ .../oscap_docker_common.py | 31 ++++++++++++++++++-
+ 2 files changed, 46 insertions(+), 6 deletions(-)
+
+diff --git a/utils/oscap_docker_python/get_cve_input.py b/utils/oscap_docker_python/get_cve_input.py
+index 6d77bdb..bb38e77 100644
+--- a/utils/oscap_docker_python/get_cve_input.py
++++ b/utils/oscap_docker_python/get_cve_input.py
+@@ -31,9 +31,12 @@ class getInputCVE(object):
+
+ hdr = {'User-agent': 'Mozilla/5.0'}
+ hdr2 = [('User-agent', 'Mozilla/5.0')]
+- url = "https://www.redhat.com/security/data/oval/"
+- dist_cve_name = "com.redhat.rhsa-RHEL{0}.xml.bz2"
+- dists = [5, 6, 7]
++ rhel_url = "https://www.redhat.com/security/data/oval/"
++ rhel_dist_cve_name = "com.redhat.rhsa-RHEL{0}.xml.bz2"
++ rhel_dists = [5, 6, 7]
++ suse_url = "https://ftp.suse.com/pub/projects/security/oval/"
++ suse_dist_cve_name = "suse.linux.enterprise.{0}.xml"
++ suse_dists = [12, 15]
+ remote_pattern = '%a, %d %b %Y %H:%M:%S %Z'
+
+ def __init__(self, fs_dest, DEBUG=False):
+@@ -46,10 +49,18 @@ class getInputCVE(object):
+ Given a distribution number (i.e. 7), it will fetch the
+ distribution specific data file if upstream has a newer
+ input file. Returns the path of file.
++ We just hack that SUSE has versions above 10 to mean SUSE
+ '''
+- cve_file = self.dist_cve_name.format(dist)
++ if dist == "12" or dist == "15":
++ cve_file = self.suse_dist_cve_name.format(dist)
++ dist_url = urllib.parse.urljoin(self.suse_url, cve_file)
++ else:
++ cve_file = self.rhel_dist_cve_name.format(dist)
++ dist_url = urllib.parse.urljoin(self.rhel_url, cve_file)
++
++ # stderr.write("URL {0} cve_file {1}\n".format(dist_url,cve_file))
+ dest_file = join(self.dest, cve_file)
+- dist_url = urllib.parse.urljoin(self.url, cve_file)
++
+ if self._is_cache_same(dest_file, dist_url):
+ return dest_file
+
+diff --git a/utils/oscap_docker_python/oscap_docker_common.py b/utils/oscap_docker_python/oscap_docker_common.py
+index c9afd6b..30289fd 100644
+--- a/utils/oscap_docker_python/oscap_docker_common.py
++++ b/utils/oscap_docker_python/oscap_docker_common.py
+@@ -55,7 +55,7 @@ def get_dist(mountpoint, oscap_binary, local_env):
+
+ '''
+ Test the chroot and determine what RHEL dist it is; returns
+- an integer representing the dist
++ an integer representing the dist (5 - 8 for RHEL, 12 and 15 for SLES)
+ '''
+
+ cpe_dict = '/usr/share/openscap/cpe/openscap-cpe-oval.xml'
+@@ -77,3 +77,32 @@ def get_dist(mountpoint, oscap_binary, local_env):
+ if "{0}{1}: true".format(CPE_RHEL, dist) in result.stdout:
+ print("This system seems based on RHEL{0}.".format(dist))
+ return dist
++
++ CPE_SLES = 'oval:org.open-scap.cpe.sles:def:'
++ DISTS = ["12", "15"]
++
++ '''
++ Test the chroot and determine what SUSE dist it is; returns
++ an integer representing the dist (12 and 15 for SUSE)
++ '''
++
++ cpe_dict = '/usr/share/openscap/cpe/openscap-cpe-oval.xml'
++ if not os.path.exists(cpe_dict):
++ # sometime it's installed into /usr/local/share instead of /usr/local
++ cpe_dict = '/usr/local/share/openscap/cpe/openscap-cpe-oval.xml'
++ if not os.path.exists(cpe_dict):
++ raise OscapError()
++
++ for dist in DISTS:
++ result = oscap_chroot(
++ mountpoint, oscap_binary,
++ ("oval", "eval", "--id", CPE_SLES + dist, cpe_dict,
++ mountpoint, "2>&1", ">", "/dev/null"),
++ '*',
++ local_env
++ )
++
++ if "{0}{1}: true".format(CPE_SLES, dist) in result.stdout:
++ print("This system seems based on SLES {0}.".format(dist))
++ return dist
++ print("System version not detected.")
+--
+2.40.0
+
diff --git a/0004-oscap-remediate-is-located-in-bindir.patch b/0004-oscap-remediate-is-located-in-bindir.patch
new file mode 100644
index 0000000..56f7723
--- /dev/null
+++ b/0004-oscap-remediate-is-located-in-bindir.patch
@@ -0,0 +1,24 @@
+From 290186ec99dedf00477447d53b2c0c01c764eaa5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Klaus=20K=C3=A4mpf?=
+Date: Tue, 28 Mar 2023 12:06:36 +0200
+Subject: [PATCH 4/5] oscap-remediate is located in bindir
+
+---
+ oscap-remediate.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/oscap-remediate.service.in b/oscap-remediate.service.in
+index 2b48398..b6d07b7 100644
+--- a/oscap-remediate.service.in
++++ b/oscap-remediate.service.in
+@@ -8,6 +8,6 @@ Before=shutdown.target system-update.target
+
+ [Service]
+ Type=oneshot
+-ExecStart=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_LIBEXECDIR@/oscap-remediate
++ExecStart=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_BINDIR@/oscap-remediate
+
+ FailureAction=reboot
+--
+2.40.0
+
diff --git a/openscap-1.3.10.tar.gz b/openscap-1.3.10.tar.gz
new file mode 100644
index 0000000..adf0ae3
--- /dev/null
+++ b/openscap-1.3.10.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2a51a09810d6d188e82afb31e454d06989d59d05f39e2aec99a661b01cd660aa
+size 14047461
diff --git a/openscap-rpmlintrc b/openscap-rpmlintrc
new file mode 100644
index 0000000..ba0f4a7
--- /dev/null
+++ b/openscap-rpmlintrc
@@ -0,0 +1,4 @@
+# can not change docs implementation
+addFilter("files-duplicate /usr/share/doc/packages/openscap/html/search")
+# ignore duplicates in different schema versions
+addFilter("files-duplicate /usr/share/openscap/schemas")
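Review bot: The new branch `if dist == "12" or dist == "15":` in get_cve_input.py only matches string arguments, while the same class declares `suse_dists = [12, 15]` as integers and the docstring says the argument is a number, so an integer 12 or 15 silently falls into the RHEL branch and asks the Red Hat feed for `com.redhat.rhsa-RHEL12.xml.bz2`; normalising first, `if int(dist) in self.suse_dists:`, keeps both call styles working and makes the "versions above 10" comment truthful. The oscap_docker_common.py part of this hunk has the mirror problem: `DISTS = ["12", "15"]` makes get_dist return a str for SLES where the docstring promises an integer, and when nothing matches it prints "System version not detected." and returns None rather than raising OscapError as the missing-cpe_dict path a few lines above does; get_dist's head and the RHEL loop lie outside the hunk. The bare `'''...'''` block inside get_dist's body is an expression statement, not a comment, and the `# stderr.write(...)` line is leftover debug output, so both should be dropped. Note also that `suse_dist_cve_name = "suse.linux.enterprise.{0}.xml"` names an uncompressed file while the RHEL name ends in `.xml.bz2`; whatever decompresses the download is not in this hunk, so confirm it copes with a plain XML feed.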
diff --git a/openscap.changes b/openscap.changes
new file mode 100644
index 0000000..8ceeb8d
--- /dev/null
+++ b/openscap.changes
@@ -0,0 +1,1376 @@ +------------------------------------------------------------------- +Mon Sep 16 11:49:29 UTC 2024 - Marcus Meissner + +- disable sendmail buildrequires (seems unused) +- only use distribution-release to make work everywhere + +------------------------------------------------------------------- +Sat May 4 09:44:02 UTC 2024 - Marcus Meissner + +- 0001-Add-openSUSE-cpe-links.patch: added Leap 15.6 + +------------------------------------------------------------------- +Wed Mar 20 18:37:30 UTC 2024 - Dan Čermák + +- Rename oscap-docker to oscap-containers and provide oscap-podman as well + (Relates to jsc#SLE-12852) + +------------------------------------------------------------------- +Wed Mar 20 08:56:12 UTC 2024 - Robert Frohl + +- update to 1.3.10: + * New features + - Dump all env. variables that affects the behaviour on INFO log level + - Support Blueprint services customization for masking + - Fix Blueprint template to be self-contained + - Add a refine-rule tailoring ability to autotailor + - Introduce JSON tailoring import option for autotailor + - Select rules based on reference + - Skip certain paths from scanning (controlled via env. variable) + - Introduce a limit of collected items (controlled via env. variable) + * Maintenance, bug fix + - Fix partition probe for PCRE2 + - Fix NSS crypto backend + - Wrap Bash snippets in a subshell when generating a fix script + - Improve references in HTML guides and reports + - Update html report with OVAL details + - Rewrite dpkginfo probe without using APT + - Fix incorrect openscap-cpe-oval result filename + - Implement xccdf_session_get_rule_results function in XCCDF session API + - Implement xccdf_session_result_reset function in XCCDF session API +- drop 0005-rename-requires-reqs-for-C-20-compatibility.patch: fixed upstream + +------------------------------------------------------------------- +Tue Feb 27 22:23:26 UTC 2024 - Jaime Marquínez Ferrándiz + +- Use the correct documentation's path. 
+ +------------------------------------------------------------------- +Thu Sep 21 19:43:34 UTC 2023 - Andreas Stieger + +- update to 1.3.9: + * use PCRE2 library + * Fix offline mode (OVAL/sysctl) + * Fix leak of dpkg cache when dpkginfo_init is called multiple times + * Fix un-expanded variable in xccdf report output + * Fix issues when parsing profiles + * Fix minor problems and resource leaks + +------------------------------------------------------------------- +Wed Jun 21 07:32:35 UTC 2023 - Robert Frohl + +- openscap 1.3.8 + * New features + - The boot-time remediation service for systemd's Offline Update mode is now disabled by default + - Add offline capabilities to the shadow OVAL probe + - Add offline capabilities to the sysctl OVAL probe + - Add 'auristorfs' to list of network fileystems + - Add new experimental linux-bound fwupdsecattr probe for system firmware security attributes (fwupd-based) + * Maintenance, bug fix + - Use ListUnitFiles D-Bus method to fetch all units in systemd OVAL probe + - Fix minor resource leaks + +------------------------------------------------------------------- +Wed Mar 29 15:22:55 UTC 2023 - Marcus Meissner + +- remove _service confusion, we use final tarballs. 
+ +------------------------------------------------------------------- +Tue Mar 28 09:59:10 UTC 2023 - kkaempf@suse.com + +- Update to version 1.3.7: + * openscap-1.3.7 + * Bump soname from 25.5.0 to 25.5.1 + * Bump version to openscap-1.3.7 + * Fix typos in docs + * Remove a check for suspicious files + * Add debian_evr_string tests to CMakeLists + * Add a few unittests for debian_evr_string + * Remove To be done + * Move release guide to upstream + +- add 0005-rename-requires-reqs-for-C-20-compatibility.patch + +- rename patches + openscap-opensuse-cpe.patch to 0001-Add-openSUSE-cpe-links.patch + openscap-suse-cpe.patch to 0002-Add-SUSE-cpe-links.patch + openscap-docker-add-suse.patch to 0003-Use-openSUSE-SUSE-cpe-links.patch + oscap-remediate.service.in.patch to 0004-oscap-remediate-is-located-in-bindir.patch + +- drop 0001-Use-correct-includes.patch (upstream) + +------------------------------------------------------------------- +Mon Jan 23 08:13:19 UTC 2023 - Thorsten Kukuk + +- Require systemd for building, was pulled in before by indirect + dependencies which don't exist anymore + +------------------------------------------------------------------- +Thu Jan 19 15:55:11 UTC 2023 - Marcus Meissner + +- 0001-Use-correct-includes.patch: fixed build with rpm 4.18 + +------------------------------------------------------------------- +Wed Sep 21 07:41:07 UTC 2022 - Dirk Müller + +- require shared library in the same version or newer + +------------------------------------------------------------------- +Thu Sep 15 08:29:25 UTC 2022 - Marcus Meissner + +- added Leap 15.4 and 15.5 dictionary entries. (bsc#1203408) + +------------------------------------------------------------------- +Sat Feb 19 13:46:06 UTC 2022 - Bjørn Lie + +- Conditionally drop optional gconf2-devel BuildRequires for + openSUSE Tumbleweed and newer: gconf2 is being droppped from + openSUSE Tumbleweed, build without gconf2 support. 
+ +------------------------------------------------------------------- +Thu Jan 20 08:43:41 UTC 2022 - Robert Frohl + +- openscap 1.3.6 + * New features + - Select and exclude groups of rules on the command line + - The boot-time remediation service for systemd's Offline Update mode + - Memory limit control using OSCAP_PROBE_MEMORY_USAGE_RATIO environment variable + - Allow disablement of SHA-1 and MD5 + - Allow providing pre-downloaded components + - Introduce OSBuild Blueprint fix type + * Maintenance, bug fix + - Fix coverity issues + - Patch the `segfault` in dpkginfo_fini() + - Add an alternative source of hostname + - Fail download on HTTP errors + - Compile "environmentvariable_probe" on Windows + - FreeBSD build and test fixes + - Add offline mode for password probe + - Initialize crypto API only once + - Fix UBI 9 scan + - oval/yamlfilecontent: Add 'null' values handling + - Do not set Rpath + - Do not split `XCCDF:requires` with multiple `idrefs` + - Allow empty /proc in offline mode +- oscap-remediate is shipped via /usr/bin + Added oscap-remediate.service.in.patch +- spec-cleaner run + +------------------------------------------------------------------- +Tue Dec 7 10:58:50 UTC 2021 - Marcus Meissner + +- openscap-docker-add-suse.patch: add SLES support oscap-docker + (bsc#1179314) + +------------------------------------------------------------------- +Mon Oct 4 15:33:23 UTC 2021 - Marcus Meissner + +- ship python3 docker module always + +------------------------------------------------------------------- +Thu Aug 19 04:51:24 UTC 2021 - Steve Kowalik + +- Since upstream has moved to Python 3, switch the BuildRequires from + python-devel to python3-devel. 
+ +------------------------------------------------------------------- +Wed Jul 14 13:58:45 UTC 2021 - Robert Frohl + +- Add definition for tumbleweed to openscap-opensuse-cpe.patch (boo#1186735) + +------------------------------------------------------------------- +Wed Jun 2 15:11:14 UTC 2021 - Robert Frohl + +- add old patches - slightly renamed; cpe are needed (boo#1186735) + * openscap-opensuse-cpe.patch + * openscap-suse-cpe.patch + +------------------------------------------------------------------- +Fri Apr 23 11:08:00 UTC 2021 - Robert Frohl + +- openscap 1.3.5 + * New features + - Made schematron-based validation enabled by default for validate command of oval and xccdf modules + - Added SCAP 1.3 source data stream Schematron + - Added XML Signature Validation + - Added --enforce-signature option for eval, guide, and fix modules + - Added entity support (OVAL/yamlfilecontent) + - Allowed to clamp mtime to SOURCE_DATE_EPOCH + - Added severity and role attributes + - Added support for requires/conflicts elements of the Rule and Group (XCCDF) + - Added Kubernetes remediation to HTML report + * Maintenance, bug fix + - Fixed CMake warnings + - Made 'gpfs', 'proc' and 'sysfs' filesystems non-local + - Fixed handling of '--arg=val'-styled common options + - Documented used environment variables + - Updated man page and help texts + - Added --skip-validation option synonym for --skip-valid + - Fixed behavior of StateType operator + - Fixed some of the coverity warnings + - Ignoring namespace in XPath expressions + - Fixed how oval_probe_ext_eval checks absence of the response from the probe (obtrusive data warning) + - Described SWID tags detection + - Improved documentation about --stig-viewer option + - File probe behaviour fixed (symlink traversal now behaves as defined by OVAL) + - Fixed multiple segfaults and broken test in --stig-viewer feature + - Added dpkg version comparison algorithm + - Pluged some memory leaks + - Fixed TestResult/benchmark/@href 
attribute + - Fixed memory allocation + - Fixed field names for cases where key selection section is followed by a set section (probes/yamfilecontent) + - Changing hard coded libperl path in favor of FindPerlLibs method + - Check local filesystems when using 'filepath' element +- dropped, because not needed anymore: + * 0001-Fix-memory-allocation.patch + * openscap-new-suse.patch + * openscap-leap-cpe-15.12.patch + +------------------------------------------------------------------- +Sat Nov 14 08:55:03 UTC 2020 - Marcus Meissner + +- 0001-Fix-memory-allocation.patch: fixed a crash during oscap oval eval + +------------------------------------------------------------------- +Mon Nov 9 13:10:09 UTC 2020 - Marcus Meissner + +- openscap-leap-cpe-15.12.patch: add CPE dict entries for openSUSE + Leap 15.1 and 15.2 + +------------------------------------------------------------------- +Sat Oct 31 08:33:48 UTC 2020 - Marcus Meissner + +- add dbus-1-devel buildrequires to enable systemd tests (bsc#1178301) + +------------------------------------------------------------------- +Fri Oct 2 08:03:23 UTC 2020 - Robert Frohl + +- openscap 1.3.4 + * New features + - Add support for FreeBSD + - Make use of HTTP header content-encoding: gzip if available + - Improved yamlfilecontent: updated yaml-filter, extend the schema and probe to be able to work with a set of values in maps + * Maintenance, bug fixes + - A lot of memory leaks have been plugged + - Refactored rpmverifyfile probe and fixed memory leak + - Fixed SEGFAULT caused by recursive and circular dependencies between OVAL definitions + - Fixed DOM representation of the profile platform + - Test suit: better portability, more granularity in results, inclusion of memory-related tests + - Compatibility with uClibc + - Local and remote file system detection method was improved + - Make the report a valid HTML5 document + +------------------------------------------------------------------- +Mon May 4 05:35:18 UTC 2020 - Marcus 
Meissner + +- openscap 1.3.3. Notable improvements in this release: + - a Python script that can be used for CLI tailoring (autotailor) (thank you, Matěj Týč); + - timezone for XCCDF TestResult start and end time (thank you, Jan Černý); + - new yamlfilecontent independent probe (draft implementation), + see the proposal https://github.com/OVAL-Community/OVAL/issues/91 + for additional information. + +There are other changes as well, here is the list: + - Introduced `urn:xccdf:fix:script:kubernetes` fix type in XCCDF; + - Added ability to generate `machineconfig` fix; + - Detect ambiguous scan target (utils/oscap-podman); + - Fixed #170: The rpmverifyfile probe can't verify files from '/bin' directory; + - The data system_info probe return for offline and online modes is consistent and actual; + - Prevent crashes when complicated regexes are executed in textfilecontent58 probe; + - Fixed #1512: Severity refinement lost in generated guide; + - Fixed #1453: Pointer lost in Swig API; + - Evaluation Characteristics of the XCCDF report are now consistent with OVAL entities; + from system_info probe; + - Fixed filepath pattern matching in offline mode in textfilecontent58 probe; + - Fixed infinite recursion in systemdunitdependency probe; + - Fixed the case when CMake couldn't find libacl or xattr.h. 
+- dropped 0001-Do-not-use-C-keyword-operator-as-a-function-paramete.patch: upstream + +------------------------------------------------------------------- +Wed Mar 25 13:53:51 UTC 2020 - Christophe Giboudeaux + +- Add upstream patch to fix the scap-workbench build: + * 0001-Do-not-use-C-keyword-operator-as-a-function-paramete.patch + +------------------------------------------------------------------- +Tue Jan 14 13:43:11 UTC 2020 - Marcus Meissner + +- switch back to official release +- openscap 1.3.2 + - the test suite and build scripts were improved to support Debian 10 + - offline mode has received some love with a set of dedicated tests and various fixes in OVAL probes; + - the oscap-docker wrapper is no longer dependent on Atomic + - Python binding are now more robust + - HTML reports and guides, generated by the scanner, are now more accessible for non-visual rendering agents + - Support of multi-check rules has been improved across the whole workflow + + There are other changes as well, here is the list: + * New features + - Offline mode support for environmentvariable58 probe + - The oscap-docker wrapper is available without Atomic + + + Maintenance, bug fixes + - Improved support of multi-check rules (report, remediations, console output) + - Improved HTML report look and feel, including printed version + - Less clutter in verbose mode output; some warnings and errors demoted to verbose mode levels + - Probe rpmverifyfile uses and returns canonical paths + - Improved a11y of HTML reports and guides + - Fixes and improvements for SWIG Python bindings + - #1403 fixed: Scanner would not apply remediation for multicheck rules (verbosity) + - Fixed URL link mechanism for Red Hat Errata + - New STIG Viewer URI: public.cyber.mil + - Probe selinuxsecuritycontext would not check if SELinux is enabled + - Scanner would provide information about unsupported OVAL objects + - Added more tests for offline mode (probes, remediation) + - #528 fixed: Eval SCE script when 
/tmp is in mode noexec + - #1173, RHBZ#1603347 fixed: Double chdir/chroot in probe rpmverifypackage + +------------------------------------------------------------------- +Sat Jan 11 17:24:21 UTC 2020 - Marcus Meissner + +- temporary openscap 1.3.1 git snapshot + - make it build with new RPM (bsc#1160720) + +------------------------------------------------------------------- +Sat Jan 11 09:01:49 UTC 2020 - Marcus Meissner + +- use distribution-release instead of dummy-release + +------------------------------------------------------------------- +Thu Jun 13 14:22:06 UTC 2019 - Robert Frohl + +- openscap 1.3.1 + - New features + - Support for SCAP 1.3 Source Datastreams (evaluating, XML schemas, validation) + - Introduced `oscap-podman` -- a tool for SCAP evaluation of Podman images and containers + - Tailoring files are included in ARF result files + - OVAL details are always shown in HTML report, users do not have to provide `--oval-results` on command line + - HTML report displays OVAL test details also for OVAL tests included from other OVAL definitions using `extend_definition` + - OVAL test IDs are shown in HTML report - Rule IDs are shown in HTML guide + - Added `block_size` in Linux `partition_state` defined in OVAL 5.11.2 + - Added `oscap_wrapper` that can be used to comfortably execute custom compiled oscap tool + - Maintenance and bug fixes + for a complete list please see https://github.com/OpenSCAP/openscap/releases/tag/1.3.1 +- removed patches accepted upstream: + rpmverifyfile_unittest.patch rpmverify_unittest.patch sysctl_unittest.patch + test_probes_rpmverifypackage-disable-epoch-test.patch xinetd_probe.patch + +------------------------------------------------------------------- +Tue Mar 26 13:55:18 UTC 2019 - Robert Frohl + +- obsolete removed packages: openscap-engine-sce and openscap-extra-probes + +------------------------------------------------------------------- +Mon Mar 25 18:54:37 UTC 2019 - Bjørn Lie + +- Drop gconf2-devel BuildRequires: 
It is not mandatory, so lets + build without this obsolete package. +- Add pkgconfig(glib-2.0) and pkgconfig(gobject-2.0) BuildRequires: + They are also optional, but not obsolete, and previously pulled + in via gconf2-devel dependency, so lets build support for them. + +------------------------------------------------------------------- +Fri Oct 19 15:46:44 UTC 2018 - Robert Frohl + +- openscap-1.3.0 + - New features + - Introduced a virtual '(all)' profile selecting all rules + - Verbose mode is a global option in all modules + - Added Microsoft Windows CPEs + - oscap-ssh can supply SSH options into an environment variable + - Maintenance + - Removed SEXP parser + - Added Fedora 30 CPE + - Fixed many Coverity defects (memory leaks etc.) + - SCE builds are enabled by default + - Moved many low-level functions out of public API + - Removed unused and dead code + - Updated manual pages + - Numerous small fixes +- xinetd_probe.patch: fix trailing whitespace in config +- test_probes_rpmverifypackage-disable-epoch-test.patch: fix rpmverifypackage unit test +- sysctl_unittest.patch: fix sysctl unit test +- rpmverifyfile_unittest.patch: fix rpmverifyfile unit test +- rpmverify_unittest.patch: fix rpmverify unit test +- openscap-xattr.patch: removed, included by upstream + +------------------------------------------------------------------- +Wed Sep 12 05:56:03 UTC 2018 - meissner@suse.com + +- openscap-xattr.patch: build against new libattr + +------------------------------------------------------------------- +Thu Jun 7 08:46:23 UTC 2018 - meissner@suse.com + +- scap-yast2sec-xccdf.xml: remove platform cpe match, as it is impossible + to match both opensuse and sles or official suse_linux_enterprise_server + names at once. 
(bsc#1091040) + +------------------------------------------------------------------- +Tue May 29 09:47:16 UTC 2018 - meissner@suse.com + +- openscap-1.2.17 + - New features + - HTML Guide user experience improvements + - New options in HTML report "Group By" menu + - oscap-ssh supports --oval-results (issue #863) + - Maintenance + - Support comparing state record elements with item + - Updated Bash completion + - Make Bash role headers consistent with --help output + - Fixed problems reported by Coverity (issue #909) + - Fixed CVE schema to support 4 to 7 digits CVEs + - Fix output of generated bash role missing fix message + - Fix oscap-docker to clean up temporary image (RHBZ #1454637) + - Fix Ansible remediations generation + - Add a newline between ids in xccdf info (issue #968) + - Fix unknown subtype handling in oval_subtype_parse (issue #986) + - Outsourced the pthreads feature check and setup + - Speed up in debug mode + - Refactored the Python handling in build scripts + - Prevent reading from host in offline mode (issue #1001) + - Many probes use OWN offline mode + - Improve offline mode logic in OVAL probes + - Do not use chroot in system_info probe + - Prevent a segfault in oscap_seterr on Solaris + - Out of tree build is possible + - Use chroot for RPM probes in offline mode + - PEP8 accepts lines up to 99 characters + - New configure parameter --with-oscap-temp-dir (issue #1016) + - Fixed OVAL record elements namespace and SEXP conversion + - Removed '\r' characters from help output (issue #1023) + - Full Python 3 compatibility + - Removed basic Python implementation of oval_probes.c + - Added support for Travis CI and Sonar Cloud + - Minor fixes inspired by Sonar Cloud + - Added Fedora 29 CPE + - New tests in upstream test suite (offline mode, Ansible, etc.) 
+ +------------------------------------------------------------------- +Thu Apr 26 12:56:42 UTC 2018 - meissner@suse.com + +- openscap-new-suse.patch: handle SLE15 and openSUSE Leap 42.3 and 15.0 + (bsc#1091040) + +------------------------------------------------------------------- +Mon Mar 5 15:11:19 UTC 2018 - jengelh@inai.de + +- Replace old $RPM_* shell vars. + +------------------------------------------------------------------- +Mon Mar 5 12:39:51 UTC 2018 - meissner@suse.com + +- replace oscap-scan.init by oscap-scan.service, add a /usr/bin/oscap-scan + helper tool for this. (bsc#1083115) + +------------------------------------------------------------------- +Thu Feb 22 13:41:36 UTC 2018 - meissner@suse.com + +- disable scap-as-rpm binary to avoid python2 dependency. (bsc#1082135) + +------------------------------------------------------------------- +Thu Nov 23 13:44:24 UTC 2017 - rbrown@suse.com + +- Replace references to /var/adm/fillup-templates with new + %_fillupdir macro (boo#1069468) + +------------------------------------------------------------------- +Tue Nov 14 14:17:28 UTC 2017 - meissner@suse.com + +- openscap-productid-cvrf.patch: add a --productid selector + for "oscap cvrf" as upstream does not detect the system yet. + (might go away) + +------------------------------------------------------------------- +Tue Nov 14 12:14:41 UTC 2017 - meissner@suse.com + +- openscap-1.2.16 + - New features + - oscap can generate output that is compatible with STIG Viewer. + - CVRF parsing and export has been implemented. + - oscap info command has been expanded. + - The AIX platform is supported. + - Many documentation improvements. + - Numerous other improvements of existing features. + - Maintenance + - Huge cross-platform improvements. + - Memory leaks fixed (RHBZ#1485876). + - SELinux fixes. + - Many coverity fixes. + - Numerous other bugfixes. 
+- buildrequire procps-devel + +------------------------------------------------------------------- +Fri Aug 25 13:41:48 UTC 2017 - meissner@suse.com + +- openscap-1.2.15 / 25-08-2017 + - New features + - short profile names can be used instead of long IDs + - new option --rule allows to evaluate only a single rule + - new option --fix-type in "oscap xccdf generate fix" allows choosing + remediation script type without typing long URL + - "oscap info" shows profile titles + - OVAL details in HTML report are easier to read + - HTML report is smaller because unselected rules are removed + - HTML report supports NIST 800-171 and CJIS + - remediation scripts contain headers with useful information + - remediation scripts report progress when they run + - basic support for Oracle Linux (CPEs, runlevels) + - remediation scripts can be generated from datastreams that contain + multiple XCCDF benchmarks (issue #772) + - basic support for OVAL 5.11.2 (only schemas, no features) + - enabled offline RPM database in rpminfo probe (issue #778) + - added Fedora 28 CPE + - Maintenance + - fixed oscap-docker with Docker >= 2.0 (issue #794) + - fixed behavior of sysctl probe to be consistent with sysctl tool + - fixed generating remediation scripts (issue #723, #773) + - severity of tailored rules is not discarded (issue #739) + - fixed errors in RPM probes initialization + - oscap-docker shows all warnings reported by oscap (issue #713) + - small improvements in verbose mode + - standard C operations are used instead of custom OpenSCAP operations + - fixed compiler warnings + - fixed missing header files + - fixed resource leaks (issue #715) + - fixed pkgconfig file (RHBZ #1414777) + - refactoring + - documentation fixes and improvements + +------------------------------------------------------------------- +Fri Apr 7 09:35:00 UTC 2017 - jengelh@inai.de + +- Remove line-trailing whitespace from last changelog entry. +- Rename %soname to %sover to better reflect its use. 
+- Replace unnecessary %__-type macro indirections. + +------------------------------------------------------------------- +Tue Mar 21 12:20:23 UTC 2017 - meissner@suse.com + +- openscap-1.2.14 / 21-03-2017 + - New features + - Detailed information about ARF files in 'oscap info' (issue #664) + - XSLT template creating XCCDF files from OVAL files + - Generating remediation scripts from ARF + - Significant improvements of User Manual (issue #249, #513) + - HTML report UX improvements (issue #601, #620, #622, #655) + - Warnings are shown by default + - Verbose mode is available in 'xccdf remediate' module (issue #520) + - Added Fedora 26, Fedora 27 and OpenSUSE 42.2 CPEs (issue #698) + - Support for Anaconda remediation in HTML report + - Maintenance + - Fixed CPE dictionary to identify RHEVH as RHEL7 (RHBZ #1420038) + - Fixed systemd probes crashes inside containers (RHBZ #1431186, issue #700) + - Added a warning on non-existing XCCDF Benchmarks (issue #614) + - Fixed output on terminals with white background (RHBZ #1365911, issue #512) + - Error handling in oscap-vm (RHBZ #1391754) + - Fixed SCE stderr stalling (RHBZ #1420811) + - Fixed Android OVAL schema (issue #279) + - Fixed absolute filepath parsing in OVAL (RHBZ #1312831, #1312824) + - Fixes based on Coverity scan report (issue #581, #634, #681) + - Fixed duplicated error messages (issue #707) + - Fixed XCCDF score calculation (issue #617) + - Fixed segmentation faults in RPM probes (RHBZ #1414303, #1414312) + - Fixed failing DataStream build if "@" is in filepath + - Fixed missing header in result-oriented Ansible remediations + - Memory leak and resource leak fixes (issue #635, #636) + - New upstream tests + - Many minor fixes and improvements + +------------------------------------------------------------------- +Fri Jan 6 14:37:37 UTC 2017 - meissner@suse.com + +- openscap-1.2.13 / 05-01-2017 + - Maintenance + - we always build system_info OVAL probe, fixed configure output accordingly + - warn when the 
user requests to generate an ARF from XCCDF 1.1 + - fixed a segfault when loading an OVAL file with invalid family attribute + - added --thin-results CLI override to oscap xccdf eval + - added --without-syschar CLI override to oscap xccdf eval + - fixed a segfault when freeing xccdf_policy of the default profile + - removed ARF schematron workaround when there are no applicable checks + - fixed verbose output in oscap xccdf generate fix + - do not filter fix by applicability when generating remediations from results + - fixed memory leaks, resource leaks and other minor issues + +------------------------------------------------------------------- +Mon Nov 21 09:40:15 UTC 2016 - meissner@suse.com + +- openscap-1.2.12 / 21-11-2016 + - New features + - separated stdout and stderr in SCE results and HTML report + - HTML reports contain [ref] links for rules and groups + - Maintenance + - fixed ARF errors reported by the SCAPval tool + - fixed CVE parsing (issue #550) + - fixed namespace of ARF vocabulary according to NIST SP800-126 errata + - fixed exporting OVAL Windows namespaces + - fixed injecting xccdf:check-content-ref references in ARF results + - fixed oscap-docker incompliance reporting (issue #475, RHBZ #1387248) + - fixed oscap-docker man page (RHBZ #1387166) + - fixed memory leaks and resource leaks + - small fixes and refactoring, test suite fixes + +------------------------------------------------------------------- +Tue Oct 18 07:09:13 UTC 2016 - meissner@suse.com + +- openscap-1.2.11 / 14-10-2016 + - New features + - huge speed-up of generating HTML reports and guides + - support remote datastream components (issue #526) + - support tailoring of external datastreams + - various attributes of remediation scripts are now shown in HTML report (issue #541) + - new option generating OVAL results without system characteristics + - remediation scripts in HTML report are now collapsed + - support for extracting Ansible playbooks + - enabled fetching remote 
resources in OVAL module + - added Wind River Linux CPE + - Maintenance + - updated jQuery and bootstrap libraries in HTML reports + - extended, improved and updated user manual + - fixed issues with proxy in oscap-docker (RHBZ #1351952) + - fixed a bug in OVAL arithmetic function + - fixed a segmentation fault (issue #529) + - fixed results of XCCDF rules with @role="unscored" (issue #525) + - fixed invalid characters in OVAL results (issue #468) + - fixed a segmentation fault in tailoring (RHBZ #1367896) + - updated SUSE 11 CPE + - fixed many memory issues + - large refactoring of datastream module + - new tests in upstream test suite + - various small fixes and improvements + +- openscap-1.2.10 / 29-06-2016 + - New features + - support --benchmark-id when running `oscap xccdf generate guide` + - added CPE support for OpenSUSE 42.1 + - Maintenance + - oscap-docker fixed to be source compatible with both Python 2 and 3 + - fixed offline mode in rpmverifypackage probe + - fixed scanning of non-RHEL containers in oscap-docker (issue #427) + - fixed regression in loading a datastream session (RHBZ #1250072) + - fixed missing SCE results in XCCDF reports (issue #394) + - fixed a segmentation fault (issue #370) + - fix error message when OVAL generator element is missing (issue #345) + - fixed failing rpminfo probe + - fixed compilation on RHEL5 (issue #393) + - new tests in upstream test suite + - test suite is able to run on Fedora 24 + - fixed remediation scripts appearance in HTML guides (issue #460) + - fixed autoconf build + - small fixes, refactoring, small documentation improvements + +------------------------------------------------------------------- +Fri Apr 22 13:50:51 UTC 2016 - meissner@suse.com + +- openscap 1.2.9 release + - New features + - oscap-chroot - a tool for offline scanning of filesystems mounted at arbitrary paths + - enabled offline scanning in many probes + - support for SCE in data streams + - many improvements of verbose mode + - verbose 
messages can be written on stderr + - runlevel probe supports SUSE systems + - new upstream tests + - Maintenance + - a lot of refactoring + - fixes in various tests + - OCILs are correctly placed in datastreams (issue #364) + - oscap-vm can work with fusermount when guestunmount is not available + - fixed oscap-docker HTTP communication issues (issue #304) + - fixed oscap-docker tracebacks (issue #303, #317) + - fixed container mounting in oscap-docker (issue #329) + - added Fedora 25 CPE + - only non-empty profiles are built (rhbz#1256879, rhbz#1302230) + - fixed compiler errors on RHEL5 and SLES11 + - fixed sorting of groups in HTML report (issue #342) + - fixed version/@time and version/@update in XCCDF Benchmark + - fixed CPE definitions to work also in offline mode + - fixed sysctl probe (issue #258) + - fixed manual page for oscap-ssh (rhbz#1299969) + - updated user manuals and manual pages + - updated .gitignore +- dropped fix-missing-include.dif, not needed anymore + +------------------------------------------------------------------- +Wed Mar 23 10:21:27 UTC 2016 - meissner@suse.com + +- enable the SCE (script checking engine) + packaged in "openscap-engine-sce" subpackage. 
+- enable the CCE (Common Configuration Enumeration) + + +------------------------------------------------------------------- +Tue Jan 19 10:22:08 UTC 2016 - meissner@suse.com + +- openscap 1.2.8 release + - Maintenance + - textfilecontent54_probe does not produce false positives on non-UTF files (rhbz #1285757) + - fixed oscap-docker + - small improvements in verbose mode + - oscap info module shows information about tailoring files + - fixed build with CCE (issue #264) + - fixed XCCDF score computation (issue #272) + - fixed segmentation fault in variable probe (issue #277) + - fixed broken support for OVAL directives + - fixed bash completion + - plugged memory leaks + - fixed fresh static analysis (coverity) findings + - fixed shellcheck warnings + - new tests + - refactoring in datastream module + - many small bugfixes and typo fixes + +------------------------------------------------------------------- +Thu Dec 3 13:06:14 UTC 2015 - meissner@suse.com + +- openscap 1.2.7 release + - New features + - OVAL 5.11.1 fully supported + - oscap-vm - tool for offline scanning of virtual machines + - verbose mode + - added SLED, SLES and OpenSUSE CPE names + - show profile description in HTML report and guide + - group rules by PCI DSS identifier in HTML report + - preliminary support for Ansible Playbooks within xccdf:fix + - added "How to contribute" and "Versioning" documents + - Maintenance + - using bziped RHSA documents in oscap-docker + - fixed errors of sysctl probe + - fixed skip-valid option (issue #203) + - fixed segmentation faults in SCE content reporting (issue #231) + - fixed tracebacks of scap-as-rpm + - fixed invalid memory reads in rpmverifyfile probe (issue #212) + - updated README and user manual + - many small bugfixes and new tests +- openscap-new-inventory.patch: upstreamed +- fix-missing-include.dif: refreshed, 1 hunk upstream + +------------------------------------------------------------------- +Fri Oct 9 09:35:46 UTC 2015 - meissner@suse.com + 
+- openscap-new-inventory.patch: find out the CPE ids of + SUSE Linux Enterprise and openSUSE versions. + +------------------------------------------------------------------- +Mon Oct 5 11:45:28 UTC 2015 - meissner@suse.com + +- openscap 1.2.6 release + - New features + - introduced OpenSCAP user manual + - improved OVAL 5.11.1 support + - added OVAL 5.11.1 XSD schemas and schematrons + - support for core/platform schema versions + - support for check_existence attribute in state entities + - support for CIM datetime format + - amended behavior of mask attribute + - added support for remote .xml.bz2 files (use with --fetch-remote-resources) + - rewrote oscap-docker to python, deeper integration with Atomic Host + - introduced CPE name for Fedora 24 to the internal dictionary + - HTML report & guide + - results can be grouped by according to various aspects + - printing supported (interactive elements are now hidden when printing) + - table of content now shows only selected items (rule & groups) + - references to RHSA are presented as links to website (rhbz#1243808) + - Maintenance + - scap-as-rpm can now build source rpm packages (srpms) (trac#469) + - scap-as-rpm now supports python3 + - refactored oval processing into oval_session structure + - many smaller bugfixes and new tests +- new openscap-docker subpackage + +------------------------------------------------------------------- +Mon Jul 6 11:40:29 UTC 2015 - meissner@suse.com + +- openscap-1.2.5 update + - maintenance + - smaller bugfixes + - plugged memory leaks + - fixed fresh static analysis (coverity) findings + - fixed shellcheck warnings + - fixes for Solaris platform + +------------------------------------------------------------------- +Mon Jun 22 09:39:44 UTC 2015 - meissner@suse.com + +- openscap-1.2.4 update + - new features + - OVAL 5.11 support 99.8% completed! 
+ - new symlink probe introduced + - new process58 test capabilities + - added possible_value support for external variables + - added possible_restriction support for external variables + - improved IP address comparisons + - Added Scientific Linux CPEs + - Added oscap-docker tool + - Created man-page for oscap-ssh + - HTML changes + - improved visibility of selected XCCDF profile in guides and reports + - render rule-result/message contents in reports + - maintenance + - Tests now pass on ppc64 little endian arch (rhbz#1215220) + - partition probe now supports remount, bind and move mount options + - Patched NIST OVAL-5.11 schemas to be backward compatible with + OVAL-5.10 (rhbz#1220262) + - fixed scap-as-rpm to work with vintage python (2.6) + - better error reporting when a probe dies (i.e. due to OOM killer) + - dropped selinux policy from upstream (rhbz#1209969) + - fix segfault on invalid selectors (rhbz#1220944) + - solaris support patches: file-system zones, systeminfo improvements + - many smaller fixes and new tests + + +------------------------------------------------------------------- +Sun May 3 07:55:55 UTC 2015 - meissner@suse.com + +- openscap-1.2.3 update + - new features + - oscap-ssh -- handy utility to run remote scan over ssh + - glob_to_regexp OVAL function added + - HTML changes + - show rationale elements + - show fixtext elements + - show Benchmark's front-matter, description and notices + - show warnings for Groups and Rules + - improved handling of multiple fixes within a single Rule + - scroll evaluation characteristic if they overflow + - maintenance + - OVAL 5.11 schema fixes + - Coverity and memory leak fixes + - skip transient files when traversing /proc (trac#457) + +------------------------------------------------------------------- +Tue Apr 7 09:35:55 UTC 2015 - meissner@suse.com + +- openscap-1.2.2 update + - new features + - OVAL 5.11 support turned on by default + - included OVAL 5.11 schematron rules + - DataStream can now 
contain OVAL 5.11 + - `oscap ds sds-compose` now supports --skip-valid parameter + - HTML report changes + - Notably increased level of OVAL details + - Table of contents is now generated for HTML guides + - maitenance + - rhbz#1182242, rhbz#1159289 - @var_check & @var_ref exporting + - solaris build fixes + - xccdf:fix/instance processing fixes + - improved (none) epoch processing in rpm probe + - environmentvariable58 now emits warning messages when appropriate + - offline mode improvements + - other bugfixes + +------------------------------------------------------------------- +Mon Jan 12 09:40:11 UTC 2015 - meissner@suse.com + +- openscap-1.2.1 update + - API changes + - 5.11 schemas updated (from RC1 to gold) + - oscap_source_new_from_memory can take bzip2ed content + - HTML report changes + - severity bar is now reversed (left-to-right) + - maintenance + - rhbz#1165139 - fix probe cancelation + - dozen of bugfixes + +------------------------------------------------------------------- +Tue Dec 2 12:44:35 UTC 2014 - meissner@suse.com + +- openscap-1.2.0 update + - new features + - native support of bzip2ed SCAP files (file extension needs to be '.xml.bz2') + - improved performance on huge XML documents, especially DataStreams + - minimized use of temp files to absolute minimum + - added OVAL-5.11 release candidate schemas + - API changes + - overall 50 new symbols added to public API + - introduced oscap_source abstraction for input files + - further info: http://isimluk.livejournal.com/4859.html + - all the parsers converted to use oscap_source abstraction + - introduced ds_sds_session, high level API for playing with Source DataStreams + - introduced cpe_session, abstraction to approach multiple CPE resources + - introduced ds_rds_session, high level API for playing with Result DataStreams + (ARF files) + - deprecated dozens of API calls dependent on filepath + - introduced API for waivers (xccdf:override) and modification of ARF + - initial support for 
waivers in HTML Report + - dozens of small improvements + - maintenance + - dozens of small fixes + - dozens of memory leaks (whole test suite is now leak free) + - updated gnulib +- openscap-1.1.0-fix-bashisms.patch: upstreamed + +------------------------------------------------------------------- +Mon Dec 1 12:38:45 UTC 2014 - meissner@suse.com + +- openscap-1.1.1 update + - Hint towards `oscap info` when profile is not found in oscap tool + - HTML report changes: + - Source OVAL results from ARF if available + - Highlight notchecked rules, treat them as rules that need attention + - HTML guide changes: + - Variable Substitution improvements + - Show benchmark title + - Show info about selected profile + - Avoid cdf12:notice, show only its contents + - bugfixes: + - improved handling of fqdn in XCCDF + - memory leaks + - static analysis fixes + +------------------------------------------------------------------- +Sat Nov 29 01:11:00 UTC 2014 - Led + +- fix bashism in oscap-scan.cron script +- add patches: + * openscap-1.1.0-fix-bashisms.patch + +------------------------------------------------------------------- +Wed Sep 3 12:09:10 UTC 2014 - meissner@suse.com + +- openscap-1.1.0 update + - HTML report and guide redesign + - dropped support for docbook + - Introduced new probes (that are to be part of OVAL 5.11) + - probe_systemdunitproperty + - probe_systemdunitdependency + - introduced raw bindings for python3 + - dozens of small bug fixes + +------------------------------------------------------------------- +Wed Jul 2 12:41:39 UTC 2014 - meissner@suse.com + +- openscap-1.0.9 update + - xccdf_session_export_arf must not return 0 if the export failed + - expose xccdf_policy_get_value_of_item as public API + - skip "Signature" when parsing sds_index without spewing out an error + - return non-zero when cannot resolve XCCDF + - consider the last set-value as the effective set-value and export only one + - test suite fixes + - do not destroy SVG data in XCCDFs 
when generating guide or report + +------------------------------------------------------------------- +Thu Jun 19 14:19:09 UTC 2014 - crrodriguez@opensuse.org + +- Remove unused build require on libnl-1_1 according to the + changelog, it stopped beign used in 2010 +- libattr is also unused. + +------------------------------------------------------------------- +Fri Mar 28 13:19:22 UTC 2014 - meissner@suse.com + +- openscap-1.0.8 update: + - fixes related to Asset Reporting Format + - Inject arf:report/@id into nested + rule-result/check/check-content-ref/@href + - Add hostname for each fqdn when generating ARF asset identification + data + - Add all MAC addresses from target-facts to ARF as asset + identification data + +------------------------------------------------------------------- +Fri Mar 21 12:46:34 UTC 2014 - meissner@suse.com + +- openscap-1.0.7 update: + - fix namespaces for attributes in ARF relationship element + - Avoid ".00" as the score in HTML report when score is 0. + +------------------------------------------------------------------- +Wed Mar 19 09:09:20 UTC 2014 - meissner@suse.com + +- openscap-1.0.6 update: + - fix process58 loginuid integer handling on 32bit + +------------------------------------------------------------------- +Mon Mar 17 07:06:35 UTC 2014 - meissner@suse.com + +- openscap-1.0.5 update: + - XCCDF titles and description support xccdf:sub resolution + - HTML Report lists only applicable cpe platforms + - TestResult element contains applicable cpe platforms + - Introduced XCCDF 1.2 schematron validation + - XCCDF bug fixes + - tailoring profiles shall regards inherited refine-values (trac#373) + - rule-result now always includes at least one check + - Other bug fixes: + - Dpkginfo probe collects epoch in evr + - Updated examplary openscap-content based on the latest facts from + Red Hat Enterprise Linux 6 + - Minor changes + +------------------------------------------------------------------- +Fri Feb 14 10:21:47 UTC 2014 - 
meissner@suse.com + +- openscap-1.0.4 update: + - Introduced xccdf_tailoring_remove_profile to API + - OVAL bug fixes + +------------------------------------------------------------------- +Tue Jan 14 16:42:51 UTC 2014 - meissner@suse.com + +- openscap-1.0.3 update: + - bug fixes + - a few coverity issues + - a few memory leak plugs + - broken comparison of huge integet in OVAL +- fix-return.patch: removed, has upstream fix + +------------------------------------------------------------------- +Fri Jan 10 10:25:19 UTC 2014 - meissner@suse.com + +- openscap-1.0.2 update: + - XCCDF generate fix now supports tailoring file + - XCCDF bug fixes + - Generate guide points to RHSA pages (rhbz#1018291) + - Generate report ommits remediation when assesment passed + (rhbz#1029879) + - $PATH variable is available for SCE checks (rhbz#1026833) + - Tailoring of top-level Group elements via API fixed + - Fix-filtering should not drop fixes (affected SSG) + - Generated fix file is created with sane permissions (trac#362) + - Inherit parent's namespace when exporting oscap_text with HTML + trait + - OVAL bug fixes: + - Handful of xinetd probe fixes + - Handful of process and process58 fixes + - Obsoleted textfilecontent now supports text ent comparisons + - rpm*_item/epoch is reported as '(none)' when needed + - Fixed dozen of flaws in ipv4 and ipv6_address comparison + (CIDR handling) + - Made integer and floating type number parsing much stricter + - Fixed floating point numbers comparisons (trac#366) + - Fixed case-insensitive comparisons + - Item filtering fixes in probes + - Consolidated some of comparisons in results model and probes + (trac#367) + - Other bug fixes: + - Workaround libxml2 bug handling x509 xmldsig (gnomebz#350248) + - Fixed static build (--disable-shared) + - Format assertions (-Werror=format-security) turned on by default + - SCE scripts are notified when parent (oscap) is killed + - oscap info now recognizes all the document types + (adeded: tailoring & 
CVE) + - Documentation improvements + - Handful of other minor fixes +- fix-return.patch: Fixed a void return + +------------------------------------------------------------------- +Mon Dec 2 16:53:56 UTC 2013 - meissner@suse.com + +- move the gconf probe to openscap-extra-probes to reduce + dependencies of the core probe set. + +------------------------------------------------------------------- +Thu Nov 28 12:57:03 UTC 2013 - meissner@suse.com + +- openscap-1.0.1 update: + - versioned interface is used to handle internal SCE plug-in + - build-in gnulib package was updated to current version + - bug fixes: + - selinux_domain_label and posix_capability properties + were reintroduced to OVAL system characteristics model + - selinux_domain_label now collects the domain/type + (not the context) + - oscap oval collect reports progress on stdout (not on the stderr) + - typo in the manual page (rhbz#1032537), and another small + clarification + +------------------------------------------------------------------- +Tue Nov 19 12:50:35 UTC 2013 - meissner@suse.com + +- openscap-1.0.0 / 19-11-2013 + - Improved heuristic to distinguish 'local' and 'remote' file systems + - Improved comparison of EntityStateEVRStringType (trac#355) + - Link against librpm (if available) to include rpmvercmp + (on other platforms we fall back to the build-in rpmvercmp) + - Bug fixes + +- openscap-0.9.13 / 08-11-2013 + - Moved SCE to separate shared library (libopenscap_sce.so) + - Introduction of scap-as-rpm tool + - Improvements of sql and sql57 probes + - Improvements of SELinux policy + - Amendments based on SCAP 1.2 Errata (sp800-126r2-errata-20120409.pdf) + - Minor improvements in state_entity processing + - Introduction of CPE name for Fedora 21 to the internal dictionary + - Added support for ind-def:pid/@xsi:nil (rhbz#1013011) + - Improved error reporting + - Bug fixes + - Changed CPE name regex to be more permissive + - avoided reports from the library to the stdout and stderr + - 
plugged several memory leaks + - improved xccdf:check-content-refs processing + - misspelling in syslog message (rhbz#1021695) + - fixed OVAL's element processing + - fixes based on static analysers + - test suite is locale independent +- new library major version 8 + +------------------------------------------------------------------- +Fri Oct 11 13:10:42 UTC 2013 - meissner@suse.com + +- Updated to 0.9.12 + - tailoring improvements (@id, version, and benchmark ref attributes) + - XCCDF 1.1 tailoring extension + - improved robustness of CPE dictionary parser and exporter + - and added misc CPE 2.3 elements + - added Fedora 20 to internal CPE dictionary + - updated OVAL's results_to_html stylesheet from Mitre Corporation. + - profiles with duplicate selects (same @idref) now export correctly + - test improvements + - bug fixes + - fixed IPv6 export in TestResult/target-address + - consistently inject target-id-ref into TestResult in ARFs + - improved rpmdb manipulation (rhbz#999903) + - solaris build fixes + - spelling of name of default language fixed (oscap_text related) + - fixed CPE names matching (generalization vs. specialization) + +------------------------------------------------------------------- +Wed Jul 17 15:25:53 UTC 2013 - meissner@suse.com + +- Updated to 0.9.11 + - bugfixes +- Updated to 0.9.10 + - bugfixes +- Updated to 0.9.9 + - --oval-results also exports CPE OVAL results + - added --benchmark-id to select a component-ref by ID of Benchmark it's pointing to + - OVAL variable_instance processing (or so called value multiset) and the processing + of @variable_instance attribute to OVAL Result Definition, OVAL Result Test and + Collected Objects. + - improved test coverage of OVAL variable processing + - introduced new internal data type: oval_smc + - added support for evaluating OVAL definitions against an RPM database, a.k.a. 
rpm + database offline mode + - bug fixes and dead code removal + +------------------------------------------------------------------- +Mon Jun 17 11:44:21 UTC 2013 - meissner@suse.com + +- updated to 0.9.8 + - added experimental support for offline mode scanning to the OVAL + check engine (i.e. scanning of virtual host disk images) + - improved OVAL variables processing + - bug fixes and dead code removal + +------------------------------------------------------------------- +Sat May 4 15:37:25 UTC 2013 - mc@suse.com + +- fix build on SLE11 - possible 64Bit issue + - fix-missing-include.dif + +------------------------------------------------------------------- +Mon Apr 29 09:21:35 UTC 2013 - meissner@suse.com + +- updated to 0.9.7 + - bugfixes + +------------------------------------------------------------------- +Thu Apr 25 11:28:31 UTC 2013 - meissner@suse.com + +- updated to 0.9.6 + - new command-line module added as preview: "oscap ds sds-add" + - improved xccdf:fix processing (support of DataStreams and CPE) + - internal selinux policy preview + - added Fedora 19 to default CPE dictionary + - bug fixes + +------------------------------------------------------------------- +Wed Mar 20 10:04:57 UTC 2013 - meissner@suse.com + +- updated to 0.9.5 + - oscap xccdf remediate (new oscap module which introduces offline + remediation; the remediation based on existing xccdf:testresult file) + - added support for sce into datastream (sce scripts can now be + embedded into the datastream file similarly as oval can) + - improved bash completion and documentation + - bug fixes +- bumped SOVERSION from 2 to 3. + +------------------------------------------------------------------- +Wed Feb 27 08:53:37 UTC 2013 - meissner@suse.com + +- updated to 0.9.4 + - high Level API + - improved Text Substitution Processing + - technical Preview of Online Remediation Execution + (the oscap xccdf eval --remediate) + - improved Library Internal Error Reporting. 
+ - the oscap xccd export-oval-variables now support DataStreams. + - improved documentation + - improved schema files. + - tailoring file support + - profile shadowing support + - bug Fixes +- DOWNGRADED SOVERSION from 3 to 2. + +------------------------------------------------------------------- +Tue Jan 8 10:47:53 UTC 2013 - meissner@suse.com + +- updated to 0.9.3 + - Embedded CPE dictionary (allows users to ommit --cpe argument) + - improvements of DataStream and CPE processing on RHEL5 + - changed API of various functions in cpe_dict, benchmark and + xccdf_policy to use string timestamp instead of time_t [1] + - fixed several issues found by Coverity and cppcheck static code + analysis + - bug fixes +- bumped SOVERSION from 2 to 3. + +------------------------------------------------------------------- +Mon Nov 19 15:47:21 UTC 2012 - meissner@suse.com + +- updated to 0.9.2: +- rewritten the heuristic for pattern matching on path and filepath +- CPE 2.3 language applicability testing +- new ds_sds_index API providing a datastream overview +- CPEs in source datastreams are automatically registered and used + for XCCDF evaluation +- --cpe option autodetects CPE dictionary and language +- CVE support (validate feed, print CVEs) +- introduced info module +- made "$oscap xccdf generate custom" work again -> man page update +- bug fixes + + +------------------------------------------------------------------- +Thu Oct 25 14:26:53 UTC 2012 - meissner@suse.com + +- updated to 0.9.1: + - the http in the check-content-ref/@hrefhref support + - the cpedict support + - obsoleted the oscap_reporter + - send start and finish messages to the syslog + - the XCCDF multi-check evaluation support + - "oscap oval validate-xml" autodetect a document type + - bug fixes + +------------------------------------------------------------------- +Fri Sep 28 07:54:36 UTC 2012 - meissner@suse.com + +- updated to 0.9.0: + * few public headers were renamed to follow common schema + * cve and cce 
modules are not build by default -> these modules are not + utilized by oscap tool and thus untested. + * --enable-bindings configure option was split into --enable-python and + support of SCAP datastream support was improved + * plus fixes in OVAL and XCCDF modules. oscap tool reports support of + XCCDF 1.2 and OVAL 5.10.1 +- libopenscap.so major version changed from 1 to 2. + +------------------------------------------------------------------- +Wed Aug 29 07:56:05 UTC 2012 - meissner@suse.com + +- updated to 0.8.5: + - added rpmverifypackage probe + - added initial support for source and result datastreams + - added xccdf 1.2 dc-status support + - several probes were updated to conform to OVAL 5.10.1 + - bug fixes + + This release is able to evaluate the DISA STIG content. + +------------------------------------------------------------------- +Tue Aug 7 12:57:51 UTC 2012 - meissner@suse.com + +- updated to 0.8.4 + - added OVAL schemas 5.9, 5.10.1 + - alloc.h is no more public api + - bug fixes + +------------------------------------------------------------------- +Fri Aug 3 09:00:36 UTC 2012 - dmacvicar@suse.de + +- Fix schema_version of scap-rhel6-oval.xml (to 5.8) + +------------------------------------------------------------------- +Wed Aug 1 09:43:28 UTC 2012 - meissner@suse.com + +- Updated to 0.8.3 + - added XCCDF 1.2 schemas + - changed XCCDF report format + - updated schemas for OVAL 5.10 + - added additional OVAL schemas - 5.3, 5.4, 5.5, 5.6, 5.7 + - multi version support for XCCDF and OVAL + - a schema version of an imported and exported content is same + - added rpmverifyfile probe + - results are validated only if an OSCAP_FULL_VALIDATION variable is set + - bug fixes + +------------------------------------------------------------------- +Wed Aug 1 09:18:06 UTC 2012 - dmacvicar@suse.de + +- add OVAL/XCCDF content based on yast2-security checks + and set them as the default content (using symlinks) + 
+------------------------------------------------------------------- +Sat Jul 28 14:24:46 UTC 2012 - aj@suse.de + +- Fix build with missing gets declaration (glibc 2.16) + +------------------------------------------------------------------- +Fri Mar 30 16:21:21 CEST 2012 - meissner@suse.de + +- Updated to 0.8.2 + - XCCDF check-import support + - XSLT transformation for XCCDF 1.1 to 1.2 migration + - SCE reports now optionally use the new check-import functionality + and don't need separate SCE result files + - bug fixes + +------------------------------------------------------------------- +Sat Mar 24 10:54:22 UTC 2012 - mc@suse.com + +- require libnl-devel on older SUSE version + +------------------------------------------------------------------- +Mon Mar 19 15:52:17 UTC 2012 - cfarrell@suse.com + +- license update: LGPL-2.1+ + There is no GPL-3.0+ in this package. Also, the Fedora spec file states + LGPL-2.1+. This appears to be the correct license + +------------------------------------------------------------------- +Wed Feb 29 22:47:20 CET 2012 - meissner@suse.de + +- some cleanups to make it factory acceptable + +------------------------------------------------------------------- +Tue Feb 28 17:52:44 CET 2012 - mc@suse.de + +- Update to 0.8.1 +- introduce Script Check Engine +- Added an OVAL Directives schema to allow for a tool + to supply a set of directives to more easily specify + desired results content. 
+- Enhanced OVAL Results directives to allow for more flexibility + in allowed results content +- added new OVAL objects(all OVAL 5.8 objects are covered now) +- update dpkgprobe +- all issues reported by coverity are fixed +- add capability to export OVAL Variables from XCCDF +- added cvss score calculator from vector + +------------------------------------------------------------------- +Fri Apr 29 15:56:23 CEST 2011 - meissner@suse.de + +- Updated to 0.7.2 + - OVAL 5.7 is supported + - content for Red Hat Enterprise Linux 6.1 - draft + - oscap tool enable user to skip content validation before evaluation + - bugfixes + +------------------------------------------------------------------- +Mon Jul 5 00:16:27 UTC 2010 - bitshuffler #suse@irc.freenode.org + +- Update to 0.5.12 +- Proper subpackages added + +------------------------------------------------------------------- +Thu Nov 19 13:50:12 CET 2009 - meissner@suse.de + +- initial 0.5.5 import + - open SCAP protocol implementation + diff --git a/openscap.spec b/openscap.spec new file mode 100644 index 0000000..05cff40 --- /dev/null +++ b/openscap.spec 
@@ -0,0 +1,338 @@
+#
+# spec file for package openscap
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define sover 25
+%define with_bindings 0
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+Name: openscap
+Version: 1.3.10
+Release: 0
+Summary: A Set of Libraries for Integration with SCAP
+License: LGPL-2.1-or-later
+Group: Development/Tools/Other
+URL: https://www.open-scap.org/
+Source: https://github.com/OpenSCAP/openscap/archive/%{version}.tar.gz#/%name-%version.tar.gz
+Source1: openscap-rpmlintrc
+Source2: sysconfig.oscap-scan
+# SUSE specific profile, based on yast2-security checks.
+# Generated from http://gitorious.org/test-suite/scap
+Source3: scap-yast2sec-xccdf.xml
+Source4: scap-yast2sec-oval.xml
+Source5: oscap-scan.service
+Source6: oscap-scan.sh
+Patch1: 0001-Add-openSUSE-cpe-links.patch
+Patch2: 0002-Add-SUSE-cpe-links.patch
+Patch3: 0003-Use-openSUSE-SUSE-cpe-links.patch
+%if 0%{?suse_version} != 1599
+Patch4: 0004-oscap-remediate-is-located-in-bindir.patch
+%endif
+
+BuildRequires: asciidoc
+# Use package name cause of "have choice for perl(XML::Parser): brp-check-suse perl-XML-Parser"
+BuildRequires: cmake
+BuildRequires: dbus-1-devel
+BuildRequires: doxygen
+BuildRequires: gcc-c++
+%if 0%{?suse_version} < 1550
+BuildRequires: gconf2-devel
+%endif
+BuildRequires: libacl-devel
+BuildRequires: libattr-devel
+BuildRequires: libblkid-devel
+BuildRequires: libbz2-devel
+BuildRequires: libcap-devel
+BuildRequires: libcurl-devel
+BuildRequires: libgcrypt-devel
+BuildRequires: libselinux-devel
+BuildRequires: libtool
+BuildRequires: libxml2-devel
+BuildRequires: libxslt-devel
+BuildRequires: libyaml-devel
+BuildRequires: lua
+BuildRequires: openldap2-devel
+BuildRequires: perl-XML-Parser
+BuildRequires: perl-XML-XPath
+BuildRequires: pkgconfig
+BuildRequires: procps
+BuildRequires: procps-devel
+BuildRequires: python3-devel
+BuildRequires: rpm-devel
+BuildRequires: swig
+BuildRequires: systemd-rpm-macros
+BuildRequires: unixODBC-devel
+BuildRequires: xmlsec1-devel
+BuildRequires: xmlsec1-openssl-devel
+BuildRequires: pkgconfig(glib-2.0)
+BuildRequires: pkgconfig(gobject-2.0)
+BuildRequires: pkgconfig(libpcre2-8)
+BuildRequires: pkgconfig(systemd)
+# remove extra packages from version 1.2.9 and older
+Obsoletes: openscap-engine-sce < %{version}
+Obsoletes: openscap-extra-probes < %{version}
+BuildRequires: distribution-release
+
+%description
+OpenSCAP is a set of open source libraries providing an easier path for
+integration of the SCAP line of standards.
+
+SCAP is a line of standards managed by NIST with the goal of providing
+a standard language for the expression of Computer Network Defense
+related information.
+
+More information about SCAP can be found at nvd.nist.gov.
+
+%package devel
+Summary: Development Files for OpenSCAP
+Group: Development/Libraries/C and C++
+Requires: %{name} = %{version}-%{release}
+Requires: libopenscap%{sover} = %{version}
+
+%description devel
+This package contains the development files (mainly C header files) for the
+OpenSCAP C library.
+
+%package containers
+Summary: OpenSCAP plugin for scanning containers
+Group: System/Libraries
+Provides: openscap-docker = %{version}-%{release}
+Obsoletes: openscap-docker < %{version}-%{release}
+
+%description containers
+This package contains plugins for scanning containers using OpenSCAP either via
+podman or docker.
+
+%if 0%{?with_bindings}
+%package -n python-openscap
+Summary: OpenSCAP Python Library
+Group: Development/Libraries/Python
+Requires: %{name} = %{version}-%{release}
+Provides: openscap-python = %{version}-%{release}
+
+%description -n python-openscap
+The OpenSCAP Python Library for easy integration with SCAP.
+
+%package -n perl-openscap
+Summary: OpenSCAP Perl Library
+Group: Development/Libraries/Perl
+Requires: %{name} = %{version}-%{release}
+Requires: perl = %{perl_version}
+Provides: openscap-perl = %{version}-%{release}
+
+%description -n perl-openscap
+The OpenSCAP Perl Library for easy integration with SCAP.
+%endif
+
+%package -n libopenscap%{sover}
+Summary: OpenSCAP C Library
+Group: System/Libraries
+
+%description -n libopenscap%{sover}
+The OpenSCAP C Library for easy integration with SCAP.
+
+%package utils
+Summary: Openscap utilities
+Group: System/Monitoring
+Requires: %{name} = %{version}-%{release}
+Requires: libopenscap%{sover} >= %{version}-%{release}
+Requires(pre): %fillup_prereq
+%systemd_requires
+
+%description utils
+The %{name}-utils package contains various utilities based on %{name} library.
+
+%package content
+Summary: SCAP content
+Group: System/Monitoring
+Requires: %{name} = %{version}-%{release}
+Requires: libopenscap%{sover} >= %{version}-%{release}
+
+%description content
+SCAP content for Fedora delivered by Open-SCAP project.
+
+%package -n libopenscap_sce%{sover}
+Summary: Script Checking Engine Library for OpenSCAP
+Group: System/Libraries
+
+%description -n libopenscap_sce%{sover}
+This package contains the Script Checking Engine Library (SCE) for OpenSCAP.
+
+%{!?python_sitearch: %global python_sitearch %(python -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+
+%prep
+%autosetup -p1
+
+%build
+%cmake \
+ -DENABLE_DOCS=TRUE \
+%if 0%{?suse_version} < 1600
+ -DCMAKE_INSTALL_DOCDIR:PATH=%{_docdir}/%{name} \
+%endif
+ -DCMAKE_SHARED_LINKER_FLAGS="" \
+ -DENABLE_OSCAP_REMEDIATE_SERVICE=TRUE \
+ -DWITH_PCRE2=ON \
+%if !0%{?with_bindings}
+ -DENABLE_PYTHON3=FALSE \
+ -DENABLE_PERL=FALSE \
+%endif
+%{nil}
+%if 0%{?sle_version} > 150100 || 0%{?suse_version} == 1599
+%cmake_build
+%else
+%make_jobs
+%endif
+
+%check
+export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{buildroot}/%{_libdir}
+cd build
+# unit tests do not succeed, while working on 1.3 migration we submitted a few
+# patches upstream but there is still one unit test that always fails and 1-3
+# which fail occasionally
+ctest %{?_smp_mflags} || :
+cd ..
+
+%install
+%cmake_install
+
+mkdir -p %{buildroot}/%{_fillupdir}
+install -m 644 %{SOURCE2} %{buildroot}/%{_fillupdir}
+
+mkdir -p %{buildroot}/%{_libexecdir}/openscap
+mkdir -p %{buildroot}/%{_libdir}/openscap
+
+install -m 644 %{SOURCE3} %{buildroot}/%{_datadir}/openscap
+install -m 644 %{SOURCE4} %{buildroot}/%{_datadir}/openscap
+
+# specific local scan during boot script
+mkdir -p %{buildroot}/%{_unitdir}
+install -m 644 %{SOURCE5} %{buildroot}/%{_unitdir}/oscap-scan.service
+mkdir -p %{buildroot}/%{_bindir}
+install -m 755 %{SOURCE6} %{buildroot}/%{_bindir}/oscap-scan
+
+mkdir -p %{buildroot}/%{_sbindir}
+ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcoscap-scan
+
+mkdir -p %{buildroot}%{_datadir}/bash-completion/completions
+mv %{buildroot}%{_sysconfdir}/bash_completion.d/* %{buildroot}%{_datadir}/bash-completion/completions/
+# create symlinks to default content
+ln -s %{_datadir}/openscap/scap-yast2sec-oval.xml %{buildroot}/%{_datadir}/openscap/scap-oval.xml
+ln -s %{_datadir}/openscap/scap-yast2sec-xccdf.xml %{buildroot}/%{_datadir}/openscap/scap-xccdf.xml
+
+# for some reason the serivce file is put under /usr/usr/lib/systemd..
+mv %{buildroot}/usr/%{_unitdir}/oscap-remediate.service %{buildroot}/%{_unitdir}
+# oscap-remediate should be in /usr/libexec but this is not well supported in
+# older versions of the distro
+%if 0%{?suse_version} != 1599
+%if 0%{?sle_version} > 150200
+mv %{buildroot}/%{_libexecdir}/oscap-remediate %{buildroot}/%{_bindir}
+%else
+# in older versions _libexecdir expands to /usr/lib, which does not help
+mv %{buildroot}/%{_prefix}/libexec/oscap-remediate %{buildroot}/%{_bindir}
+%endif
+%endif
+
+%post -n libopenscap%{sover} -p /sbin/ldconfig
+%postun -n libopenscap%{sover} -p /sbin/ldconfig
+
+%post -n libopenscap_sce%{sover} -p /sbin/ldconfig
+%postun -n libopenscap_sce%{sover} -p /sbin/ldconfig
+
+%post -n openscap-utils
+%service_add_post oscap-scan.service oscap-remediate.service
+
+%postun -n openscap-utils
+%service_del_postun oscap-scan.service oscap-remediate.service
+
+%pre -n openscap-utils
+%service_add_pre oscap-scan.service oscap-remediate.service
+
+%preun -n openscap-utils
+%service_del_preun oscap-scan.service oscap-remediate.service
+
+%files
+%license COPYING
+%doc AUTHORS NEWS
+%dir %{_datadir}/openscap
+%dir %{_datadir}/openscap/cpe
+%dir %{_datadir}/openscap/schemas
+%dir %{_datadir}/openscap/xsl
+%{_datadir}/openscap/cpe/*
+%{_datadir}/openscap/schemas/*
+%{_datadir}/openscap/xsl/*
+
+%files -n libopenscap%{sover}
+%{_libdir}/libopenscap.so.%{sover}*
+
+%files devel
+%dir %{_docdir}/openscap
+%{_docdir}/openscap/html
+%{_docdir}/openscap/manual
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+%{_includedir}/*
+
+%files containers
+%{python3_sitelib}/oscap_docker_python
+%{_bindir}/oscap-docker
+%{_bindir}/oscap-podman
+%{_mandir}/man8/oscap-podman.8*
+%{_mandir}/man8/oscap-docker.8*
+
+%if 0%{?with_bindings}
+%files -n python-openscap
+%{python_sitearch}/*
+
+%files -n perl-openscap
+%{perl_vendorlib}/openscap.pm
+%{perl_vendorarch}/openscap_pm.so
+%endif
+
+%files utils
+%{_fillupdir}/sysconfig.oscap-scan
+%doc docs/oscap-scan.cron
+%{_mandir}/man8/*
+%{_unitdir}/oscap-scan.service
+%{_bindir}/autotailor
+%{_bindir}/oscap
+%{_bindir}/oscap-vm
+%{_bindir}/oscap-scan
+%{_bindir}/oscap-ssh
+%{_bindir}/oscap-chroot
+%{_bindir}/scap-as-rpm
+%{_bindir}/oscap-run-sce-script
+%{_sbindir}/rcoscap-scan
+%{_datadir}/bash-completion/completions/*
+%exclude %{_mandir}/man8/oscap-podman.8*
+%exclude %{_mandir}/man8/oscap-docker.8*
+%{_bindir}/oscap-remediate-offline
+%{_prefix}/lib/systemd/system/oscap-remediate.service
+%if 0%{?suse_version} != 1599
+%{_bindir}/oscap-remediate
+%else
+%{_libexecdir}/oscap-remediate
+%endif
+
+%files content
+%{_datadir}/openscap/scap*.xml
+
+%files -n libopenscap_sce%{sover}
+%{_libdir}/libopenscap_sce.so.*
+
+%changelog
diff --git a/oscap-scan.service b/oscap-scan.service
new file mode 100644
index 0000000..d17e8cc
--- /dev/null
+++ b/oscap-scan.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=OpenSCAP security scanner
+Wants=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/sysconfig/oscap-scan
+ExecStart=/usr/bin/oscap $OPTIONS
+
+[Install]
+WantedBy=multi-user.target
diff --git a/oscap-scan.sh b/oscap-scan.sh
new file mode 100644
index 0000000..949aa38
--- /dev/null
+++ b/oscap-scan.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+prog="oscap"
+
+# Check config
+test -f /etc/sysconfig/oscap-scan && . /etc/sysconfig/oscap-scan
+
+RETVAL=0
+
+test -f /etc/sysconfig/oscap-scan || exit 6
+
+test x"$OPTIONS" != "x" || exit 6
+
+$prog $OPTIONS
+
+ERR=$?
+if [ $ERR -eq 0 ] ; then
+ logger "OpenSCAP security scan: PASS"
+elif [ $ERR -eq 1 ] ; then
+ logger "OpenSCAP security scan: ERROR. Run oscap scan from command line."
+else
+ logger "OpenSCAP security scan: FAILED. See results in /var/log/oscap-scan.xml.log"
+fi
+
+exit 0
diff --git a/scap-yast2sec-oval.xml b/scap-yast2sec-oval.xml
new file mode 100644
index 0000000..81446ff
--- /dev/null
+++ b/scap-yast2sec-oval.xml
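Review bot: In `%check`, `ctest %{?_smp_mflags} || :` discards every test result, so the package builds green even if the whole suite fails, not just the one always-failing test and the "1-3 which fail occasionally" that the comment above it describes. Exclude the known-bad tests by name and let the rest gate the build, e.g. `ctest %{?_smp_mflags} --output-on-failure -E '<name-of-the-failing-test>'`, so a regression in a probe or parser is at least visible in the build log rather than silently shipped. Separately, `-DCMAKE_SHARED_LINKER_FLAGS=""` in `%build` replaces whatever shared-library link flags the distribution's `%cmake` macro passes, which on openSUSE presumably carry the hardening options (`-Wl,-z,now`, `--as-needed`); if the empty value works around a specific problem, a comment should name it, otherwise the line should go so `libopenscap` keeps the distro defaults. A small documentation point: `%description content` says "SCAP content for Fedora", but what the package installs (Source3/Source4, and the `scap-oval.xml`/`scap-xccdf.xml` symlinks) is the yast2-security checklist for SUSE.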
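Review bot: `Type=forking` does not match how `/usr/bin/oscap` behaves here: the wrapper script added in the same commit runs it synchronously and reads its exit status, i.e. it is a run-once foreground command, so with `forking` systemd waits for the process to exit and then has no main PID left; any non-zero status (the wrapper treats everything other than 0 and 1 as a failed rule) marks the unit failed on every boot. `Type=oneshot` is the type meant for this. The unit also executes `oscap $OPTIONS` directly instead of the `oscap-scan` wrapper the spec installs into `%{_bindir}`, so none of the result logging in that script happens on the systemd path, and because the `-` prefix makes a missing `/etc/sysconfig/oscap-scan` non-fatal, `$OPTIONS` can be empty and oscap is then started with no arguments at all (the wrapper exits 6 in that case). `ExecStart=/usr/bin/oscap-scan` together with `Type=oneshot` would keep a single code path for boot-time, cron and manual runs. Whether a failed rule should fail the unit is a policy choice, but it should be made deliberately rather than fall out of the service type.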
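Review bot: The script always ends with `exit 0`, so whatever runs it (the unit, or the cron file shipped as `docs/oscap-scan.cron`) cannot tell an aborted scan (`$ERR` of 1, logged as ERROR) from a pass, and `RETVAL=0`, which presumably was meant to carry that status, is never used. Propagate the status instead, e.g. `exit "$ERR"` as the last line (or, if a failed rule must not fail the caller, `[ "$ERR" -eq 1 ] && exit 1; exit 0`), and drop `RETVAL=0`. The FAILED message hardcodes `/var/log/oscap-scan.xml.log`, which is only accurate if the `OPTIONS` line in `/etc/sysconfig/oscap-scan` (not part of this diff) really passes `--results` with that path; either derive it from the options or let the sysconfig template state where results go. Note also that `. /etc/sysconfig/oscap-scan` executes the file as root shell code, not as a key/value list, so a one-line comment above it such as `# sourced as shell code: file must stay root-owned and not group/world-writable` would make the trust assumption explicit.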
@@ -0,0 +1,577 @@ + + + + vim + 5.9 + 2011-10-31T12:00:00-04:00 + + + + + + + sysctl net.ipv4.ip_forward must be 0 + sysctl net.ipv4.ip_forward must be 0 + + + + + + + + sysctl net.ipv4.tcp_syncookies must be 1 + sysctl net.ipv4.tcp_syncookies must be 1 + + + + + + + + sysctl net.ipv6.conf.all.forwarding must be 0 + sysctl net.ipv6.conf.all.forwarding must be 0 + + + + + + + + sysctl net.ipv6.conf.default.forwarding must be 0 + sysctl net.ipv6.conf.default.forwarding must be 0 + + + + + + + + kernel config CONFIG_SYN_COOKIES must be y + kernel config CONFIG_SYN_COOKIES must be y + + + + + + + + file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999 + file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999 + + + + + + + + file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0 + file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0 + + + + + + + + file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7 + file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7 + + + + + + + + file /etc/pam.d/common-password must have a line that matches minlen=6 + file /etc/pam.d/common-password must have a line that matches minlen=6 + + + + + + + + file /etc/pam.d/common-password must have a line that matches remember= + file /etc/pam.d/common-password must have a line that matches remember= + + + + + + + + file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0 + file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0 + + + + + + + + file /etc/login.defs must have a line that matches ^FAIL_DELAY + file /etc/login.defs must have a line that matches ^FAIL_DELAY + + + + + + + + file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no + file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no + + + + + + + + file /etc/sysconfig/displaymanager must have a line that matches 
^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no + file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no + + + + + + + + file /etc/login.defs must have a line that matches ^UID_MIN.*1000 + file /etc/login.defs must have a line that matches ^UID_MIN.*1000 + + + + + + + + file /etc/login.defs must have a line that matches ^UID_MAX.*60000 + file /etc/login.defs must have a line that matches ^UID_MAX.*60000 + + + + + + + + file /etc/login.defs must have a line that matches ^GID_MIN.*1000 + file /etc/login.defs must have a line that matches ^GID_MIN.*1000 + + + + + + + + file /etc/login.defs must have a line that matches ^GID_MAX.*60000 + file /etc/login.defs must have a line that matches ^GID_MAX.*60000 + + + + + + + + sysctl kernel.sysrq must be 0 + sysctl kernel.sysrq must be 0 + + + + + + + + file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5 + file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5 + + + + + + + + file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des + file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des + + + + + + + + file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set + file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set + + + + + + + + file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes + file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes + + + + + + + + file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes + file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes + + + + + + + + file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd + file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd + + + + + + + + file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes + file 
/etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes + + + + + + + + file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd + file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd + + + + + + + + file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes + file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes + + + + + + + + file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes + file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /proc/sys/net/ipv4/ip_forward + ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$ + 1 + + + /proc/sys/net/ipv4/tcp_syncookies + ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$ + 1 + + + /usr/src/linux/.config + (CONFIG_SYN_COOKIES.*) + 1 + + + /proc/sys/net/ipv6/conf/all/forwarding + ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$ + 1 + + + /proc/sys/net/ipv6/conf/default/forwarding + ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$ + 1 + + + /proc/sys/kernel/sysrq + ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$ + 1 + + + /etc/login.defs + ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$ + 1 + + + /etc/pam.d/common-passwd + ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$ + 1 + + + /etc/default/passwd + ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$ + 1 + + + /etc/pam.d/common-password + ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$ + 1 + + + /etc/sysconfig/dhcpd + ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$ + 1 + + + /etc/sysconfig/displaymanager + 
^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$ + 1 + + + /etc/sysconfig/security + ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$ + 1 + + + /etc/sysconfig/services + ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$ + 1 + + + + + + + + 0 + + + 1 + + + CONFIG_SYN_COOKIES=y + + + ^PASS_MAX_DAYS.*99999 + + + ^PASS_MIN_DAYS.*0 + + + ^PASS_WARN_AGE.*7 + + + ^minlen=6 + + + ^remember= + + + ^FAIL_DELAY.*0 + + + ^FAIL_DELAY + + + ^UID_MIN.*1000 + + + ^UID_MAX.*60000 + + + ^GID_MIN.*1000 + + + ^GID_MAX.*60000 + + + ^CRYPT_FILES=md5 + + + ^CRYPT_FILES=des + + + minlen=6 + + + remember= + + + ^DHCPD_RUN_CHROOTED.*yes + + + ^DHCPD_RUN_AS.*dhcpd + + + ^DHCPD6_RUN_CHROOTED.*yes + + + ^DHCPD6_RUN_AS.*dhcpd + + + ^DISPLAYMANAGER_REMOTE_ACCESS.*no + + + ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no + + + ^CHECK_PERMISSIONS.*set + + + ^CHECK_SIGNATURES.*yes + + + ^DISABLE_RESTART_ON_UPDATE.*yes + + + ^DISABLE_STOP_ON_REMOVAL.*yes + + + + + + + + + diff --git a/scap-yast2sec-xccdf.xml b/scap-yast2sec-xccdf.xml new file mode 100644 index 0000000..f060fac --- /dev/null +++ b/scap-yast2sec-xccdf.xml @@ -0,0 +1,319 @@ + + + draft + Hardening Linux Kernel + + The Linux kernel is at the heart of every Linux system. With its extensive configuration + options, it comes to no surprise that specific settings can be enabled to further harden + your system. + + + In this guide, we focus on Linux kernel configuration entries that support additional + hardening of your system, as well as the configuration through the syctl + settings. + + 1 + + + + Default vanilla kernel hardening + + Profile matching all standard (vanilla-kernel) hardening rules + + + + + + + + + + + + + + + +
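Review bot: Several state patterns put `.*` between the key and the expected value, so they match much more than the value they describe; the worst case is `^FAIL_DELAY.*0`, which (per the test title) is used as a "may not have a line that matches" check and therefore reports a violation for `FAIL_DELAY 10`, `20` or `30`, while patterns such as `^PASS_MIN_DAYS.*0`, `^UID_MIN.*1000` and `^PASS_WARN_AGE.*7` accept values like `UID_MIN 10000` or `PASS_WARN_AGE 17`. Anchor the value, e.g. `^FAIL_DELAY[[:space:]]+0[[:space:]]*$` and `^PASS_MIN_DAYS[[:space:]]+0[[:space:]]*$`, and the same for the other login.defs patterns. The object list also contains both `/etc/pam.d/common-passwd` and `/etc/pam.d/common-password`; the first looks like a typo for the second (which is the pam-config file on SUSE), so whichever test is bound to it (the element tags are not visible in this rendering) can never evaluate to true. Finally, `CONFIG_SYN_COOKIES` is looked up in `/usr/src/linux/.config`, i.e. the kernel source tree, which is normally not installed on a production system and need not match the booted kernel; `/boot/config-<release>` is the practical target for a textfilecontent check (`/proc/config.gz` is compressed and cannot be matched that way).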