pool/openscap
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 651059 from home:rfrohl:branches:security

Browse Source 
- Update to openscap-1.3.0 
  - move to cmake
- improve unit test, planned for inclusion with 1.3.1
  - tests do no complete as of yet, still future work needed

OBS-URL: https://build.opensuse.org/request/show/651059
OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=225
This commit is contained in:
Marcus Meissner 2018-11-22 10:48:01 +00:00 committed by Git OBS Bridge
parent 619b3160ac
commit 4d33f05db9
12 changed files with 274 additions and 268 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
1.2.17.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:877eeb69cf19f8cef9d161fabaa389b0a85477ddaf3be21e9ee3b84d4ca1841b
size 12517674

3
1.3.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:70bab797f956c5130dac862ccf79724ef795466ad59c4411ac8e2a7e0066493b
size 12327473

126
openscap-new-suse.patch
View File

@ -1,8 +1,8 @@
Index: openscap-1.2.16/cpe/openscap-cpe-dict.xml
Index: openscap-1.3.0/cpe/openscap-cpe-dict.xml
===================================================================
--- openscap-1.2.16.orig/cpe/openscap-cpe-dict.xml
+++ openscap-1.2.16/cpe/openscap-cpe-dict.xml
@@ -133,6 +133,14 @@
--- openscap-1.3.0.orig/cpe/openscap-cpe-dict.xml
+++ openscap-1.3.0/cpe/openscap-cpe-dict.xml
@@ -141,6 +141,14 @@
<title xml:lang="en-us">SUSE Linux Enterprise Desktop 12</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.sled:def:12</check>
</cpe-item>
@ -17,36 +17,11 @@ Index: openscap-1.2.16/cpe/openscap-cpe-dict.xml
<cpe-item name="cpe:/o:opensuse:opensuse:11.4">
<title xml:lang="en-us">openSUSE 11.4</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:114</check>
@@ -145,14 +153,22 @@
<title xml:lang="en-us">openSUSE 13.2</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:132</check>
</cpe-item>
- <cpe-item name="cpe:/o:novell:leap:42.1">
+ <cpe-item name="cpe:/o:opensuse:leap:42.1">
<title xml:lang="en-us">openSUSE 42.1</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:421</check>
</cpe-item>
- <cpe-item name="cpe:/o:novell:leap:42.2">
+ <cpe-item name="cpe:/o:opensuse:leap:42.2">
<title xml:lang="en-us">openSUSE 42.2</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:422</check>
</cpe-item>
+ <cpe-item name="cpe:/o:opensuse:leap:42.3">
+ <title xml:lang="en-us">openSUSE Leap 42.3</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:423</check>
+ </cpe-item>
+ <cpe-item name="cpe:/o:opensuse:leap:15.0">
+ <title xml:lang="en-us">openSUSE Leap 15.0</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:150</check>
+ </cpe-item>
<cpe-item name="cpe:/o:opensuse:opensuse">
<title xml:lang="en-us">openSUSE All Versions</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.opensuse:def:1</check>
Index: openscap-1.2.16/cpe/openscap-cpe-oval.xml
Index: openscap-1.3.0/cpe/openscap-cpe-oval.xml
===================================================================
--- openscap-1.2.16.orig/cpe/openscap-cpe-oval.xml
+++ openscap-1.2.16/cpe/openscap-cpe-oval.xml
@@ -449,6 +449,34 @@
--- openscap-1.3.0.orig/cpe/openscap-cpe-oval.xml
+++ openscap-1.3.0/cpe/openscap-cpe-oval.xml
@@ -475,6 +475,34 @@
</criteria>
</definition>
@ -81,54 +56,7 @@ Index: openscap-1.2.16/cpe/openscap-cpe-oval.xml
<definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:1" version="1">
<metadata>
<title>openSUSE All Versions</title>
@@ -519,17 +547,43 @@
</definition>
<definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:422" version="1">
<metadata>
- <title>openSUSE 42.2</title>
+ <title>openSUSE Leap 42.2</title>
<affected family="unix">
- <platform>openSUSE 42.2</platform>
+ <platform>openSUSE Leap 42.2</platform>
</affected>
<reference ref_id="cpe:/o:novell:leap:42.2" source="CPE"/>
- <description>The operating system installed on the system is openSUSE 42.2</description>
+ <description>The operating system installed on the system is openSUSE Leap 42.2</description>
</metadata>
<criteria>
<criterion comment="openSUSE 42.2 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:422"/>
</criteria>
</definition>
+ <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:423" version="1">
+ <metadata>
+ <title>openSUSE Leap 42.3</title>
+ <affected family="unix">
+ <platform>openSUSE Leap 42.3</platform>
+ </affected>
+ <reference ref_id="cpe:/o:novell:leap:42.3" source="CPE"/>
+ <description>The operating system installed on the system is openSUSE Leap 42.3</description>
+ </metadata>
+ <criteria>
+ <criterion comment="openSUSE 42.3 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:423"/>
+ </criteria>
+ </definition>
+ <definition class="inventory" id="oval:org.open-scap.cpe.opensuse:def:150" version="1">
+ <metadata>
+ <title>openSUSE Leap 15.0</title>
+ <affected family="unix">
+ <platform>openSUSE Leap 15.0</platform>
+ </affected>
+ <reference ref_id="cpe:/o:novell:leap:15.0" source="CPE"/>
+ <description>The operating system installed on the system is openSUSE Leap 15.0</description>
+ </metadata>
+ <criteria>
+ <criterion comment="openSUSE 42.3 is installed" test_ref="oval:org.open-scap.cpe.opensuse:tst:423"/>
+ </criteria>
+ </definition>
<definition class="inventory" id="oval:org.open-scap.cpe.wrlinux:def:1" version="1" >
<metadata>
<title>Wind River Linux</title>
@@ -715,6 +769,11 @@
@@ -870,6 +898,11 @@
<object object_ref="oval:org.open-scap.cpe.sles-release:obj:1"/>
<state state_ref="oval:org.open-scap.cpe.sles:ste:12"/>
</rpminfo_test>
@ -140,7 +68,7 @@ Index: openscap-1.2.16/cpe/openscap-cpe-oval.xml
<rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.sled:tst:10" version="1" check="at least one" comment="sled-release is version 10"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.open-scap.cpe.sled-release:obj:1"/>
@@ -730,6 +789,11 @@
@@ -885,6 +918,11 @@
<object object_ref="oval:org.open-scap.cpe.sled-release:obj:1"/>
<state state_ref="oval:org.open-scap.cpe.sled:ste:12"/>
</rpminfo_test>
@ -152,24 +80,7 @@ Index: openscap-1.2.16/cpe/openscap-cpe-oval.xml
<rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:1" version="1" check="at least one" comment="openSUSE-release is version 11.4"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
@@ -760,6 +824,16 @@
<object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
<state state_ref="oval:org.open-scap.cpe.opensuse:ste:422"/>
</rpminfo_test>
+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:423" version="2" check="at least one" comment="openSUSE-release is version 42.2"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
+ <state state_ref="oval:org.open-scap.cpe.opensuse:ste:423"/>
+ </rpminfo_test>
+ <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.opensuse:tst:150" version="2" check="at least one" comment="openSUSE-release is version 42.2"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <object object_ref="oval:org.open-scap.cpe.openSUSE-release:obj:1"/>
+ <state state_ref="oval:org.open-scap.cpe.opensuse:ste:150"/>
+ </rpminfo_test>
<family_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.wrlinux:tst:1" version="1" check="only one"
comment="Installed operating system is part of the Unix family."
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
@@ -955,6 +1029,9 @@
@@ -1159,6 +1207,9 @@
<rpminfo_state id="oval:org.open-scap.cpe.sles:ste:12" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<version operation="pattern match">^12($|[^\d])</version>
</rpminfo_state>
@ -179,7 +90,7 @@ Index: openscap-1.2.16/cpe/openscap-cpe-oval.xml
<rpminfo_state id="oval:org.open-scap.cpe.sled:ste:10" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<version operation="pattern match">^10($|[^\d])</version>
</rpminfo_state>
@@ -964,6 +1041,9 @@
@@ -1168,6 +1219,9 @@
<rpminfo_state id="oval:org.open-scap.cpe.sled:ste:12" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<version operation="pattern match">^12($|[^\d])</version>
</rpminfo_state>
@ -189,16 +100,3 @@ Index: openscap-1.2.16/cpe/openscap-cpe-oval.xml
<rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:2" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<name operation="pattern match">^openSUSE-release</name>
</rpminfo_state>
@@ -982,6 +1062,12 @@
<rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:422" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<version operation="pattern match">^42.2$</version>
</rpminfo_state>
+ <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:423" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <version operation="pattern match">^42.3$</version>
+ </rpminfo_state>
+ <rpminfo_state id="oval:org.open-scap.cpe.opensuse:ste:150" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+ <version operation="pattern match">^15.0$</version>
+ </rpminfo_state>
<textfilecontent54_state
id="oval:org.open-scap.cpe.wrlinux-release:ste:8"
comment="Check the /etc/wrlinux-release file for VERSION 8 specification."

4
openscap-rpmlintrc Normal file
View File

@ -0,0 +1,4 @@
# can not change docs implementation
addFilter("files-duplicate /usr/share/doc/openscap/html/search")
# ignore duplicates in different schema versions
addFilter("files-duplicate /usr/share/openscap/schemas")

26
openscap-xattr.patch
View File

@ -1,26 +0,0 @@
Index: openscap-1.2.17/configure.ac
===================================================================
--- openscap-1.2.17.orig/configure.ac
+++ openscap-1.2.17/configure.ac
@@ -476,7 +476,7 @@ AC_CHECK_HEADERS([acl/libacl.h sys/acl.h
echo
echo ' * Checking presence of required headers for the fileextendedattribute probe'
-AC_CHECK_HEADERS([attr/xattr.h errno.h limits.h pthread.h stdlib.h string.h sys/stat.h sys/types.h ],[],[probe_fileextendedattribute_req_deps_ok=no; probe_fileextendedattribute_req_deps_missing='header files'],[-])
+AC_CHECK_HEADERS([attr/libattr.h errno.h limits.h pthread.h stdlib.h string.h sys/stat.h sys/types.h ],[],[probe_fileextendedattribute_req_deps_ok=no; probe_fileextendedattribute_req_deps_missing='header files'],[-])
echo
echo ' * Checking presence of required headers for the password probe'
Index: openscap-1.2.17/src/OVAL/probes/unix/fileextendedattribute.c
===================================================================
--- openscap-1.2.17.orig/src/OVAL/probes/unix/fileextendedattribute.c
+++ openscap-1.2.17/src/OVAL/probes/unix/fileextendedattribute.c
@@ -41,7 +41,7 @@
#include <limits.h>
#include <sys/types.h>
-#include <attr/xattr.h>
+#include <attr/libattr.h>
#include <probe/probe.h>
#include <probe/option.h>

25
openscap.changes
View File

@ -1,3 +1,28 @@
-------------------------------------------------------------------
Fri Oct 19 15:46:44 UTC 2018 - Robert Frohl <rfrohl@suse.com>
- openscap-1.3.0
- New features
- Introduced a virtual '(all)' profile selecting all rules
- Verbose mode is a global option in all modules
- Added Microsoft Windows CPEs
- oscap-ssh can supply SSH options into an environment variable
- Maintenance
- Removed SEXP parser
- Added Fedora 30 CPE
- Fixed many Coverity defects (memory leaks etc.)
- SCE builds are enabled by default
- Moved many low-level functions out of public API
- Removed unused and dead code
- Updated manual pages
- Numerous small fixes
- xinetd_probe.patch: fix trailing whitespace in config
- test_probes_rpmverifypackage-disable-epoch-test.patch: fix rpmverifypackage unit test
- sysctl_unittest.patch: fix sysctl unit test
- rpmverifyfile_unittest.patch: fix rpmverifyfile unit test
- rpmverify_unittest.patch: fix rpmverify unit test
- openscap-xattr.patch: removed, included by upstream
-------------------------------------------------------------------
Wed Sep 12 05:56:03 UTC 2018 - meissner@suse.com

202
openscap.spec
View File

@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@ -21,11 +21,11 @@
%define _fillupdir /var/adm/fillup-templates
%endif
%define sover 8
%define sover 25
%define with_bindings 0
Name: openscap
Version: 1.2.17
Version: 1.3.0
Release: 1.0
Source: https://github.com/OpenSCAP/openscap/archive/%{version}.tar.gz
Source2: sysconfig.oscap-scan
@ -37,31 +37,47 @@ Source4: scap-yast2sec-oval.xml
Source5: oscap-scan.service
Source6: oscap-scan.sh
Patch0: openscap-new-suse.patch
Patch1: openscap-xattr.patch
Patch1: xinetd_probe.patch
Patch2: test_probes_rpmverifypackage-disable-epoch-test.patch
Patch3: sysctl_unittest.patch
Patch4: rpmverifyfile_unittest.patch
Patch5: rpmverify_unittest.patch
Url: http://www.open-scap.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: asciidoc
BuildRequires: doxygen
# Next few lines are needed for unit tests, they expect /etc/os-release to exist
%if !0%{?is_opensuse} && 0%{?sle_version} < 130000
BuildRequires: sles-release
%else
BuildRequires: dummy-release
%endif
BuildRequires: libacl-devel
BuildRequires: libattr-devel
BuildRequires: libbz2-devel
BuildRequires: libcurl-devel
BuildRequires: libgcrypt-devel
BuildRequires: libxml2-devel
# Use package name cause of "have choice for perl(XML::Parser): brp-check-suse perl-XML-Parser"
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: cmake
BuildRequires: gcc-c++
BuildRequires: gconf2-devel
BuildRequires: libblkid-devel
BuildRequires: libcap-devel
BuildRequires: libselinux-devel
BuildRequires: libtool
BuildRequires: libxslt-devel
BuildRequires: lua
BuildRequires: openldap2-devel
BuildRequires: pcre-devel
BuildRequires: perl-XML-Parser
BuildRequires: perl-XML-XPath
BuildRequires: pkg-config
BuildRequires: procps
BuildRequires: procps-devel
BuildRequires: python-devel
BuildRequires: rpm-devel
BuildRequires: sendmail
BuildRequires: swig
BuildRequires: unixODBC-devel
Summary: A Set of Libraries for Integration with SCAP
@ -79,37 +95,6 @@ related information.
More information about SCAP can be found at nvd.nist.gov.
%package -n libopenscap%{sover}
Summary: OpenSCAP C Library
Group: System/Libraries
%description -n libopenscap%{sover}
The OpenSCAP C Library for easy integration with SCAP.
%package docker
Summary: Docker plugin for OpenSCAP
Group: System/Libraries
%description docker
This package contains the Docker support for OpenSCAP.
%package engine-sce
Summary: Script Checking Engine for OpenSCAP
Group: System/Libraries
%description engine-sce
This package contains the Script Checking Engine (SCE) support for OpenSCAP.
%package -n libopenscap_sce%{sover}
Summary: Script Checking Engine Library for OpenSCAP
Group: System/Libraries
Recommends: openscap-engine-sce
%description -n libopenscap_sce%{sover}
This package contains the Script Checking Engine Library (SCE) for OpenSCAP.
%package devel
Requires: %{name} = %{version}-%{release}
Requires: libopenscap%{sover} = %{version}
@ -120,6 +105,13 @@ Group: Development/Libraries/C and C++
This package contains the development files (mainly C header files) for the
OpenSCAP C library.
%package docker
Summary: Docker plugin for OpenSCAP
Group: System/Libraries
%description docker
This package contains the Docker support for OpenSCAP.
%if 0%{?with_bindings}
%package -n python-openscap
%py_requires
@ -142,6 +134,13 @@ Group: Development/Libraries/Perl
The OpenSCAP Perl Library for easy integration with SCAP.
%endif
%package -n libopenscap%{sover}
Summary: OpenSCAP C Library
Group: System/Libraries
%description -n libopenscap%{sover}
The OpenSCAP C Library for easy integration with SCAP.
%package utils
Summary: Openscap utilities
Group: System/Monitoring
@ -152,7 +151,6 @@ PreReq: %fillup_prereq
%description utils
The %{name}-utils package contains various utilities based on %{name} library.
%package content
Summary: SCAP content
Group: System/Monitoring
@ -161,16 +159,12 @@ Requires: %{name} = %{version}-%{release}
%description content
SCAP content for Fedora delivered by Open-SCAP project.
%package -n libopenscap_sce%{sover}
Summary: Script Checking Engine Library for OpenSCAP
Group: System/Libraries
%package extra-probes
Summary: SCAP probes
Group: System/Monitoring
Requires: %{name} = %{version}-%{release}
#BuildRequires: opendbx - for sql
%description extra-probes
The %{name}-extra-probes package contains additional probes that are not
commonly used and require additional dependencies.
%description -n libopenscap_sce%{sover}
This package contains the Script Checking Engine Library (SCE) for OpenSCAP.
%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
@ -178,102 +172,70 @@ commonly used and require additional dependencies.
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
bash ./autogen.sh
%if 0%{?with_bindings}
%configure --disable-silent-rules --enable-sce --enable-cce
%cmake -DENABLE_DOCS=TRUE -DCMAKE_SHARED_LINKER_FLAGS=""
%else
%configure --disable-silent-rules --enable-sce --enable-cce --disable-bindings --disable-python --disable-python3
%cmake -DENABLE_DOCS=TRUE -DENABLE_PYTHON3=FALSE -DENABLE_PERL=FALSE -DCMAKE_SHARED_LINKER_FLAGS=""
%endif
make %{?_smp_mflags}
cd docs
doxygen
cd ..
%make_jobs
%check
make check %{?_smp_mflags} || :
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{buildroot}/%{_libdir}
cd build
# unit tests do not succeed, while working on 1.3 migration we submitted a few
# patches upstream but there is still one unit test that always fails and 1-3
# which fail occasionally
ctest %{?_smp_mflags} || :
cd ..
%install
make install DESTDIR=%{buildroot}
find %{buildroot} -name "*.la" -delete
# last python2 user in oscap-utils ... needs porting to python3
rm %{buildroot}/usr/bin/scap-as-rpm
%cmake_install
mkdir -p %{buildroot}/%{_fillupdir}
install -m 644 %{SOURCE2} %{buildroot}/%{_fillupdir}
mkdir -p %{buildroot}/%{_libexecdir}/openscap
mkdir -p %{buildroot}/%{_libdir}/openscap
install -m 644 %{SOURCE3} %{buildroot}/%{_datadir}/openscap
install -m 644 %{SOURCE4} %{buildroot}/%{_datadir}/openscap
# specific local scan during boot script
mkdir -p %{buildroot}/%{_unitdir}
install -m 644 %{SOURCE5} %{buildroot}/%{_unitdir}/oscap-scan.service
mkdir -p %{buildroot}/%{_bindir}
install -m 755 %{SOURCE6} %{buildroot}/%{_bindir}/oscap-scan
mkdir -p %{buildroot}/%{_sbindir}
ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcoscap-scan
mkdir -p %{buildroot}%{_datadir}/bash-completion/completions
mv %{buildroot}%{_sysconfdir}/bash_completion.d/* %{buildroot}%{_datadir}/bash-completion/completions/
# create symlinks to default content
ln -s %{_datadir}/openscap/scap-yast2sec-oval.xml %{buildroot}/%{_datadir}/openscap/scap-oval.xml
ln -s %{_datadir}/openscap/scap-yast2sec-xccdf.xml %{buildroot}/%{_datadir}/openscap/scap-xccdf.xml
%post -n libopenscap%{sover} -p /sbin/ldconfig
%post -n libopenscap_sce%{sover} -p /sbin/ldconfig
%post -n openscap-utils %service_add_post oscap-scan.service
%postun -n libopenscap%{sover} -p /sbin/ldconfig
%postun -n libopenscap_sce%{sover} -p /sbin/ldconfig
%postun -n openscap-utils %service_del_postun oscap-scan.service
%preun utils
%service_del_preun oscap-scan.service
%post utils
%service_add_post oscap-scan.service
%{fillup_only -n oscap-scan}
%postun utils
%service_del_postun oscap-scan.service
%pre utils
%service_add_pre oscap-scan.service
%pre -n openscap-utils %service_add_pre oscap-scan.service
%preun -n openscap-utils %service_del_preun oscap-scan.service
%files
%defattr(-, root, root)
%doc AUTHORS COPYING NEWS
%dir %{_libexecdir}/openscap
%{_libexecdir}/openscap/probe_dnscache
%{_libexecdir}/openscap/probe_environmentvariable
%{_libexecdir}/openscap/probe_environmentvariable58
%{_libexecdir}/openscap/probe_family
%{_libexecdir}/openscap/probe_file
%{_libexecdir}/openscap/probe_fileextendedattribute
%{_libexecdir}/openscap/probe_filehash
%{_libexecdir}/openscap/probe_filehash58
%{_libexecdir}/openscap/probe_iflisteners
%{_libexecdir}/openscap/probe_inetlisteningservers
%{_libexecdir}/openscap/probe_interface
%{_libexecdir}/openscap/probe_partition
%{_libexecdir}/openscap/probe_password
%{_libexecdir}/openscap/probe_process
%{_libexecdir}/openscap/probe_process58
%{_libexecdir}/openscap/probe_routingtable
%{_libexecdir}/openscap/probe_rpminfo
%{_libexecdir}/openscap/probe_rpmverify*
%{_libexecdir}/openscap/probe_runlevel
%{_libexecdir}/openscap/probe_selinuxboolean
%{_libexecdir}/openscap/probe_selinuxsecuritycontext
%{_libexecdir}/openscap/probe_shadow
%{_libexecdir}/openscap/probe_symlink
%{_libexecdir}/openscap/probe_sysctl
%{_libexecdir}/openscap/probe_systemdunitdependency
%{_libexecdir}/openscap/probe_systemdunitproperty
%{_libexecdir}/openscap/probe_system_info
%{_libexecdir}/openscap/probe_textfilecontent
%{_libexecdir}/openscap/probe_textfilecontent54
%{_libexecdir}/openscap/probe_uname
%{_libexecdir}/openscap/probe_variable
%{_libexecdir}/openscap/probe_xinetd
%{_libexecdir}/openscap/probe_xmlfilecontent
%license COPYING
%doc AUTHORS NEWS
%dir %{_datadir}/openscap
%dir %{_datadir}/openscap/cpe
%dir %{_datadir}/openscap/schemas
@ -288,7 +250,8 @@ ln -s %{_datadir}/openscap/scap-yast2sec-xccdf.xml %{buildroot}/%{_datadir}/ope
%files devel
%defattr(-, root, root)
%doc docs/{html,examples}/
%dir /usr/share/doc/openscap
/usr/share/doc/openscap/*
%{_includedir}/*
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
@ -310,7 +273,7 @@ ln -s %{_datadir}/openscap/scap-yast2sec-xccdf.xml %{buildroot}/%{_datadir}/ope
%files -n perl-openscap
%defattr(-, root, root)
%{perl_vendorlib}/openscap.pm
%{perl_vendorarch}/_openscap_pm.so
%{perl_vendorarch}/openscap_pm.so
%endif
%files utils
@ -324,27 +287,16 @@ ln -s %{_datadir}/openscap/scap-yast2sec-xccdf.xml %{buildroot}/%{_datadir}/ope
%{_bindir}/oscap-scan
%{_bindir}/oscap-ssh
%{_bindir}/oscap-chroot
# currently not shipped as it is still python2
#{_bindir}/scap-as-rpm
%config %{_sysconfdir}/bash_completion.d/*
%{_bindir}/scap-as-rpm
%{_sbindir}/rcoscap-scan
%{_datadir}/bash-completion/completions/*
%files content
%defattr(-,root,root,-)
%{_datadir}/openscap/scap*.xml
%files engine-sce
%defattr(-,root,root,-)
%dir %{_datadir}/openscap
%dir %{_datadir}/openscap/sectool-sce/
%{_datadir}/openscap/sectool-sce/*
%files -n libopenscap_sce%{sover}
%defattr(-,root,root,-)
%{_libdir}/libopenscap_sce.so.*
%files extra-probes
%defattr(-,root,root,-)
%{_libexecdir}/openscap/probe_ldap57
%{_libexecdir}/openscap/probe_gconf
%changelog

19
rpmverify_unittest.patch Normal file
View File

@ -0,0 +1,19 @@
diff --git a/tests/probes/rpmverify/test_not_equals_operation.xml b/tests/probes/rpmverify/test_not_equals_operation.xml
index abdfcc4c7..1855b981e 100644
--- a/tests/probes/rpmverify/test_not_equals_operation.xml
+++ b/tests/probes/rpmverify/test_not_equals_operation.xml
@@ -29,12 +29,12 @@
<objects>
<rpmverify_object id="oval:x:obj:1" version="1" comment="should return precisely one package" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<name operation="pattern match"/>
- <filepath>/</filepath>
+ <filepath>/etc</filepath>
</rpmverify_object>
<rpmverify_object id="oval:x:obj:2" version="1" comment="the path should match two packages but the result should only be one package" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<name operation="not equal" var_ref="oval:x:var:1"/>
- <filepath operation="pattern match">(^/$|^/etc/passwd$)</filepath>
+ <filepath operation="pattern match">(^/etc$|^/etc/os-release$)</filepath>
</rpmverify_object>
</objects>

52
rpmverifyfile_unittest.patch Normal file
View File

@ -0,0 +1,52 @@
diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh
index ee93a7058..0299ec6e0 100755
--- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh
+++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh
@@ -40,7 +40,7 @@ function test_probes_rpmverifyfile {
assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:release'
assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:arch'
assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath'
- assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/passwd"]'
+ assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/os-release"]'
sc='oval_results/results/system/oval_system_characteristics/'
sd=$sc'system_data/'
assert_exists 1 $sc'collected_objects/object'
diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml
index 049b82627..b36428582 100644
--- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml
+++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml
@@ -30,7 +30,7 @@
<lin-def:version operation="pattern match"/>
<lin-def:release operation="pattern match"/>
<lin-def:arch operation="pattern match"/>
- <lin-def:filepath>/etc/passwd</lin-def:filepath>
+ <lin-def:filepath>/etc/os-release</lin-def:filepath>
</lin-def:rpmverifyfile_object>
</objects>
diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh
index 642f209e9..f9486e314 100755
--- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh
+++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh
@@ -39,7 +39,7 @@ function test_probes_rpmverifyfile {
assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:release'
assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:arch'
assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath'
- assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/passwd"]'
+ assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/os-release"]'
sc='oval_results/results/system/oval_system_characteristics/'
sd=$sc'system_data/'
assert_exists 1 $sc'collected_objects/object'
diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml
index fe83a1e1c..c39282f51 100644
--- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml
+++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml
@@ -30,7 +30,7 @@
<lin-def:version operation="pattern match"/>
<lin-def:release operation="pattern match"/>
<lin-def:arch operation="pattern match"/>
- <lin-def:filepath>/etc/passwd</lin-def:filepath>
+ <lin-def:filepath>/etc/os-release</lin-def:filepath>
</lin-def:rpmverifyfile_object>
</objects>

29
sysctl_unittest.patch Normal file
View File

@ -0,0 +1,29 @@
diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh
index bb9859d71..6534e1142 100755
--- a/tests/probes/sysctl/test_sysctl_probe_all.sh
+++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
@@ -4,6 +4,12 @@
set -e -o pipefail
+# on some systems sysctl might live in sbin, which can cause problems for
+# non root users
+PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
+# non root users are not able to access some kernel params, so they get blacklisted
+SYSCTL_BLACKLIST='stable_secret\|vm.stat_refresh\|fs.protected_hardlinks\|fs.protected_symlinks\|kernel.cad_pid\|kernel.unprivileged_userns_apparmor_policy\|kernel.usermodehelper.bset\|kernel.usermodehelper.inheritable\|net.core.bpf_jit_harden\|net.core.bpf_jit_kallsyms\|net.ipv4.tcp_fastopen_key\|vm.mmap_rnd_bits\|vm.mmap_rnd_compat_bits'
+
function perform_test {
probecheck "sysctl" || return 255
@@ -24,9 +30,9 @@ $OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev
# sysctl has duplicities in output
# hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'"
# kernel parameters might use "/" and "." separators interchangeably - normalizing
-sysctl -aN --deprecated 2> /dev/null | tr "/" "." | sort -u > "$sysctlNames"
+sysctl -aN --deprecated 2> /dev/null | grep -v $SYSCTL_BLACKLIST | tr "/" "." | sort -u > "$sysctlNames"
-grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
+grep unix-sys:name "$result" | grep -v $SYSCTL_BLACKLIST | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
diff "$sysctlNames" "$ourNames"

23
test_probes_rpmverifypackage-disable-epoch-test.patch Normal file
View File

@ -0,0 +1,23 @@
diff --git a/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh b/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh
index f4179e063..475ebf0b3 100755
--- a/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh
+++ b/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh
@@ -11,6 +11,8 @@
. $builddir/tests/test_common.sh
+[ -f /etc/os-release ] && . /etc/os-release
+
set -e -o pipefail
set -x
@@ -79,7 +81,9 @@ function test_probes_rpmverifypackage_noepoch {
test_init
+if [[ $ID_LIKE != *"suse"* ]]; then
test_run "test_probes_rpmverifypackage_epoch" test_probes_rpmverifypackage_epoch
+fi
test_run "test_probes_rpmverifypackage_noepoch" test_probes_rpmverifypackage_noepoch
test_exit

30
xinetd_probe.patch Normal file
View File

@ -0,0 +1,30 @@
diff --git a/src/OVAL/probes/unix/xinetd_probe.c b/src/OVAL/probes/unix/xinetd_probe.c
index 965d8cd04..e911ecc29 100644
--- a/src/OVAL/probes/unix/xinetd_probe.c
+++ b/src/OVAL/probes/unix/xinetd_probe.c
@@ -1298,6 +1298,7 @@ int op_merge_u16(void *dst, void *src, int type)
int op_assign_str(void *var, char *val)
{
+ char *strend = NULL;
if (var == NULL) {
return -1;
}
@@ -1306,7 +1307,16 @@ int op_assign_str(void *var, char *val)
while(isspace(*val)) ++val;
if (*val != '\0') {
- *((char **)(var)) = strdup(val);
+ strend = strrchr(val, '\0');
+ /* strip trailing whitespaces */
+ do {
+ strend--;
+ } while(isspace(*strend));
+ if((strend-val) < 0) {
+ dE("Error stripping white space from string '%s'", val);
+ return (-1);
+ }
+ *((char **)(var)) = strndup(val, (strend-val+1));
return (0);
} else
return (-1);