Accepting request 107462 from home:mcalmer:branches:security

- Update to 0.8.1
- introduce Script Check Engine
- Added an OVAL Directives schema to allow for a tool
  to supply a set of directives to more easily specify
  desired results content.
- Enhanced OVAL Results directives to allow for more flexibility
  in allowed results content
- added new OVAL objects(all OVAL 5.8 objects are covered now)
- update dpkgprobe
- all issues reported by coverity are fixed
- add capability to export OVAL Variables from XCCDF
- added cvss score calculator from vector

OBS-URL: https://build.opensuse.org/request/show/107462
OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=21

assume.patch

@@ -1,26 +0,0 @@
-Index: openscap-0.7.2/src/OVAL/oval_agent.c
-===================================================================
---- openscap-0.7.2.orig/src/OVAL/oval_agent.c
-+++ openscap-0.7.2/src/OVAL/oval_agent.c
-@@ -33,7 +33,7 @@
- 
- #include <string.h>
- #include <time.h>
--#include <assume.h>
-+#include "common/assume.h"
- 
- #include "oval_definitions_impl.h"
- #include "oval_agent_api_impl.h"
-Index: openscap-0.7.2/src/OVAL/oval_stringMap.c
-===================================================================
---- openscap-0.7.2.orig/src/OVAL/oval_stringMap.c
-+++ openscap-0.7.2/src/OVAL/oval_stringMap.c
-@@ -192,7 +192,7 @@ void oval_string_map_free_string(struct
- }
- #else
- # include <rbt/rbt.h>
--# include <assume.h>
-+# include <common/assume.h>
- 
- struct oval_string_map *oval_string_map_new(void)
- {

openscap-0.7.2.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:674b1c700e87f77caf754f2cf8a7cd4d4e5351fc977e79404f6aaa604d4ac36b
-size 2921266

openscap-0.8.1.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c2232d3a925c92a29cd3acd7799a769bcba704b1fd42358f2717ab848c3d8a6d
+size 3156094

openscap.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Feb 28 17:52:44 CET 2012 - mc@suse.de
+
+- Update to 0.8.1
+- introduce Script Check Engine
+- Added an OVAL Directives schema to allow for a tool
+  to supply a set of directives to more easily specify
+  desired results content.
+- Enhanced OVAL Results directives to allow for more flexibility
+  in allowed results content
+- added new OVAL objects(all OVAL 5.8 objects are covered now)
+- update dpkgprobe
+- all issues reported by coverity are fixed
+- add capability to export OVAL Variables from XCCDF
+- added cvss score calculator from vector
+
 -------------------------------------------------------------------
 Fri Apr 29 15:56:23 CEST 2011 - meissner@suse.de
 

openscap.spec

@@ -17,15 +17,17 @@
 
 # norootforbuild
 
-%define soname 0
+%define soname 1
+%define with_bindings 0
 
 Name:           openscap
-Version:        0.7.2
+Version:        0.8.1
 Release:        1.0
 License:        GNU GPL v3 or later
 Group:          Development/Tools/Other
 Source:         http://www.open-scap.org/download/%name-%version.tar.bz2
-Patch0:         assume.patch
+Source1:        oscap-scan.init
+Source2:        sysconfig.oscap-scan
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  libcurl-devel libgcrypt-devel libnl-devel libxml2-devel
 # Use package name cause of "have choice for perl(XML::Parser): brp-check-suse perl-XML-Parser"
@@ -52,75 +54,183 @@ Summary:        OpenSCAP C Library
 The OpenSCAP C Library for easy integration with SCAP.
 
 
-%package -n libopenscap-devel
+%package devel
 Group:          Development/Libraries/C and C++
 Requires:       libopenscap%{soname} = %{version}
+Requires:       %{name} = %{version}-%{release}
 Summary:        Development Files for OpenSCAP
 
-%description -n libopenscap-devel
+%description devel
 This package contains the development files (mainly C header files) for the 
 OpenSCAP C library.
 
-
+%if 0%{?with_bindings}
 %package -n python-openscap
 Group:          Development/Libraries/Python
 %py_requires
+Requires:       %{name} = %{version}-%{release}
+Provides:       openscap-python = %{version}-%{release}
 Summary:        OpenSCAP Python Library
 
 %description -n python-openscap
 The OpenSCAP Python Library for easy integration with SCAP.
 
-
 %package -n perl-openscap
 Group:          Development/Libraries/Perl
 Requires:       perl = %{perl_version}
+Requires:       %{name} = %{version}-%{release}
+Provides:       openscap-perl = %{version}-%{release}
 Summary:        OpenSCAP Perl Library
 
 %description -n perl-openscap
 The OpenSCAP Perl Library for easy integration with SCAP.
+%endif
 
+%package        utils
+Summary:        Openscap utilities
+Group:          Applications/System
+Requires:       %{name} = %{version}-%{release}
+PreReq:         %insserv_prereq %fillup_prereq
+
+%description    utils
+The %{name}-utils package contains various utilities based on %{name} library.
+
+
+%package        content
+Summary:        SCAP content
+Group:          Applications/System
+Requires:       %{name} = %{version}-%{release}
+
+%description    content
+SCAP content for Fedora delivered by Open-SCAP project.
+
+
+%package        extra-probes
+Summary:        SCAP probes
+Group:          Applications/System
+Requires:       %{name} = %{version}-%{release}
+BuildRequires:  openldap2-devel
+#BuildRequires:  opendbx - for sql
+
+%description    extra-probes
+The %{name}-extra-probes package contains additional probes that are not
+commonly used and require additional dependencies.
+
+%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
 
 %prep
 %setup -q
-%patch0 -p1
 
 %build
+
+%if 0%{?with_bindings}
 %configure --disable-silent-rules
+%else
+%configure --disable-silent-rules --disable-bindings
+%endif
 %__make %{?_smp_mflags}
 
 %check
-%__make check %{?_smp_mflags}
+# #%__make check %{?_smp_mflags} ||:
 
 %install
 %__make install DESTDIR=%{buildroot}
 find %{buildroot} -name "*.la" -delete
 
+mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
+install -d -m 755 $RPM_BUILD_ROOT%{_initrddir}
+install -p -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initrddir}/oscap-scan
+install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates
+
+# create symlinks to default content
+ln -s  %{_datadir}/openscap/scap-fedora14-oval.xml $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-oval.xml
+ln -s  %{_datadir}/openscap/scap-fedora14-xccdf.xml $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-xccdf.xml
+
 %post -n libopenscap%{soname} -p /sbin/ldconfig
 
 %postun -n libopenscap%{soname} -p /sbin/ldconfig
 
+%post utils
+%{fillup_and_insserv -n oscap-scan}
+
+%postun utils
+%{insserv_cleanup}
+
 %clean
 %__rm -rf %{buildroot}
 
 %files
 %defattr(-, root, root)
-%{_datadir}/openscap
+%doc AUTHORS COPYING ChangeLog NEWS README
+%dir %{_libexecdir}/openscap
+%{_libexecdir}/openscap/probe_dnscache
+%{_libexecdir}/openscap/probe_environmentvariable
+%{_libexecdir}/openscap/probe_environmentvariable58
+%{_libexecdir}/openscap/probe_family
+%{_libexecdir}/openscap/probe_file
+%{_libexecdir}/openscap/probe_filehash
+%{_libexecdir}/openscap/probe_filehash58
+%{_libexecdir}/openscap/probe_inetlisteningservers
+%{_libexecdir}/openscap/probe_interface
+%{_libexecdir}/openscap/probe_partition
+%{_libexecdir}/openscap/probe_password
+%{_libexecdir}/openscap/probe_process
+%{_libexecdir}/openscap/probe_rpminfo
+%{_libexecdir}/openscap/probe_runlevel
+%{_libexecdir}/openscap/probe_shadow
+%{_libexecdir}/openscap/probe_sysctl
+%{_libexecdir}/openscap/probe_system_info
+%{_libexecdir}/openscap/probe_textfilecontent
+%{_libexecdir}/openscap/probe_textfilecontent54
+%{_libexecdir}/openscap/probe_uname
+%{_libexecdir}/openscap/probe_variable
+%{_libexecdir}/openscap/probe_xinetd
+%{_libexecdir}/openscap/probe_xmlfilecontent
+%{_libexecdir}/openscap/probe_iflisteners
+%{_libexecdir}/openscap/probe_routingtable
+%{_libexecdir}/openscap/probe_rpmverify
+%dir %{_datadir}/openscap
+%dir %{_datadir}/openscap/schemas
+%dir %{_datadir}/openscap/xsl
+%{_datadir}/openscap/schemas/*
+%{_datadir}/openscap/xsl/*
 
 %files -n libopenscap%{soname}
 %defattr(-, root, root)
 %{_libdir}/libopenscap.so.%{soname}*
 
-%files -n libopenscap-devel
+%files devel
 %defattr(-, root, root)
-%{_includedir}/openscap
-%{_libdir}/libopenscap.so
+%doc docs/{html,examples}/
+%{_includedir}/*
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
 
+%if 0%{?with_bindings}
 %files -n python-openscap
 %defattr(-, root, root)
-%{python_sitearch}/_openscap_py.so
-%{python_sitearch}/openscap.*
+%{python_sitearch}/*
 
 %files -n perl-openscap
 %defattr(-, root, root)
 %{perl_vendorlib}/openscap.pm
 %{perl_vendorarch}/_openscap_pm.so
+%endif
+
+%files utils
+%defattr(-,root,root,-)
+/var/adm/fillup-templates/sysconfig.oscap-scan
+%doc docs/oscap-scan.cron
+%{_initrddir}/oscap-scan
+%{_mandir}/man8/*
+%{_bindir}/*
+%config %{_sysconfdir}/bash_completion.d/*
+
+%files content
+%defattr(-,root,root,-)
+%{_datadir}/openscap/scap*.xml
+
+%files extra-probes
+%defattr(-,root,root,-)
+%{_libexecdir}/openscap/probe_ldap57
+

oscap-scan.init

@@ -0,0 +1,106 @@
+#!/bin/sh
+#
+# oscap-scan:		OpenSCAP security scanner
+#
+# chkconfig: - 96 99
+# description:  This service runs OpenSCAP security scanner to check the \
+#		system settings. The program does not stay resident, \
+#		but rather runs once. The results of security audit are 
+#		stored in /var/log/oscap-scan.xml.log
+#
+# processname: /usr/bin/oscap
+# config: /etc/sysconfig/oscap-scan
+#
+# Return values according to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+### BEGIN INIT INFO
+# Provides: oscap-scan
+# Required-Start: $syslog $local_fs $network $remote_fs
+# Required-Stop: $syslog $local_fs $network $remote_fs
+# Should-Start:
+# Should-Stop:
+# Default-Start:  3 5
+# Default-Stop: 0 1 6
+# Short-Description: OpenSCAP security scanner
+# Description:       This service runs OpenSCAP security scanner to check the
+#	system settings. The program does not stay resident,
+#	but rather runs once. The results of security audit are
+#	stored in /var/log/oscap-scan.xml.log
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+prog="oscap"
+
+# Source function library.
+. /etc/rc.status
+
+# Allow anyone to run status
+if [ "$1" = "status" ] ; then
+	exit 3
+fi
+
+# Check that we are root ... so non-root users stop here
+test $EUID = 0  ||  exit 4
+
+# Check config
+test -f /etc/sysconfig/oscap-scan && . /etc/sysconfig/oscap-scan
+
+RETVAL=0
+
+start() {
+	test -x /usr/bin/oscap  || exit 5
+	# Now check that the sysconfig is found and has important things
+	# configured
+	test -f /etc/sysconfig/oscap-scan || exit 6
+	test x"$OPTIONS" != "x" || exit 6
+	echo  -n $"Starting $prog: "
+	$prog $OPTIONS
+	rc_status -v
+	ERR=$?
+	if [ $ERR -eq 0 ] ; then
+		sleep 1
+		logger "OpenSCAP security scan: PASS"
+	elif [ $ERR -eq 1 ] ; then
+		sleep 1
+		logger "OpenSCAP security scan: ERROR. Run oscap scan from command line."
+	else
+		sleep 1
+		logger "OpenSCAP security scan: FAILED. See results in /var/log/oscap-scan.xml.log"
+	fi
+}
+
+
+# See how we were called.
+case "$1" in
+    start)
+	start
+	;;
+    restart)
+	start
+	;;
+    stop)
+	RETVAL=0;
+	;;
+    condrestart)
+	RETVAL=0;
+	;;
+    try-restart)
+	RETVAL=0;
+	;;
+    reload)
+	RETVAL=0;
+	;;
+    *)
+	echo $"Usage: $0 {start}"
+	RETVAL=2
+	;;
+esac
+exit $RETVAL
+

sysconfig.oscap-scan

@@ -0,0 +1,11 @@
+## Path:                System/Security
+## Description:         oscap-scan command line options
+
+## Type:                string
+## Default:             ""
+## ServiceRestart:      oscap-scan
+#
+# oscap-scan command line options
+# Example: OPTIONS="-q xccdf eval --profile F14-Desktop --report /var/log/oscap-scan-log.html --results /var/log/oscap-scan-log.xml /usr/share/openscap/scap-xccdf.xml"
+#
+OPTIONS=""