rpm/openscap
SHA256
1
0
Fork 0
forked from pool/openscap
Code Pull Requests Activity

Accepting request 709892 from home:rfrohl:branches:security

Browse Source 
update openscap to version 1.3.1

OBS-URL: https://build.opensuse.org/request/show/709892
OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=232
This commit is contained in:
Robert Frohl 2019-06-14 12:32:39 +00:00 committed by Git OBS Bridge
parent 96f998b11f
commit f7b7f9df1b
9 changed files with 24 additions and 167 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
1.3.0.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:70bab797f956c5130dac862ccf79724ef795466ad59c4411ac8e2a7e0066493b
size 12327473

3
1.3.1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1c5caa1bc8f10c470cf03bf6818986185f51513b9775f6363260cb6e79038c2f
size 12333871

19
openscap.changes
View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Thu Jun 13 14:22:06 UTC 2019 - Robert Frohl <rfrohl@suse.com>
- openscap 1.3.1
- New features
- Support for SCAP 1.3 Source Datastreams (evaluating, XML schemas, validation)
- Introduced `oscap-podman` -- a tool for SCAP evaluation of Podman images and containers
- Tailoring files are included in ARF result files
- OVAL details are always shown in HTML report, users do not have to provide `--oval-results` on command line
- HTML report displays OVAL test details also for OVAL tests included from other OVAL definitions using `extend_definition`
- OVAL test IDs are shown in HTML report - Rule IDs are shown in HTML guide
- Added `block_size` in Linux `partition_state` defined in OVAL 5.11.2
- Added `oscap_wrapper` that can be used to comfortably execute custom compiled oscap tool
- Maintenance and bug fixes
for a complete list please see https://github.com/OpenSCAP/openscap/releases/tag/1.3.1
- removed patches accepted upstream:
rpmverifyfile_unittest.patch rpmverify_unittest.patch sysctl_unittest.patch
test_probes_rpmverifypackage-disable-epoch-test.patch xinetd_probe.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Mar 26 13:55:18 UTC 2019 - Robert Frohl <rfrohl@suse.com> Tue Mar 26 13:55:18 UTC 2019 - Robert Frohl <rfrohl@suse.com>

13
openscap.spec
View File

@ -25,7 +25,7 @@
%define with_bindings 0 %define with_bindings 0
Name: openscap Name: openscap
Version: 1.3.0 Version: 1.3.1
Release: 1.0 Release: 1.0
Source: https://github.com/OpenSCAP/openscap/archive/%{version}.tar.gz Source: https://github.com/OpenSCAP/openscap/archive/%{version}.tar.gz
Source1: openscap-rpmlintrc Source1: openscap-rpmlintrc
@ -37,11 +37,6 @@ Source4: scap-yast2sec-oval.xml
Source5: oscap-scan.service Source5: oscap-scan.service
Source6: oscap-scan.sh Source6: oscap-scan.sh
Patch0: openscap-new-suse.patch Patch0: openscap-new-suse.patch
Patch1: xinetd_probe.patch
Patch2: test_probes_rpmverifypackage-disable-epoch-test.patch
Patch3: sysctl_unittest.patch
Patch4: rpmverifyfile_unittest.patch
Patch5: rpmverify_unittest.patch
Url: http://www.open-scap.org/ Url: http://www.open-scap.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: asciidoc BuildRequires: asciidoc
@ -175,11 +170,6 @@ This package contains the Script Checking Engine Library (SCE) for OpenSCAP.
%prep %prep
%setup -q %setup -q
%patch0 -p1 %patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build %build
%if 0%{?with_bindings} %if 0%{?with_bindings}
@ -299,6 +289,7 @@ ln -s %{_datadir}/openscap/scap-yast2sec-xccdf.xml %{buildroot}/%{_datadir}/ope
%{_bindir}/oscap-ssh %{_bindir}/oscap-ssh
%{_bindir}/oscap-chroot %{_bindir}/oscap-chroot
%{_bindir}/scap-as-rpm %{_bindir}/scap-as-rpm
%{_bindir}/oscap-podman
%{_sbindir}/rcoscap-scan %{_sbindir}/rcoscap-scan
%{_datadir}/bash-completion/completions/* %{_datadir}/bash-completion/completions/*

19
rpmverify_unittest.patch
View File

@ -1,19 +0,0 @@
diff --git a/tests/probes/rpmverify/test_not_equals_operation.xml b/tests/probes/rpmverify/test_not_equals_operation.xml
index abdfcc4c7..1855b981e 100644
--- a/tests/probes/rpmverify/test_not_equals_operation.xml
+++ b/tests/probes/rpmverify/test_not_equals_operation.xml
@@ -29,12 +29,12 @@
<objects>
<rpmverify_object id="oval:x:obj:1" version="1" comment="should return precisely one package" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<name operation="pattern match"/>
- <filepath>/</filepath>
+ <filepath>/etc</filepath>
</rpmverify_object>
<rpmverify_object id="oval:x:obj:2" version="1" comment="the path should match two packages but the result should only be one package" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<name operation="not equal" var_ref="oval:x:var:1"/>
- <filepath operation="pattern match">(^/$|^/etc/passwd$)</filepath>
+ <filepath operation="pattern match">(^/etc$|^/etc/os-release$)</filepath>
</rpmverify_object>
</objects>

52
rpmverifyfile_unittest.patch
View File

@ -1,52 +0,0 @@
diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh
index ee93a7058..0299ec6e0 100755
--- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh
+++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.sh
@@ -40,7 +40,7 @@ function test_probes_rpmverifyfile {
assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:release'
assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:arch'
assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath'
- assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/passwd"]'
+ assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/os-release"]'
sc='oval_results/results/system/oval_system_characteristics/'
sd=$sc'system_data/'
assert_exists 1 $sc'collected_objects/object'
diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml
index 049b82627..b36428582 100644
--- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml
+++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile.xml
@@ -30,7 +30,7 @@
<lin-def:version operation="pattern match"/>
<lin-def:release operation="pattern match"/>
<lin-def:arch operation="pattern match"/>
- <lin-def:filepath>/etc/passwd</lin-def:filepath>
+ <lin-def:filepath>/etc/os-release</lin-def:filepath>
</lin-def:rpmverifyfile_object>
</objects>
diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh
index 642f209e9..f9486e314 100755
--- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh
+++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.sh
@@ -39,7 +39,7 @@ function test_probes_rpmverifyfile {
assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:release'
assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:arch'
assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath'
- assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/passwd"]'
+ assert_exists 1 'oval_results/oval_definitions/objects/lin-def:rpmverifyfile_object/lin-def:filepath[text()="/etc/os-release"]'
sc='oval_results/results/system/oval_system_characteristics/'
sd=$sc'system_data/'
assert_exists 1 $sc'collected_objects/object'
diff --git a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml
index fe83a1e1c..c39282f51 100644
--- a/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml
+++ b/tests/probes/rpmverifyfile/test_probes_rpmverifyfile_older.xml
@@ -30,7 +30,7 @@
<lin-def:version operation="pattern match"/>
<lin-def:release operation="pattern match"/>
<lin-def:arch operation="pattern match"/>
- <lin-def:filepath>/etc/passwd</lin-def:filepath>
+ <lin-def:filepath>/etc/os-release</lin-def:filepath>
</lin-def:rpmverifyfile_object>
</objects>

29
sysctl_unittest.patch
View File

@ -1,29 +0,0 @@
diff --git a/tests/probes/sysctl/test_sysctl_probe_all.sh b/tests/probes/sysctl/test_sysctl_probe_all.sh
index bb9859d71..6534e1142 100755
--- a/tests/probes/sysctl/test_sysctl_probe_all.sh
+++ b/tests/probes/sysctl/test_sysctl_probe_all.sh
@@ -4,6 +4,12 @@
set -e -o pipefail
+# on some systems sysctl might live in sbin, which can cause problems for
+# non root users
+PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
+# non root users are not able to access some kernel params, so they get blacklisted
+SYSCTL_BLACKLIST='stable_secret\|vm.stat_refresh\|fs.protected_hardlinks\|fs.protected_symlinks\|kernel.cad_pid\|kernel.unprivileged_userns_apparmor_policy\|kernel.usermodehelper.bset\|kernel.usermodehelper.inheritable\|net.core.bpf_jit_harden\|net.core.bpf_jit_kallsyms\|net.ipv4.tcp_fastopen_key\|vm.mmap_rnd_bits\|vm.mmap_rnd_compat_bits'
+
function perform_test {
probecheck "sysctl" || return 255
@@ -24,9 +30,9 @@ $OSCAP oval eval --results $result $srcdir/test_sysctl_probe_all.oval.xml > /dev
# sysctl has duplicities in output
# hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'"
# kernel parameters might use "/" and "." separators interchangeably - normalizing
-sysctl -aN --deprecated 2> /dev/null | tr "/" "." | sort -u > "$sysctlNames"
+sysctl -aN --deprecated 2> /dev/null | grep -v $SYSCTL_BLACKLIST | tr "/" "." | sort -u > "$sysctlNames"
-grep unix-sys:name "$result" | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
+grep unix-sys:name "$result" | grep -v $SYSCTL_BLACKLIST | sed -E 's;.*>(.*)<.*;\1;g' | sort > "$ourNames"
diff "$sysctlNames" "$ourNames"

23
test_probes_rpmverifypackage-disable-epoch-test.patch
View File

@ -1,23 +0,0 @@
diff --git a/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh b/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh
index f4179e063..475ebf0b3 100755
--- a/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh
+++ b/tests/probes/rpmverifypackage/test_probes_rpmverifypackage.sh
@@ -11,6 +11,8 @@
. $builddir/tests/test_common.sh
+[ -f /etc/os-release ] && . /etc/os-release
+
set -e -o pipefail
set -x
@@ -79,7 +81,9 @@ function test_probes_rpmverifypackage_noepoch {
test_init
+if [[ $ID_LIKE != *"suse"* ]]; then
test_run "test_probes_rpmverifypackage_epoch" test_probes_rpmverifypackage_epoch
+fi
test_run "test_probes_rpmverifypackage_noepoch" test_probes_rpmverifypackage_noepoch
test_exit

30
xinetd_probe.patch
View File

@ -1,30 +0,0 @@
diff --git a/src/OVAL/probes/unix/xinetd_probe.c b/src/OVAL/probes/unix/xinetd_probe.c
index 965d8cd04..e911ecc29 100644
--- a/src/OVAL/probes/unix/xinetd_probe.c
+++ b/src/OVAL/probes/unix/xinetd_probe.c
@@ -1298,6 +1298,7 @@ int op_merge_u16(void *dst, void *src, int type)
int op_assign_str(void *var, char *val)
{
+ char *strend = NULL;
if (var == NULL) {
return -1;
}
@@ -1306,7 +1307,16 @@ int op_assign_str(void *var, char *val)
while(isspace(*val)) ++val;
if (*val != '\0') {
- *((char **)(var)) = strdup(val);
+ strend = strrchr(val, '\0');
+ /* strip trailing whitespaces */
+ do {
+ strend--;
+ } while(isspace(*strend));
+ if((strend-val) < 0) {
+ dE("Error stripping white space from string '%s'", val);
+ return (-1);
+ }
+ *((char **)(var)) = strndup(val, (strend-val+1));
return (0);
} else
return (-1);