- openscap 1.3.3. Notable improvements in this release:
- a Python script that can be used for CLI tailoring (autotailor) (thank you, Matěj Týč);
- timezone for XCCDF TestResult start and end time (thank you, Jan Černý);
- new yamlfilecontent independent probe (draft implementation),
see the proposal https://github.com/OVAL-Community/OVAL/issues/91
for additional information.
There are other changes as well, here is the list:
- Introduced `urn:xccdf:fix:script:kubernetes` fix type in XCCDF;
- Added ability to generate `machineconfig` fix;
- Detect ambiguous scan target (utils/oscap-podman);
- Fixed#170: The rpmverifyfile probe can't verify files from '/bin' directory;
- The data system_info probe return for offline and online modes is consistent and actual;
- Prevent crashes when complicated regexes are executed in textfilecontent58 probe;
- Fixed#1512: Severity refinement lost in generated guide;
- Fixed#1453: Pointer lost in Swig API;
- Evaluation Characteristics of the XCCDF report are now consistent with OVAL entities;
from system_info probe;
- Fixed filepath pattern matching in offline mode in textfilecontent58 probe;
- Fixed infinite recursion in systemdunitdependency probe;
- Fixed the case when CMake couldn't find libacl or xattr.h.
- dropped 0001-Do-not-use-C-keyword-operator-as-a-function-paramete.patch: upstream
OBS-URL: https://build.opensuse.org/request/show/799976
OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=248
- the test suite and build scripts were improved to support Debian 10
- offline mode has received some love with a set of dedicated tests and various fixes in OVAL probes;
- the oscap-docker wrapper is no longer dependent on Atomic
- Python binding are now more robust
- HTML reports and guides, generated by the scanner, are now more accessible for non-visual rendering agents
- Support of multi-check rules has been improved across the whole workflow
There are other changes as well, here is the list:
* New features
- Offline mode support for environmentvariable58 probe
- The oscap-docker wrapper is available without Atomic
+ Maintenance, bug fixes
- Improved support of multi-check rules (report, remediations, console output)
- Improved HTML report look and feel, including printed version
- Less clutter in verbose mode output; some warnings and errors demoted to verbose mode levels
- Probe rpmverifyfile uses and returns canonical paths
- Improved a11y of HTML reports and guides
- Fixes and improvements for SWIG Python bindings
- #1403 fixed: Scanner would not apply remediation for multicheck rules (verbosity)
- Fixed URL link mechanism for Red Hat Errata
- New STIG Viewer URI: public.cyber.mil
- Probe selinuxsecuritycontext would not check if SELinux is enabled
- Scanner would provide information about unsupported OVAL objects
- Added more tests for offline mode (probes, remediation)
- #528 fixed: Eval SCE script when /tmp is in mode noexec
- #1173, RHBZ#1603347 fixed: Double chdir/chroot in probe rpmverifypackage
OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=242
- HTML Guide user experience improvements
- New options in HTML report "Group By" menu
- oscap-ssh supports --oval-results (issue #863)
- Maintenance
- Support comparing state record elements with item
- Updated Bash completion
- Make Bash role headers consistent with --help output
- Fixed problems reported by Coverity (issue #909)
- Fixed CVE schema to support 4 to 7 digits CVEs
- Fix output of generated bash role missing fix message
- Fix oscap-docker to clean up temporary image (RHBZ #1454637)
- Fix Ansible remediations generation
- Add a newline between ids in xccdf info (issue #968)
- Fix unknown subtype handling in oval_subtype_parse (issue #986)
- Outsourced the pthreads feature check and setup
- Speed up in debug mode
- Refactored the Python handling in build scripts
- Prevent reading from host in offline mode (issue #1001)
- Many probes use OWN offline mode
- Improve offline mode logic in OVAL probes
- Do not use chroot in system_info probe
- Prevent a segfault in oscap_seterr on Solaris
- Out of tree build is possible
- Use chroot for RPM probes in offline mode
- PEP8 accepts lines up to 99 characters
- New configure parameter --with-oscap-temp-dir (issue #1016)
- Fixed OVAL record elements namespace and SEXP conversion
- Removed '\r' characters from help output (issue #1023)
- Full Python 3 compatibility
OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=215
- New features
- HTML Guide user experience improvements
- New options in HTML report "Group By" menu
- oscap-ssh supports --oval-results (issue #863)
- Maintenance
- Support comparing state record elements with item
- Updated Bash completion
- Make Bash role headers consistent with --help output
- Fixed problems reported by Coverity (issue #909)
- Fixed CVE schema to support 4 to 7 digits CVEs
- Fix output of generated bash role missing fix message
- Fix oscap-docker to clean up temporary image (RHBZ #1454637)
- Fix Ansible remediations generation
- Add a newline between ids in xccdf info (issue #968)
- Fix unknown subtype handling in oval_subtype_parse (issue #986)
- Outsourced the pthreads feature check and setup
- Speed up in debug mode
- Refactored the Python handling in build scripts
- Prevent reading from host in offline mode (issue #1001)
- Many probes use OWN offline mode
- Improve offline mode logic in OVAL probes
- Do not use chroot in system_info probe
- Prevent a segfault in oscap_seterr on Solaris
- Out of tree build is possible
- Use chroot for RPM probes in offline mode
- PEP8 accepts lines up to 99 characters
- New configure parameter --with-oscap-temp-dir (issue #1016)
- Fixed OVAL record elements namespace and SEXP conversion
- Removed '\r' characters from help output (issue #1023)
OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=212
- New features
- oscap can generate output that is compatible with STIG Viewer.
- CVRF parsing and export has been implemented.
- oscap info command has been expanded.
- The AIX platform is supported.
- Many documentation improvements.
- Numerous other improvements of existing features.
- Maintenance
- Huge cross-platform improvements.
- Memory leaks fixed (RHBZ#1485876).
- SELinux fixes.
- Many coverity fixes.
- Numerous other bugfixes.
OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=185
- New features
- short profile names can be used instead of long IDs
- new option --rule allows to evaluate only a single rule
- new option --fix-type in "oscap xccdf generate fix" allows choosing
remediation script type without typing long URL
- "oscap info" shows profile titles
- OVAL details in HTML report are easier to read
- HTML report is smaller because unselected rules are removed
- HTML report supports NIST 800-171 and CJIS
- remediation scripts contain headers with useful information
- remediation scripts report progress when they run
- basic support for Oracle Linux (CPEs, runlevels)
- remediation scripts can be generated from datastreams that contain
multiple XCCDF benchmarks (issue #772)
- basic support for OVAL 5.11.2 (only schemas, no features)
- enabled offline RPM database in rpminfo probe (issue #778)
- added Fedora 28 CPE
- Maintenance
- fixed oscap-docker with Docker >= 2.0 (issue #794)
- fixed behavior of sysctl probe to be consistent with sysctl tool
- fixed generating remediation scripts (issue #723, #773)
- severity of tailored rules is not discarded (issue #739)
- fixed errors in RPM probes initialization
- oscap-docker shows all warnings reported by oscap (issue #713)
- small improvements in verbose mode
- standard C operations are used instead of custom OpenSCAP operations
- fixed compiler warnings
- fixed missing header files
- fixed resource leaks (issue #715)
OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=183
- Maintenance
- we always build system_info OVAL probe, fixed configure output accordingly
- warn when the user requests to generate an ARF from XCCDF 1.1
- fixed a segfault when loading an OVAL file with invalid family attribute
- added --thin-results CLI override to oscap xccdf eval
- added --without-syschar CLI override to oscap xccdf eval
- fixed a segfault when freeing xccdf_policy of the default profile
- removed ARF schematron workaround when there are no applicable checks
- fixed verbose output in oscap xccdf generate fix
- do not filter fix by applicability when generating remediations from results
- fixed memory leaks, resource leaks and other minor issues
OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=169
