Woo Hoo! 2 for 1!
I didn't dig into why oscap-anaconda-addon is not showing anything on SL Security Profiles, so you might need to do a bit more digging there. (Our patched version, which depends on your patch, shows everything I expected from the start.)
That may require more release-level jiggering than you want to do, at this time, but that's for you to figure out how to handle...
Sorry I didn't catch these in testing when I should have, but we were preoccupied with other things and couldn't get to 7.7 in time.
On 9/17/19, 8:58 AM, "[log in to unmask] on behalf of Pat Riehecky" <[log in to unmask] on behalf of [log in to unmask]> wrote:
We talked about putting scap-security-guide into security; I'll drop it
there instead of fastbugs.
Pat
On 9/17/19 8:29 AM, Pat Riehecky wrote:
> Thanks Dave!
>
> I'll see about getting this patched and staged for fastbugs.
>
> Pat
>
> On 9/16/19 5:25 PM, Kraus, Dave (GE Healthcare) wrote:
>> So, after I stopped beating my head against the code and switched
>> directions, I found the commit commentary for enable_derivatives.py
>> in the upstream scap-security-guide package. Looking at that and the
>> patches that were made between 0.1.40 and 0.1.43 to that file and the
>> dependent library build_derivatives.py, it became clear that there
>> was effort made to remove profiles and other content "that CentOS and
>> derivatives don't need or shouldn't do..." That may make for some
>> discussion about non-CentOS needs or desires in the upstream,
>> unfortunately...
>>
>> Given the upstream commits, I came up with the following patch (also
>> attached) which seems to effectively disable the filtering and
>> restore the previous profiles to our lists. I don't think the
>> remaining additions from the commits are doing anything to impair the
>> functionality of what remains of the ds and oval files, but I don't
>> have a good regression test to run. My test runs with remediation
>> that I did today seem to indicate that things fundamentally work.
>> YMMV...
>>
>> ------------------- Cut Here -----------------------
>> diff -Naur
>> scap-security-guide-0.1.43-orig/build-scripts/enable_derivatives.py
>> scap-security-guide-0.1.43-new/build-scripts/enable_derivatives.py
>> ---
>> scap-security-guide-0.1.43-orig/build-scripts/enable_derivatives.py
>> 2019-02-18 08:15:54.000000000 -0500
>> +++
>> scap-security-guide-0.1.43-new/build-scripts/enable_derivatives.py
>> 2019-09-16 17:01:53.777616290 -0400
>> @@ -95,7 +95,6 @@
>> raise RuntimeError("No Benchmark found!")
>> for namespace, benchmark in benchmarks:
>> - ssg.build_derivatives.profile_handling(benchmark, namespace)
>> if not ssg.build_derivatives.add_cpes(benchmark, namespace,
>> mapping):
>> raise RuntimeError(
>> "Could not add derivative OS CPEs to Benchmark '%s'."
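Review bot: deleting the `ssg.build_derivatives.profile_handling(benchmark, namespace)` call outright disables the derivative profile filtering for every derivative this script builds, not only Scientific Linux, so a CentOS datastream produced from the same patched package would also keep the profiles upstream deliberately dropped. If the intent is SL-specific, gate the call on the derivative being built rather than removing it, e.g. keep `ssg.build_derivatives.profile_handling(benchmark, namespace)` under a condition on the target name; that also avoids leaving `profile_handling` as dead code in `ssg/build_derivatives.py`. Either way, the reason for restoring the profiles belongs in the package changelog so the next rebase against upstream does not silently reintroduce the filter.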
>> diff -Naur scap-security-guide-0.1.43-orig/ssg/build_derivatives.py
>> scap-security-guide-0.1.43-new/ssg/build_derivatives.py
>> --- scap-security-guide-0.1.43-orig/ssg/build_derivatives.py
>> 2019-02-18 08:15:54.000000000 -0500
>> +++ scap-security-guide-0.1.43-new/ssg/build_derivatives.py
>> 2019-09-16 17:02:22.770616290 -0400
>> @@ -97,8 +97,6 @@
>> rule.remove(ref)
>> for fix in rule.findall(".//{%s}fix" % (namespace)):
>> - if "fips" in fix.get("id"):
>> - rule.remove(fix)
>> sub_elems = fix.findall(".//{%s}sub" % (namespace))
>> for sub_elem in sub_elems:
>> sub_elem.tail = re.sub(r"[\s]+- CCE-.*", "",
>> sub_elem.tail)
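Review bot: removing the `if "fips" in fix.get("id"): rule.remove(fix)` check restores the FIPS remediations, but the two transformations around it in the same loop are left in place: the `rule.remove(ref)` just above still strips references, and `sub_elem.tail = re.sub(r"[\s]+- CCE-.*", "", sub_elem.tail)` just below still deletes the CCE identifiers from the remediation text. The result is a datastream whose FIPS fixes are present but whose CCE traceability is still removed, which is an inconsistent half-way point; decide whether the CCE stripping should be disabled together with the fix removal, and record the choice in the changelog. A quick regression check after the build is to confirm that `oscap info` on the resulting datastream lists the expected profiles and that `xccdf_*fips*` fix elements are present in it.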
>> ------------------- Cut Here -----------------------
>>
>>
>> On 9/13/19, 2:23 PM, "Pat Riehecky" <[log in to unmask]> wrote:
>>
>> I'm in a similar boat. I fear I've not spent much time looking
>> at the
>> SCAP stuff since 7.2....
>> Pat
>> On 9/13/19 2:14 PM, Kraus, Dave (GE Healthcare) wrote:
>> > Ok. I had a feeling that was the case.
>> >
>> > Anything in particular you'd like me to dig deeper into? Some
>> bits of the enable_derivatives.py seem to be where I'd suspect
>> breakage, but I haven't figured a way to tap into them easily...
>> >
>>
>
--
Pat Riehecky
Fermi National Accelerator Laboratory
http://www.fnal.gov
http://www.scientificlinux.org