SCIENTIFIC-LINUX-DEVEL Archives

September 2019

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From: "Kraus, Dave (GE Healthcare)" <[log in to unmask]>
Reply To: Kraus, Dave (GE Healthcare)
Date: Tue, 17 Sep 2019 15:28:21 +0000
Content-Type: text/plain
Parts/Attachments: text/plain (103 lines)
Woo Hoo! 2 for 1!

I didn't dig into why oscap-anaconda-addon is not showing anything on SL Security Profiles, so you might need to do a bit more digging there. (Our patched version, which depends on your patch, shows everything I expected from the start.)

That may require more release-level jiggering than you want to do, at this time, but that's for you to figure out how to handle...

Sorry I didn't catch these in testing when I should have, but we were preoccupied with other things and couldn't get to 7.7 in time.

On 9/17/19, 8:58 AM, "[log in to unmask] on behalf of Pat Riehecky" <[log in to unmask] on behalf of [log in to unmask]> wrote:

    We talked about putting scap-security-guide into security, I'll drop it there instead of fastbugs.

    Pat

    On 9/17/19 8:29 AM, Pat Riehecky wrote:
    > Thanks Dave!
    >
    > I'll see about getting this patched and staged for fastbugs.
    >
    > Pat
    >
    > On 9/16/19 5:25 PM, Kraus, Dave (GE Healthcare) wrote:
    >> So, after I stopped beating my head against the code and switched directions, I found the commit commentary for enable_derivatives.py in the upstream scap-security-guide package. Looking at that and the patches that were made between 0.1.40 and 0.1.43 to that file and the dependent library build_derivatives.py, it became clear that there was effort made to remove profiles and other content "that CentOS and derivatives don't need or shouldn't do..." That may make for some discussion about non-CentOS needs or desires in the upstream, unfortunately...
    >>
    >> Given the upstream commits, I came up with the following patch (also attached) which seems to effectively disable the filtering and restore the previous profiles to our lists. I don't think the remaining additions from the commits are doing anything to impair the functionality of what remains of the ds and oval files, but I don't have a good regression test to run. My test runs with remediation that I did today seem to indicate that things fundamentally work. YMMV...
    >>
    >> ------------------- Cut Here -----------------------

    >> diff -Naur 

    >> scap-security-guide-0.1.43-orig/build-scripts/enable_derivatives.py 

    >> scap-security-guide-0.1.43-new/build-scripts/enable_derivatives.py

    >> --- 

    >> scap-security-guide-0.1.43-orig/build-scripts/enable_derivatives.py 

    >> 2019-02-18 08:15:54.000000000 -0500

    >> +++ 

    >> scap-security-guide-0.1.43-new/build-scripts/enable_derivatives.py 

    >> 2019-09-16 17:01:53.777616290 -0400

    >> @@ -95,7 +95,6 @@

    >>           raise RuntimeError("No Benchmark found!")

    >>         for namespace, benchmark in benchmarks:

    >> -        ssg.build_derivatives.profile_handling(benchmark, namespace)

    >>           if not ssg.build_derivatives.add_cpes(benchmark, namespace, 

    >> mapping):

    >>               raise RuntimeError(

    >>                   "Could not add derivative OS CPEs to Benchmark '%s'."
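Review bot: Removing the `ssg.build_derivatives.profile_handling(benchmark, namespace)` call drops the whole profile-pruning step rather than narrowing it, so every upstream profile now lands in the SL datastream; that is what the thread wants, but record it in the package changelog and keep the hunk this minimal so it survives the next rebase (a build-time switch would keep the CentOS behaviour reachable). Also confirm that the following `add_cpes(benchmark, namespace, mapping)` call, which now runs on the unfiltered benchmark, does not rely on anything `profile_handling` did to the profile elements. The inline copy of the patch is line-wrapped by the mail client (`mapping):` sits on its own line), so apply the attached file rather than this text.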

    >> diff -Naur scap-security-guide-0.1.43-orig/ssg/build_derivatives.py 

    >> scap-security-guide-0.1.43-new/ssg/build_derivatives.py

    >> --- scap-security-guide-0.1.43-orig/ssg/build_derivatives.py 

    >> 2019-02-18 08:15:54.000000000 -0500

    >> +++ scap-security-guide-0.1.43-new/ssg/build_derivatives.py 

    >> 2019-09-16 17:02:22.770616290 -0400

    >> @@ -97,8 +97,6 @@

    >>                       rule.remove(ref)

    >>             for fix in rule.findall(".//{%s}fix" % (namespace)):

    >> -            if "fips" in fix.get("id"):

    >> -                rule.remove(fix)

    >>               sub_elems = fix.findall(".//{%s}sub" % (namespace))

    >>               for sub_elem in sub_elems:

    >>                   sub_elem.tail = re.sub(r"[\s]+- CCE-.*", "", 

    >> sub_elem.tail)
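Review bot: Deleting the `if "fips" in fix.get("id"):` / `rule.remove(fix)` pair restores the FIPS remediations and also removes a latent crash: `fix.get("id")` returns None for a `<fix>` with no id attribute, and `"fips" in None` raises TypeError. If the filter is ever reinstated, write it as `if "fips" in (fix.get("id") or ""):`. The retained context has the same pattern: `re.sub(r"[\s]+- CCE-.*", "", sub_elem.tail)` raises TypeError when `sub_elem.tail` is None, so guard it with `sub_elem.tail or ""`. The `sub_elem.tail)` fragment on its own line is mail wrapping, not part of the change.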

    >> ------------------- Cut Here -----------------------

    >>
    >>
    >> On 9/13/19, 2:23 PM, "Pat Riehecky" <[log in to unmask]> wrote:
    >>
    >>      I'm in a similar boat.  I fear I've not spent much time looking at the SCAP stuff since 7.2....
    >>
    >>      Pat
    >>
    >>      On 9/13/19 2:14 PM, Kraus, Dave (GE Healthcare) wrote:
    >>      > Ok. I had a feeling that was the case.
    >>      >
    >>      > Anything in particular you'd like me to dig deeper into? Some bits of the enable_derivatives.py seem to be where I'd suspect breakage, but I haven't figured a way to tap into them easily...
    >>      >
    >>
    >

    -- 
    Pat Riehecky

    Fermi National Accelerator Laboratory
    http://www.fnal.gov
    http://www.scientificlinux.org
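The thread notes there is no good regression test for the patched build. The following is an added example, not code from the thread or from the scap-security-guide project: it lists the XCCDF profiles and the "fips" fixes that the derivative filtering would remove, so an unpatched and a patched benchmark (or datastream) can be diffed. The XCCDF namespaces handled are an assumption and the sample benchmark is constructed.

```python
"""Regression check for the profile and 'fips' fix filtering in scap-security-guide's
build_derivatives.py. Added example, not code from the thread or the package; the
XCCDF namespaces handled are an assumption and the sample XML is constructed."""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = ("http://checklists.nist.gov/xccdf/1.2", "http://checklists.nist.gov/xccdf/1.1")

def benchmark_of(xml_text):
    """Return (namespace, <Benchmark>) whether standalone or embedded in a datastream."""
    root = ET.fromstring(xml_text)
    for ns in XCCDF_NS:
        tag = "{%s}Benchmark" % ns
        bench = root if root.tag == tag else root.find(".//" + tag)
        if bench is not None:
            return ns, bench
    raise RuntimeError("No Benchmark found!")  # same error the build script raises

def profile_ids(xml_text):
    """Ids of every top-level Profile, in document order."""
    ns, bench = benchmark_of(xml_text)
    return [p.get("id") for p in bench.findall("{%s}Profile" % ns)]

def fips_fix_ids(xml_text):
    """Ids of <fix> elements the removed 'fips' check would have deleted."""
    ns, bench = benchmark_of(xml_text)
    # 'or ""' guards fixes with no id attribute; the original check raises TypeError there.
    return [f.get("id") for f in bench.iter("{%s}fix" % ns) if "fips" in (f.get("id") or "")]

def regression_report(orig_xml, new_xml):
    """Profiles and fips fixes present in orig_xml but missing from new_xml."""
    return {
        "missing_profiles": sorted(set(profile_ids(orig_xml)) - set(profile_ids(new_xml))),
        "missing_fips_fixes": sorted(set(fips_fix_ids(orig_xml)) - set(fips_fix_ids(new_xml))),
    }

# Constructed sample: an upstream-style benchmark, and the same one after derivative filtering.
HIPAA = '<Profile id="xccdf_org.ssgproject.content_profile_hipaa"><title>HIPAA</title></Profile>'
FIPS_FIX = '<fix id="enable_fips_mode" system="urn:xccdf:fix:script:sh">echo constructed</fix>'
SAMPLE_UPSTREAM = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="bench">
<Profile id="xccdf_org.ssgproject.content_profile_standard"><title>Standard</title></Profile>
%s
<Group id="g"><Rule id="r">%s<fix id="set_umask" system="urn:xccdf:fix:script:sh">umask 077</fix>
</Rule></Group></Benchmark>""" % (HIPAA, FIPS_FIX)
SAMPLE_FILTERED = SAMPLE_UPSTREAM.replace(HIPAA, "").replace(FIPS_FIX, "")

if __name__ == "__main__":  # usage: check.py upstream.xml patched.xml (defaults to the sample)
    paths = sys.argv[1:3]
    orig, new = [open(p).read() for p in paths] if len(paths) == 2 else [SAMPLE_UPSTREAM, SAMPLE_FILTERED]
    print(regression_report(orig, new))
```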

    



