SCIENTIFIC-LINUX-DEVEL Archives

September 2019

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From:
"Kraus, Dave (GE Healthcare)" <[log in to unmask]>
Reply To:
Kraus, Dave (GE Healthcare)
Date:
Mon, 16 Sep 2019 22:25:08 +0000
Content-Type:
multipart/mixed
Parts/Attachments:
So, after I stopped beating my head against the code and switched directions, I found the commit commentary for enable_derivatives.py in the upstream scap-security-guide package. Looking at that and the patches that were made between 0.1.40 and 0.1.43 to that file and the dependent library build_derivatives.py, it became clear that there was effort made to remove profiles and other content "that CentOS and derivatives don't need or shouldn't do..." That may make for some discussion about non-CentOS needs or desires in the upstream, unfortunately...



Given the upstream commits, I came up with the following patch (also attached) which seems to effectively disable the filtering and restore the previous profiles to our lists. I don't think the remaining additions from the commits are doing anything to impair the functionality of what remains of the ds and oval files, but I don't have a good regression test to run. My test runs with remediation that I did today seem to indicate that things fundamentally work. YMMV...



------------------- Cut Here -----------------------

diff -Naur scap-security-guide-0.1.43-orig/build-scripts/enable_derivatives.py scap-security-guide-0.1.43-new/build-scripts/enable_derivatives.py

--- scap-security-guide-0.1.43-orig/build-scripts/enable_derivatives.py	2019-02-18 08:15:54.000000000 -0500

+++ scap-security-guide-0.1.43-new/build-scripts/enable_derivatives.py	2019-09-16 17:01:53.777616290 -0400

@@ -95,7 +95,6 @@

         raise RuntimeError("No Benchmark found!")

 

     for namespace, benchmark in benchmarks:

-        ssg.build_derivatives.profile_handling(benchmark, namespace)

         if not ssg.build_derivatives.add_cpes(benchmark, namespace, mapping):

             raise RuntimeError(

                 "Could not add derivative OS CPEs to Benchmark '%s'."
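Review bot: removing the only call shown here to `ssg.build_derivatives.profile_handling(benchmark, namespace)` switches off the derivative profile filtering for every benchmark this script processes, not just for the distribution you are building, and it does so silently. If the aim is to keep the profiles that upstream strips, consider gating the call behind an option (a command-line flag on enable_derivatives.py that defaults to the current upstream behaviour) rather than deleting it, and record the rationale alongside the patch in the package changelog so the next rebase does not reintroduce the filter by accident.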

diff -Naur scap-security-guide-0.1.43-orig/ssg/build_derivatives.py scap-security-guide-0.1.43-new/ssg/build_derivatives.py

--- scap-security-guide-0.1.43-orig/ssg/build_derivatives.py	2019-02-18 08:15:54.000000000 -0500

+++ scap-security-guide-0.1.43-new/ssg/build_derivatives.py	2019-09-16 17:02:22.770616290 -0400

@@ -97,8 +97,6 @@

                     rule.remove(ref)

 

         for fix in rule.findall(".//{%s}fix" % (namespace)):

-            if "fips" in fix.get("id"):

-                rule.remove(fix)

             sub_elems = fix.findall(".//{%s}sub" % (namespace))

             for sub_elem in sub_elems:

                 sub_elem.tail = re.sub(r"[\s]+- CCE-.*", "", sub_elem.tail)
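Review bot: deleting the `if "fips" in fix.get("id"):` / `rule.remove(fix)` pair means every `<fix>` whose id contains the substring "fips" is now retained in the derivative content, leaving the loop body to do nothing but the `sub` tail rewrite that strips the trailing `- CCE-...` text. That restores the FIPS remediations upstream deliberately dropped for derivatives, which is worth stating explicitly in the change description. Note also the asymmetry it introduces with the unchanged `rule.remove(ref)` context just above: the rule's references are still filtered while its fixes no longer are, so a built ds file will carry FIPS fix scripts for rules whose reference list was trimmed.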

------------------- Cut Here -----------------------





On 9/13/19, 2:23 PM, "Pat Riehecky" <[log in to unmask]> wrote:



    I'm in a similar boat.  I fear I've not spent much time looking at the 

    SCAP stuff since 7.2....

    

    Pat

    

    On 9/13/19 2:14 PM, Kraus, Dave (GE Healthcare) wrote:

    > Ok. I had a feeling that was the case.

    >

    > Anything in particular you'd like me to dig deeper into? Some bits of the enable_derivatives.py seem to be where I'd suspect breakage, but I haven't figured a way to tap into them easily...

    >

 
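The mail says there is no good regression test for the filtering the patch removes. As an added example (not part of the mail above or of scap-security-guide), the following Python script inventories an XCCDF 1.2 benchmark: it lists the Profile ids and the `<fix>` ids that match the same substring test upstream applied to "fips", and it reproduces that removal so a build with and without the patch can be compared. The sample benchmark embedded below is constructed for illustration; its profile, rule and fix ids are made up and are not real SSG identifiers.

```python
"""Inventory XCCDF profiles and FIPS-tagged fixes in a benchmark document.

Added example, not code from scap-security-guide. The sample document and
all ids in it are constructed for illustration.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample: two profiles and one rule carrying two <fix> elements,
# one of whose ids contains "fips".
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <Profile id="xccdf_example_profile_standard"><title>Standard</title></Profile>
  <Profile id="xccdf_example_profile_fips_example"><title>FIPS (example)</title></Profile>
  <Group id="xccdf_example_group_crypto">
    <Rule id="xccdf_example_rule_crypto_policy">
      <fix id="example_fix_fips_mode" system="urn:xccdf:fix:script:sh">fips-mode-setup --enable</fix>
      <fix id="example_fix_crypto_policy" system="urn:xccdf:fix:script:sh">update-crypto-policies --set DEFAULT</fix>
    </Rule>
  </Group>
</Benchmark>
"""


def q(tag):
    """Qualify a tag name with the XCCDF 1.2 namespace."""
    return "{%s}%s" % (XCCDF_NS, tag)


def profile_ids(root):
    """Return the id of every <Profile> in document order."""
    return [p.get("id") for p in root.iter(q("Profile"))]


def fix_ids_matching(root, needle):
    """Return the ids of <fix> elements whose id contains `needle`.

    This is the same substring test the removed upstream lines applied to
    "fips".  fix.get("id", "") guards against a <fix> without an id, which
    a bare `needle in fix.get("id")` would turn into a TypeError.
    """
    return [f.get("id") for f in root.iter(q("fix")) if needle in f.get("id", "")]


def strip_fixes_matching(root, needle):
    """Remove every <fix> whose id contains `needle`; return how many went.

    Mirrors what the deleted upstream lines did for "fips".  In XCCDF a
    <fix> is a direct child of its <Rule>, so rule.remove() is valid here.
    """
    removed = 0
    for rule in root.iter(q("Rule")):
        for fix in list(rule.findall(q("fix"))):
            if needle in fix.get("id", ""):
                rule.remove(fix)
                removed += 1
    return removed


def inventory(xml_text):
    """Summarise a benchmark as built: profile ids and fips-tagged fix ids."""
    root = ET.fromstring(xml_text)
    return {"profiles": profile_ids(root),
            "fips_fixes": fix_ids_matching(root, "fips")}


def inventory_after_strip(xml_text, needle="fips"):
    """Apply the upstream-style fix removal, then summarise the result."""
    root = ET.fromstring(xml_text)
    removed = strip_fixes_matching(root, needle)
    return {"removed": removed,
            "profiles": profile_ids(root),
            "fips_fixes": fix_ids_matching(root, "fips")}


if __name__ == "__main__":
    # Point ET.parse() at a built ds/xccdf file to compare real output
    # before and after applying the patch; here we use the constructed sample.
    print("as built:   ", inventory(SAMPLE_XCCDF))
    print("after strip:", inventory_after_strip(SAMPLE_XCCDF))
```

Run it against the benchmark produced by an unpatched build and by a patched one; the patched build should list the extra profiles and keep the "fips" fixes that `inventory_after_strip` shows being removed.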



