So, after I stopped beating my head against the code and switched directions, I found the commit commentary for enable_derivatives.py in the upstream scap-security-guide package. Looking at that and the patches that were made between 0.1.40 and 0.1.43 to that file and the dependent library build_derivatives.py, it became clear that there was effort made to remove profiles and other content "that CentOS and derivatives don't need or shouldn't do..." That may make for some discussion about non-CentOS needs or desires in the upstream, unfortunately...
Given the upstream commits, I came up with the following patch (also attached) which seems to effectively disable the filtering and restore the previous profiles to our lists. I don't think the remaining additions from the commits are doing anything to impair the functionality of what remains of the ds and oval files, but I don't have a good regression test to run. My test runs with remediation that I did today seem to indicate that things fundamentally work. YMMV...
------------------- Cut Here -----------------------
diff -Naur scap-security-guide-0.1.43-orig/build-scripts/enable_derivatives.py scap-security-guide-0.1.43-new/build-scripts/enable_derivatives.py
--- scap-security-guide-0.1.43-orig/build-scripts/enable_derivatives.py 2019-02-18 08:15:54.000000000 -0500
+++ scap-security-guide-0.1.43-new/build-scripts/enable_derivatives.py 2019-09-16 17:01:53.777616290 -0400
@@ -95,7 +95,6 @@
raise RuntimeError("No Benchmark found!")
for namespace, benchmark in benchmarks:
- ssg.build_derivatives.profile_handling(benchmark, namespace)
if not ssg.build_derivatives.add_cpes(benchmark, namespace, mapping):
raise RuntimeError(
"Could not add derivative OS CPEs to Benchmark '%s'."
diff -Naur scap-security-guide-0.1.43-orig/ssg/build_derivatives.py scap-security-guide-0.1.43-new/ssg/build_derivatives.py
--- scap-security-guide-0.1.43-orig/ssg/build_derivatives.py 2019-02-18 08:15:54.000000000 -0500
+++ scap-security-guide-0.1.43-new/ssg/build_derivatives.py 2019-09-16 17:02:22.770616290 -0400
@@ -97,8 +97,6 @@
rule.remove(ref)
for fix in rule.findall(".//{%s}fix" % (namespace)):
- if "fips" in fix.get("id"):
- rule.remove(fix)
sub_elems = fix.findall(".//{%s}sub" % (namespace))
for sub_elem in sub_elems:
sub_elem.tail = re.sub(r"[\s]+- CCE-.*", "", sub_elem.tail)
------------------- Cut Here -----------------------
On 9/13/19, 2:23 PM, "Pat Riehecky" <[log in to unmask]> wrote:
I'm in a similar boat. I fear I've not spent much time looking at the
SCAP stuff since 7.2....
Pat
On 9/13/19 2:14 PM, Kraus, Dave (GE Healthcare) wrote:
> Ok. I had a feeling that was the case.
>
> Anything in particular you'd like me to dig deeper into? Some bits of the enable_derivatives.py seem to be where I'd suspect breakage, but I haven't figured a way to tap into them easily...
>
|