Woo Hoo! 2 for 1! 

I didn't dig into why oscap-anaconda-addon is not showing anything on SL Security Profiles, so you might need to do a bit more digging there. (Our patched version, which depends on your patch, shows everything I expected from the start.)

That may require more release-level jiggering than you want to do, at this time, but that's for you to figure out how to handle...

Sorry I didn't catch these in testing when I should have, but we were preoccupied with other things and couldn't get to 7.7 in time.

On 9/17/19, 8:58 AM, "Pat Riehecky" wrote:

    We talked about putting scap-security-guide into security, I'll drop it 
    there instead of fastbugs.
    
    Pat
    
    On 9/17/19 8:29 AM, Pat Riehecky wrote:
    > Thanks Dave!
    >
    > I'll see about getting this patched and staged for fastbugs.
    >
    > Pat
    >
    > On 9/16/19 5:25 PM, Kraus, Dave (GE Healthcare) wrote:
    >> So, after I stopped beating my head against the code and switched 
    >> directions, I found the commit commentary for enable_derivatives.py 
    >> in the upstream scap-security-guide package. Looking at that and the 
    >> patches that were made between 0.1.40 and 0.1.43 to that file and the 
    >> dependent library build_derivatives.py, it became clear that there 
    >> was effort made to remove profiles and other content "that CentOS and 
    >> derivatives don't need or shouldn't do..." That may make for some 
    >> discussion about non-CentOS needs or desires in the upstream, 
    >> unfortunately...
    >>
    >> Given the upstream commits, I came up with the following patch (also 
    >> attached) which seems to effectively disable the filtering and 
    >> restore the previous profiles to our lists. I don't think the 
    >> remaining additions from the commits are doing anything to impair the 
    >> functionality of what remains of the ds and oval files, but I don't 
    >> have a good regression test to run. My test runs with remediation 
    >> that I did today seem to indicate that things fundamentally work. 
    >> YMMV...
    >>
    >> ------------------- Cut Here -----------------------
    >> diff -Naur 
    >> scap-security-guide-0.1.43-orig/build-scripts/enable_derivatives.py 
    >> scap-security-guide-0.1.43-new/build-scripts/enable_derivatives.py
    >> --- 
    >> scap-security-guide-0.1.43-orig/build-scripts/enable_derivatives.py 
    >> 2019-02-18 08:15:54.000000000 -0500
    >> +++ 
    >> scap-security-guide-0.1.43-new/build-scripts/enable_derivatives.py 
    >> 2019-09-16 17:01:53.777616290 -0400
    >> @@ -95,7 +95,6 @@
    >>           raise RuntimeError("No Benchmark found!")
    >>         for namespace, benchmark in benchmarks:
    >> -        ssg.build_derivatives.profile_handling(benchmark, namespace)
    >>           if not ssg.build_derivatives.add_cpes(benchmark, namespace, 
    >> mapping):
    >>               raise RuntimeError(
    >>                   "Could not add derivative OS CPEs to Benchmark '%s'."
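
Review bot: The call to ssg.build_derivatives.profile_handling(benchmark, namespace) is deleted from the benchmark loop in enable_derivatives.py with no condition and no comment, so profile filtering is switched off for every derivative this script builds, not only for the one that wants the profiles back. I would gate the call on an option or on the derivative being built instead of deleting it, and leave a one-line comment in the loop saying why it is skipped, so the next rebase onto a newer upstream does not silently bring the filtering back or drop this change.
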
    >> diff -Naur scap-security-guide-0.1.43-orig/ssg/build_derivatives.py 
    >> scap-security-guide-0.1.43-new/ssg/build_derivatives.py
    >> --- scap-security-guide-0.1.43-orig/ssg/build_derivatives.py 
    >> 2019-02-18 08:15:54.000000000 -0500
    >> +++ scap-security-guide-0.1.43-new/ssg/build_derivatives.py 
    >> 2019-09-16 17:02:22.770616290 -0400
    >> @@ -97,8 +97,6 @@
    >>                       rule.remove(ref)
    >>             for fix in rule.findall(".//{%s}fix" % (namespace)):
    >> -            if "fips" in fix.get("id"):
    >> -                rule.remove(fix)
    >>               sub_elems = fix.findall(".//{%s}sub" % (namespace))
    >>               for sub_elem in sub_elems:
    >>                   sub_elem.tail = re.sub(r"[\s]+- CCE-.*", "", 
    >> sub_elem.tail)
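
Review bot: With the `if "fips" in fix.get("id")` check removed from the fix loop in build_derivatives.py, every fix element whose id contains "fips" now stays in the derivative's rules and will be applied during remediation. Since the submitter says there is no regression test, I would confirm on a derivative system that those FIPS fixes actually apply cleanly before this is shipped, or keep the removal behind an option. Note also that the deleted code kept processing a fix after rule.remove(fix), so anyone restoring the filter later should add a continue after the removal.
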
    >> ------------------- Cut Here -----------------------
    >>
    >>
    >> On 9/13/19, 2:23 PM, "Pat Riehecky" wrote:
    >>
    >>      I'm in a similar boat.  I fear I've not spent much time looking at the
    >>      SCAP stuff since 7.2....
    >>
    >>      Pat
    >>
    >>      On 9/13/19 2:14 PM, Kraus, Dave (GE Healthcare) wrote:
    >>      > Ok. I had a feeling that was the case.
    >>      >
    >>      > Anything in particular you'd like me to dig deeper into? Some bits of the enable_derivatives.py seem to be where I'd suspect breakage, but I haven't figured a way to tap into them easily...
    >>      >
    >>
    >
    
    -- 
    Pat Riehecky
    
    Fermi National Accelerator Laboratory
    http://www.fnal.gov
    http://www.scientificlinux.org