We talked about putting scap-security-guide into security, I'll drop it there instead of fastbugs. Pat On 9/17/19 8:29 AM, Pat Riehecky wrote: > Thanks Dave! > > I'll see about getting this patched and staged for fastbugs. > > Pat > > On 9/16/19 5:25 PM, Kraus, Dave (GE Healthcare) wrote: >> So, after I stopped beating my head against the code and switched >> directions, I found the commit commentary for enable_derivatives.py >> in the upstream scap-security-guide package. Looking at that and the >> patches that were made between 0.1.40 and 0.1.43 to that file and the >> dependent library build_derivatives.py, it became clear that there >> was effort made to remove profiles and other content "that CentOS and >> derivatives don't need or shouldn't do..." That may make for some >> discussion about non-CentOS needs or desires in the upstream, >> unfortunately... >> >> Given the upstream commits, I came up with the following patch (also >> attached) which seems to effectively disable the filtering and >> restore the previous profiles to our lists. I don't think the >> remaining additions from the commits are doing anything to impair the >> functionality of what remains of the ds and oval files, but I don't >> have a good regression test to run. My test runs with remediation >> that I did today seem to indicate that things fundamentally work. >> YMMV... >> >> ------------------- Cut Here ----------------------- >> diff -Naur >> scap-security-guide-0.1.43-orig/build-scripts/enable_derivatives.py >> scap-security-guide-0.1.43-new/build-scripts/enable_derivatives.py >> --- >> scap-security-guide-0.1.43-orig/build-scripts/enable_derivatives.py >> 2019-02-18 08:15:54.000000000 -0500 >> +++ >> scap-security-guide-0.1.43-new/build-scripts/enable_derivatives.py >> 2019-09-16 17:01:53.777616290 -0400 
>> @@ -95,7 +95,6 @@ >> raise RuntimeError("No Benchmark found!") >> for namespace, benchmark in benchmarks: >> - ssg.build_derivatives.profile_handling(benchmark, namespace) >> if not ssg.build_derivatives.add_cpes(benchmark, namespace, >> mapping): >> raise RuntimeError( >> "Could not add derivative OS CPEs to Benchmark '%s'." >> diff -Naur scap-security-guide-0.1.43-orig/ssg/build_derivatives.py >> scap-security-guide-0.1.43-new/ssg/build_derivatives.py >> --- scap-security-guide-0.1.43-orig/ssg/build_derivatives.py >> 2019-02-18 08:15:54.000000000 -0500 >> +++ scap-security-guide-0.1.43-new/ssg/build_derivatives.py >> 2019-09-16 17:02:22.770616290 -0400 >> @@ -97,8 +97,6 @@ >> rule.remove(ref) >> for fix in rule.findall(".//{%s}fix" % (namespace)): >> - if "fips" in fix.get("id"): >> - rule.remove(fix) >> sub_elems = fix.findall(".//{%s}sub" % (namespace)) >> for sub_elem in sub_elems: >> sub_elem.tail = re.sub(r"[\s]+- CCE-.*", "", >> sub_elem.tail) >> ------------------- Cut Here ----------------------- >> >> >> On 9/13/19, 2:23 PM, "Pat Riehecky" <[log in to unmask]> wrote: >> >> I'm in a similar boat. I fear I've not spent much time looking >> at the >> SCAP stuff since 7.2.... >> Pat >> On 9/13/19 2:14 PM, Kraus, Dave (GE Healthcare) wrote: >> > Ok. I had a feeling that was the case. >> > >> > Anything in particular you'd like me to dig deeper into? Some >> bits of the enable_derivatives.py seem to be where I'd suspect >> breakage, but I haven't figured a way to tap into them easily... >> > >> > -- Pat Riehecky Fermi National Accelerator Laboratory www.fnal.gov www.scientificlinux.org
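Review bot: Deleting the `ssg.build_derivatives.profile_handling(benchmark, namespace)` call in the enable_derivatives.py hunk (@@ -95,7 +95,6 @@) switches off profile filtering unconditionally, for every derivative the script is ever run for, while the upstream commentary quoted earlier in this thread says the filter exists to drop profiles "that CentOS and derivatives don't need or shouldn't do". Rather than removing the call, consider keeping it and skipping it only for the derivative this build targets, so that a future rebase onto a newer scap-security-guide does not silently reintroduce (or lose) the filter. Since there is no regression suite, a cheap check is to diff the list of Profile ids in the built ds file from an unpatched 0.1.43 build against the patched one and confirm that only the expected profiles reappear.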
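Review bot: Removing the `if "fips" in fix.get("id"): rule.remove(fix)` block in the build_derivatives.py hunk (@@ -97,8 +97,6 @@) puts the FIPS remediation fixes back into the derivative content, which is precisely what upstream chose to strip, so it deserves its own verification: the remediation runs reported earlier in the thread are described as general, not FIPS-specific, and the restored fixes should be exercised on a Scientific Linux test system before the package is staged. If the block is ever reinstated, note that `fix.get("id")` returns None for a fix element without an id attribute and the `in` test would then raise a TypeError; `fix.get("id", "")` avoids that.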