Bug 1057647

Summary: RFE: Spacewalk (XCCDF Scans functionality): Add Tailoring Support
Product: [Community] Spacewalk
Component: WebUI
Version: 2.1
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Šimon Lukašík <slukasik>
QA Contact: Red Hat Satellite QA List <satqe-list>
CC: mkollar, mpreisle, pvrabec
Keywords: Reopened
Fixed In Version: spacewalk-oscap-0.0.23-1
Doc Type: Bug Fix
Clone Of:
: 1058789
Last Closed: 2014-03-04 13:06:30 UTC
Type: Bug
Bug Depends On:
Bug Blocks: 737830, 1058789, 1069560

Description Jan Lieskovsky 2014-01-24 14:39:44 UTC
Description of problem:
It looks like the current version of Spacewalk server (spacewalk-setup-2.1.8-1.fc19.noarch.rpm) doesn't support loading / using XCCDF profiles from the tailoring file.

Version-Release number of selected component (if applicable):
spacewalk-setup-2.1.8-1.fc19.noarch.rpm

How reproducible:
Always

Steps to Reproduce:
1. Perform tailoring in scap-workbench for current SSG Fedora content (keep only SSH rules selected). Click "Finish tailoring", and then "Save as RPM" scap-workbench's button.

This will generate new RPM file with content like:

# rpm -ql ssg-fedora-xccdf
/usr/share/xml/scap/ssg-fedora-xccdf/ssg-fedora-oval.xml
/usr/share/xml/scap/ssg-fedora-xccdf/ssg-fedora-xccdf.xml
/usr/share/xml/scap/ssg-fedora-xccdf/tailoring-xccdf.xml.B17868

With content of that tailoring file being as follows:

<?xml version="1.0" encoding="UTF-8"?>
<cdf-11-tailoring:Tailoring xmlns:cdf-11-tailoring="http://open-scap.org/page/Xccdf-1.1-tailoring" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" id="xccdf_scap-workbench_tailoring_default">
  <cdf-11-tailoring:benchmark href="ssg-fedora-xccdf.xml"/>
  <cdf-11-tailoring:version time="2014-01-24T15:19:59">1</cdf-11-tailoring:version>
  <xccdf:Profile id="common_tailored" extends="common">
    <xccdf:title xml:lang="en-US">Common Profile for General-Purpose Fedora Systems [TAILORED]</xccdf:title>
    <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile contains items common to general-purpose Fedora installations.</xccdf:description>
    <xccdf:select idref="intro" selected="false"/>
    <xccdf:select idref="ntp" selected="false"/>
    <xccdf:select idref="service_ntpd_enabled" selected="false"/>
    <xccdf:select idref="ntpd_specify_remote_server" selected="false"/>
    <xccdf:select idref="system" selected="false"/>
  </xccdf:Profile>
</cdf-11-tailoring:Tailoring>

=> a new profile named "common_tailored" is created.

2. Install this ssg-fedora-xccdf-1-1.noarch.rpm on a system (client) subscribed to the Spacewalk server.

3. Schedule XCCDF system scan for that client with "Schedule New XCCDF Scan" screen items being as follows:

Command: /usr/bin/oscap xccdf eval             /* the non-editable part */

Command-line Arguments: --profile common_tailored --tailoring-file /usr/share/xml/scap/ssg-fedora-xccdf/tailoring-xccdf.xml.B17868

Path to XCCDF document*: /usr/share/xml/scap/ssg-fedora-xccdf/ssg-fedora-xccdf.xml

4. Click the "Schedule" button, and wait for the XCCDF scan to finish.
5. Look into System's events history and see how the XCCDF scan failed.
6. Click on the run of the Summary for further details.

Actual results:
---------------
System History Event
Summary:        OpenSCAP xccdf scanning scheduled by spacewalk
Details:        This action will be executed after 01/24/14 9:24:00 AM EST.

This action's status is: Failed.
The client picked up this action on 01/24/14 9:29:56 AM EST.
The client completed this action on 01/24/14 9:29:56 AM EST.
Client execution returned "oscap tool did not produce valid xml. xccdf_eval: Following arguments forbidden: --tailoring-file /usr/share/xml/scap/ssg-fedora-xccdf/tailoring-xccdf.xml.B17868 Profile "common_tailored" was not found. xccdf_eval: oscap tool returned 1 " (code 1)


Path to XCCDF document: /usr/share/xml/scap/ssg-fedora-xccdf/ssg-fedora-xccdf.xml
Parameters: --profile common_tailored --tailoring-file /usr/share/xml/scap/ssg-fedora-xccdf/tailoring-xccdf.xml.B17868

Detailed results not available.
Time:   01/24/14 9:29:31 AM EST
Reschedule:     This history event was caused by a failed scheduled action.

If you have corrected the problem, you may reschedule the action below.

Expected results:
------------------
Tailored profile known to Spacewalk and XCCDF Scan job finishes successfully.

Additional info:
----------------
Running the same command line content manually on the Spacewalk client via oscap tool passes (and evaluates only selected rules):

# oscap xccdf eval --profile common_tailored --tailoring-file /usr/share/xml/scap/ssg-fedora-xccdf/tailoring-xccdf.xml.B17868 /usr/share/xml/scap/ssg-fedora-xccdf/ssg-fedora-xccdf.xml
Title   SSH Root Login Disabled
Rule    sshd_disable_root_login
Result  fail

Title   SSH Access via Empty Passwords Disabled
Rule    sshd_disable_empty_passwords
Result  pass

Title   SSH Idle Timeout Interval Used
Rule    sshd_set_idle_timeout
Result  fail

Title   SSH Client Alive Count Used
Rule    sshd_set_keepalive
Result  fail

Note: Supplying --profile "common_tailored" instead of --profile common_tailored to Spacewalk's XCCDF Scan plug-in results in the default profile being selected (nothing to be evaluated).
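
A pre-flight check for the scan inputs described in the report above, as an added example (not part of the report and not Spacewalk or spacewalk-oscap code): it parses the XCCDF 1.1 tailoring format shown in step 1 and confirms that the --profile value is defined there before a scan is scheduled. The function names and the two-option allowlist are assumptions of this example, and the sample document is a trimmed copy of the report's tailoring file.

```python
import shlex
import xml.etree.ElementTree as ET

# Namespaces taken from the tailoring file shown in the report.
NS = {"t": "http://open-scap.org/page/Xccdf-1.1-tailoring",
      "x": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed sample: the report's tailoring file, trimmed to two overrides.
SAMPLE_TAILORING = b"""<?xml version="1.0" encoding="UTF-8"?>
<cdf-11-tailoring:Tailoring xmlns:cdf-11-tailoring="http://open-scap.org/page/Xccdf-1.1-tailoring" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" id="xccdf_scap-workbench_tailoring_default">
  <cdf-11-tailoring:benchmark href="ssg-fedora-xccdf.xml"/>
  <xccdf:Profile id="common_tailored" extends="common">
    <xccdf:select idref="ntp" selected="false"/>
    <xccdf:select idref="system" selected="false"/>
  </xccdf:Profile>
</cdf-11-tailoring:Tailoring>
"""


def tailored_profiles(xml_bytes):
    """Map each tailored profile id to (parent profile, {item id: selected})."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Tailoring" % NS["t"]:
        raise ValueError("not an XCCDF 1.1 tailoring document")
    profiles = {}
    for prof in root.findall("x:Profile", NS):
        selects = {s.get("idref"): s.get("selected") == "true"
                   for s in prof.findall("x:select", NS)}
        profiles[prof.get("id")] = (prof.get("extends"), selects)
    return profiles


def check_scan_arguments(arguments, xml_bytes):
    """Return a list of problems found in an 'oscap xccdf eval' argument string."""
    argv = shlex.split(arguments)  # shell-style split; strips surrounding quotes
    opts, problems = {}, []
    it = iter(argv)
    for opt in it:
        if opt not in ("--profile", "--tailoring-file"):  # this example's allowlist
            problems.append("unexpected argument: %s" % opt)
            continue
        opts[opt] = next(it, None)
    known = tailored_profiles(xml_bytes)
    if opts.get("--tailoring-file") is None:
        problems.append("no --tailoring-file given")
    if opts.get("--profile") not in known:
        problems.append("profile %r is not defined in the tailoring file" % opts.get("--profile"))
    return problems
```

The check takes the tailoring document's bytes directly, so it can run on the server against a copy of the file rather than on the client path named in the arguments.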

Comment 1 Šimon Lukašík 2014-01-27 08:51:57 UTC
spacewalk.git a67ffe604b6866f541bb357be3f09d4a638b7d6b

Comment 2 Matej Kollar 2014-03-04 13:06:30 UTC
Spacewalk 2.1 has been released.
https://fedorahosted.org/spacewalk/wiki/ReleaseNotes21

Comment 3 Matej Kollar 2014-03-04 13:08:32 UTC
Spacewalk 2.1 has been released.
https://fedorahosted.org/spacewalk/wiki/ReleaseNotes21