Bug 1440192
Summary: | xccdf scan requires remote content from RedHat, which errors out | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Przemek Klosowski <przemek> |
Component: | openscap | Assignee: | Jan Černý <jcerny> |
Status: | CLOSED ERRATA | QA Contact: | Marek Haicman <mhaicman> |
Severity: | medium | Docs Contact: | Mirek Jahoda <mjahoda> |
Priority: | high | ||
Version: | 7.3 | CC: | brubisch, mhaicman, mjahoda, mpreisle, openscap-maint |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
*OpenSCAP* now also handles uncompressed XML files in a CVE OVAL feed
Previously, the *OpenSCAP* tool was able to handle only compressed CVE OVAL files from a feed. As a consequence, the CVE OVAL feed provided by Red Hat could not be used as a base for vulnerability scanning. With this update, *OpenSCAP* supports not only ZIP and BZIP2 files but also uncompressed XML files in a CVE OVAL feed, and the CVE OVAL-based scanning works properly without additional steps.
|
Last Closed: | 2017-08-01 08:45:48 UTC | Type: | Bug |
Description
Przemek Klosowski
2017-04-07 14:17:16 UTC
This was fixed in OpenSCAP 1.2.11 by this patch: https://github.com/OpenSCAP/openscap/commit/bc9db8a31a977d8f7a89ff3d98df939d9269007b

A workaround is to use the compressed version of the remote XML file:

```
# sed -i "s@http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml@https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2@" /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
```

Verified: version openscap-1.2.14-2.el7.x86_64 fixes the issue.

OLD:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Test of bz2 (default)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard_customized --fetch-remote-resources --tailoring-file tailoring-xccdf.xml ssg-rhel7-ds.xml' (Expected 0,2, got 2)
:: [ PASS ] :: File 'output' should contain '^Downloading: '
:: [ LOG ] :: Duration: 4s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: Test of bz2 (default)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Test of xml (old default)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ FAIL ] :: Command 'oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard_customized --fetch-remote-resources --tailoring-file tailoring-xccdf.xml ssg-rhel7-ds-plain.xml' (Expected 0,2, got 1)
:: [ PASS ] :: File 'output' should contain '^Downloading: '
:: [ LOG ] :: Duration: 1s
:: [ LOG ] :: Assertions: 1 good, 1 bad
:: [ FAIL ] :: RESULT: Test of xml (old default)
```

NEW:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Test of bz2 (default)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard_customized --fetch-remote-resources --tailoring-file tailoring-xccdf.xml ssg-rhel7-ds.xml' (Expected 0,2, got 2)
:: [ PASS ] :: File 'output' should contain '^Downloading: '
:: [ LOG ] :: Duration: 4s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: Test of bz2 (default)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Test of xml (old default)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard_customized --fetch-remote-resources --tailoring-file tailoring-xccdf.xml ssg-rhel7-ds-plain.xml' (Expected 0,2, got 2)
:: [ PASS ] :: File 'output' should contain '^Downloading: '
:: [ LOG ] :: Duration: 5s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: Test of xml (old default)
```

Please note that the issue is also mitigated by use of a newer SCAP Security Guide, for example scap-security-guide-0.1.33-5.el7.noarch (because it uses bz2 by default).

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2291
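
A pre-flight check for the situation discussed in this report, as an added example (not code from OpenSCAP or from anyone in this bug): it lists the remote `component-ref` targets in a source datastream, so you can see what `--fetch-remote-resources` will download and which feeds are plain HTTP or uncompressed. The sample datastream is constructed and cut down, and `remote_refs` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample: a cut-down datastream with one local and two remote refs.
SAMPLE_DS = """<?xml version="1.0"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
                           xmlns:xlink="http://www.w3.org/1999/xlink">
  <ds:data-stream id="constructed_example">
    <ds:checks>
      <ds:component-ref id="local" xlink:href="#comp_oval"/>
      <ds:component-ref id="plain"
        xlink:href="http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml"/>
      <ds:component-ref id="bz2"
        xlink:href="https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2"/>
    </ds:checks>
  </ds:data-stream>
</ds:data-stream-collection>"""


def remote_refs(ds_xml):
    """Return one dict per component-ref that points outside the datastream."""
    root = ET.fromstring(ds_xml)
    found = []
    for ref in root.iter("{%s}component-ref" % DS_NS):
        href = ref.get(XLINK_HREF, "")
        url = urlparse(href)
        if not url.netloc:  # "#id" style refs resolve inside the same file
            continue
        found.append({
            "id": ref.get("id"),
            "href": href,
            "cleartext": url.scheme == "http",
            "compressed": url.path.lower().endswith((".bz2", ".zip")),
        })
    return found


if __name__ == "__main__":
    for r in remote_refs(SAMPLE_DS):
        notes = []
        if r["cleartext"]:
            notes.append("fetched over plain HTTP")
        if not r["compressed"]:
            notes.append("uncompressed feed, needs an openscap with this fix")
        print(r["id"], r["href"], "; ".join(notes) or "ok")
```

To audit an installed datastream, pass the contents of the file (for example the `ssg-rhel7-ds.xml` named in the workaround) to `remote_refs` instead of `SAMPLE_DS`.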