Bug 1057647 - RFE: Spacewalk (XCCDF Scans functionality): Add Tailoring Support
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: WebUI
Version: 2.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Šimon Lukašík
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: spacewalk-rfe 1058789 space21
Reported: 2014-01-24 14:39 UTC by Jan Lieskovsky
Modified: 2014-03-04 13:08 UTC

Fixed In Version: spacewalk-oscap-0.0.23-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1058789 (view as bug list)
Environment:
Last Closed: 2014-03-04 13:06:30 UTC
Embargoed:



Description Jan Lieskovsky 2014-01-24 14:39:44 UTC
Description of problem:
It looks like the current version of Spacewalk server (spacewalk-setup-2.1.8-1.fc19.noarch.rpm) doesn't support loading / using XCCDF profiles from the tailoring file.

Version-Release number of selected component (if applicable):
spacewalk-setup-2.1.8-1.fc19.noarch.rpm

How reproducible:
Always

Steps to Reproduce:
1. Perform tailoring in scap-workbench for current SSG Fedora content (keep only SSH rules selected). Click "Finish tailoring", and then scap-workbench's "Save as RPM" button.

This will generate a new RPM file with content like:

# rpm -ql ssg-fedora-xccdf
/usr/share/xml/scap/ssg-fedora-xccdf/ssg-fedora-oval.xml
/usr/share/xml/scap/ssg-fedora-xccdf/ssg-fedora-xccdf.xml
/usr/share/xml/scap/ssg-fedora-xccdf/tailoring-xccdf.xml.B17868

With content of that tailoring file being as follows:

<?xml version="1.0" encoding="UTF-8"?>
<cdf-11-tailoring:Tailoring xmlns:cdf-11-tailoring="http://open-scap.org/page/Xccdf-1.1-tailoring" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" id="xccdf_scap-workbench_tailoring_default">
  <cdf-11-tailoring:benchmark href="ssg-fedora-xccdf.xml"/>
  <cdf-11-tailoring:version time="2014-01-24T15:19:59">1</cdf-11-tailoring:version>
  <xccdf:Profile id="common_tailored" extends="common">
    <xccdf:title xml:lang="en-US">Common Profile for General-Purpose Fedora Systems [TAILORED]</xccdf:title>
    <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile contains items common to general-purpose Fedora installations.</xccdf:description>
    <xccdf:select idref="intro" selected="false"/>
    <xccdf:select idref="ntp" selected="false"/>
    <xccdf:select idref="service_ntpd_enabled" selected="false"/>
    <xccdf:select idref="ntpd_specify_remote_server" selected="false"/>
    <xccdf:select idref="system" selected="false"/>
  </xccdf:Profile>
</cdf-11-tailoring:Tailoring>

=> a new profile named "common_tailored" is created.

2. Install this ssg-fedora-xccdf-1-1.noarch.rpm on a system (client) subscribed to the Spacewalk server.

3. Schedule an XCCDF system scan for that client with the "Schedule New XCCDF Scan" screen items being as follows:

Command: /usr/bin/oscap xccdf eval             /* the non-editable part */

Command-line Arguments: --profile common_tailored --tailoring-file /usr/share/xml/scap/ssg-fedora-xccdf/tailoring-xccdf.xml.B17868

Path to XCCDF document*: /usr/share/xml/scap/ssg-fedora-xccdf/ssg-fedora-xccdf.xml

4. Click the "Schedule" button, and wait for the XCCDF scan to finish.
5. Look into System's events history and see how the XCCDF scan failed.
6. Click on the run of the Summary for further details.

Actual results:
---------------
System History Event
Summary:        OpenSCAP xccdf scanning scheduled by spacewalk
Details:        This action will be executed after 01/24/14 9:24:00 AM EST.

This action's status is: Failed.
The client picked up this action on 01/24/14 9:29:56 AM EST.
The client completed this action on 01/24/14 9:29:56 AM EST.
Client execution returned "oscap tool did not produce valid xml. xccdf_eval: Following arguments forbidden: --tailoring-file /usr/share/xml/scap/ssg-fedora-xccdf/tailoring-xccdf.xml.B17868 Profile "common_tailored" was not found. xccdf_eval: oscap tool returned 1 " (code 1)


Path to XCCDF document: /usr/share/xml/scap/ssg-fedora-xccdf/ssg-fedora-xccdf.xml
Parameters: --profile common_tailored --tailoring-file /usr/share/xml/scap/ssg-fedora-xccdf/tailoring-xccdf.xml.B17868

Detailed results not available.
Time:   01/24/14 9:29:31 AM EST
Reschedule:     This history event was caused by a failed scheduled action.

If you have corrected the problem, you may reschedule the action below.

Expected results:
------------------
Tailored profile known to Spacewalk and XCCDF Scan job finishes successfully.

Additional info:
----------------
Running the same command line content manually on the Spacewalk client via the oscap tool passes (and evaluates only selected rules):

# oscap xccdf eval --profile common_tailored --tailoring-file /usr/share/xml/scap/ssg-fedora-xccdf/tailoring-xccdf.xml.B17868 /usr/share/xml/scap/ssg-fedora-xccdf/ssg-fedora-xccdf.xml
Title   SSH Root Login Disabled
Rule    sshd_disable_root_login
Result  fail

Title   SSH Access via Empty Passwords Disabled
Rule    sshd_disable_empty_passwords
Result  pass

Title   SSH Idle Timeout Interval Used
Rule    sshd_set_idle_timeout
Result  fail

Title   SSH Client Alive Count Used
Rule    sshd_set_keepalive
Result  fail

Note: Supplying --profile "common_tailored" instead of --profile common_tailored to Spacewalk's XCCDF Scan plug-in results in the default profile being selected (nothing to be evaluated).
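
Added example (not part of the original report and not Spacewalk's own code): the "Following arguments forbidden" error above is what an argument allowlist on the client produces when it does not know --tailoring-file. The sketch below runs the report's parameters through such a check before and after the option is permitted; the function names and the contents of both allowlists are assumptions.

```python
import shlex

# Hypothetical allowlists (assumption, not copied from spacewalk-oscap).
ALLOWED_BEFORE = {"--profile"}
ALLOWED_AFTER = {"--profile", "--tailoring-file"}

# Values taken from the report above.
PARAMS = ("--profile common_tailored --tailoring-file "
          "/usr/share/xml/scap/ssg-fedora-xccdf/tailoring-xccdf.xml.B17868")
XCCDF = "/usr/share/xml/scap/ssg-fedora-xccdf/ssg-fedora-xccdf.xml"


def split_args(params, allowed):
    """Return (accepted, forbidden) tokens; every allowed option takes one value."""
    accepted, forbidden = [], []
    tokens = shlex.split(params)  # shell-style split, surrounding quotes removed
    i = 0
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        if tokens[i] in allowed and has_value:
            accepted += tokens[i:i + 2]
            i += 2
        else:
            # unknown option, stray value, or allowed option missing its value
            forbidden.append(tokens[i])
            i += 1
    return accepted, forbidden


def build_command(params, xccdf_path, allowed):
    """Build the oscap argv list, refusing any token outside the allowlist."""
    accepted, forbidden = split_args(params, allowed)
    if forbidden:
        raise ValueError("Following arguments forbidden: " + " ".join(forbidden))
    # An argv list (no shell string) keeps each value a single argument.
    return ["/usr/bin/oscap", "xccdf", "eval"] + accepted + [xccdf_path]


if __name__ == "__main__":
    for name, allowed in (("before", ALLOWED_BEFORE), ("after", ALLOWED_AFTER)):
        try:
            print(name, build_command(PARAMS, XCCDF, allowed))
        except ValueError as err:
            print(name, "rejected:", err)
```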

Comment 1 Šimon Lukašík 2014-01-27 08:51:57 UTC
spacewalk.git a67ffe604b6866f541bb357be3f09d4a638b7d6b

Comment 2 Matej Kollar 2014-03-04 13:06:30 UTC
Spacewalk 2.1 has been released.
https://fedorahosted.org/spacewalk/wiki/ReleaseNotes21

Comment 3 Matej Kollar 2014-03-04 13:08:32 UTC
Spacewalk 2.1 has been released.
https://fedorahosted.org/spacewalk/wiki/ReleaseNotes21

