Description of problem:
Looks like the current version of Spacewalk server (spacewalk-setup-2.1.8-1.fc19.noarch.rpm) doesn't support loading / using XCCDF profiles from the tailoring file.

Version-Release number of selected component (if applicable):
spacewalk-setup-2.1.8-1.fc19.noarch.rpm

How reproducible:
Always

Steps to Reproduce:
1. Perform tailoring in scap-workbench for current SSG Fedora content (keep only SSH rules selected). Click "Finish tailoring", and then scap-workbench's "Save as RPM" button. This will generate a new RPM file with content like:

    # rpm -ql ssg-fedora-xccdf
    /usr/share/xml/scap/ssg-fedora-xccdf/ssg-fedora-oval.xml
    /usr/share/xml/scap/ssg-fedora-xccdf/ssg-fedora-xccdf.xml
    /usr/share/xml/scap/ssg-fedora-xccdf/tailoring-xccdf.xml.B17868

   With the content of that tailoring file being as follows:

    <?xml version="1.0" encoding="UTF-8"?>
    <cdf-11-tailoring:Tailoring xmlns:cdf-11-tailoring="http://open-scap.org/page/Xccdf-1.1-tailoring" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" id="xccdf_scap-workbench_tailoring_default">
      <cdf-11-tailoring:benchmark href="ssg-fedora-xccdf.xml"/>
      <cdf-11-tailoring:version time="2014-01-24T15:19:59">1</cdf-11-tailoring:version>
      <xccdf:Profile id="common_tailored" extends="common">
        <xccdf:title xml:lang="en-US">Common Profile for General-Purpose Fedora Systems [TAILORED]</xccdf:title>
        <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile contains items common to general-purpose Fedora installations.</xccdf:description>
        <xccdf:select idref="intro" selected="false"/>
        <xccdf:select idref="ntp" selected="false"/>
        <xccdf:select idref="service_ntpd_enabled" selected="false"/>
        <xccdf:select idref="ntpd_specify_remote_server" selected="false"/>
        <xccdf:select idref="system" selected="false"/>
      </xccdf:Profile>
    </cdf-11-tailoring:Tailoring>

   => a new profile named "common_tailored" is created.

2. Install this ssg-fedora-xccdf-1-1.noarch.rpm on a system (client) subscribed to the Spacewalk server.

3. Schedule an XCCDF system scan for that client with the "Schedule New XCCDF Scan" screen items being as follows:

    Command: /usr/bin/oscap xccdf eval /* the non-editable part */
    Command-line Arguments: --profile common_tailored --tailoring-file /usr/share/xml/scap/ssg-fedora-xccdf/tailoring-xccdf.xml.B17868
    Path to XCCDF document*: /usr/share/xml/scap/ssg-fedora-xccdf/ssg-fedora-xccdf.xml

4. Click the "Schedule" button, and wait for the XCCDF scan to finish.

5. Look into the System's events history and see how the XCCDF scan failed.

6. Click on the run of the Summary for further details.

Actual results:
---------------
System History Event

    Summary: OpenSCAP xccdf scanning scheduled by spacewalk
    Details: This action will be executed after 01/24/14 9:24:00 AM EST.
    This action's status is: Failed.
    The client picked up this action on 01/24/14 9:29:56 AM EST.
    The client completed this action on 01/24/14 9:29:56 AM EST.
    Client execution returned "oscap tool did not produce valid xml.
    xccdf_eval: Following arguments forbidden: --tailoring-file /usr/share/xml/scap/ssg-fedora-xccdf/tailoring-xccdf.xml.B17868
    Profile "common_tailored" was not found.
    xccdf_eval: oscap tool returned 1 " (code 1)
    Path to XCCDF document: /usr/share/xml/scap/ssg-fedora-xccdf/ssg-fedora-xccdf.xml
    Parameters: --profile common_tailored --tailoring-file /usr/share/xml/scap/ssg-fedora-xccdf/tailoring-xccdf.xml.B17868
    Detailed results not available.
    Time: 01/24/14 9:29:31 AM EST
    Reschedule: This history event was caused by a failed scheduled action. If you have corrected the problem, you may reschedule the action below.

Expected results:
------------------
Tailored profile known to Spacewalk and XCCDF Scan job finishes successfully.

Additional info:
----------------
Running the same command line content manually on the Spacewalk client via the oscap tool passes (and evaluates only the selected rules):

    # oscap xccdf eval --profile common_tailored --tailoring-file /usr/share/xml/scap/ssg-fedora-xccdf/tailoring-xccdf.xml.B17868 /usr/share/xml/scap/ssg-fedora-xccdf/ssg-fedora-xccdf.xml

    Title   SSH Root Login Disabled
    Rule    sshd_disable_root_login
    Result  fail

    Title   SSH Access via Empty Passwords Disabled
    Rule    sshd_disable_empty_passwords
    Result  pass

    Title   SSH Idle Timeout Interval Used
    Rule    sshd_set_idle_timeout
    Result  fail

    Title   SSH Client Alive Count Used
    Rule    sshd_set_keepalive
    Result  fail

Note: Supplying --profile "common_tailored" instead of --profile common_tailored to Spacewalk's XCCDF Scan plug-in results in the default profile being selected (nothing to be evaluated).
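A pre-flight check for the tailoring file in this report, added here as an example (it is not part of the original report and is not Spacewalk or OpenSCAP code): it lists the profiles a tailoring file defines, the benchmark it points to and the items it deselects, so the value given to --profile can be checked before a scan is scheduled. The function names are hypothetical; the embedded XML is the tailoring file quoted in the report.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"  # XCCDF 1.1, as used in the report

# Tailoring file quoted in the report (whitespace reflowed for readability).
TAILORING_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cdf-11-tailoring:Tailoring xmlns:cdf-11-tailoring="http://open-scap.org/page/Xccdf-1.1-tailoring" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" id="xccdf_scap-workbench_tailoring_default">
  <cdf-11-tailoring:benchmark href="ssg-fedora-xccdf.xml"/>
  <cdf-11-tailoring:version time="2014-01-24T15:19:59">1</cdf-11-tailoring:version>
  <xccdf:Profile id="common_tailored" extends="common">
    <xccdf:title xml:lang="en-US">Common Profile for General-Purpose Fedora Systems [TAILORED]</xccdf:title>
    <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile contains items common to general-purpose Fedora installations.</xccdf:description>
    <xccdf:select idref="intro" selected="false"/>
    <xccdf:select idref="ntp" selected="false"/>
    <xccdf:select idref="service_ntpd_enabled" selected="false"/>
    <xccdf:select idref="ntpd_specify_remote_server" selected="false"/>
    <xccdf:select idref="system" selected="false"/>
  </xccdf:Profile>
</cdf-11-tailoring:Tailoring>
"""


def tailored_profiles(xml_text):
    """Map each profile id defined in a tailoring file to its details."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    # The benchmark reference lives in the tailoring namespace; match by local name.
    benchmark = next((el.get("href") for el in root
                      if el.tag.rsplit("}", 1)[-1] == "benchmark"), None)
    profiles = {}
    for prof in root.iter("{%s}Profile" % XCCDF_NS):
        selected, deselected = [], []
        for sel in prof.findall("{%s}select" % XCCDF_NS):
            on = sel.get("selected", "true") in ("true", "1")  # xs:boolean forms
            (selected if on else deselected).append(sel.get("idref"))
        profiles[prof.get("id")] = {"extends": prof.get("extends"),
                                    "benchmark": benchmark,
                                    "selected": selected,
                                    "deselected": deselected}
    return profiles


def find_profile(xml_text, requested):
    """Exact-match lookup; a value carrying literal quote characters is a different id."""
    return tailored_profiles(xml_text).get(requested)


if __name__ == "__main__":
    for pid, info in tailored_profiles(TAILORING_XML).items():
        print(pid, "extends", info["extends"], "deselects", info["deselected"])
```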
spacewalk.git a67ffe604b6866f541bb357be3f09d4a638b7d6b
Spacewalk 2.1 has been released. https://fedorahosted.org/spacewalk/wiki/ReleaseNotes21