Bug 1085977 - Require openscap dict and oval support for CentOS
Summary: Require openscap dict and oval support for CentOS
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: openscap
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Šimon Lukašík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-04-09 19:08 UTC by Dave Sullivan
Modified: 2014-09-22 14:37 UTC (History)
8 users (show)

Fixed In Version: openscap-1.1.0-1.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-22 14:37:13 UTC
Type: Bug


Attachments (Terms of Use)

Description Dave Sullivan 2014-04-09 19:08:35 UTC
Description of problem:

Currently investigating using preupgrade-assistant to perform premigrate ssessment




Version-Release number of selected component (if applicable):

[root@preup_centos_test preupgrade-assistant]# rpm -qa | grep openscap
openscap-0.9.12-1.el6.x86_64

[root@preup_centos_test preupgrade-assistant]# cat /etc/centos-release 
CentOS release 6.5 (Final)

How reproducible:

Noticed that our openscap files didn't include references to centos.

 

[root@preup_centos_test CENTOS6_6]# ls /usr/share/openscap/cpe/*
/usr/share/openscap/cpe/my-detailed-oval-results  /usr/share/openscap/cpe/openscap-cpe-dict.xml  /usr/share/openscap/cpe/openscap-cpe-oval.xml  /usr/share/openscap/cpe/README

 

tried some hacks to get things to work, not fully understanding openscap cpe dict/oval

 

phracek pointed me to #openscap and slukasik helped me understand how to hack around centos openscap support

 

If we do a walk through

 

<rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.rhel:tst:6" version="1" check="at least one" comment="redhat-release is version 6"

                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">

                  <object object_ref="oval:org.open-scap.cpe.redhat-release:obj:3"/>

                  <state state_ref="oval:org.open-scap.cpe.rhel:ste:6"/>

            </rpminfo_test>

 

[root@preup_centos_test ~]# cat /usr/share/preupgrade/CENTOS6_6/all-xccdf.xml | grep platform
  <ns0:platform idref="cpe:/o:redhat:enterprise_linux:6" />

 

[root@preup_centos_test ~]# grep -A 10 "enterprise_linux\:6" /usr/share/openscap/cpe/openscap-cpe-dict.xml

      <cpe-item name="cpe:/o:redhat:enterprise_linux:6">

            <title xml:lang="en-us">Red Hat Enterprise Linux 6</title>

            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.rhel:def:6</check>

      </cpe-item>

 

[root@preup_centos_test ~]# grep -A 10 "enterprise_linux\:6" /usr/share/openscap/cpe/openscap-cpe-oval.xml

                        <reference ref_id="cpe:/o:redhat:enterprise_linux:6" source="CPE"/>

                        <description>The operating system installed on the system is Red Hat Enterprise Linux 6</description>

                  </metadata>

                  <criteria>

                        <criterion comment="Installed operating system is part of the unix family" test_ref="oval:org.open-scap.cpe.rhel:tst:1"/>

                        <criterion comment="Red Hat Enterprise Linux 6 is installed" test_ref="oval:org.open-scap.cpe.rhel:tst:6"/>

                  </criteria>

            </definition>

 

Now we need to go look at oval:org.open-scap.cpe.rhel:tst:6

 

[root@preup_centos_test ~]# grep -A 10 "rhel\:tst\:6" /usr/share/openscap/cpe/openscap-cpe-oval.xml

 

points to <state state_ref="oval:org.open-scap.cpe.rhel:ste:6"/>

 

[root@preup_centos_test ~]# grep -A 10 "rhel\:ste\:6" /usr/share/openscap/cpe/openscap-cpe-oval.xml

 

we changed this to

<rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:6" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <name operation="pattern match">^centos-release</name>
                  <version operation="pattern match">6</version>
            </rpminfo_state>

 

as it was originally

 

<rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:6" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">

                  <name operation="pattern match">^redhat-release</name>

                 <version operation="pattern match">^6[^\d]</version>

                  <version operation="pattern match">6</version>

             </rpminfo_state>

 

Once that was done, test showed as instead of not applicable to not checked.

 

oscap xccdf eval --results xccd-results.xml /usr/share/preupgrade/CENTOS6_6/all-xccdf.xml

 

Good note on things that can help doing eval on oval

 

oscap oval eval --results my-detailed-oval-results openscap-cpe-oval.xml

 

Now not checked meant there was an SCE issue, which installation of preupgrade covers

 

So need to file fedora/RHEL bugs to get centos openscap dict/oval support.

 

The abstract part of openscap can lead to confusion.   This should help.

 

http://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/linux-definitions-schema.html

 

For the example able checking version we changed to the right package centos-release and then we corrected version to show 6

 

[root@preup_centos_test ~]# rpm -qa --queryformat "%{version}" centos-release
6

In short openscap dict/oval needs to support CentOS



Additional info:

Comment 1 Šimon Lukašík 2014-05-06 16:38:56 UTC
Thanks for the report! However, it is not clear to me what exactly is requested. Am I right supposing that OpenSCAP internal CPE dict is requested to include CentOS CPE strings? Like:

  cpe:/o:centos:centos:6
  cpe:/o:centos:centos:5
  cpe:/o:centos:centos:4

?

Comment 2 Šimon Lukašík 2014-05-23 11:09:17 UTC
openscap.git e09f29496081a0525cda0b18299bccb9803baf76

Comment 3 Dave Sullivan 2014-09-22 13:58:31 UTC
Simon, yes to Comment #1, looks like we are in post now so all is good.

Thx...Dave

Btw, I think we needed something similar for Oracle I can't remember if I created a BZ for that, but I'll check on it soon.

Comment 4 Šimon Lukašík 2014-09-22 14:37:13 UTC
Well, this is actually already released in Fedoras. Thanks for report.


Note You need to log in before you can comment on or make changes to this bug.