On 2/19/14, 9:11 AM, Jan Lieskovsky wrote:
This patch fixes 'make validate' error on current RHEL-7 content.

Running 'make validate' in RHEL/7 currently returns output as detailed in attached old_output.txt. This problem is / was caused by missing OVAL definitions for:

* service_sshd_disabled.xml and
* package_openssh-server_removed.xml

checks. Thus provide RHEL-7 specific check for service_sshd_disabled (since it uses systemd and can't be shared with RHEL-6), and move original package_openssh-server_removed.xml definition into shared, making symlinks on appropriate places for RHEL-6 and RHEL-7 content(s).

After the patch 'make validate' succeeds already as shown in attached new_output.txt (it still prints warnings about missing definitions, but these aren't defined in RHEL-7 content yet => that warning being expected and to be fixed gradually later together with adding appropriate definitions. But after application of the patch make validate runs / completes correctly, without the above error).

Please review.

Thank you && Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

new_output.txt

$ make validate
oscap xccdf validate-xml output/ssg-rhel7-xccdf.xml
oscap oval validate-xml output/ssg-rhel7-oval.xml
oscap oval validate-xml output/ssg-rhel7-cpe-oval.xml
cd output; ../utils/verify-references.py --rules-with-invalid-checks --ovaldefs-unused ssg-rhel7-xccdf.xml
Invalid OVAL definition referenced by XCCDF Rule: ensure_gpgcheck_globally_activated ..
oscap oval validate-xml --schematron output/ssg-rhel7-oval.xml
$ echo $?
0

old_output.txt

$ make validate
oscap xccdf validate-xml output/ssg-rhel7-xccdf.xml
oscap oval validate-xml output/ssg-rhel7-oval.xml
File 'output/ssg-rhel7-oval.xml' line 20: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No match found for key-sequence ['oval:ssg:def:111'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 36: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No match found for key-sequence ['oval:ssg:def:111'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 225: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No match found for key-sequence ['oval:ssg:def:111'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 363: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No match found for key-sequence ['oval:ssg:def:111'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 379: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No match found for key-sequence ['oval:ssg:def:111'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 439: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No match found for key-sequence ['oval:ssg:def:111'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 575: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No match found for key-sequence ['oval:ssg:def:111'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 672: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No match found for key-sequence ['oval:ssg:def:111'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 777: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No match found for key-sequence ['oval:ssg:def:111'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 898: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No match found for key-sequence ['oval:ssg:def:111'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 899: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No match found for key-sequence ['oval:ssg:def:229'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
Invalid OVAL Definition content(5.10) in output/ssg-rhel7-oval.xml.
make: *** [validate-xml] Error 2

0001-RHEL-7-Fix-make-validate-error-caused-by-missing-two.patch

From c1d0e76fa99092b7ce113c5b8ef74de7c31c6051 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky<[email protected]>
Date: Wed, 19 Feb 2014 14:55:49 +0100
Subject: [PATCH] [RHEL/7] Fix 'make validate' error caused by missing two OVAL checks definitions

Signed-off-by: Jan Lieskovsky<[email protected]>
---
 .../checks/package_openssh-server_removed.xml  | 27 +---------------
 .../checks/package_openssh-server_removed.xml  |  1 +
 RHEL/7/input/checks/service_sshd_disabled.xml  | 36 ++++++++++++++++++++++
 shared/oval/package_openssh-server_removed.xml | 27 ++++++++++++++++
 4 files changed, 65 insertions(+), 26 deletions(-)
 mode change 100644 => 120000 RHEL/6/input/checks/package_openssh-server_removed.xml
 create mode 120000 RHEL/7/input/checks/package_openssh-server_removed.xml
 create mode 100644 RHEL/7/input/checks/service_sshd_disabled.xml
 create mode 100644 shared/oval/package_openssh-server_removed.xml
diff --git a/RHEL/6/input/checks/package_openssh-server_removed.xml b/RHEL/6/input/checks/package_openssh-server_removed.xml deleted file mode 100644 index 5455384..0000000 --- a/RHEL/6/input/checks/package_openssh-server_removed.xml +++ /dev/null @@ -1,26 +0,0 @@ -<def-group> - <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. --> - <definition class="compliance" id="package_openssh-server_removed" - version="1"> - <metadata> - <title>Package openssh-server Removed</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>The RPM package openssh-server should be removed.</description> - <reference source="swells" ref_id="20130829" ref_url="test_attestation"/> - </metadata> - <criteria> - <criterion comment="package openssh-server is removed" - test_ref="test_package_openssh-server_removed" /> - </criteria> - </definition> - <linux:rpminfo_test check="all" check_existence="none_exist" - id="test_package_openssh-server_removed" version="1" - comment="package openssh-server is removed"> - <linux:object object_ref="obj_package_openssh-server_removed" /> - </linux:rpminfo_test> - <linux:rpminfo_object id="obj_package_openssh-server_removed" version="1"> - <linux:name>openssh-server</linux:name> - </linux:rpminfo_object> -</def-group> diff --git a/RHEL/6/input/checks/package_openssh-server_removed.xml b/RHEL/6/input/checks/package_openssh-server_removed.xml new file mode 120000 index 0000000..08bf662 --- /dev/null +++ b/RHEL/6/input/checks/package_openssh-server_removed.xml @@ -0,0 +1 @@ +../../../../shared/oval/package_openssh-server_removed.xml \ No newline at end of file diff --git a/RHEL/7/input/checks/package_openssh-server_removed.xml b/RHEL/7/input/checks/package_openssh-server_removed.xml new file mode 120000 index 0000000..08bf662 --- /dev/null +++ b/RHEL/7/input/checks/package_openssh-server_removed.xml 
@@ -0,0 +1 @@ +../../../../shared/oval/package_openssh-server_removed.xml \ No newline at end of file diff --git a/RHEL/7/input/checks/service_sshd_disabled.xml b/RHEL/7/input/checks/service_sshd_disabled.xml new file mode 100644 index 0000000..031d8ea --- /dev/null +++ b/RHEL/7/input/checks/service_sshd_disabled.xml @@ -0,0 +1,36 @@ +<def-group> + <definition class="compliance" id="service_sshd_disabled" version="1"> + <metadata> + <title>Service sshd Disabled</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 7</platform> + </affected> + <description> + The sshd service should be disabled. + </description> + </metadata> + <criteria comment="package openssh-server removed or service sshd is not configured to start" operator="OR"> + <extend_definition comment="openssh-server removed" definition_ref="package_openssh-server_removed" /> + <criterion comment="sshd disabled in multi-user.target" test_ref="test_sshd_disabled_multi_user_target" /> + </criteria> + </definition> + + <unix:file_test check="all" check_existence="none_exist" + comment="look for sshd.service in /etc/systemd/system/multi-user.target.wants" + id="test_sshd_disabled_multi_user_target" version="1"> + + <unix:object object_ref="object_sshd_disabled_multi_user_target" /> + </unix:file_test> + + <unix:file_object comment="look for sshd.service in /etc/systemd/system/multi-user.target.wants" + id="object_sshd_disabled_multi_user_target" version="1"> + + <unix:filepath>/etc/systemd/system/multi-user.target.wants/sshd.service</unix:filepath> + <filter action="include">state_symlink</filter> + </unix:file_object> + + <unix:file_state id="state_symlink" version="1"> + <unix:type operation="equals">symbolic link</unix:type> + </unix:file_state> + +</def-group> diff --git a/shared/oval/package_openssh-server_removed.xml b/shared/oval/package_openssh-server_removed.xml new file mode 100644 index 0000000..311463e --- /dev/null +++ b/shared/oval/package_openssh-server_removed.xml 
@@ -0,0 +1,27 @@ +<def-group> + <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. --> + <definition class="compliance" id="package_openssh-server_removed" + version="1"> + <metadata> + <title>Package openssh-server Removed</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + <platform>Red Hat Enterprise Linux 7</platform> + </affected> + <description>The RPM package openssh-server should be removed.</description> + <reference source="swells" ref_id="20130829" ref_url="test_attestation"/> + </metadata> + <criteria> + <criterion comment="package openssh-server is removed" + test_ref="test_package_openssh-server_removed" /> + </criteria> + </definition> + <linux:rpminfo_test check="all" check_existence="none_exist" + id="test_package_openssh-server_removed" version="1" + comment="package openssh-server is removed"> + <linux:object object_ref="obj_package_openssh-server_removed" /> + </linux:rpminfo_test> + <linux:rpminfo_object id="obj_package_openssh-server_removed" version="1"> + <linux:name>openssh-server</linux:name> + </linux:rpminfo_object> +</def-group> -- 1.8.3.1
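Review bot: in the RHEL/7/input/checks/service_sshd_disabled.xml hunk, the `<filter action="include">state_symlink</filter>` on object_sshd_disabled_multi_user_target weakens the test instead of tightening it. test_sshd_disabled_multi_user_target uses check_existence="none_exist", so it passes whenever the collected item set is empty; a /etc/systemd/system/multi-user.target.wants/sshd.service that is a regular file (or anything other than a symbolic link) is dropped by the filter, the set is empty, and the definition reports sshd as disabled although a unit is wanted by multi-user.target. If the intent is only "no sshd.service under multi-user.target.wants", drop the filter and the state_symlink state; the test then fails on any sshd.service present there. Two smaller points on the same file: state_symlink is a generic id that will collide with any other check in the merged OVAL that picks the same name, so prefix it like the test and object ids (state_sshd_disabled_multi_user_target); and unlike the shared package_openssh-server_removed.xml this definition carries no `<reference ... ref_url="test_attestation"/>` record, which the "Tested on RHEL7 beta" reply below would supply. It is also worth stating in the description or the criteria comment that only multi-user.target.wants is examined, so a unit enabled via another target is not caught.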
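Review bot: the new shared/oval/package_openssh-server_removed.xml keeps the header `<!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. -->` but is itself a hand edit: the second `<platform>Red Hat Enterprise Linux 7</platform>` line was added by hand, and the file now lives under shared/oval, where the generator's output for RHEL/6 did not. Either update create_package_removed.py to emit into shared/oval with both platforms, or drop the header, so that a later regeneration does not silently overwrite this copy or recreate a divergent RHEL/6/input/checks/package_openssh-server_removed.xml over the symlink the RHEL/6 hunk introduces.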
Tested on RHEL7 beta. Ack.
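The schema errors in old_output.txt above are the OVAL keyref check firing on extend_definition elements whose definition_ref names no definition id in the merged file, and oscap reports them only by line number. The script below is an added example, not code from scap-security-guide or from the patch in this thread; it performs the same dangling-reference check for definition_ref and test_ref on a merged OVAL 5.10 document and reports which definition contains each broken reference. The embedded sample document and every id in it (oval:ssg:def:200 and so on) are constructed for this example and do not correspond to ids in the real SSG build output.

```python
"""Report dangling definition_ref / test_ref references in a merged OVAL file.

Added example; not code from scap-security-guide or from the patch above.
The SAMPLE document and all ids in it are constructed for this example.
"""
import sys
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
DEF_TAG = "{%s}definition" % OVAL_NS
EXT_TAG = "{%s}extend_definition" % OVAL_NS
CRIT_TAG = "{%s}criterion" % OVAL_NS


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def find_dangling_refs(xml_text):
    """Return (containing definition id, element name, missing id) tuples.

    Mirrors the two keyrefs 'oscap oval validate-xml' enforces:
    extend_definition/@definition_ref must name a <definition id=...>, and
    criterion/@test_ref must name a *_test element, whatever component
    namespace (linux-def, unix-def, ...) that test lives in.
    """
    root = ET.fromstring(xml_text)
    definitions = list(root.iter(DEF_TAG))
    defined_ids = {d.get("id") for d in definitions}
    test_ids = {
        e.get("id") for e in root.iter()
        if local_name(e.tag).endswith("_test") and e.get("id")
    }
    problems = []
    for definition in definitions:
        def_id = definition.get("id")
        for ext in definition.iter(EXT_TAG):
            ref = ext.get("definition_ref")
            if ref not in defined_ids:
                problems.append((def_id, "extend_definition", ref))
        for crit in definition.iter(CRIT_TAG):
            ref = crit.get("test_ref")
            if ref not in test_ids:
                problems.append((def_id, "criterion", ref))
    return problems


# Constructed sample: def:200 extends a definition that is not in the file
# (the situation behind the 'oval:ssg:def:111' errors in old_output.txt),
# and def:201 references a test that was never merged in.
SAMPLE = """<oval_definitions
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <definitions>
    <definition class="compliance" id="oval:ssg:def:200" version="1">
      <criteria operator="OR">
        <extend_definition comment="openssh-server removed"
                           definition_ref="oval:ssg:def:111"/>
        <criterion comment="sshd not wanted by multi-user.target"
                   test_ref="oval:ssg:tst:1"/>
      </criteria>
    </definition>
    <definition class="compliance" id="oval:ssg:def:201" version="1">
      <criteria>
        <criterion comment="package check" test_ref="oval:ssg:tst:2"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <linux:rpminfo_test check="all" check_existence="none_exist"
                        id="oval:ssg:tst:1" version="1" comment="sample">
      <linux:object object_ref="oval:ssg:obj:1"/>
    </linux:rpminfo_test>
  </tests>
</oval_definitions>
"""


def main(argv):
    """Check the file named on the command line, or SAMPLE if none is given."""
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:  # bytes, so any XML encoding works
            text = fh.read()
    else:
        text = SAMPLE
    problems = find_dangling_refs(text)
    for def_id, element, ref in problems:
        print("%s: <%s> references missing id %r" % (def_id, element, ref))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the merged file (for example `python check_oval_refs.py output/ssg-rhel7-oval.xml`, with the script name being whatever you save it as) before `make validate`; a non-zero exit lists the definitions to fix. It is not a substitute for the schema and schematron validation oscap performs, which checks far more than these two keyrefs, but it turns a line number into the definition id you have to add or un-reference.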
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
