----- Original Message -----
> From: "Shawn Wells" <[email protected]>
> To: "Jan Lieskovsky" <[email protected]>
> Cc: "SCAP Security Guide" <[email protected]>
> Sent: Tuesday, July 15, 2014 5:41:26 AM
> Subject: Re: [PATCH 1/2] [*/transforms/idtranslate.py] Allow shorthand format to contain <ind:variable_object> definition
>
>
> On 7/14/14, 5:57 AM, Jan Lieskovsky wrote:
> > Hello Shawn,
> >
> > ----- Original Message -----
> >> From: "Shawn Wells" <[email protected]>
> >> To: [email protected]
> >> Sent: Monday, July 7, 2014 5:43:53 PM
> >> Subject: Re: [PATCH 1/2] [*/transforms/idtranslate.py] Allow shorthand format to contain <ind:variable_object> definition
> >>
> >>
> >> On 7/7/14, 4:55 AM, Jan Lieskovsky wrote:
> >>> ----- Original Message -----
> >>>>> From: "Shawn Wells" <[email protected]>
> >>>>> To: [email protected]
> >>>>> Sent: Thursday, July 3, 2014 8:19:33 PM
> >>>>> Subject: Re: [PATCH 1/2] [*/transforms/idtranslate.py] Allow shorthand format to contain <ind:variable_object> definition
> >>>>>
> >>>>>
> >>>>> On 7/3/14, 6:23 AM, Jan Lieskovsky wrote:
> >>>>>
> >>>>> Currently it's not possible for the shorthand form of OVAL definition to contain
> >>>>> <ind:variable_object> definition (based on previously defined <local_variable>).
> >>>>>
> >>>>> The reason behind this limitation being that idtranslate.py script (which is internally
> >>>>> called by relabelids.py script, which is subsequently called during the benchmark
> >>>>> build process) is not currently able to properly handle <ind:var_ref> element.
> >>>>>
> >>>>> When translating the OVAL ids idtranslate.py is able to correctly replace value of
> >>>>> 'var_ref' attribute, but not able to translate the id when 'var_ref' isn't an attribute,
> >>>>> but rather a tag / element directly. The <variable_object> definition expects
> >>>>> the form of:
> >>>>>
> >>>>> <ind:variable_object id="object_id" version="1">
> >>>>>   <ind:var_ref>reference_to_previously_defined_variable_used_in_the_check</ind:var_ref>
> >>>>> </ind:variable_object>
> >>>>>
> >>>>> Since (currently) value of <ind:var_ref> element isn't properly translated into
> >>>>> real ID, during the benchmark build process the error like the following is raised:
> >>>>>
> >>>>> ... [pattern] id 'variable_name' does not meet the expected pattern [oval:a-z...]
> >>>>>
> >>>>> This results in inability to successfully build the benchmark, when variable_object
> >>>>> (containing by xsd required reference to var_ref) is used.
> >>>>>
> >>>>> Since I need the capability to define variable_objects (see the patch [2/2]), update
> >>>>> idtranslate.py script (in RHEL/6 and also across the content) to be able to properly
> >>>>> handle variable_objects (properly translate var_ref ids even in case it's
> >>>>> listed as tag / element).
> >>>>>
> >>>>> The function / proper work of proposed change is confirmed by successful work
> >>>>> of subsequent patch (see patch [2/2] for further details).
> >>>>>
> >>>>> Please review.
> >>>>>
> >>>>> Thank you && Regards, Jan.
> >>>>> --
> >>>>> Jan iankko Lieskovsky / Red Hat Security Technologies Team
> >>>>>
> >>>>>
> >>>>> 0001-transforms-idtranslate.py-Allow-shorthand-format-to-.patch
> >>>>> From 6666cca40efcf54711ed76ac1b1eb176ec62b271 Mon Sep 17 00:00:00 2001
> >>>>> From: Jan Lieskovsky<[email protected]>
> >>>>> Date: Thu, 3 Jul 2014 11:21:39 +0200
> >>>>> Subject: [PATCH 1/2] [*/transforms/idtranslate.py] Allow shorthand format to contain <ind:variable_object> definition
> >>>>>
> >>>>> Signed-off-by: Jan Lieskovsky<[email protected]>
> >>>>> ---
> >>>>> Fedora/transforms/idtranslate.py | 3 +++
> >>>>> OpenStack/transforms/idtranslate.py | 3 +++
> >>>>> RHEL/6/transforms/idtranslate.py | 3 +++
> >>>>> RHEL/7/transforms/idtranslate.py | 3 +++
> >>>>> RHEVM3/transforms/idtranslate.py | 3 +++
> >>>>> 5 files changed, 15 insertions(+)
> >>>>>
> >>>>> diff --git a/Fedora/transforms/idtranslate.py > >>>>> b/Fedora/transforms/idtranslate.py > >>>>> index 77f078a..67c1cf4 100755 > >>>>> --- a/Fedora/transforms/idtranslate.py > >>>>> +++ b/Fedora/transforms/idtranslate.py
> >>>>> @@ -123,6 +123,9 @@ class idtranslator: > >>>>> if element.tag == "{" + oval_ns + "}filter": > >>>>> element.text = self.assign_id("{" + > >>>>> oval_ns + "}state", > >>>>> element.text) > >>>>> continue > >>>>> + if element.tag == "{" + oval_ns + > >>>>> "#independent}var_ref": > >>>>> + element.text = self.assign_id("{" + > >>>>> oval_ns + "}variable", > >>>>> element.text) > >>>>> + continue > >>>>> for attr in element.keys(): > >>>>> if attr in ovalrefattr_to_tag.keys(): > >>>>> > >>>>> element.set(attr,self.assign_id( "{" + oval_ns + "} " + > >>>>> ovalrefattr_to_tag[attr], > >>>>> element.get(attr))) > >>>>> diff --git a/OpenStack/transforms/idtranslate.py > >>>>> b/OpenStack/transforms/idtranslate.py > >>>>> index 77f078a..67c1cf4 100755 > >>>>> --- a/OpenStack/transforms/idtranslate.py > >>>>> +++ b/OpenStack/transforms/idtranslate.py > >>>>> @@ -123,6 +123,9 @@ class idtranslator: > >>>>> if element.tag == " {" + oval_ns + "}filter": > >>>>> element.text = self.assign_id("{" + > >>>>> oval_ns + "}state", > >>>>> element.text) > >>>>> continue > >>>>> + if element.tag == "{" + oval_ns + > >>>>> "#independent}var_ref": > >>>>> + element.text = self.assign_id("{" + > >>>>> oval_ns + "}variable", > >>>>> element.text) > >>>>> + continue > >>>>> for attr in element.keys(): > >>>>> if attr in ovalrefattr_to_tag.keys(): > >>>>> > >>>>> element.set(attr,self.assign_id( "{" + oval_ns + "} " + > >>>>> ovalrefattr_to_tag[attr], > >>>>> element.get(attr))) > >>>>> diff --git a/RHEL/6/transforms/idtranslate.py > >>>>> b/RHEL/6/transforms/idtranslate.py > >>>>> index 77f078a..67c1cf4 100755 > >>>>> --- a/RHEL/6/transforms/idtranslate.py > >>>>> +++ b/RHEL/6/transforms/idtranslate.py 
> >>>>> @@ -123,6 +123,9 @@ class idtranslator: > >>>>> if element.tag == " {" + oval_ns + "}filter": > >>>>> element.text = self.assign_id("{" + > >>>>> oval_ns + "}state", > >>>>> element.text) > >>>>> continue > >>>>> + if element.tag == "{" + oval_ns + > >>>>> "#independent}var_ref": > >>>>> + element.text = self.assign_id("{" + > >>>>> oval_ns + "}variable", > >>>>> element.text) > >>>>> + continue > >>>>> for attr in element.keys(): > >>>>> if attr in ovalrefattr_to_tag.keys(): > >>>>> > >>>>> element.set(attr,self.assign_id( "{" + oval_ns + "} " + > >>>>> ovalrefattr_to_tag[attr], > >>>>> element.get(attr))) > >>>>> diff --git a/RHEL/7/transforms/idtranslate.py > >>>>> b/RHEL/7/transforms/idtranslate.py > >>>>> index 77f078a..67c1cf4 100755 > >>>>> --- a/RHEL/7/transforms/idtranslate.py > >>>>> +++ b/RHEL/7/transforms/idtranslate.py > >>>>> @@ -123,6 +123,9 @@ class idtranslator: > >>>>> if element.tag == " {" + oval_ns + "}filter": > >>>>> element.text = self.assign_id("{" + > >>>>> oval_ns + "}state", > >>>>> element.text) > >>>>> continue > >>>>> + if element.tag == "{" + oval_ns + > >>>>> "#independent}var_ref": > >>>>> + element.text = self.assign_id("{" + > >>>>> oval_ns + "}variable", > >>>>> element.text) > >>>>> + continue > >>>>> for attr in element.keys(): > >>>>> if attr in ovalrefattr_to_tag.keys(): > >>>>> > >>>>> element.set(attr,self.assign_id( "{" + oval_ns + "} " + > >>>>> ovalrefattr_to_tag[attr], > >>>>> element.get(attr))) > >>>>> diff --git a/RHEVM3/transforms/idtranslate.py > >>>>> b/RHEVM3/transforms/idtranslate.py > >>>>> index 77f078a..67c1cf4 100755 > >>>>> --- a/RHEVM3/transforms/idtranslate.py > >>>>> +++ b/RHEVM3/transforms/idtranslate.py 
> >>>>> @@ -123,6 +123,9 @@ class idtranslator: > >>>>> if element.tag == " {" + oval_ns + "}filter": > >>>>> element.text = self.assign_id("{" + > >>>>> oval_ns + "}state", > >>>>> element.text) > >>>>> continue > >>>>> + if element.tag == "{" + oval_ns + > >>>>> "#independent}var_ref": > >>>>> + element.text = self.assign_id("{" + > >>>>> oval_ns + "}variable", > >>>>> element.text) > >>>>> + continue > >>>>> for attr in element.keys(): > >>>>> if attr in ovalrefattr_to_tag.keys(): > >>>>> > >>>>> element.set(attr,self.assign_id( "{" + oval_ns + "}" + > >>>>> ovalrefattr_to_tag[attr], > >>>>> element.get(attr))) > >>>>> -- > >>>>> 1.8.3.1
> >>>>>
> >>>>> ack
> >>> Thanks, Shawn. Pushed. By any chance have you found time to review / test also the second one?
> >> The second was a bit more detailed, so didn't have time last week. It's on the to-do for today.
> > Sorry to bother you, but by any chance have you found time to check the second one too?:
> >
> > https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-July/005783.html
> >
> > Wouldn't like it to fall out of the radar due to:
> > * it's the last RHEL-6 causing 'make validate' to fail,
> > * it has been tested & confirmed for work by Ray already (+ Ray found another issue
> >   with current XCCDF description which needs yet additional patch):
> >
> > https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-July/005798.html
> >
> > So if there are objections, could you (anyone else) express them, so they could be corrected
> > & we could move on?
> >
> > Thank you a lot in advance && Regards, Jan.
>
> ack
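Review bot: In the added `var_ref` branch, `element.text` goes straight into `self.assign_id(...)` with no check, so an empty `<ind:var_ref>` (text is None) or one whose text carries leading or trailing whitespace or a newline would be looked up under a name that differs from the variable's `id`. Suggest normalising first: strip the text, and skip or fail loudly when it is blank, before assigning back to `element.text`. The comparison also matches only `"#independent}var_ref"`; if that restriction is deliberate, a one-line comment above the branch saying so would help the next reader.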
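Review bot: Five byte-identical copies of idtranslate.py (the same `index 77f078a..67c1cf4` for Fedora, OpenStack, RHEL/6, RHEL/7 and RHEVM3) each need this same hunk, which makes it easy for a later fix to the reference handling to reach only some products. Suggest a follow-up that keeps one shared copy which the per-product transforms directories import or link to, so the ID translation cannot drift between benchmarks.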
Thank you. Pushed:

https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=eb334959e5c9559a57d153b58eed3b60afaa515a

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
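The attribute-versus-element distinction described in the quoted patch message, as an added example that is not part of the thread or of idtranslate.py: a translator that rewrites only `var_ref` attributes leaves the `<ind:var_ref>` element text as a shorthand name, which then fails the OVAL variable ID pattern. The helper names `translate` and `untranslated_refs`, the `oval:example:...` ID scheme and the sample fragment are assumptions made for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
IND_NS = OVAL_NS + "#independent"
VAR_REF_TAG = "{%s}var_ref" % IND_NS
# OVAL variable IDs must look like oval:<namespace>:var:<n>.
VAR_ID = re.compile(r"^oval:[A-Za-z0-9_.\-]+:var:[1-9][0-9]*$")
KINDS = {"_variable": "var", "_object": "obj", "_state": "ste", "_test": "tst"}

# Constructed shorthand fragment: the same variable is referenced once as
# element text (variable_object) and once as an attribute (subexpression).
SHORTHAND = f"""<oval xmlns="{OVAL_NS}" xmlns:ind="{IND_NS}">
  <local_variable id="var_example" datatype="string" version="1"/>
  <ind:variable_object id="object_example" version="1">
    <ind:var_ref>var_example</ind:var_ref>
  </ind:variable_object>
  <ind:textfilecontent54_state id="state_example" version="1">
    <ind:subexpression var_ref="var_example" var_check="all"/>
  </ind:textfilecontent54_state>
</oval>"""

def translate(xml_text, element_refs=True, prefix="oval:example"):
    """Replace shorthand names with full IDs (assumed scheme, hypothetical helper)."""
    ids = {}
    def assign(kind, name):
        key = (kind, name.strip())
        if key not in ids:
            ids[key] = f"{prefix}:{kind}:{len(ids) + 1}"
        return ids[key]
    root = ET.fromstring(xml_text)
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]
        kind = next((k for s, k in KINDS.items() if local.endswith(s)), None)
        if kind and el.get("id"):
            el.set("id", assign(kind, el.get("id")))
        if el.get("var_ref"):                      # reference held in an attribute
            el.set("var_ref", assign("var", el.get("var_ref")))
        if element_refs and el.tag == VAR_REF_TAG and (el.text or "").strip():
            el.text = assign("var", el.text)       # reference held in element text
    return root

def untranslated_refs(root):
    """List var_ref values, attribute or element text, that are not valid OVAL IDs."""
    bad = []
    for el in root.iter():
        values = [el.get("var_ref")]
        if el.tag == VAR_REF_TAG:
            values.append((el.text or "").strip())
        bad += [v for v in values if v is not None and not VAR_ID.match(v)]
    return bad
```

Running `untranslated_refs` over translated content before schema validation points at the exact shorthand name that was missed, which is easier to act on than the pattern error from the build.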
