Hello Martin,

  sorry for the delay in processing this request
(other issues prevented me from reacting sooner). Anyway,
pls see below.

----- Original Message -----
> From: "Martin Preisler" <[email protected]>
> To: "Jan Lieskovsky" <[email protected]>
> Cc: "SCAP Security Guide" <[email protected]>, 
> "open-scap-list" <[email protected]>
> Sent: Thursday, July 28, 2016 8:01:47 PM
> Subject: Re: Latest OpenSCAP changes to speed up SSG builds
> 
> ----- Original Message -----
> > From: "Jan Lieskovsky" <[email protected]>
> > To: "Martin Preisler" <[email protected]>
> > Cc: "SCAP Security Guide" <[email protected]>,
> > "open-scap-list" <[email protected]>
> > Sent: Thursday, July 28, 2016 5:05:26 AM
> > Subject: Re: Latest OpenSCAP changes to speed up SSG builds
> > 
> > [snip]
> > 
> > That would be helpful, yes. Thanks, Martin.
> > 
> > There will be some differences (for example timestamp) for sure. But
> > the point is to ensure there won't be some other inevitable deviations
> > (that could lead e.g. to the reduction of the file size at the end).
> > IOW, verification of whether those XSLT changes are isolated enough
> > that it won't hurt when they are also used together with the old openscap
> > code base (without other patches from upstream being applied).
> 
> I wrote a blog post about the optimizations and about the test-case I
> created to verify correctness. Check it out at
> https://martin.preisler.me/2016/07/openscap-xslt-performance-improvements-for-faster-ssg-builds/
> and let me know if this addresses your concerns.
> 
> Feel free to run the test-case on your machine as well so that we have
> more data sources.

I have compared the output on two RHEL-7 machines running openscap-1.2.10 vs
openscap-1.2.11 (latest 1.2-main master) and diffed both *-xccdf-1.2.xml and
selected guides manually, and the results are below:

* for -xccdf-1.2 files, the output is identical:

  $ diff -s ssg-rhel7-xccdf-1.2.xml ssg-rhel7-xccdf-1.2.xml-latest 
  Files ssg-rhel7-xccdf-1.2.xml and ssg-rhel7-xccdf-1.2.xml-latest are identical

  $ ls -l ssg-rhel7-xccdf-1.2.xml*
  -rw-r--r--. 1 iankko iankko 1839260 aug  1 18:16 ssg-rhel7-xccdf-1.2.xml
  -rw-rw-r--. 1 iankko iankko 1839260 aug  1 17:47 ssg-rhel7-xccdf-1.2.xml-latest

* for the modified guides template, the output differs slightly. 

  The 'guide-tree-leaf-id*' changes are irrelevant (looks like just different
  hash value) => safe.

  After unifying all of them to the same form in both files, there are still some
  changes in xccdf:Values (it looks like some xccdf:Values got different default
  selector values, pls see the attached file below. But IMHO this is just a
  demonstration of the bug you have mentioned before) => changes pending confirmation.

  The other change is just oscap version change in some element at the benchmark
  end => expected / safe change too.

To summarize, IMHO the changes are either safe, or are a demonstration of that
'default selector' xccdf:Value bug you mentioned earlier =>

I agree this change is safe to apply on Jenkins slaves
(IOW it's functionally identical to the version in previous oscap releases).

Regards, Jan
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> 
> --
> Martin Preisler
> Identity Management and Platform Security | Red Hat, Inc.
> 
1719c1719
< var_password_pam_dcredit="<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_password_pam_dcredit">1</abbr>"
---
> var_password_pam_dcredit="<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_password_pam_dcredit">-1</abbr>"
1867c1867
< var_password_pam_ucredit="<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_password_pam_ucredit">1</abbr>"
---
> var_password_pam_ucredit="<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_password_pam_ucredit">-1</abbr>"
1929c1929
< <code>/etc/security/pwquality.conf</code> to equal <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_password_pam_ocredit">1</abbr> to require use of a special character in passwords.
---
> <code>/etc/security/pwquality.conf</code> to equal <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_password_pam_ocredit">-1</abbr> to require use of a special character in passwords.
1944c1944
< var_password_pam_ocredit="<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_password_pam_ocredit">1</abbr>"
---
> var_password_pam_ocredit="<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_password_pam_ocredit">-1</abbr>"
2021c2021
< var_password_pam_lcredit="<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_password_pam_lcredit">1</abbr>"
---
> var_password_pam_lcredit="<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_password_pam_lcredit">-1</abbr>"
2083c2083
< to equal <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_password_pam_difok">8</abbr> to require differing characters 
---
> to equal <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_password_pam_difok">5</abbr> to require differing characters 
2102c2102
< var_password_pam_difok="<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_password_pam_difok">8</abbr>"
---
> var_password_pam_difok="<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_password_pam_difok">5</abbr>"
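Review bot: In the hunks at 1719, 1867, 1929, 1944 and 2021 the rendered credit value changes sign (1 versus -1), and that is not cosmetic for pwquality: a negative credit sets a minimum number of characters of that class, while a positive one only grants length credit, so the sentence at 1929 ("to require use of a special character in passwords") holds only for the -1 rendering. The difok hunks at 2083 and 2102 (8 versus 5) likewise state different thresholds. Before filing these under the known default-selector bug, check each value against the selector named by the profile's refine-value and record which side of the diff matches it.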
3049c3049
< sysctl_net_ipv4_conf_all_accept_redirects_value="<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_redirects_value">disabled</abbr>"
---
> sysctl_net_ipv4_conf_all_accept_redirects_value="<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_redirects_value">0</abbr>"
3083c3083
< sysctl_net_ipv4_conf_default_accept_source_route_value="<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_source_route_value">disabled</abbr>"
---
> sysctl_net_ipv4_conf_default_accept_source_route_value="<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_source_route_value">0</abbr>"
3116c3116
< sysctl_net_ipv4_conf_default_accept_redirects_value="<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value">disabled</abbr>"
---
> sysctl_net_ipv4_conf_default_accept_redirects_value="<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value">0</abbr>"
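Review bot: In the three sysctl hunks (3049, 3083, 3116) one side renders the word "disabled" where the other renders 0, and "disabled" is not a value that can be written into a sysctl setting, so it reads like a selector name shown in place of the selected value. Confirm which of the two the guide is meant to display, and state in the summary which openscap version produced which side.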
13664c13664
<                 Generated using <a href="http://open-scap.org";>OpenSCAP</a> 1.2.10</p></div></footer></body></html>
---
>                 Generated using <a href="http://open-scap.org";>OpenSCAP</a> 1.2.11</p></div></footer></body></html>
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
https://github.com/OpenSCAP/scap-security-guide/
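
The comparison described in the message above (unify the 'guide-tree-leaf-id*' values, ignore the oscap version in the footer, then inspect what is left), as an added Python example that is not part of the original message or of OpenSCAP. The leaf-id suffix pattern, the function names and the two guide fragments are assumptions constructed for illustration.

```python
import difflib
import re

# Assumption: leaf ids are "guide-tree-leaf-id" plus a hash-like suffix.
LEAF_ID = re.compile(r"guide-tree-leaf-id[\w-]*")
# Footer and refine-value markup as they appear in the attached diff.
OSCAP_VER = re.compile(r"(OpenSCAP</a>\s+)\d+(?:\.\d+)+")
REFINED = re.compile(
    r'<abbr title="from Profile/refine-value: ([\w.-]+)">([^<]*)</abbr>')


def normalize(html):
    """Mask the parts of a guide that are expected to differ between builds."""
    html = LEAF_ID.sub("guide-tree-leaf-id", html)
    return OSCAP_VER.sub(r"\g<1>VERSION", html).splitlines()


def value_changes(old_html, new_html):
    """Return ({value_id: (old, new)}, other_changed_lines)."""
    old, new = normalize(old_html), normalize(new_html)
    changed, other = {}, []
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        before = dict(m for ln in old[i1:i2] for m in REFINED.findall(ln))
        after = dict(m for ln in new[j1:j2] for m in REFINED.findall(ln))
        diffs = {k: (before.get(k), after.get(k))
                 for k in before.keys() | after.keys()
                 if before.get(k) != after.get(k)}
        if diffs:
            changed.update(diffs)      # a refine-value rendered differently
        else:
            other.extend(old[i1:i2] + new[j1:j2])  # needs a manual look
    return changed, other


# Constructed sample fragments (not real guide output).
_ABBR = ('<abbr title="from Profile/refine-value: '
         'xccdf_org.ssgproject.content_value_var_password_pam_dcredit">')
OLD_GUIDE = ('<li id="guide-tree-leaf-idm1234">rule</li>\n'
             'var_password_pam_dcredit="' + _ABBR + '1</abbr>"\n'
             'Generated using <a href="x">OpenSCAP</a> 1.2.10</p>')
NEW_GUIDE = ('<li id="guide-tree-leaf-idm9876">rule</li>\n'
             'var_password_pam_dcredit="' + _ABBR + '-1</abbr>"\n'
             'Generated using <a href="x">OpenSCAP</a> 1.2.11</p>')

if __name__ == "__main__":
    print(value_changes(OLD_GUIDE, NEW_GUIDE))
```

Anything returned in the second list is a difference that is neither a leaf id, the version footer, nor a refine-value, and is what would contradict the "functionally identical" conclusion.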
