[Bug 1658792] Re: libopenscap8: Enable SCE option to make broader SCAP content available for Ubuntu users

2017-02-07 Thread Alan Guan
A PPA to address both this bug and #1661401 is available here:
https://launchpad.net/~fips-cc-stig/+archive/ubuntu/fipsdevppa

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658792

Title:
  libopenscap8: Enable SCE option to make broader SCAP content available
  for Ubuntu users

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1658792/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1661401] Re: libopenscap8: missing dependency resulting in missing OVAL objects support

2017-02-07 Thread Alan Guan
A PPA to address both this bug and #1658792 is available here:
https://launchpad.net/~fips-cc-stig/+archive/ubuntu/fipsdevppa

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1661401

Title:
  libopenscap8: missing dependency resulting in missing OVAL objects
  support

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1661401/+subscriptions



[Bug 1661401] Re: libopenscap8: missing dependency resulting in missing OVAL objects support

2017-02-02 Thread Alan Guan
** Bug watch added: Debian Bug tracker #852826
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852826

** Also affects: openscap (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852826
   Importance: Unknown
   Status: Unknown



[Bug 1661401] [NEW] libopenscap8: missing dependency resulting in missing OVAL objects support

2017-02-02 Thread Alan Guan
Public bug reported:

[Impact]

The "libdbus-1-dev" package is missing from the "Build-Depends" in the
"debian/control" file, and as a result, the OVAL object support for
"systemdunitproperty" and "systemdunitdependency" is missing. About
10~15% of the SCAP content based on CIS benchmark relies on these two
OVAL objects - they are important and should be supported. Simply adding
the missing dependency will enable these OVAL objects for OpenSCAP.

[Test Case]

Run the command "oscap --v", and without the "libdbus-1-dev" dependency,
content under "Supported OVAL objects and associated OpenSCAP probes"
will NOT include the "systemdunitproperty" and "systemdunitdependency".
Once the "libdbus-1-dev" dependency is added and libopenscap8 rebuilt,
the command "oscap --v" will show "systemdunitproperty" and
"systemdunitdependency" as supported.

[Regression Potential]

The proposed changes enable new functionality that is already included
in the source package, and do not change the behavior of existing code
significantly.

Using the same patch attached to this bug report, the Canonical security
certification team has created a PPA here:
https://launchpad.net/~guanym/+archive/ubuntu/ppa.

The team is actively using the PPA to develop SCAP content with and
without the proposed changes:
 -- Without the proposed changes, ran scans using OpenSCAP against SCAP
    content with 40+ diverse rules based on CIS benchmark, and saved the
    XML scan result. The content included a rule that requires
    "systemdunitproperty" support, and the rule simply evaluated to
    "unknown", which is expected.
 -- With the proposed changes, ran a scan against the same SCAP content,
    and saved the XML scan result. The result was identical with the only
    exception that the "systemdunitproperty" dependent rule evaluated
    properly.

We are also running similar scans against an ever growing SCAP content
base 20~30 times on a daily basis, and OpenSCAP behaved normally.

[Other Info]

A similar bug report has been submitted to Debian.

** Affects: openscap (Ubuntu)
 Importance: Undecided
 Status: New

** Patch added: "enable systemdunit support by adding libdbus-1-dev as a required build dependency"
   https://bugs.launchpad.net/bugs/1661401/+attachment/4812243/+files/openscap-1.2.8.patch

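
The check from the [Test Case] above, together with the SCE plugin line from the test case of bug 1658792, as an added shell example (not part of the original bug report or of OpenSCAP). The `====` heading prefix, the `probe_*` names and the sample output are assumptions constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check `oscap --v` output for the features the test cases name.

# section_has HEADING WORD: read `oscap --v` output on stdin; succeed if a line
# inside the section titled HEADING has WORD as its first field.
section_has() {
    awk -v head="$1" -v want="$2" '
        index($0, head)      { in_sec = 1; next }   # heading of the wanted section
        in_sec && /^====/    { in_sec = 0 }         # assumed: headings start with ====
        in_sec && $1 == want { found = 1 }
        END { exit !found }
    '
}

# missing_features: read `oscap --v` output on stdin, print one line per
# feature from the two bug reports that the build does not list.
missing_features() {
    out=$(cat)
    for obj in systemdunitproperty systemdunitdependency; do
        printf '%s\n' "$out" |
            section_has "Supported OVAL objects and associated OpenSCAP probes" "$obj" ||
            echo "oval:$obj"
    done
    printf '%s\n' "$out" |
        section_has "Capabilities added by auto-loaded plugins" SCE ||
        echo "plugin:sce"
}

# sample_output fixed|unfixed: constructed, abbreviated stand-in for the output
# of `oscap --v` (not captured from a real build).
sample_output() {
    echo "==== Capabilities added by auto-loaded plugins ===="
    if [ "$1" = fixed ]; then
        echo "SCE Version: 1.0 (from libopenscap_sce.so.8)"
    fi
    echo "==== Supported OVAL objects and associated OpenSCAP probes ===="
    echo "family                 probe_family"
    if [ "$1" = fixed ]; then
        echo "systemdunitproperty    probe_systemdunitproperty"
        echo "systemdunitdependency  probe_systemdunitdependency"
    fi
}

# On a real system: oscap --v | missing_features
sample_output unfixed | missing_features
```

An empty result means the installed build lists both systemd OVAL objects and the SCE plugin; matching only inside the named section keeps a stray mention elsewhere in the output from counting as support.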


[Bug 1658792] Re: libopenscap8: Enable SCE option to make broader SCAP content available for Ubuntu users

2017-01-30 Thread Alan Guan
** Description changed:

  [Impact]
  
  Canonical security certification team is implementing SCAP content based
  on CIS and STIG compliance rules. A good portion of these rules are
  beyond the scope of SCAP and OVAL, and will require the Script Check
  Engine (SCE) facility provided by OpenSCAP.
  
  SCE is not enabled by default, and will require the addition of the
  "--enable-sce" option in the "debian/rules" file to turn it on. The
  attached patch has all the necessary code change.
  
- 
  [Test Case]
  
  run the command "oscap --v", and without the SCE option, content under
  " Capabilities added by auto-loaded plugins " will be empty.
  With the SCE option turned on, we'll see the following:
  
- Capabilities added by auto-loaded plugins 
-SCE Version: 1.0 (from libopenscap_sce.so.8)
+     Capabilities added by auto-loaded plugins 
+    SCE Version: 1.0 (from libopenscap_sce.so.8)
  
+ [Regression Potential]
  
- [Regression Potential] 
+ The changes proposed just enables new code and does not change the
+ behavior of existing code.
  
- Using the same patch attached to this bug report, Canonical security
- certification team has created a PPA here:
- https://launchpad.net/~guanym/+archive/ubuntu/ppa. The team is actively
- using the PPA to develop SCAP content, including shell and python
- scripts for SCE consumption. No regression has been noticed.
+ Using the same patch attached to this bug report, Canonical security 
certification team has created a PPA here: 
https://launchpad.net/~guanym/+archive/ubuntu/ppa. The team is actively using 
the PPA to develop SCAP content, including shell and python scripts for SCE 
consumption. We also ran the following tests with and without the proposed 
changes: 
+  -- Without the proposed changes, ran scans using OpenSCAP against SCAP 
content with about 35 diverse rules based on CIS benchmark, and saved the xml 
scan result. The content included a rule that requires SCE support, and the 
rule simply evaluated to "not checked", which is expected since SCE support is 
not included with OpenSCAP without the proposed changes. 
+  -- With the proposed changes, ran scan against the same SCAP content, and 
saved the xml scan result. The result was identical with the only exception 
that the SCE rule evaluated properly, since the SCE support is included in 
OpenSCAP after making the proposed changes. 
+ 
+ We also have been running similar scans against an ever growing SCAP
+ content base 20~30 times on a daily basis, and OpenSCAP behaved the same
+ way as before the SCE functionality was enabled.
  
  
  [Other Info]
  
  A similar bug report has been submitted to Debian.
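
Review bot: in the added [Regression Potential] text, "does not change the behavior of existing code" sits next to a test in which the SCE-dependent rule goes from "not checked" to evaluated, so scan results do change for content that already carries SCE checks. State that difference explicitly as the expected user-visible change, so that it is not read as a regression after the update.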

** Description changed:

  [Impact]
  
  Canonical security certification team is implementing SCAP content based
  on CIS and STIG compliance rules. A good portion of these rules are
  beyond the scope of SCAP and OVAL, and will require the Script Check
  Engine (SCE) facility provided by OpenSCAP.
  
  SCE is not enabled by default, and will require the addition of the
  "--enable-sce" option in the "debian/rules" file to turn it on. The
  attached patch has all the necessary code change.
  
  [Test Case]
  
  run the command "oscap --v", and without the SCE option, content under
  " Capabilities added by auto-loaded plugins " will be empty.
  With the SCE option turned on, we'll see the following:
  
      Capabilities added by auto-loaded plugins 
     SCE Version: 1.0 (from libopenscap_sce.so.8)
  
  [Regression Potential]
  
- The changes proposed just enables new code and does not change the
- behavior of existing code.
+ The changes proposed enables new functionality that is already included
+ in the source package, and does not change the behavior of existing code
+ significantly.
  
- Using the same patch attached to this bug report, Canonical security 
certification team has created a PPA here: 
https://launchpad.net/~guanym/+archive/ubuntu/ppa. The team is actively using 
the PPA to develop SCAP content, including shell and python scripts for SCE 
consumption. We also ran the following tests with and without the proposed 
changes: 
-  -- Without the proposed changes, ran scans using OpenSCAP against SCAP 
content with about 35 diverse rules based on CIS benchmark, and saved the xml 
scan result. The content included a rule that requires SCE support, and the 
rule simply evaluated to "not checked", which is expected since SCE support is 
not included with OpenSCAP without the proposed changes. 
-  -- With the proposed changes, ran scan against the same SCAP content, and 
saved the xml scan result. The result was identical with the only exception 
that the SCE rule evaluated properly, since the SCE support is included in 
OpenSCAP after making the proposed changes. 
+ Using the same patch attached to this bug report, Canonical security
+ certification team has created a PPA here:
+ https://launchpad.net/~guanym/+archive/ubuntu/ppa.
+ 
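
Review bot: the replacement sentence in [Regression Potential] ends with "does not change the behavior of existing code significantly" and does not say what the remaining change is. Name it, for example the rule result described in the removed lines, or drop the qualifier; "changes proposed enables" should also read "enable".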

[Bug 1658792] Re: libopenscap8: Enable SCE option to make broader SCAP content available for Ubuntu users

2017-01-26 Thread Alan Guan
** Description changed:

- Dear Maintainer,
+ [Impact]
  
- We are implementing SCAP content based on CIS and STIG compliance rules.
- A good portion of these rules are beyond the scope of SCAP and OVAL, and
- will require the Script Check Engine (SCE) facility provided by
- OpenSCAP. However SCE is not enabled by default, and will require the
- addition of the "--enable-sce" option in the "debian/rules" file to turn
- it on.
+ Canonical security certification team is implementing SCAP content based
+ on CIS and STIG compliance rules. A good portion of these rules are
+ beyond the scope of SCAP and OVAL, and will require the Script Check
+ Engine (SCE) facility provided by OpenSCAP.
+ 
+ SCE is not enabled by default, and will require the addition of the
+ "--enable-sce" option in the "debian/rules" file to turn it on. The
+ attached patch has all the necessary code change.
+ 
+ 
+ [Test Case]
+ 
+ run the command "oscap --v", and without the SCE option, content under
+ " Capabilities added by auto-loaded plugins " will be empty.
+ With the SCE option turned on, we'll see the following:
+ 
+ Capabilities added by auto-loaded plugins 
+SCE Version: 1.0 (from libopenscap_sce.so.8)
+ 
+ 
+ [Regression Potential] 
+ 
+ Using the same patch attached to this bug report, Canonical security
+ certification team has created a PPA here:
+ https://launchpad.net/~guanym/+archive/ubuntu/ppa. The team is actively
+ using the PPA to develop SCAP content, including shell and python
+ scripts for SCE consumption. No regression has been noticed.
+ 
+ 
+ [Other Info]
+ 
+ A similar bug report has been submitted to Debian.



[Bug 1658792] Re: libopenscap8: Enable SCE option to make broader SCAP content available for Ubuntu users

2017-01-26 Thread Alan Guan
** Summary changed:

- [SRU] Enable the Script Check Engine
+ libopenscap8: Enable SCE option to make broader SCAP content available for 
Ubuntu users

** Description changed:

- The Script Check Engine is disabled by default. Xenial and Zesty binary
- packages should have the Script Check Engine enabled.
+ Dear Maintainer,
+ 
+ We are implementing SCAP content based on CIS and STIG compliance rules.
+ A good portion of these rules are beyond the scope of SCAP and OVAL, and
+ will require the Script Check Engine (SCE) facility provided by
+ OpenSCAP. However SCE is not enabled by default, and will require the
+ addition of the "--enable-sce" option in the "debian/rules" file to turn
+ it on.



[Bug 1658792] Re: [SRU] Enable the Script Check Engine

2017-01-25 Thread Alan Guan
** Patch added: "patch to enable SCE"
   https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1658792/+attachment/4809007/+files/openscap-1.2.8.patch



[Bug 1658792] [NEW] [SRU] Enable the Script Check Engine

2017-01-23 Thread Alan Guan
Public bug reported:

The Script Check Engine is disabled by default. Xenial and Zesty binary
packages should have the Script Check Engine enabled.

** Affects: openscap (Ubuntu)
 Importance: Undecided
 Status: New

** Summary changed:

- Enable the Script Check Engine
+ [SRU] Enable the Script Check Engine
