[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-10-22 Thread Launchpad Bug Tracker
This bug was fixed in the package openscap - 1.2.8-1ubuntu0.1

---
openscap (1.2.8-1ubuntu0.1) xenial; urgency=medium

  * Enable both systemd probes and SCE. (LP: #1782031)
    - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852826
    - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853995

 -- Joy Latten   Mon, 16 Jul 2018 17:05:18 -0500

** Changed in: openscap (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1782031

Title:
  [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1782031/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-10-16 Thread Andrew Cloke
** Tags removed: verification-needed
** Tags added: verification-done

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-10-15 Thread Andrew Cloke
** Tags removed: verification-needed-xenial

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-10-15 Thread Joy Latten
Hi Robie,

I tested this SRU with the new package in proposed and verified.

$ dpkg -l | grep libopenscap8
ii  libopenscap8   1.2.8-1ubuntu0.1   amd64   Set of libraries enabling integration of the SCAP line of standards

I ran a few rules in my oval that use the systemd probe and they now
come back as passing,

$ sudo oscap oval eval --id oval:com.ubuntu.xenial.cis:def:6400 Ubuntu_16.04_LTS_CIS_Benchmark-oval-sec2.xml
Definition oval:com.ubuntu.xenial.cis:def:6400: true
Evaluation done.

$ sudo oscap oval eval --id oval:com.ubuntu.xenial.cis:def:6600 Ubuntu_16.04_LTS_CIS_Benchmark-oval-sec2.xml
Definition oval:com.ubuntu.xenial.cis:def:6600: true
Evaluation done.

I ran a few scripts (SCE) and they now pass,

$ ls *.sh
CIS-3.6.2.sh  CIS-3.6.3.sh  CIS-3.6.5.sh  CIS-5.4.1.5.sh  CIS-6.2.9.sh

Title   Ensure users own their home directories
Rule    xccdf_com.ubuntu.xenial.cis_rule_CIS-6.2.9
Result  pass

Title   Ensure all users last password change date is in the past
Rule    xccdf_com.ubuntu.xenial.cis_rule_CIS-5.4.1.5
Result  pass


To note any regression, I ran the entire testsuite and saw similar output 
(other than those that now pass). 

I consider this verification for this SRU.


** Tags added: verification-done-xenial

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-10-11 Thread Robie Basak
Thanks to Łukasz for a second opinion. I think your points are quite
convincing, and I'm inclined to accept the SRU now. I wondered if it was
within the SRU's remit to make this decision, but as you point out all
fixes are regressions for people relying on broken behaviour, so I think
that making that decision is an SRU team judgement call now.

Łukasz confirmed on IRC.

** Changed in: openscap (Ubuntu Xenial)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-xenial

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-10-09 Thread Joy Latten
I agree with the above analysis.

There is something else I have noticed... the openscap community
consists of several components, one of them implements security-guides
(scap content (checklists) to pass to oscap). xenial did not ship any
security-guide component. However, bionic does. Bionic also includes the
above mentioned changes.

In the past year the openscap community has made many improvements to the 
security-guides including creating a small checklist specifically for 
ubuntu-16.04. Bionic ships the security-guides in several packages,
   - ssg-debderived  (contains ubuntu-16.04 checklist)
   - ssg-nondebian   (contains rhel and sles checklists)
   - ssg-debian  (contains debian checklist)

It is possible ubuntu users will try several things using the
ssg-debderived package:

  - take the ubuntu-16.04 checklist file and try to run it on a xenial
    system. However, there are systemd checks in this xccdf. It is
    possible a bugreport will be generated.

  - try to run the ubuntu-16.04 checklist file on bionic. This will fail
    because the checklist file first looks to verify it is a 16.04
    system. A savvy user can modify the xccdf (checklist file) to
    recognize 18.04.

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-10-05 Thread Łukasz Zemczak
I have been asked to give a second opinion regarding this SRU and I must
say my feelings are a bit mixed.

On one side: I have to agree with Robie that this SRU might confuse
existing users, those that would otherwise expect some checks coming
back with "unknown" or "notchecked" to suddenly start failing. That
might regress existing users in a sense, and that is bad.

On the other hand, both SCE and systemd probes/schema were not available
nor supported for xenial before, right? Deliberately using functionality
that's not supported and relying on it to return an ambiguous state at
the end is not valid use IMO. I think it will be quite obvious for
anyone using unsupported functionality and relying on it to stay as
"unknown"/"notchecked" that eventually those might just start actually
running. I think we should not really care about cases of such
assumptions, since I somehow feel the developer was not doing the right
thing anyway. We can't handle all use-cases. It's still a regression,
yes, but a regression that most probably is caused by invalid use. Am I
wrong?

Sure, this might be a problem for 'backport' cases, where there's the
same check-set for different series, but since there was obviously a
difference in functionality between one version and the other, the
developer should have handled this better.

That being said, I do not have a strong opinion here. It's really hard to say 
what's the best way to go as I don't know how many users are there of openscap. 
I'm probably lacking that context to be able to give a solid answer. Regressing 
users is bad, but even normal, non-feature bugfixes can 'regress' people that 
are depending on the erroneous behavior.
I do remember one case handled by a more experienced SRU member that also 
involved slight regression of functionality for users that didn't use the 
package properly and the decision was to accept it. Not sure exactly if we have 
the same case here though. Somehow it does feel like it, but maybe I lack 
context here as well.

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-09-12 Thread Joy Latten
Hi Robie,

Yes, you are correct.

This SRU enables 2 things. First, it enables systemd probes/schema. The
user would have to have oval code that implements this schema/probe for
it to be used. So, several things are likely: 1. users did not implement
code using this schema since it was unavailable. 2. if there was code
using this schema, and it was not commented out, the results probably
came back "unknown" since it was not available.
Enabling this systemd probe/schema, users with #1 scenario will not
notice anything. Users with #2 scenario will now have those particular
checks come back with "pass" or "fail" instead of "unknown".

The 2nd thing it enables is the script-check-engine (SCE), which allows
oscap to include bash or python scripts to assist in scans/checks. The
xccdf/xml code has to explicitly call a particular script. And the
script would have had to be written for the xccdf. So several things
are likely: 1. users implemented xccdf code without using this feature
since it is not available. These users won't see any change when this is
enabled. 2. users' xccdf code does call particular scripts. As of now,
these checks will always result in a "notchecked" since SCE is not
there. When this feature is enabled, for these users, the check will
then come back as "pass" or "fail" instead of "notchecked".

In all these scenarios, existing checks that do not implement sce or
systemd schemas will continue as they always have and will not be
impacted.

Hopefully this is all ok?

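Added example (not part of the original thread, and not openscap or Ubuntu code): the behaviour change described in the message above can be measured by comparing the XCCDF results file from a scan run before the upgrade with one run after it. The sketch lists rules that moved from "unknown"/"notchecked" to an evaluated result and singles out those that now fail; the sample documents, the xccdf_example_* ids and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Results reported when a check could not be evaluated at all. Per the
# thread: systemd probe rules came back "unknown", SCE rules "notchecked".
UNEVALUATED = {"unknown", "notchecked"}


def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files both match."""
    return tag.rsplit("}", 1)[-1]


def rule_results(xccdf_xml):
    """Return {rule idref: result} from an XCCDF results document."""
    results = {}
    for el in ET.fromstring(xccdf_xml).iter():
        if local(el.tag) != "rule-result":
            continue
        for child in el:
            if local(child.tag) == "result":
                results[el.get("idref")] = (child.text or "").strip()
    return results


def newly_evaluated(before_xml, after_xml):
    """Rules that were unevaluated before and have a real result now."""
    before, after = rule_results(before_xml), rule_results(after_xml)
    return [(rule, old, after[rule])
            for rule, old in sorted(before.items())
            if old in UNEVALUATED and rule in after
            and after[rule] not in UNEVALUATED]


def new_failures(before_xml, after_xml):
    """Subset that needs triage: unevaluated before, failing now."""
    return [rule for rule, _, new in newly_evaluated(before_xml, after_xml)
            if new == "fail"]


def sample_results(results):
    """Build a minimal, constructed XCCDF 1.2 results document."""
    rows = "".join(
        f'<rule-result idref="{rule}"><result>{res}</result></rule-result>'
        for rule, res in results.items())
    return ('<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">'
            f'<TestResult id="xccdf_example_testresult_demo">{rows}'
            '</TestResult></Benchmark>')


CIS = "xccdf_com.ubuntu.xenial.cis_rule_"
# Constructed sample data; only the two CIS rule ids come from the thread.
BEFORE = sample_results({
    CIS + "CIS-1.1.21": "unknown",                  # systemd probe rule
    CIS + "CIS-6.2.9": "notchecked",                # SCE script rule
    "xccdf_example_rule_sce-script": "notchecked",  # hypothetical
    "xccdf_example_rule_plain-oval": "pass",        # hypothetical
})
AFTER = sample_results({
    CIS + "CIS-1.1.21": "pass",
    CIS + "CIS-6.2.9": "pass",
    "xccdf_example_rule_sce-script": "fail",
    "xccdf_example_rule_plain-oval": "pass",
})

if __name__ == "__main__":
    for rule, old, new in newly_evaluated(BEFORE, AFTER):
        print(f"{old:>10} -> {new:<5} {rule}")
    print("needs triage:", new_failures(BEFORE, AFTER))
```
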

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-09-12 Thread Robie Basak
Hi Joy,

From the statement:

"The changes proposed enables new functionality that is already included
in the source package, and does not change the behavior of existing
functionality."

Is it correct for me to infer that existing users won't see any changes
in behaviour following this SRU if they aren't aware of this proposed
change? I think this is a subtly different question from the statement
above, because it's a question of defaults and default behaviour, rather
than what functionality is provided.

For example: is it possible that the addition of new checks would cause
a system that previously passed an assessment to fail following this SRU
because new checks that happen to fail on some existing system have been
added? Or is it that all new functionality added by this change will
have to be explicitly opted in to by the user? I'm not sure I fully
understand how users use this package so this question may not make
exact sense, but I hope you can follow the sort of regression I'm
looking for.

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-08-21 Thread Marc Deslauriers
ACK on the debdiff in comment #4, looks good. Uploaded for processing by
the SRU team with some slight changelog adjustments. Thanks!

** Changed in: openscap (Ubuntu Xenial)
   Status: Confirmed => In Progress

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-08-21 Thread Marc Deslauriers
** Also affects: openscap (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: openscap (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: openscap (Ubuntu Bionic)
   Status: New => Fix Released

** Changed in: openscap (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: openscap (Ubuntu Xenial)
   Status: New => Confirmed

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-07-25 Thread Joy Latten
libopenscap8 in bionic contains the changes requested in this SRU for
xenial. Thus bionic and cosmic do not require this change since already
done.

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-07-25 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openscap (Ubuntu)
   Status: New => Confirmed

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-07-25 Thread Joy Latten
** Attachment added: "debdiff.xenial"
   https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1782031/+attachment/5167767/+files/debdiff.xenial

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-07-25 Thread Joy Latten
Testcases: The testcases included with the libopenscap8 source are
disabled. It appears they do not all compile or run correctly, thus
disabled. To test this I did the following:

1. oscap --v
Shows that SCE plugin has been enabled and also that the 2 systemd probes have
been enabled.
(See attachment)

2. Our SCAP content for those rules using SCE or systemdprobes now run
and also pass.

Rule 1.1.21 uses the systemdunitdependency probe to check that autofs is
disabled. This check now passes with the systemd probes enabled.

Title   Disable Automounting
Rule    xccdf_com.ubuntu.xenial.cis_rule_CIS-1.1.21
Result  pass

Rule 6.2.9 uses a script to check that users own their home directory.

Title   Ensure users own their home directories
Rule    xccdf_com.ubuntu.xenial.cis_rule_CIS-6.2.9
Result  pass


** Attachment added: "Attachment shows output of oscap --v with updated libopenscap8"
   https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1782031/+attachment/5167766/+files/oscap--v

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-07-23 Thread Joy Latten
build log:
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/15137237

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-07-16 Thread Bug Watch Updater
** Changed in: openscap (Debian)
   Status: Unknown => Fix Released

[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-07-16 Thread Joy Latten
This bug is to enable 2 options available in the libopenscap8 source. Both of 
these options have been enabled in artful, bionic and cosmic. Both options have 
also been enabled in Debian via the following Debian bugreports, 

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853995
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852826

There are 2 Debian bugs, but I was able to add only 1 above. Since these
are small changes, I am hoping one Ubuntu bug will be ok. If not, I can
open another bugreport.

Prior bugs,
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1658792 AND
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1661401 were
opened to address this. The original bugreporter is no longer available.
I would like to duplicate those to this bug and use this one to address
and resolve this issue.

** Bug watch added: Debian Bug tracker #853995
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853995
