Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package yast2-security for openSUSE:Factory checked in at 2023-01-14 00:02:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-security (Old) and /work/SRC/openSUSE:Factory/.yast2-security.new.32243 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-security" Sat Jan 14 00:02:22 2023 rev:120 rq:1057969 version:4.5.5 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-security/yast2-security.changes 2022-12-02 13:12:21.617595962 +0100 +++ /work/SRC/openSUSE:Factory/.yast2-security.new.32243/yast2-security.changes 2023-01-14 00:02:29.109454870 +0100 @@ -1,0 +2,10 @@ +Tue Dec 20 10:21:49 UTC 2022 - Imobach Gonzalez Sosa <igonzalezs...@suse.com> + +- AutoYaST: export security policy settings (related to + jsc#SLE-24764). +- Always write the ssg-apply configuration if a security policy + is enabled, even if the action is 'none' (related to + jsc#SLE-24764). +- 4.5.5 + +------------------------------------------------------------------- Old: ---- yast2-security-4.5.4.tar.bz2 New: ---- yast2-security-4.5.5.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-security.spec ++++++ --- /var/tmp/diff_new_pack.3irI4C/_old 2023-01-14 00:02:29.989459996 +0100 +++ /var/tmp/diff_new_pack.3irI4C/_new 2023-01-14 00:02:29.993460019 +0100 @@ -1,7 +1,7 @@ # # spec file for package yast2-security # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: yast2-security -Version: 4.5.4 +Version: 4.5.5 Release: 0 Group: System/YaST License: GPL-2.0-only ++++++ yast2-security-4.5.4.tar.bz2 -> yast2-security-4.5.5.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.5.4/package/yast2-security.changes new/yast2-security-4.5.5/package/yast2-security.changes --- old/yast2-security-4.5.4/package/yast2-security.changes 2022-12-01 16:36:37.000000000 +0100 +++ new/yast2-security-4.5.5/package/yast2-security.changes 2022-12-30 11:19:00.000000000 +0100 
@@ -1,4 +1,14 @@ ------------------------------------------------------------------- +Tue Dec 20 10:21:49 UTC 2022 - Imobach Gonzalez Sosa <igonzalezs...@suse.com> + +- AutoYaST: export security policy settings (related to + jsc#SLE-24764). +- Always write the ssg-apply configuration if a security policy + is enabled, even if the action is 'none' (related to + jsc#SLE-24764). +- 4.5.5 + +------------------------------------------------------------------- Thu Dec 1 14:56:43 UTC 2022 - Stefan Hundhammer <shundham...@suse.com> - Fixed wrong steps count causing a crash during saving (bsc#1205918) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.5.4/package/yast2-security.spec new/yast2-security-4.5.5/package/yast2-security.spec --- old/yast2-security-4.5.4/package/yast2-security.spec 2022-12-01 16:36:37.000000000 +0100 +++ new/yast2-security-4.5.5/package/yast2-security.spec 2022-12-30 11:19:00.000000000 +0100 @@ -17,7 +17,7 @@ Name: yast2-security -Version: 4.5.4 +Version: 4.5.5 Release: 0 Group: System/YaST License: GPL-2.0-only diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.5.4/src/lib/y2security/autoinst_profile/security_policy_section.rb new/yast2-security-4.5.5/src/lib/y2security/autoinst_profile/security_policy_section.rb --- old/yast2-security-4.5.4/src/lib/y2security/autoinst_profile/security_policy_section.rb 2022-12-01 16:36:37.000000000 +0100 +++ new/yast2-security-4.5.5/src/lib/y2security/autoinst_profile/security_policy_section.rb 2022-12-30 11:19:00.000000000 +0100 @@ -18,6 +18,10 @@ # find current contact information at www.suse.com. require "installation/autoinst_profile/section_with_attributes" +require "y2security/security_policies/manager" +require "cfa/ssg_apply" + +Yast.import "Service" module Y2Security module AutoinstProfile 
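Review bot: The `Yast.import "Service"` added to security_policy_section.rb does not appear to be used by anything in this file — the new `new_from_system` (second hunk of this file) obtains the service state through `Y2Security::SecurityPolicies::Manager#service_enabled?`, and that is where `Yast::Service` is actually referenced. Unless code outside the hunks needs it, the import can be dropped here and left to manager.rb; if it is intentional for load-order reasons, a one-line comment such as `# Yast::Service is required by Manager#service_enabled?, called from new_from_system` would spare the next reader the search.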
@@ -42,6 +46,23 @@ # @return [String,nil] SCAP action to apply on first boot ("none", "scan" or "remediate") # @!attribute policy # @return [String,nil] Enabled policy + + # Clones the security policy settings from the underlying system + def self.new_from_system + file = CFA::SsgApply.load + section = new + return section if file.empty? + + section.action = if !Y2Security::SecurityPolicies::Manager.instance.service_enabled? + "none" + elsif file.remediate == "yes" + "remediate" + else + "scan" + end + section.policy = file.profile + section + end end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.5.4/src/lib/y2security/security_policies/manager.rb new/yast2-security-4.5.5/src/lib/y2security/security_policies/manager.rb --- old/yast2-security-4.5.4/src/lib/y2security/security_policies/manager.rb 2022-12-01 16:36:37.000000000 +0100 +++ new/yast2-security-4.5.5/src/lib/y2security/security_policies/manager.rb 2022-12-30 11:19:00.000000000 +0100 @@ -126,11 +126,16 @@ write_failing_rules(config, enabled_policy) adjust_service - return if scap_action == :none - write_config(enabled_policy) end + # Determines whether the service to scan/remediate the system is enabled or not + # + # @return [Boolean] + def service_enabled? + Yast::Service.enabled?(SERVICE_NAME) + end + private # Writes custom configuration for the ssg-apply script diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.5.4/src/modules/Security.rb new/yast2-security-4.5.5/src/modules/Security.rb --- old/yast2-security-4.5.4/src/modules/Security.rb 2022-12-01 16:36:37.000000000 +0100 +++ new/yast2-security-4.5.5/src/modules/Security.rb 2022-12-30 11:19:00.000000000 +0100 
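Review bot: `new_from_system` has a purpose line but no `@return` tag, unlike the attribute documentation directly above it; add `# @return [SecurityPolicySection] section whose action and policy mirror the ssg-apply configuration and service state; an empty section when the configuration file is empty`. The action mapping recognises only the exact string `"yes"` for remediation, so any other spelling in a hand-edited override file is exported as `"scan"`; if that is what ssg-apply itself accepts (not visible in this hunk) a comment like `# ssg-apply only honours remediate="yes"; anything else is a scan-only run` would make the asymmetry deliberate. The chain opening with `if !Y2Security::SecurityPolicies::Manager.instance.service_enabled?` would read more directly with the check hoisted into a local, e.g. `enabled = Y2Security::SecurityPolicies::Manager.instance.service_enabled?` followed by `section.action = if !enabled`.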
@@ -853,7 +853,10 @@ settings["PASSWD_USE_CRACKLIB"] = settings.delete("PASSWD_USE_PWQUALITY") end - settings.merge(lsm_config.export) + merged_settings = settings.merge(lsm_config.export) + security_policy = export_security_policy + merged_settings.merge!("security_policy" => security_policy) unless security_policy.empty? + merged_settings end # Create a textual summary and a list of unconfigured cards @@ -963,6 +966,14 @@ log.error("SCAP action '#{section.action}' is not valid.") end + # Export security policy settings + # + # @return [Hash] + def export_security_policy + Y2Security::AutoinstProfile::SecurityPolicySection.new_from_system + .to_hashes + end + # Sets @missing_mandatory_services honoring the systemd aliases def read_missing_mandatory_services log.info("Checking mandatory services") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.5.4/test/security_test.rb new/yast2-security-4.5.5/test/security_test.rb --- old/yast2-security-4.5.4/test/security_test.rb 2022-12-01 16:36:37.000000000 +0100 +++ new/yast2-security-4.5.5/test/security_test.rb 2022-12-30 11:19:00.000000000 +0100 @@ -656,8 +656,17 @@ end describe "#Export" do + let(:security_policy_section) do + instance_double( + Y2Security::AutoinstProfile::SecurityPolicySection, + to_hashes: { "profile" => "stig" } + ) + end + before do Security.lsm_config.reset + allow(Y2Security::AutoinstProfile::SecurityPolicySection) + .to receive(:new_from_system).and_return(security_policy_section) end it "merges LSM settings" do 
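Review bot: In `Export`, `merged_settings.merge!("security_policy" => security_policy) unless security_policy.empty?` builds a one-pair hash only to merge it; the plain assignment `merged_settings["security_policy"] = security_policy unless security_policy.empty?` expresses the same thing with less ceremony. The `Export` method starts outside the hunk. The new `export_security_policy` in the second hunk of this file is documented as `@return [Hash]`; since `Export` relies on the hash being empty to omit the key, it is worth saying so, e.g. `# @return [Hash] security policy settings; empty when ssg-apply is not configured`.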
@@ -670,6 +679,22 @@ expect(settings["lsm_select"]).to eq("selinux") expect(settings["selinux_mode"]).to eq("permissive") end + + context "when there are no security_policy settings" do + let(:security_policy_section) do + instance_double(Y2Security::AutoinstProfile::SecurityPolicySection, to_hashes: {}) + end + + it "merges security policy settings" do + settings = Security.Export + expect(settings.keys).to_not include("security_policy") + end + end + + it "merges security policy settings" do + settings = Security.Export + expect(settings["security_policy"]).to eq("profile" => "stig") + end end describe "#SafeRead" do diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.5.4/test/y2security/autoinst_profile/security_policy_section_test.rb new/yast2-security-4.5.5/test/y2security/autoinst_profile/security_policy_section_test.rb --- old/yast2-security-4.5.4/test/y2security/autoinst_profile/security_policy_section_test.rb 2022-12-01 16:36:37.000000000 +0100 +++ new/yast2-security-4.5.5/test/y2security/autoinst_profile/security_policy_section_test.rb 2022-12-30 11:19:00.000000000 +0100 
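Review bot: Both new examples in `describe "#Export"` are titled `"merges security policy settings"`, yet the one inside `context "when there are no security_policy settings"` asserts the opposite — that the key is absent. Rename it to `it "does not include security_policy settings" do` so a failure report points at the right expectation.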
@@ -41,4 +41,55 @@ end end end + + describe ".new_from_system" do + let(:service_enabled?) { true } + + before do + allow(CFA::SsgApply).to receive(:load).and_return(file) + allow(Yast::Service).to receive(:enabled?).and_return(service_enabled?) + end + + context "when the ssg-apply service does not exist" do + let(:file) { instance_double(CFA::SsgApply, empty?: true) } + + it "returns an empty section" do + section = described_class.new_from_system + expect(section.to_hashes).to be_empty + end + end + + context "when the ssg-apply service exists is disabled" do + let(:file) { instance_double(CFA::SsgApply, empty?: false, profile: "stig") } + let(:service_enabled?) { false } + + it "returns a section with action set to 'none'" do + section = described_class.new_from_system + expect(section.action).to eq("none") + end + end + + context "when the remediate option is set to 'yes'" do + let(:file) do + instance_double(CFA::SsgApply, empty?: false, profile: "stig", remediate: "yes") + end + + it "returns a section with action set to 'remediate'" do + section = described_class.new_from_system + expect(section.action).to eq("remediate") + end + end + + context "when the remediate option is set to 'no'" do + let(:file) do + instance_double(CFA::SsgApply, empty?: false, profile: "stig", remediate: "no") + end + + it "returns a section with action set to 'scan'" do + section = described_class.new_from_system + expect(section.action).to eq("scan") + end + end + end + end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.5.4/test/y2security/security_policies/manager_test.rb new/yast2-security-4.5.5/test/y2security/security_policies/manager_test.rb --- old/yast2-security-4.5.4/test/y2security/security_policies/manager_test.rb 2022-12-01 16:36:37.000000000 +0100 +++ new/yast2-security-4.5.5/test/y2security/security_policies/manager_test.rb 2022-12-30 11:19:00.000000000 +0100 
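Review bot: None of the new `.new_from_system` examples checks that `policy` is populated from the configuration's profile, even though every non-empty double sets `profile: "stig"` and the export in Security.rb depends on that value; add `expect(section.policy).to eq("stig")` to the remediate and scan contexts. The description `"when the ssg-apply service exists is disabled"` is missing a word, and the first context, `"when the ssg-apply service does not exist"`, actually exercises an empty configuration file rather than a missing service — `"when the ssg-apply configuration is empty"` and `"when the ssg-apply service is disabled"` would match what the doubles set up.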
@@ -267,12 +267,19 @@ expect(content).to eq("rule1\nrule2\n") end + it "writes the ssg-apply configuration" do + subject.write + expect(File).to exist(override_file_path) + end + context "when neither checks or remedation are enabled" do let(:scap_action) { :none } - it "does not write the configuration" do + it "disables ssg-apply remediation" do subject.write - expect(File).to_not exist(override_file_path) + apply_file = CFA::SsgApply.load + expect(apply_file.remediate).to eq("no") + expect(apply_file.profile).to eq("stig") end it "disables the service" do @@ -330,4 +337,26 @@ end end end + + describe "#service_enabled?" do + before do + allow(Yast::Service).to receive(:enabled?).with("ssg-apply").and_return(enabled?) + end + + context "when the ssg-apply service is enabled" do + let(:enabled?) { true } + + it "returns true" do + expect(subject.service_enabled?).to eq(true) + end + end + + context "when the ssg-apply service is disabled" do + let(:enabled?) { false } + + it "returns false" do + expect(subject.service_enabled?).to eq(false) + end + end + end end
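Review bot: The `#service_enabled?` examples in the second hunk stub `Yast::Service.enabled?` with the literal `.with("ssg-apply")`, duplicating the value the implementation reads from `SERVICE_NAME`; if the constant ever changes, the stub stops matching and the examples fail on an unexpected-argument error rather than on behaviour. `.with(described_class::SERVICE_NAME)` keeps the two in step, assuming the constant is not declared `private_constant` (not visible in this diff). In the first hunk the `:none` context's example is rewritten to assert `remediate` and `profile`, but the context description `"when neither checks or remedation are enabled"` keeps its typo; fixing it while the example is being touched would be cheap.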