Hi Jan,

Thanks for looking into this. Not sure if you have had a chance to check Gautam's reply to this.
He said, "Process58 probe: Unit tests in the "make check" for process58 fail and there is a segmentation fault. I haven't looked into the code there yet, but it is likely that it might not be tested on SUSE."

So, it looks like it has not been tested on SLES. Are unit tests on SLES for process58 passing?

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
    xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
    xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd
        http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd
        http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd
        http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd
        http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd">
  <generator>
    <oval:product_name>None</oval:product_name>
    <oval:product_version>None</oval:product_version>
    <oval:schema_version>5.11</oval:schema_version>
    <oval:timestamp>2016-04-04T01:31:55</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:test-sles113.test.com:def:1" version="1" class="compliance">
      <metadata>
        <title>Verify audit service is running</title>
        <affected family="unix">
          <platform>cpe:/o:sles11:linux</platform>
        </affected>
        <description>This rule verifies that the 'auditd' service is running.</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="None">
        <criterion comment="None" test_ref="oval:test-sles113.test.com:tst:1" />
      </criteria>
    </definition>
  </definitions>
  <tests>
    <process58_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
        id="oval:test-sles113.test.com:tst:1" version="1" check="all" comment="None"
        check_existence="at_least_one_exists">
      <object object_ref="oval:test-sles113.test.com:obj:1" />
    </process58_test>
  </tests>
  <objects>
    <process58_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
        id="oval:test-sles113.test.com:obj:1" version="1" comment="None">
      <command_line datatype="string" operation="pattern match">.*auditd.*</command_line>
      <pid datatype="int" operation="greater than">0</pid>
    </process58_object>
  </objects>
</oval_definitions>

Thanks and regards,
Pravin Goyal

________________________________________
From: Jan Lieskovsky <[email protected]>
Sent: Monday, April 11, 2016 6:29 PM
To: Pravin Goyal
Cc: [email protected]
Subject: Re: [Open-scap] Struggling with Perl based regular expressions

Hello Pravin,

thank you for checking with us.

----- Original Message -----
> From: "Pravin Goyal" <[email protected]>
> To: [email protected]
> Sent: Thursday, April 7, 2016 7:44:34 AM
> Subject: [Open-scap] Struggling with Perl based regular expressions
>
> Hi All,
>
> Today, I spent quite a lot of time figuring out how to make pattern match
> work on different flavors of Linux - especially SLES 11 SP3 and Red Hat.

Can you hopefully provide a complete example of particular OVAL check
that isn't working on RHEL vs SLES 11 SP3 systems?

>
> A pattern match string of ".*auditd.*" works perfectly on Red Hat but gives
> segmentation fault on SLES.
>
> If I give "*auditd*", it does not work on Red Hat. It also does NOT give
> segmentation fault on SLES but the problem is that it does NOT work either.
> Even though auditd process is running, process58 says "does not exist" in
> oscap oval collect command. Frustrated.

The above makes me only guess the problem is somewhere in the process58 probe.
Having the details provides it's hard to tell source of the issue.
My guess being a mixture of shell glob pattern (when 'equals' operation is provided,
IIRC this is the default operation) vs Perl 5 regex expression (when 'pattern match'
is used as operation). Both of them required the expression to be written differently
(and won't work when wrong combination is used).

>
> Do you know how to make it work?

Please provide concrete full example and we might advise what needs to be changed /
how to reproduce the issue.

>
> The more frustration is because on SLES, we have small utility 'pcretest'.
> The regex '*auditd*' works there but when it comes to OpenSCAP, it does not
> seem to work. Don't know what's wrong.

Thank you && Regards, Jan
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

>
> Please help.
>
> Thanks and regards,
>
> Pravin Goyal
>
> _______________________________________________
> Open-scap-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/open-scap-list
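
Added example (not part of the original thread and not OpenSCAP code): a small Python check that walks OVAL content, finds every entity with operation="pattern match", and reports values that do not compile as a regular expression, such as the glob-style "*auditd*" from the thread. Assumptions: Python's re module stands in for the PCRE engine used by the probe, and the function names, the trimmed sample document and the object id oval:example:obj:2 are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the process58_object from the thread (trimmed) plus a
# second, made-up object carrying the glob-style value "*auditd*".
SAMPLE_OVAL = """
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <objects>
    <process58_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
        id="oval:test-sles113.test.com:obj:1" version="1">
      <command_line datatype="string" operation="pattern match">.*auditd.*</command_line>
      <pid datatype="int" operation="greater than">0</pid>
    </process58_object>
    <process58_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
        id="oval:example:obj:2" version="1">
      <command_line datatype="string" operation="pattern match">*auditd*</command_line>
      <pid datatype="int" operation="greater than">0</pid>
    </process58_object>
  </objects>
</oval_definitions>
"""

def glob_to_regex(glob):
    """Suggest a regex for a simple glob: '*' -> '.*', '?' -> '.', rest escaped."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in glob)

def lint_pattern_matches(xml_text):
    """Return (parent_id, entity, value, problem, suggestion) per bad pattern."""
    findings = []
    root = ET.fromstring(xml_text)
    for parent in root.iter():
        for child in parent:
            if child.get("operation") != "pattern match":
                continue  # only 'pattern match' values are treated as regexes
            value = child.text or ""
            try:
                re.compile(value)
            except re.error as exc:
                entity = child.tag.rsplit("}", 1)[-1]  # drop the namespace
                # A leading '*' or '?' has nothing to repeat: typical of a glob.
                hint = glob_to_regex(value) if value[:1] in ("*", "?") else None
                findings.append((parent.get("id"), entity, value, exc.msg, hint))
    return findings

if __name__ == "__main__":
    for finding in lint_pattern_matches(SAMPLE_OVAL):
        print("%s <%s> %r: %s; suggested regex: %s" % finding)
```

Running such a check over content before handing it to a scanner separates "the pattern is not a valid regex" from "the probe misbehaves on a valid regex", which are the two cases mixed together in the thread.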
