Hello Greg,

----- Original Message -----
> From: "Greg Silverman (CS)" <[email protected]>
> To: [email protected]
> Cc: "DL-VTAS-AS-Team-Sangria" <[email protected]>
> Sent: Thursday, April 13, 2017 2:01:16 AM
> Subject: Re: [Open-scap] Pleas explain this (Shawn Wells)
>
> I understand why IFS needs to be reset. But
>
> unset $IFS
>
> does not reset IFS to its previous value. For example:
>
> //a script
>
> IFS='\n'
> unset $IFS
>
> -bash: unset: `': not a valid identifier
> -bash: unset: `': not a valid identifier
>
> This code causes an error and does not reset IFS to its original value.
>
> unset IFS

You are correct. It's a bug that should be corrected [*]. It probably went
unnoticed when implementing those functions, because calling remediation
scripts directly from the content doesn't display stdout / stderr of the
script by default. And since this error isn't critical for the run of the
script (read: it doesn't cause exit 1), it went unnoticed. But it doesn't mean
that a failing unset wouldn't have an impact on the behaviour of the script
itself (especially in combination with other scripts).

Long story short - you are correct. It's a bug. Good catch! Please file a new
SSG issue to address this in future versions:
https://github.com/OpenSCAP/scap-security-guide/issues/new

>
> does.

HTH.

Regards, Jan

[*] The dollar sign should be removed from all 'unset $IFS' statements in:
https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/xccdf/remediation_functions.xml
And also in the *.sh alternative of the remediation functions scripts, if it
exists yet.

>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> [email protected]
> Sent: Wednesday, April 12, 2017 4:51 PM
> To: [email protected]
> Subject: Open-scap-list Digest, Vol 97, Issue 14
>
> Today's Topics:
>
> 1. Pleas explain this (Greg Silverman (CS))
> 2. Re: Pleas explain this (Shawn Wells)
> 3. Stigviewer (Matthew)
> 4. Re: Stigviewer (Shawn Wells)
> 5. Re: Stigviewer (Dan White)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 12 Apr 2017 17:15:44 +0000
> From: "Greg Silverman (CS)" <[email protected]>
> To: "[email protected]" <[email protected]>
> Cc: DL-VTAS-AS-Team-Sangria <[email protected]>
> Subject: [Open-scap] Pleas explain this
> Message-ID:
> <675329def2504742aec893b0bc5e5...@vrtsxchclupin05.community.veritas.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Many of the generated fixes use this idiom
>
> IFS=$'\n' ...
> unset $IFS
>
> IFS is a variable, but, $IFS is a character string, so, unsetting it does not
> restore IFS to its default value. What am I missing?
>
> Thanks,
>
> Greg Silverman
> Mountain View, Ca
>
> ------------------------------
>
> Message: 2
> Date: Wed, 12 Apr 2017 17:05:38 -0400
> From: Shawn Wells <[email protected]>
> To: [email protected]
> Subject: Re: [Open-scap] Pleas explain this
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="windows-1252"
>
> On 4/12/17 1:15 PM, Greg Silverman (CS) wrote:
> >
> > Many of the generated fixes use this idiom
> >
> > IFS=$'\n' ...
> >
> > unset $IFS
> >
> > IFS is a variable, but, $IFS is a character string, so, unsetting it
> > does not restore IFS to its default value. What am I missing?
> >
>
> Those lines are from the audit remediation templates, e.g.:
> https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/xccdf/remediation_functions.xml#L97#L99
>
> > IFS=$'\n' matches=($(sed -s -n -e "/${pattern}/!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules))
> > # Reset IFS back to default
> > unset $IFS
>
> Because the variable is used multiple times (e.g.
> each audit remediation), it is a good practice to completely remove the
> variable/data from the system between function calls.
>
> For example:
>
> $ stringVar="This is my string"
> $ echo $stringVar
> This is my string
>
> $ unset stringVar
>
> $ echo $stringVar
> -bash: stringVar: unbound variable
>
> ------------------------------
>
> Message: 3
> Date: Wed, 12 Apr 2017 19:08:33 -0400
> From: Matthew <[email protected]>
> To: [email protected]
> Subject: [Open-scap] Stigviewer
> Message-ID:
> <CAHc5b7-_qJD0NEL_Ap7fE=nvw9whapugm8qslggc00utwr+...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Curious, what's the best way to use openscap, and be able to get results for
> stigviewer?
>
> Matthew Conley
> 912-398-6704
>
> ------------------------------
>
> Message: 4
> Date: Wed, 12 Apr 2017 19:42:20 -0400
> From: Shawn Wells <[email protected]>
> To: [email protected]
> Subject: Re: [Open-scap] Stigviewer
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=windows-1252
>
> On 4/12/17 7:08 PM, Matthew wrote:
> > Curious, what's the best way to use openscap, and be able to get
> > results for stigviewer?
>
> IIRC, stigviewer can consume OVAL results. Something like:
>
> oscap xccdf eval --profile stig --report human-readable.html --results stigviewer-readable.xml ssg-rhel7-ds.xml
>
> ------------------------------
>
> Message: 5
> Date: Wed, 12 Apr 2017 19:50:28 -0400
> From: Dan White <[email protected]>
> To: [email protected]
> Subject: Re: [Open-scap] Stigviewer
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
> Are you referring to the DISA tool or the COTS/freeware tool ?
>
> > On Apr 12, 2017, at 7:42 PM, Shawn Wells <[email protected]> wrote:
> >
> >> On 4/12/17 7:08 PM, Matthew wrote:
> >> Curious, what's the best way to use openscap, and be able to get
> >> results for stigviewer?
> >
> > IIRC, stigviewer can consume OVAL results. Something like:
> >
> > oscap xccdf eval --profile stig --report human-readable.html --results stigviewer-readable.xml ssg-rhel7-ds.xml
> >
> > _______________________________________________
> > Open-scap-list mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/open-scap-list
>
> ------------------------------
>
> End of Open-scap-list Digest, Vol 97, Issue 14
> **********************************************
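
The difference between `unset $IFS` and `unset IFS` discussed in this thread, as an added example that is not part of the original messages or of the scap-security-guide code. The sample rule lines are constructed, and `count_fields` and `scoped_split` are hypothetical helper names; the last function goes beyond the thread by restoring the caller's previous IFS instead of only unsetting it.

```sh
#!/bin/sh
# Constructed sample: two audit-rule-like lines, six words each.
sample='-a always,exit -F arch=b64 -S chmod
-a always,exit -F arch=b32 -S chmod'
NL='
'

# Number of fields an unquoted expansion of $1 yields under the current IFS.
count_fields() {
    set -f              # no globbing; only field splitting is observed
    set -- $1
    set +f
    echo "$#"
}

# The quoted idiom: $IFS expands to a newline, which field splitting
# discards, so unset receives no name and IFS stays set to newline.
buggy_reset() (
    IFS=$NL
    unset $IFS
    count_fields "$sample"
)

# Corrected form: unset the variable by name; default splitting returns.
fixed_reset() (
    IFS=$NL
    unset IFS
    count_fields "$sample"
)

# Save/restore variant (hypothetical helper): puts back whatever the caller
# had, including the "IFS was not set at all" state.
scoped_split() {
    if [ "${IFS+set}" = set ]; then old_ifs=$IFS had_ifs=1; else had_ifs=0; fi
    IFS=$NL
    n=$(count_fields "$1")
    if [ "$had_ifs" -eq 1 ]; then IFS=$old_ifs; else unset IFS; fi
    echo "$n"
}

echo "unset \$IFS -> $(buggy_reset) fields (IFS still newline)"
echo "unset IFS  -> $(fixed_reset) fields (default splitting)"
```

With IFS left at newline, later unquoted expansions in the same shell split on lines only, which is how one remediation function can change the behaviour of the next.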
