This patch fixes the 'make validate' error on current RHEL-7 content.
Running 'make validate' in RHEL/7 currently returns the output
detailed in the attached old_output.txt.
This problem is / was caused by missing OVAL definitions for:
* service_sshd_disabled.xml and
* package_openssh-server_removed.xml
checks. Thus provide a RHEL-7-specific check for service_sshd_disabled
(since it uses systemd and can't be shared with RHEL-6), and
move the original package_openssh-server_removed.xml definition into
shared, making symlinks in the appropriate places for the RHEL-6 and RHEL-7
content.
After the patch, 'make validate' succeeds, as shown in the
attached new_output.txt (it still prints warnings about missing
definitions, but these aren't defined in RHEL-7 content yet, so that
warning is expected and will be fixed gradually later together with
adding the appropriate definitions. After application of the patch,
make validate runs / completes correctly, without the above error).
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
$ make validate
oscap xccdf validate-xml output/ssg-rhel7-xccdf.xml
oscap oval validate-xml output/ssg-rhel7-oval.xml
oscap oval validate-xml output/ssg-rhel7-cpe-oval.xml
cd output; ../utils/verify-references.py --rules-with-invalid-checks
--ovaldefs-unused ssg-rhel7-xccdf.xml
Invalid OVAL definition referenced by XCCDF Rule:
ensure_gpgcheck_globally_activated
..
oscap oval validate-xml --schematron output/ssg-rhel7-oval.xml
$ echo $?
0
$ make validate
oscap xccdf validate-xml output/ssg-rhel7-xccdf.xml
oscap oval validate-xml output/ssg-rhel7-oval.xml
File 'output/ssg-rhel7-oval.xml' line 20: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No
match found for key-sequence ['oval:ssg:def:111'] of keyref
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 36: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No
match found for key-sequence ['oval:ssg:def:111'] of keyref
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 225: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No
match found for key-sequence ['oval:ssg:def:111'] of keyref
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 363: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No
match found for key-sequence ['oval:ssg:def:111'] of keyref
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 379: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No
match found for key-sequence ['oval:ssg:def:111'] of keyref
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 439: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No
match found for key-sequence ['oval:ssg:def:111'] of keyref
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 575: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No
match found for key-sequence ['oval:ssg:def:111'] of keyref
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 672: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No
match found for key-sequence ['oval:ssg:def:111'] of keyref
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 777: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No
match found for key-sequence ['oval:ssg:def:111'] of keyref
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 898: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No
match found for key-sequence ['oval:ssg:def:111'] of keyref
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
File 'output/ssg-rhel7-oval.xml' line 899: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition': No
match found for key-sequence ['oval:ssg:def:229'] of keyref
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}extendKeyRef'.
Invalid OVAL Definition content(5.10) in output/ssg-rhel7-oval.xml.
make: *** [validate-xml] Error 2
From c1d0e76fa99092b7ce113c5b8ef74de7c31c6051 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Wed, 19 Feb 2014 14:55:49 +0100
Subject: [PATCH] [RHEL/7] Fix 'make validate' error caused by missing two OVAL
checks definitions
Signed-off-by: Jan Lieskovsky <[email protected]>
---
.../checks/package_openssh-server_removed.xml | 27 +---------------
.../checks/package_openssh-server_removed.xml | 1 +
RHEL/7/input/checks/service_sshd_disabled.xml | 36 ++++++++++++++++++++++
shared/oval/package_openssh-server_removed.xml | 27 ++++++++++++++++
4 files changed, 65 insertions(+), 26 deletions(-)
mode change 100644 => 120000 RHEL/6/input/checks/package_openssh-server_removed.xml
create mode 120000 RHEL/7/input/checks/package_openssh-server_removed.xml
create mode 100644 RHEL/7/input/checks/service_sshd_disabled.xml
create mode 100644 shared/oval/package_openssh-server_removed.xml
diff --git a/RHEL/6/input/checks/package_openssh-server_removed.xml b/RHEL/6/input/checks/package_openssh-server_removed.xml
deleted file mode 100644
index 5455384..0000000
--- a/RHEL/6/input/checks/package_openssh-server_removed.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<def-group>
- <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. -->
- <definition class="compliance" id="package_openssh-server_removed"
- version="1">
- <metadata>
- <title>Package openssh-server Removed</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The RPM package openssh-server should be removed.</description>
- <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
- </metadata>
- <criteria>
- <criterion comment="package openssh-server is removed"
- test_ref="test_package_openssh-server_removed" />
- </criteria>
- </definition>
- <linux:rpminfo_test check="all" check_existence="none_exist"
- id="test_package_openssh-server_removed" version="1"
- comment="package openssh-server is removed">
- <linux:object object_ref="obj_package_openssh-server_removed" />
- </linux:rpminfo_test>
- <linux:rpminfo_object id="obj_package_openssh-server_removed" version="1">
- <linux:name>openssh-server</linux:name>
- </linux:rpminfo_object>
-</def-group>
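Review bot: Nothing to flag in the removal itself: the definition, test and object ids deleted here (package_openssh-server_removed, test_package_openssh-server_removed, obj_package_openssh-server_removed) reappear unchanged in the shared copy further down, so the RHEL/6 XCCDF rule that references the definition id keeps resolving. It would help reviewers if the commit message said that this diff and the following 120000-mode diff are the two halves of the "100644 => 120000" type change listed in the diffstat, because read on its own this hunk looks like the check is being dropped from RHEL 6.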
diff --git a/RHEL/6/input/checks/package_openssh-server_removed.xml b/RHEL/6/input/checks/package_openssh-server_removed.xml
new file mode 120000
index 0000000..08bf662
--- /dev/null
+++ b/RHEL/6/input/checks/package_openssh-server_removed.xml
@@ -0,0 +1 @@
+../../../../shared/oval/package_openssh-server_removed.xml
\ No newline at end of file
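Review bot: The symlink target resolves correctly (four ".." components climb from RHEL/6/input/checks/ to the repository root, so the link lands on shared/oval/package_openssh-server_removed.xml), and the "\ No newline at end of file" marker is normal for a symlink blob. Please confirm that the RHEL/6 build step which collects input/checks/*.xml follows symlinks rather than selecting regular files only; otherwise the check drops out of the generated RHEL/6 OVAL content.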
diff --git a/RHEL/7/input/checks/package_openssh-server_removed.xml b/RHEL/7/input/checks/package_openssh-server_removed.xml
new file mode 120000
index 0000000..08bf662
--- /dev/null
+++ b/RHEL/7/input/checks/package_openssh-server_removed.xml
@@ -0,0 +1 @@
+../../../../shared/oval/package_openssh-server_removed.xml
\ No newline at end of file
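Review bot: Same target and same blob (index 08bf662) as the RHEL/6 link, which is fine, but this is the second place that hard-codes a depth of four ".." components: a future move of the checks directory would break both links without any content diff showing it. A one-line step in 'make validate' that every symlink under input/checks resolves to an existing file would catch that early.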
diff --git a/RHEL/7/input/checks/service_sshd_disabled.xml b/RHEL/7/input/checks/service_sshd_disabled.xml
new file mode 100644
index 0000000..031d8ea
--- /dev/null
+++ b/RHEL/7/input/checks/service_sshd_disabled.xml
@@ -0,0 +1,36 @@
+<def-group>
+ <definition class="compliance" id="service_sshd_disabled" version="1">
+ <metadata>
+ <title>Service sshd Disabled</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 7</platform>
+ </affected>
+ <description>
+ The sshd service should be disabled.
+ </description>
+ </metadata>
+ <criteria comment="package openssh-server removed or service sshd is not configured to start" operator="OR">
+ <extend_definition comment="openssh-server removed" definition_ref="package_openssh-server_removed" />
+ <criterion comment="sshd disabled in multi-user.target" test_ref="test_sshd_disabled_multi_user_target" />
+ </criteria>
+ </definition>
+
+ <unix:file_test check="all" check_existence="none_exist"
+ comment="look for sshd.service in /etc/systemd/system/multi-user.target.wants"
+ id="test_sshd_disabled_multi_user_target" version="1">
+
+ <unix:object object_ref="object_sshd_disabled_multi_user_target" />
+ </unix:file_test>
+
+ <unix:file_object comment="look for sshd.service in /etc/systemd/system/multi-user.target.wants"
+ id="object_sshd_disabled_multi_user_target" version="1">
+
+ <unix:filepath>/etc/systemd/system/multi-user.target.wants/sshd.service</unix:filepath>
+ <filter action="include">state_symlink</filter>
+ </unix:file_object>
+
+ <unix:file_state id="state_symlink" version="1">
+ <unix:type operation="equals">symbolic link</unix:type>
+ </unix:file_state>
+
+</def-group>
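Review bot: The state id "state_symlink" is generic while every other id in this file carries the check-specific "sshd_disabled_multi_user_target" suffix; OVAL ids are global once the checks are merged into one ssg-rhel7-oval.xml, so a second check shipping its own "state_symlink" would collide. Suggest "state_sshd_disabled_multi_user_target_symlink" for both the `<unix:file_state id=...>` line and the `<filter action="include">` text. Two smaller points: with check_existence="none_exist" plus the include filter, a regular file (not a symlink) placed at /etc/systemd/system/multi-user.target.wants/sshd.service is excluded by the filter, so the test still reports "disabled"; consider whether the filter is needed at all, since without it any entry at that path would fail the check. And unlike the package definition, this one has no `<reference ... ref_url="test_attestation"/>` entry recording that the check was tested.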
diff --git a/shared/oval/package_openssh-server_removed.xml b/shared/oval/package_openssh-server_removed.xml
new file mode 100644
index 0000000..311463e
--- /dev/null
+++ b/shared/oval/package_openssh-server_removed.xml
@@ -0,0 +1,27 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. -->
+ <definition class="compliance" id="package_openssh-server_removed"
+ version="1">
+ <metadata>
+ <title>Package openssh-server Removed</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
+ </affected>
+ <description>The RPM package openssh-server should be removed.</description>
+ <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+ </metadata>
+ <criteria>
+ <criterion comment="package openssh-server is removed"
+ test_ref="test_package_openssh-server_removed" />
+ </criteria>
+ </definition>
+ <linux:rpminfo_test check="all" check_existence="none_exist"
+ id="test_package_openssh-server_removed" version="1"
+ comment="package openssh-server is removed">
+ <linux:object object_ref="obj_package_openssh-server_removed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_package_openssh-server_removed" version="1">
+ <linux:name>openssh-server</linux:name>
+ </linux:rpminfo_object>
+</def-group>
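Review bot: The header comment still says this file is generated by create_package_removed.py and must not be edited, yet the `<platform>Red Hat Enterprise Linux 7</platform>` line was added by hand and the file now lives in shared/oval/. Either teach the generator to emit into shared/oval/ with both platforms, or drop the DO NOT EDIT comment; as it stands the next generator run can rewrite RHEL/6/input/checks/package_openssh-server_removed.xml as a regular file, replacing the symlink introduced by this patch and reintroducing the RHEL-6-only copy.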
--
1.8.3.1
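An added example (not part of this patch or the scap-security-guide build) that reproduces in miniature the keyref check behind the "No match found for key-sequence ... of keyref extendKeyRef" error in old_output.txt: it collects every id= in an OVAL document and reports definition_ref, test_ref, object_ref and `<filter>` references that do not resolve. The sample document is constructed for the example and mirrors the RHEL-7 sshd check before the package definition was made available to it.

```python
import xml.etree.ElementTree as ET

# Attributes that must name an id= declared somewhere in the same document.
REF_ATTRS = ("definition_ref", "test_ref", "object_ref", "state_ref", "var_ref")

def unresolved_refs(xml_text: str) -> list:
    """Return (referencing tag, missing id) for every dangling reference,
    the condition behind oscap's 'No match found for key-sequence' error."""
    root = ET.fromstring(xml_text)
    ids = {el.get("id") for el in root.iter() if el.get("id")}
    missing = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop the namespace URI
        for attr in REF_ATTRS:
            ref = el.get(attr)
            if ref and ref not in ids:
                missing.append((tag, ref))
        # <filter> names its state in element text rather than in an attribute
        if tag == "filter" and el.text and el.text.strip() not in ids:
            missing.append((tag, el.text.strip()))
    return missing

# Constructed sample: the RHEL-7 sshd check extends a package definition that
# this document does not contain, which is what the pre-patch build hit.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
 xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
 <definitions><definition class="compliance" id="service_sshd_disabled" version="1">
  <criteria operator="OR">
   <extend_definition definition_ref="package_openssh-server_removed"/>
   <criterion test_ref="test_sshd_disabled_multi_user_target"/>
  </criteria></definition></definitions>
 <tests><unix:file_test id="test_sshd_disabled_multi_user_target" version="1"
   check="all" check_existence="none_exist">
  <unix:object object_ref="object_sshd_disabled_multi_user_target"/>
 </unix:file_test></tests>
 <objects><unix:file_object id="object_sshd_disabled_multi_user_target" version="1">
  <unix:filepath>/etc/systemd/system/multi-user.target.wants/sshd.service</unix:filepath>
  <filter action="include">state_symlink</filter>
 </unix:file_object></objects>
 <states><unix:file_state id="state_symlink" version="1">
  <unix:type operation="equals">symbolic link</unix:type>
 </unix:file_state></states>
</oval_definitions>"""

if __name__ == "__main__":
    for tag, ref in unresolved_refs(SAMPLE):
        print(f"{tag}: no element with id={ref!r}")
```

Adding a `<definition id="package_openssh-server_removed" .../>` to the sample (the effect of the shared file plus symlink in this patch) empties the report, which is the same transition old_output.txt to new_output.txt shows for the real build.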
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide