Hello Simon,

----- Original Message -----
> From: Simon Lukasik <[email protected]>
>
> The previous version of the check generated false positives.
> It was even matching on a Fedora system.

Yes, you are correct previous version was too liberal. > > Also the version of the redhat-release package has been changed > during the past year (it no longer include Server or Workstation > string). Right, good catch. > --- > RHEL/7/input/checks/installed_OS_is_rhel7.xml | 18 ++++++++++-------- > 1 file changed, 10 insertions(+), 8 deletions(-) > > diff --git a/RHEL/7/input/checks/installed_OS_is_rhel7.xml > b/RHEL/7/input/checks/installed_OS_is_rhel7.xml > index dc6c629..060206c 100644 > --- a/RHEL/7/input/checks/installed_OS_is_rhel7.xml > +++ b/RHEL/7/input/checks/installed_OS_is_rhel7.xml > @@ -14,10 +14,12 @@ > <criteria> > <criterion comment="Installed operating system is part of the unix > family" > test_ref="test_unix_family" /> > - <criterion comment="Red Hat Enterprise Linux 7 Workstation is > installed" > - test_ref="test_rhel_workstation" /> > - <criterion comment="Red Hat Enterprise Linux 7 Server is installed" > - test_ref="test_rhel_server" /> > + <criteria operator="OR"> > + <criterion comment="Red Hat Enterprise Linux 7 Workstation is > installed" > + test_ref="test_rhel_workstation" /> > + <criterion comment="Red Hat Enterprise Linux 7 Server is installed" > + test_ref="test_rhel_server" /> > + </criteria> > </criteria> > </definition> 
> > @@ -30,23 +32,23 @@ > </ind:family_state> > <ind:family_object id="obj_unix_family" version="1" /> > > - <linux:rpminfo_test check="all" check_existence="any_exist" > comment="redhat-release-workstation is version 7" id="test_rhel_workstation" > version="1"> > + <linux:rpminfo_test check="all" check_existence="at_least_one_exists" > comment="redhat-release-workstation is version 7" id="test_rhel_workstation" > version="1"> > <linux:object object_ref="obj_rhel_workstation" /> > <linux:state state_ref="state_rhel_workstation" /> > </linux:rpminfo_test> > <linux:rpminfo_state id="state_rhel_workstation" version="1"> > - <linux:version operation="pattern match">^7Workstation$</linux:version> > + <linux:version operation="pattern match">^7\.\d+$</linux:version> > </linux:rpminfo_state> > <linux:rpminfo_object id="obj_rhel_workstation" version="1"> > <linux:name>redhat-release-workstation</linux:name> > </linux:rpminfo_object> > > - <linux:rpminfo_test check="all" check_existence="any_exist" > comment="redhat-release-server is version 7" id="test_rhel_server" > version="1"> > + <linux:rpminfo_test check="all" check_existence="at_least_one_exists" > comment="redhat-release-server is version 7" id="test_rhel_server" > version="1"> > <linux:object object_ref="obj_rhel_server" /> > <linux:state state_ref="state_rhel_server" /> > </linux:rpminfo_test> > <linux:rpminfo_state id="state_rhel_server" version="1"> > - <linux:version operation="pattern match">^7Server$</linux:version> > + <linux:version operation="pattern match">^7\.\d+$</linux:version> > </linux:rpminfo_state> > <linux:rpminfo_object id="obj_rhel_server" version="1"> > <linux:name>redhat-release-server</linux:name> > -- > 1.8.5.3 ACK for me, please push. Btw. RHEL-6 implementation: https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL/6/input/checks/installed_OS_is_rhel6.xml would desire the same criterion operator change -- i.e. 
replace former: unix AND 0+ AND 0+ with yours: unix AND (1+ OR 1+) form,
not to be too liberal also (AFAICT 6Server pattern match doesn't need to
be modified for RHEL-6).

Will you make a RHEL-6 patch too?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
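
Review bot: in the first hunk (@@ -14,10 +14,12 @@) the outer <criteria> element still has no operator attribute while the new inner block spells out operator="OR", so the AND between test_unix_family and the two release tests rests on the OVAL default. Adding operator="AND" to the outer element, and a comment attribute to the new inner <criteria>, would make the intended "unix AND (workstation OR server)" logic readable without knowing that default.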
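
Review bot: in the second hunk (@@ -30,23 +32,23 @@) state_rhel_workstation and state_rhel_server now carry the same pattern, ^7\.\d+$, which accepts only a two-component major.minor version. A package version of 7 alone, or one with a third component (a hypothetical 7.0.1, for instance), would fail both tests. If that strictness is intended, an XML comment next to the pattern saying so would help; if not, the pattern should be relaxed. Since the two states are now identical, a single rpminfo_state referenced by both tests would also avoid them drifting apart later.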
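
The criteria logic discussed in this thread ("unix AND 0+ AND 0+" versus "unix AND (1+ OR 1+)"), as an added example that is not part of the original message or of scap-security-guide: a simplified Python model of the two check_existence values and both criteria shapes. The host names and package inventories are constructed for illustration, and the function names are hypothetical.

```python
import re

def rpminfo_test(installed, name, pattern, check_existence):
    """Simplified OVAL rpminfo_test: existence check first, then check="all"."""
    items = [installed[name]] if name in installed else []
    if check_existence == "at_least_one_exists" and not items:
        return False
    # "any_exist" accepts zero collected items, and check="all" over an
    # empty item list is vacuously true: a missing package passes the test.
    return all(re.search(pattern, version) for version in items)

def old_definition(installed, unix=True):
    """Pre-patch shape: unix AND 0+ AND 0+."""
    ws = rpminfo_test(installed, "redhat-release-workstation",
                      r"^7Workstation$", "any_exist")
    srv = rpminfo_test(installed, "redhat-release-server",
                       r"^7Server$", "any_exist")
    return unix and ws and srv

def new_definition(installed, unix=True):
    """Patched shape: unix AND (1+ OR 1+)."""
    ws = rpminfo_test(installed, "redhat-release-workstation",
                      r"^7\.\d+$", "at_least_one_exists")
    srv = rpminfo_test(installed, "redhat-release-server",
                       r"^7\.\d+$", "at_least_one_exists")
    return unix and (ws or srv)

# Constructed package inventories (name -> RPM version); not real scan data.
HOSTS = {
    "fedora":            {"fedora-release": "20"},
    "rhel7-server":      {"redhat-release-server": "7.0"},
    "rhel7-workstation": {"redhat-release-workstation": "7.0"},
    "rhel6-server":      {"redhat-release-server": "6Server"},
}

def evaluate():
    """Return {host: (old_result, new_result)} for every sample host."""
    return {host: (old_definition(pkgs), new_definition(pkgs))
            for host, pkgs in HOSTS.items()}

if __name__ == "__main__":
    for host, (old, new) in evaluate().items():
        print(f"{host:18} old={old!s:5} new={new}")
```

In this model the old definition passes on the Fedora inventory because neither package is present, and fails on the RHEL 7 inventories because the version no longer carries the Server or Workstation string; the patched definition reverses both outcomes.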
