Great! That was my problem. Now it works! Thanx! Salu2!

--
Miguel Armas
CanaryTek Consultoria y Sistemas SL
http://www.canarytek.com/

________________________________
From: Marek Haicman <mhaic...@redhat.com>
Sent: Monday, 16 December 2019 14:49
To: Kuko Armas <k...@canarytek.com>
Cc: SCAP Security Guide <scap-security-guide@lists.fedorahosted.org>
Subject: Re: Bash remediations failing due to missing functions

Ok. For about a week, the ComplianceAsCode project had a bug that made this an issue :) You might have cloned the repo at that time? This PR from Monday last week fixes it, so try to rebase your work and try again:
https://github.com/ComplianceAsCode/content/pull/5061

It's probably that, because with the released packages on RHEL7 I cannot reproduce what you observe:

[dahaic@psyduck bla]$ rpm -qa openscap scap-security-guide
openscap-1.2.17-4.el7.x86_64
scap-security-guide-0.1.43-13.el7.noarch
[dahaic@psyduck bla]$ oscap xccdf generate fix --fix-type bash --profile ospp --fetch-remote-resources --output remediation.sh /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
[dahaic@psyduck bla]$ grep populate remediation.sh

Regards,
Marek

On Mon, Dec 16, 2019 at 3:02 PM Kuko Armas <k...@canarytek.com> wrote:

Hello Miguel, remediations, as they are stored in the DataStream, are prepared to be used within the environment provided by the `oscap` utility (i.e. so `--remediate` works). So no, it's not supposed to be self-contained in that particular form. What you are looking for is probably `oscap xccdf generate fix`. That one will process the snippets and produce a self-contained bash script. So no issue - works as intended. ;)

I also tried that, and at least on my box it's not working. It's one of the things I tried when I said "I have been playing with remediation code"...

I generate the fix code with (ens is a profile I'm creating, but it also fails with other profiles):

oscap xccdf generate fix --fix-type bash --profile ens --fetch-remote-resources --output remediation.sh ssg-centos7-ds.xml

This creates remediation.sh, but it does not seem to contain the remediation functions defined in group xccdf_org.ssgproject.content_group_remediation_functions.

If I search for one of the functions that fail (populate), I see it "tries" to use the function, but it's not defined in the generated remediate script:

[root@test ~]# grep populate remediation.sh
populate login_banner_text
populate var_accounts_max_concurrent_login_sessions
populate var_accounts_user_umask
populate var_auditd_action_mail_acct
populate var_auditd_admin_space_left_action
populate var_auditd_max_log_file
populate var_auditd_max_log_file_action
populate var_auditd_num_logs
populate var_auditd_space_left_action
populate sysctl_net_ipv4_conf_all_accept_redirects_value
populate sysctl_net_ipv4_conf_all_accept_source_route_value
populate sysctl_net_ipv4_conf_all_log_martians_value
populate sysctl_net_ipv4_conf_all_rp_filter_value
populate sysctl_net_ipv4_conf_all_secure_redirects_value
populate sysctl_net_ipv4_conf_default_accept_redirects_value
populate sysctl_net_ipv4_conf_default_accept_source_route_value
populate sysctl_net_ipv4_conf_default_log_martians_value
populate sysctl_net_ipv4_conf_default_rp_filter_value
populate sysctl_net_ipv4_conf_default_secure_redirects_value
populate sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value
populate sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value
populate sysctl_net_ipv4_tcp_syncookies_value
populate var_auditadm_exec_content

And of course if I run it, I get errors for each invocation of that function (and any other that is supposed to be defined):

[root@test ~]# sh remediation.sh
Remediating rule 1/105: 'xccdf_org.ssgproject.content_rule_banner_etc_issue'
remediation.sh: line 34: populate: command not found
Remediating rule 2/105: 'xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions'
remediation.sh: line 52: populate: command not found
Remediating rule 3/105: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs'
remediation.sh: line 68: populate: command not found
remediation.sh: line 70: replace_or_append: command not found
Remediating rule 4/105: 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users'
FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users' IS MISSING!
Remediating rule 5/105: 'xccdf_org.ssgproject.content_rule_audit_rules_immutable'
Remediating rule 6/105: 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification'
remediation.sh: line 115: fix_audit_watch_rule: command not found

Until I understand why it fails, I'm also trying the ansible remediation, which seems to be working better, but I won't be able to use ansible in all my clients. And anyway, I would like to learn how bash remediation code works (or should work), and help if I can 😉

Salu2!

--
Miguel Armas
CanaryTek Consultoria y Sistemas SL
http://www.canarytek.com/

________________________________
From: Marek Haicman <mhaic...@redhat.com>
Sent: Monday, 16 December 2019 12:15
To: SCAP Security Guide <scap-security-guide@lists.fedorahosted.org>
Subject: Re: Bash remediations failing due to missing functions

Hello Miguel,

remediations, as they are stored in the DataStream, are prepared to be used within the environment provided by the `oscap` utility (i.e. so `--remediate` works). So no, it's not supposed to be self-contained in that particular form. What you are looking for is probably `oscap xccdf generate fix`. That one will process the snippets and produce a self-contained bash script. So no issue - works as intended. ;)

Regards,
Marek

On Mon, Dec 16, 2019 at 11:44 AM Kuko Armas <k...@canarytek.com> wrote:

I've been playing with remediation code, and I've seen that remediation code for many checks fails due to undefined functions such as "populate" (to populate defined variables) and "fix_audit_syscall_rule" (for audit checks).

I've seen that both functions (and many more) are defined inside the datasource, in group xccdf_org.ssgproject.content_group_remediation_functions.

Since I'm a complete newbie in openSCAP, I'm not sure how it should work:

* Is remediation code supposed to be self-contained in the data source? Or does it depend on the host having the security-guide package installed in order to have the functions' code?
* If it's self-contained, how and where is the functions' code file extracted and read by the remediation code?
* If it's extracted, is there an option to keep the temp files around to take a look?
* Maybe I need a more recent openscap version? (I'm using 1.2.17-4.el7 on centos7)
* Should I file an issue on the ComplianceAsCode GitHub repo? Or am I doing something wrong?

Thanks a lot!

--
Miguel Armas
CanaryTek Consultoria y Sistemas SL
http://www.canarytek.com/

_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org
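A pre-flight check for the symptom discussed in this thread, added here as an example and not part of the mailing-list exchange or of ComplianceAsCode: it scans a script produced by `oscap xccdf generate fix --fix-type bash` for the SSG helper functions it calls (populate, replace_or_append, fix_audit_watch_rule, fix_audit_syscall_rule, as seen above) and reports any that the script never defines, so a half-built remediation is caught before it is run as root. The helper list and the file name check_remediation.sh are assumptions.

```shell
#!/bin/sh
# check_remediation.sh (assumed name): verify that a script produced by
# "oscap xccdf generate fix --fix-type bash" defines every SSG helper it calls.
# Helper names are those seen failing in this thread; they normally come from
# group xccdf_org.ssgproject.content_group_remediation_functions. Extend as needed.
SSG_HELPERS="populate replace_or_append fix_audit_watch_rule fix_audit_syscall_rule"

# Shell functions defined in the script, matching "name() {" and "function name".
defined_functions() {
    grep -Eo '^[[:space:]]*(function[[:space:]]+[A-Za-z_][A-Za-z0-9_]*|[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\(\))' "$1" \
        | sed -E 's/^[[:space:]]*(function[[:space:]]+)?//; s/[[:space:]]*\(\)$//' \
        | sort -u
}

# Helpers the script invokes as a command at the start of a line (the shape
# "populate var_accounts_user_umask" seen in the grep output above).
invoked_helpers() {
    for h in $SSG_HELPERS; do
        if grep -Eq "^[[:space:]]*$h([[:space:]]|$)" "$1"; then
            echo "$h"
        fi
    done
}

# Print helpers that are invoked but never defined; exit status 1 if any.
missing_helpers() {
    defs=$(defined_functions "$1")
    rc=0
    for h in $(invoked_helpers "$1"); do
        # whole-line fixed-string match so "populate" does not match "populate_x"
        if ! echo "$defs" | grep -qxF "$h"; then
            echo "$h"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_remediation.sh remediation.sh
if [ "$#" -eq 1 ]; then
    if missing_helpers "$1"; then
        echo "ok: every helper called in $1 is defined"
    else
        echo "error: the helpers above are called in $1 but never defined;" \
             "regenerate from a fixed content build before running it" >&2
        exit 1
    fi
fi
```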