Public bug reported:

[Impact]

Canonical security certification team is automating Ubuntu specific
security hardening guides using Security Content Automation Protocol
(SCAP). SCAP requires Open Vulnerability and Assessment Language (xccdf
and xml) to implement SCAP content.

The openSCAP implementation processes SCAP content, but has been
extended to also process python and bash scripts via a Script Check
Engine (SCE). This ability to process bash and python scripts is needed
because OVAL is somewhat limited in what it can do. We have had to write
a few python and bash scripts.

SCE is not enabled by default, and will require the addition of the
"--enable-sce" option in the "debian/rules" file to turn it on.

There are security hardening rules for systemd. There are also OVAL
schemas implemented as "probes" in openSCAP. The systemd probe to be
enabled requires libdbus-1-dev during build. This would be set in the
debian/control file.

The attached patch has all the necessary code change.

These 2 changes were made in more current versions of libopenscap8 in
Debian as indicated above. As a result, Artful, Bionic and Cosmic also
have these changes. The automation we are working on is required for
Xenial though.

[Test Case]

1. Run the command "oscap --v"; with the SCE option enabled you should
see the following:

   ==== Capabilities added by auto-loaded plugins ====
   SCE Version: 1.0 (from libopenscap_sce.so.8)

without the SCE option enabled, the list of plugins is empty.

Also, should see under "==== Supported OVAL objects and associated
OpenSCAP probes ===="

systemdunitproperty          probe_systemdunitproperty   
systemdunitdependency        probe_systemdunitdependency 


2. The second testcase requires running our SCAP content and verifying that 
those rules using scripts are run and those rules using systemd probes are run.
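The following is an added verification helper for test case 1, not part of the bug report or of the openscap package: it reads the output of "oscap -V" on stdin and fails unless the SCE plugin line and both systemd probes are present. The two sample outputs embedded below are constructed from the lines quoted in the test case.

```bash
#!/bin/sh
# Added example: check "oscap -V" output for the SRU test-case capabilities.
# Usage on a real system:  oscap -V | check_oscap_caps
# Returns 0 only when SCE is loaded AND both systemd probes are listed.
check_oscap_caps() {
    out=$(cat)
    rc=0
    # SCE shows up under the auto-loaded plugins header; restrict the
    # search to that section so a stray "SCE" elsewhere does not count.
    if printf '%s\n' "$out" \
        | sed -n '/Capabilities added by auto-loaded plugins/,/^====/p' \
        | grep -q 'SCE Version'; then
        echo "OK: SCE plugin loaded"
    else
        echo "FAIL: SCE plugin not loaded (built without --enable-sce?)"
        rc=1
    fi
    # Each systemd probe is listed as "<object>   probe_<object>".
    for probe in systemdunitproperty systemdunitdependency; do
        if printf '%s\n' "$out" \
            | grep -q "${probe}[[:space:]][[:space:]]*probe_${probe}"; then
            echo "OK: $probe probe present"
        else
            echo "FAIL: $probe probe missing (libdbus-1-dev absent at build?)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: output with SCE and the systemd probes enabled.
SAMPLE_ENABLED='==== Supported OVAL objects and associated OpenSCAP probes ====
systemdunitproperty          probe_systemdunitproperty
systemdunitdependency        probe_systemdunitdependency

==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.8)'

# Constructed sample: a build without SCE and without the systemd probes.
SAMPLE_DISABLED='==== Supported OVAL objects and associated OpenSCAP probes ====
family                       probe_family

==== Capabilities added by auto-loaded plugins ===='

# Demonstration on the constructed "enabled" output.
printf '%s\n' "$SAMPLE_ENABLED" | check_oscap_caps
```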


[Regression Potential]

The regression potential should be small. The changes proposed enable
new functionality that is already included in the source package, and
do not change the behavior of existing functionality.

** Affects: openscap (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: openscap (Debian)
     Importance: Unknown
         Status: Unknown

** Bug watch added: Debian Bug tracker #852826
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852826

** Also affects: openscap (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852826
   Importance: Unknown
       Status: Unknown

https://bugs.launchpad.net/bugs/1782031

Title:
  [SRU][xenial] Enable SCE option and systemd probe in libopenscap8


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs