Hello,
I have noticed that the pci-dss profile in ssg-centos7-xccdf.xml will always fail
on test and remediation for the disable_prelink rule. That seems to be caused by
insufficient CentOS RPM customization of the upstream code. Specifically this:
https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/disable_prelink.xml#L24-L35
<https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/disable_prelink.xml>
That condition will always fail on CentOS because it misses:
<extend_definition comment="Installed OS is CentOS7" definition_ref="installed_OS_is_centos7" />
I was thinking about raising a bug on https://bugs.centos.org or committing
a fix in https://git.centos.org/summary/rpms!scap-security-guide but I am
unsure as to what action I should take.
The other issue I'm facing is trying to work around the disable_prelink rule
by simply taking it out of the tests. I have created a tailoring file, but it
doesn't seem to be taken into consideration. The file:
<?xml version="1.0" encoding="UTF-8"?>
<cdf-11-tailoring:Tailoring
    xmlns:cdf-11-tailoring="http://open-scap.org/page/Xccdf-1.1-tailoring"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1"
    id="xccdf_scap-workbench_tailoring_default">
  <cdf-11-tailoring:benchmark href="/private/tmp/ssg-centos7-xccdf.xml"/>
  <cdf-11-tailoring:version time="2017-01-31T14:41:00">1</cdf-11-tailoring:version>
  <xccdf:Profile id="pci-dss_disable_rule_prelink" extends="pci-dss">
    <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"
        override="true">PCI-DSS v3 Control Baseline for CentOS Linux 7 [CUSTOMIZED]</xccdf:title>
    <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"
        override="true">This is a *draft* profile for PCI-DSS v3</xccdf:description>
    <xccdf:select idref="disable_prelink" selected="false"/>
  </xccdf:Profile>
</cdf-11-tailoring:Tailoring>
Then the oscap command I tried:
oscap xccdf eval --remediate --tailoring-file tailor.xml --profile pci-dss \
    --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
It is my debut on the list, thank you for your consideration :-)
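The first thing to verify when a tailoring file appears to be ignored is whether the id given to --profile is one the tailoring file actually defines: oscap applies a tailoring only when the tailored profile id is selected, and selecting the base profile evaluates the untouched benchmark. The following is an added example, not code from the post or from OpenSCAP; the embedded XML is a constructed copy of the tailoring file above, and the paths are the ones from the post.

```python
import shlex
import xml.etree.ElementTree as ET

NS = {"tailoring": "http://open-scap.org/page/Xccdf-1.1-tailoring",
      "xccdf": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed sample: the tailoring file from the post, whitespace tidied.
TAILORING_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cdf-11-tailoring:Tailoring xmlns:cdf-11-tailoring="http://open-scap.org/page/Xccdf-1.1-tailoring"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" id="xccdf_scap-workbench_tailoring_default">
  <cdf-11-tailoring:benchmark href="/private/tmp/ssg-centos7-xccdf.xml"/>
  <cdf-11-tailoring:version time="2017-01-31T14:41:00">1</cdf-11-tailoring:version>
  <xccdf:Profile id="pci-dss_disable_rule_prelink" extends="pci-dss">
    <xccdf:title xml:lang="en-US" override="true">PCI-DSS v3 Control Baseline [CUSTOMIZED]</xccdf:title>
    <xccdf:select idref="disable_prelink" selected="false"/>
  </xccdf:Profile>
</cdf-11-tailoring:Tailoring>
"""

def tailored_profiles(xml_text):
    """Map each Profile id in the tailoring to its base profile and rule selections."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    profiles = {}
    for prof in root.findall("xccdf:Profile", NS):
        info = {"extends": prof.get("extends"), "selected": [], "deselected": []}
        for sel in prof.findall("xccdf:select", NS):
            key = "selected" if sel.get("selected") == "true" else "deselected"
            info[key].append(sel.get("idref"))
        profiles[prof.get("id")] = info
    return profiles

def tailoring_applies(xml_text, requested_profile):
    """oscap only applies a tailoring when --profile names a profile the tailoring
    defines; naming the base profile (pci-dss) evaluates the untouched benchmark."""
    return requested_profile in tailored_profiles(xml_text)

def oscap_command(xml_text, tailoring_path, benchmark_path, profile_id):
    """Build the oscap argv, refusing a profile id the tailoring file lacks."""
    if not tailoring_applies(xml_text, profile_id):
        raise ValueError(f"{profile_id!r} is not defined in {tailoring_path}")
    return ["oscap", "xccdf", "eval", "--tailoring-file", tailoring_path,
            "--profile", profile_id, "--fetch-remote-resources", benchmark_path]

if __name__ == "__main__":
    print(tailored_profiles(TAILORING_XML))
    print(shlex.join(oscap_command(TAILORING_XML, "tailor.xml",
          "/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml",
          "pci-dss_disable_rule_prelink")))
```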
On 02/01/2017 10:15 AM, Michał Jankowski wrote:
> Hello,
>
> I have noticed that the pci-dss profile in ssg-centos7-xccdf.xml will always fail
> on test and remediation for the disable_prelink rule. That seems to be caused by
> insufficient CentOS RPM customization of the upstream code. Specifically this:
> https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/disable_prelink.xml#L24-L35
> <https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/disable_prelink.xml>
>
> That condition will always fail on CentOS because it misses:
> <extend_definition comment="Installed OS is CentOS7" definition_ref="installed_OS_is_centos7" />
>
> I was thinking about raising a bug on https://bugs.centos.org or committing
> a fix in https://git.centos.org/summary/rpms!scap-security-guide but I am
> unsure as to what action I should take.

You can clone that git project from git.centos.org, then checkout the
'c7' branch and fix the issue on your branch .. then use the git
--format-patch option as explained here:

https://ariejan.net/2009/10/26/how-to-create-and-apply-a-patch-with-git/

Then you can send your patch (attached to an email) to the CentOS-Devel
mailing list (https://lists.centos.org/mailman/listinfo/centos-devel)
and I will import it into the git repo and fix the package.

<snip>

Thanks,
Johnny Hughes
Please have a look at the patch.

On Fri, Feb 3, 2017 at 1:52 AM Johnny Hughes <johnny at centos.org> wrote:
> On 02/01/2017 10:15 AM, Michał Jankowski wrote:
> > Hello,
> >
> > I have noticed that the pci-dss profile in ssg-centos7-xccdf.xml will always fail
> > on test and remediation for the disable_prelink rule. That seems to be caused by
> > insufficient CentOS RPM customization of the upstream code. Specifically this:
> > https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/disable_prelink.xml#L24-L35
> > <https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/disable_prelink.xml>
> >
> > That condition will always fail on CentOS because it misses:
> > <extend_definition comment="Installed OS is CentOS7" definition_ref="installed_OS_is_centos7" />
> >
> > I was thinking about raising a bug on https://bugs.centos.org or committing
> > a fix in https://git.centos.org/summary/rpms!scap-security-guide but I am
> > unsure as to what action I should take.
>
> You can clone that git project from git.centos.org, then checkout the
> 'c7' branch and fix the issue on your branch .. then use the git
> --format-patch option as explained here:
>
> https://ariejan.net/2009/10/26/how-to-create-and-apply-a-patch-with-git/
>
> Then you can send your patch (attached to an email) to the CentOS-Devel
> mailing list (https://lists.centos.org/mailman/listinfo/centos-devel)
> and I will import it into the git repo and fix the package.
>
> <snip>
>
> Thanks,
> Johnny Hughes
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos