Merge branch 'maint-1.2' into maint-1.3

jan-cerny · jan-cerny · commit c70bc4744939 · 2019-07-22T08:20:25.000+02:00
Conflicts:
	cpe/openscap-cpe-dict.xml
	cpe/openscap-cpe-oval.xml
diff --git a/cpe/openscap-cpe-dict.xml b/cpe/openscap-cpe-dict.xml
@@ -214,6 +214,10 @@
             <title xml:lang="en-us">Wind River Linux 8</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.wrlinux:def:8</check>
       </cpe-item>
+      <cpe-item name="cpe:/o:windriver:wrlinux:1019">
+            <title xml:lang="en-us">Wind River Linux 1019</title>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.wrlinux:def:1019</check>
+      </cpe-item>
       <cpe-item name="cpe:/o:microsoft:windows_7">
             <title xml:lang="en-us">Microsoft Windows 7</title>
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.windows:def:7</check>
diff --git a/cpe/openscap-cpe-oval.xml b/cpe/openscap-cpe-oval.xml
@@ -651,6 +651,19 @@
                         <criterion comment="Wind River Linux version is 8." test_ref="oval:org.open-scap.cpe.wrlinux:tst:8" />
                   </criteria>
             </definition>
+            <definition class="inventory" id="oval:org.open-scap.cpe.wrlinux:def:1019" version="1" >
+                  <metadata>
+                        <title>Wind River Linux 1019</title>
+                        <affected family="unix">
+                            <platform>Wind River Linux 1019</platform>
+                        </affected>
+                        <reference ref_id="cpe:/o:windriver:wrlinux:1019" source="CPE"/>
+                        <description>The operating system installed on the system is Wind River Linux 1019</description>
+                  </metadata>
+                  <criteria>
+                        <criterion comment="Wind River Linux version is 1019." test_ref="oval:org.open-scap.cpe.wrlinux:tst:1019" />
+                  </criteria>
+            </definition>
             <definition class="inventory" id="oval:org.open-scap.cpe.windows:def:7" version="1">
                   <metadata>
                         <title>Microsoft Windows 7</title>
@@ -1006,6 +1019,17 @@
                   <object object_ref="oval:org.open-scap.cpe.wrlinux-release:obj:2"/>
                   <state state_ref="oval:org.open-scap.cpe.wrlinux-release:ste:8"/>
             </textfilecontent54_test>
+            <textfilecontent54_test
+                            id="oval:org.open-scap.cpe.wrlinux:tst:1019"
+                            check="all"
+                            check_existence="all_exist"
+                            comment="Check /etc/os-release for VERSION 1019 specification."
+                            version="1"
+                            xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
+                            >
+                  <object object_ref="oval:org.open-scap.cpe.wrlinux-release:obj:3"/>
+                  <state state_ref="oval:org.open-scap.cpe.wrlinux-release:ste:10"/>
+            </textfilecontent54_test>
             <rpminfo_test check="all" check_existence="only_one_exists" comment="redhat-release-virtualization-host RPM package is installed" id="oval:org.open-scap.cpe.rhevh:tst:1" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                   <object object_ref="oval:org.open-scap.cpe.rhevh:obj:1" />
             </rpminfo_test>
@@ -1083,6 +1107,17 @@
                 <pattern operation="pattern match">^VERSION=.([[:digit:]]*)</pattern>
                 <instance operation="greater than or equal" datatype="int">1</instance>
             </textfilecontent54_object>
+            <textfilecontent54_object
+                            id="oval:org.open-scap.cpe.wrlinux-release:obj:3"
+                            comment="Check VERSION specification in /etc/os-release."
+                            version="1"
+                            xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
+                            >
+                <path>/etc</path>
+                <filename>os-release</filename>
+                <pattern operation="pattern match">^VERSION=.(\d*.\d*)</pattern>
+                <instance operation="greater than or equal" datatype="int">1</instance>
+            </textfilecontent54_object>
             <rpminfo_object id="oval:org.open-scap.cpe.rhevh:obj:1" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                 <name>redhat-release-virtualization-host</name>
             </rpminfo_object>
@@ -1266,6 +1301,14 @@
                             >
                   <subexpression operation="pattern match">8</subexpression>
             </textfilecontent54_state>
+            <textfilecontent54_state
+                            id="oval:org.open-scap.cpe.wrlinux-release:ste:10"
+                            comment="Check the /etc/os-release file for VERSION 1019 specification."
+                            version="1"
+                            xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
+                            >
+                  <subexpression operation="pattern match">10.19</subexpression>
+            </textfilecontent54_state>
             <textfilecontent54_state id="oval:org.open-scap.cpe.rhevh:ste:2" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
                   <subexpression operation="pattern match">7</subexpression>
             </textfilecontent54_state>
diff --git a/docs/manual/manual.adoc b/docs/manual/manual.adoc
@@ -459,6 +459,50 @@ Ident   CCE-3967-7
 Result  pass
 ----
 
+The meaning of results is defined by https://csrc.nist.gov/CSRC/media/Publications/nistir/7275/rev-4/final/documents/nistir-7275r4_updated-march-2012_clean.pdf[XCCDF Specification].
+This table lists the possible results of a single rule:
+
+.XCCDF results
+|===
+|Result |Description |Example Situation
+
+|pass
+|The target system or system component satisfied all the conditions of the rule.
+|
+
+|fail
+|The target system or system component did not satisfy all the conditions of the rule.
+|
+
+|error
+|The checking engine could not complete the evaluation, therefore the status of the target’s compliance with the rule is not certain.
+|OpenSCAP was run with insufficient privileges and could not gather all of the necessary information.
+
+|unknown
+|The testing tool encountered some problem and the result is unknown.
+|OpenSCAP was unable to interpret the output of the checking engine (the output has no meaning to OpenSCAP).
+
+|notapplicable
+|The rule was not applicable to the target of the test.
+|The rule might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.
+
+|notchecked
+|The rule was not evaluated by the checking engine. This status is designed for rules that have no <xccdf:check> elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.
+|The rule does not reference any OVAL check.
+
+|notselected
+|The rule was not selected in the benchmark. OpenSCAP does not display rules that were not selected.
+|The rule exists in the benchmark, but is not a part of selected profile.
+
+|informational
+|The rule was checked, but the output from the checking engine is simply information for auditors or administrators; it is not a compliance category. This status value is designed for rules whose main purpose is to extract information from the target rather than test the target.
+|
+
+|fixed
+|The rule had failed, but was then fixed by automated remediation.
+|
+|===
+
 The CPE dictionary is used to determine whether the content is
 applicable on the target platform or not. Any content that is not
 applicable will result in each relevant XCCDF rule being evaluated to
@@ -1859,3 +1903,12 @@ Again, usage of the tool mimics usage and options of `oscap` tool.
 
 
 
+== Frequently Asked Questions (FAQs)
+*Why do I get "notchecked" results when I use e.g. https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V2R3_STIG.zip[STIG checklist]?*
+
+The downloaded guidance contains rule descriptions, but it doesn't contain OVAL checks which could be used for evaluation by OpenSCAP. You can find guidances with implemented OVAL checks and also with remediations at https://github.com/ComplianceAsCode/content[ComplianceAsCode] project, which contains wide range of profiles.
+
+*I try to apply a tailoring file, but OpenSCAP still evaluates rules that I have unselected. How can I enforce my changes of the profile?*
+
+Make sure that you provide the ID of the customized profile in `--profile` option instead of the ID of the original profile.
+If you created the tailoring file using SCAP Workbench, you were prompted to choose the ID of the customized profile. You can display the ID of the customized profile by running `oscap info <your_tailoring_file>`. By default, the ID of the customized profile ends with `_customized` suffix.
diff --git a/src/SCE/sce_engine.c b/src/SCE/sce_engine.c
@@ -425,6 +425,9 @@ xccdf_test_result_type_t sce_engine_eval_rule(struct xccdf_policy *policy, const
 		if (value == NULL)
 		{
 			value = xccdf_value_binding_get_value(binding);
+			if (value == NULL) {
+				value = "";
+			}
 		}
 		xccdf_operator_t operator = xccdf_value_binding_get_operator(binding);
 
diff --git a/src/XCCDF_POLICY/xccdf_policy.c b/src/XCCDF_POLICY/xccdf_policy.c
@@ -592,10 +592,10 @@ _xccdf_policy_rule_get_applicable_check(struct xccdf_policy *policy, struct xccd
 
 		// Only print a warning if we didn't select a check but could've otherwise.
 		if (print_oval_warning) {
-			printf("WARNING: Skipping rule that uses OVAL but is possibly malformed; "
+			dW("Skipping rule that uses OVAL but is possibly malformed; "
 			       "an incorrect content reference prevents this check from being evaluated.\n");
 		} else if (print_general_warning && result == NULL) {
-			printf("WARNING: Skipping rule that requires an unregistered check system "
+			dW("Skipping rule that requires an unregistered check system "
 			       "or incorrect content reference to evaluate. "
 			       "Please consider providing a valid SCAP/OVAL instead of %s\n",
 				warning_check_system);
diff --git a/tests/API/XCCDF/unittests/test_xccdf_check_processing_selector_empty.sh b/tests/API/XCCDF/unittests/test_xccdf_check_processing_selector_empty.sh
@@ -13,7 +13,8 @@ $OSCAP xccdf eval --profile xccdf_moc.elpmaxe.www_profile_1 --results $result $s
 
 echo "Stderr file = $stderr"
 echo "Result file = $result"
-[ -f $stderr ]; [ ! -s $stderr ]; rm $stderr
+grep "Skipping rule that requires an unregistered check system or incorrect content reference to evaluate." $stderr
+rm $stderr
 
 $OSCAP xccdf validate $result
 
diff --git a/tests/API/XCCDF/unittests/test_xccdf_check_unsupported_check_system.sh b/tests/API/XCCDF/unittests/test_xccdf_check_unsupported_check_system.sh
@@ -9,7 +9,8 @@ stderr=`mktemp`
 
 $OSCAP xccdf eval --results $result $srcdir/test_xccdf_check_unsupported_check_system.xml 2> $stderr
 echo "Stderr file = $stderr"
-[ -f $stderr ]; [ ! -s $stderr ]; rm $stderr
+grep "Skipping rule that requires an unregistered check system or incorrect content reference to evaluate." $stderr
+rm $stderr
 
 $OSCAP xccdf validate $result
 
diff --git a/tests/API/XCCDF/unittests/test_xccdf_check_without_content_refs.sh b/tests/API/XCCDF/unittests/test_xccdf_check_without_content_refs.sh
@@ -11,7 +11,9 @@ $OSCAP xccdf eval --results $result $srcdir/test_xccdf_check_without_content_ref
 
 echo "Stderr file = $stderr"
 echo "Result file = $result"
-[ -f $stderr ]; [ ! -s $stderr ]; rm $stderr
+[ -f $stderr ]
+grep "Skipping rule that uses OVAL but is possibly malformed; an incorrect content reference prevents this check from being evaluated." $stderr
+rm $stderr
 
 $OSCAP xccdf validate $result
 
diff --git a/tests/API/XCCDF/unittests/test_xccdf_multiple_testresults.sh b/tests/API/XCCDF/unittests/test_xccdf_multiple_testresults.sh
@@ -17,7 +17,7 @@ tmpdir=$(dirname $result)
 for i in {1..5}; do
 	$OSCAP xccdf eval --results $result $result 2> $stderr
 	[ -f $stderr ]
-	[ "`cat $stderr`" == "WARNING: Skipping $tmpdir/non_existent.oval.xml file which is referenced from XCCDF content" ]
+	grep "Skipping $tmpdir/non_existent\.oval\.xml file which is referenced from XCCDF content" $stderr
 	:> $stderr
 
 	$OSCAP xccdf validate $result
diff --git a/tests/API/XCCDF/unittests/test_xccdf_notchecked_has_check.sh b/tests/API/XCCDF/unittests/test_xccdf_notchecked_has_check.sh
@@ -14,7 +14,7 @@ $OSCAP xccdf eval --results $result $srcdir/${name}.xccdf.xml 2> $stderr
 echo "Stderr file = $stderr"
 echo "Result file = $result"
 [ -f $stderr ]
-[ "WARNING: Skipping $srcdir/_non_existent_.oval.xml file which is referenced from XCCDF content" == "`cat $stderr`" ]
+grep "Skipping $srcdir/_non_existent_\.oval\.xml file which is referenced from XCCDF content" $stderr
 rm $stderr
 
 $OSCAP xccdf validate $result
diff --git a/utils/oscap-ssh b/utils/oscap-ssh
@@ -114,6 +114,13 @@ function scp_retreive_from_temp_dir {
     scp -o ControlPath="$MASTER_SOCKET" -P "$SSH_PORT" $SSH_ADDITIONAL_OPTIONS "$SSH_HOST:$REMOTE_TEMP_DIR/$1" "$2"
 }
 
+# $1: The name of the array holding command elements
+# Returns: String, where individual command components are double-quoted, so they are not interpreted by the shell.
+#  For example, an array ('-p' '(all)') will be transformed to "\"-p\" \"(all)\"", so after the shell expansion, it will end up as "-p" "(all)".
+function command_array_to_string {
+	eval "printf '\"%s\" ' \"\${$1[@]}\""
+}
+
 function first_argument_is_sudo {
 	[ "$1" == "sudo" ] || [ "$1" == "--sudo" ]
 	return $?
@@ -272,7 +279,7 @@ echo "Starting the evaluation..."
 # changing directory because of --oval-results support. oval results files are
 # dumped into PWD, and we can't be sure by the file names - we need controlled
 # environment
-ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO oscap ${oscap_args[*]}" "$SSH_TTY_ALLOCATION_OPTION"
+ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO oscap $(command_array_to_string oscap_args)" "$SSH_TTY_ALLOCATION_OPTION"
 OSCAP_EXIT_CODE=$?
 echo "oscap exit code: $OSCAP_EXIT_CODE"
 
diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
@@ -402,21 +402,6 @@ static int callback_scr_result(struct xccdf_rule_result *rule_result, void *arg)
 	return 0;
 }
 
-static int callback_scr_rule_progress(struct xccdf_rule *rule, void *arg)
-{
-	const char * rule_id = xccdf_rule_get_id(rule);
-
-	/* is rule selected? we print only selected rules */
-	const bool selected = xccdf_policy_is_item_selected((struct xccdf_policy *) arg, rule_id);
-	if (!selected)
-		return 0;
-
-	printf("%s:", rule_id);
-	fflush(stdout);
-
-	return 0;
-}
-
 static int callback_scr_result_progress(struct xccdf_rule_result *rule_result, void *arg)
 {
 	xccdf_test_result_type_t result = xccdf_rule_result_get_result(rule_result);
@@ -426,9 +411,10 @@ static int callback_scr_result_progress(struct xccdf_rule_result *rule_result, v
 		return 0;
 
 	/* print result */
-	const char * result_str = xccdf_test_result_type_get_text(result);
+	const char *rule_id = xccdf_rule_result_get_idref(rule_result);
+	const char *result_str = xccdf_test_result_type_get_text(result);
 
-	printf("%s\n", result_str);
+	printf("%s:%s\n", rule_id, result_str);
 	fflush(stdout);
 
 	return 0;
@@ -470,8 +456,6 @@ static void _register_progress_callback(struct xccdf_session *session, bool prog
 {
 	struct xccdf_policy_model *policy_model = xccdf_session_get_policy_model(session);
 	if (progress) {
-		xccdf_policy_model_register_start_callback(policy_model, callback_scr_rule_progress,
-				(void *) xccdf_session_get_xccdf_policy(session));
 		xccdf_policy_model_register_output_callback(policy_model, callback_scr_result_progress, NULL);
 	}
 	else {
diff --git a/xsl/xccdf-resources.xsl b/xsl/xccdf-resources.xsl
diff --git a/xsl/xccdf-resources/openscap.js b/xsl/xccdf-resources/openscap.js
@@ -2,8 +2,8 @@ function openRuleDetailsDialog(rule_result_id)
 {
     $("#detail-modal").remove();
 
-    var closebutton = $('<button type="button" class="close btn btn-sm btn-default" data-dismiss="modal" aria-hidden="true" title="Close">&#x274c;</button>');
-    var modal = $('<div id="detail-modal" class="modal fade" tabindex="-1" role="dialog" aria-hidden="true"><div id="detail-modal-body" class="modal-body"></div></div>');
+    var closebutton = $('<button type="button" class="close btn btn-sm btn-default" data-dismiss="modal" aria-hidden="false" title="Close">&#x274c;</button>');
+    var modal = $('<div id="detail-modal" class="modal fade" tabindex="-1" role="dialog" aria-hidden="false"><div id="detail-modal-body" class="modal-body"></div></div>');
 
     $("body").prepend(modal);
 

Original file line number	Diff line number	Diff line change
`@@ -425,6 +425,9 @@ xccdf_test_result_type_t sce_engine_eval_rule(struct xccdf_policy *policy, const`
`425`	`425`	`if (value == NULL)`
`426`	`426`	`{`
`427`	`427`	`value = xccdf_value_binding_get_value(binding);`
	`428`	`+ if (value == NULL) {`
	`429`	`+ value = "";`
	`430`	`+ }`
`428`	`431`	`}`
`429`	`432`	`xccdf_operator_t operator = xccdf_value_binding_get_operator(binding);`
`430`	`433`