libopenscap8: Enable SCE option to make broader SCAP content available for Ubuntu users

Bug #1658792 reported by Alan Guan on 2017-01-23
Affects: openscap (Debian) - Status: Fix Released - Importance: Unknown
Affects: openscap (Ubuntu) - Importance: Undecided - Assigned to: Unassigned

Bug Description

[Impact]

The Canonical security certification team is implementing SCAP content based on CIS and STIG compliance rules. A good portion of these rules is beyond the scope of SCAP and OVAL and will require the Script Check Engine (SCE) facility provided by OpenSCAP.

SCE is not enabled by default, and enabling it requires adding the "--enable-sce" option in the "debian/rules" file. The attached patch has all the necessary code changes.

[Test Case]

Run the command "oscap --v". Without the SCE option, the content under "==== Capabilities added by auto-loaded plugins ====" will be empty. With the SCE option turned on, we see the following:

   ==== Capabilities added by auto-loaded plugins ====
   SCE Version: 1.0 (from libopenscap_sce.so.8)

[Regression Potential]

The proposed changes enable new functionality that is already included in the source package and do not change the behaviour of existing code significantly.

Using the same patch attached to this bug report, the Canonical security certification team has created a PPA here: https://launchpad.net/~guanym/+archive/ubuntu/ppa.

The team is actively using the PPA to develop SCAP content, including shell and Python scripts for SCE consumption. We also ran the following tests with and without the proposed changes:
 -- Without the proposed changes, ran scans using OpenSCAP against SCAP content with about 35 diverse rules based on the CIS benchmark, and saved the XML scan result. The content included a rule that requires SCE support, and that rule simply evaluated to "not checked", which is expected since SCE support is not included in OpenSCAP without the proposed changes.
 -- With the proposed changes, ran a scan against the same SCAP content, and saved the XML scan result. The result was identical, with the only exception that the SCE rule evaluated properly, since SCE support is included in OpenSCAP after making the proposed changes.

We have also been running similar scans against an ever-growing SCAP content base 20~30 times a day, and OpenSCAP has behaved the same way as before the SCE functionality was enabled.

[Other Info]

A similar bug report has been submitted to Debian.
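As an added example (not code from this bug report, from the reporter's PPA, or from the OpenSCAP project), the following POSIX shell script covers the two sides of the change described above: has_sce() performs the [Test Case] check against the text of "oscap --version", and sce_check_perms() is the body of an SCE check script of the kind the team says it writes for CIS rules. The "oscap --version" text is a constructed sample so the script runs offline; the file-permission rule, the function names and the script file name in the XCCDF snippet are illustrative assumptions. The XCCDF result codes exported into an SCE script's environment and the SCE check-system URI are the ones documented by OpenSCAP; "stat -c" assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not code from the bug report or from OpenSCAP.
# has_sce() implements the [Test Case] check against "oscap --version"
# output; sce_check_perms() is the body of an SCE check script.

# Constructed samples of "oscap --version" output so this runs offline.
# In practice: has_sce "$(oscap --version)".
SAMPLE_WITH_SCE='OpenSCAP command line tool (oscap) 1.2.9
==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.8)'
SAMPLE_WITHOUT_SCE='OpenSCAP command line tool (oscap) 1.2.9
==== Capabilities added by auto-loaded plugins ====
'

# Returns 0 when the capability listing names the SCE plugin, 1 otherwise.
has_sce() {
    printf '%s\n' "$1" | grep -q 'SCE Version:'
}

# oscap exports the XCCDF result codes into an SCE script's environment;
# the values documented by OpenSCAP are used as defaults so the check can
# also be run (and tested) outside oscap.
: "${XCCDF_RESULT_PASS:=101}"
: "${XCCDF_RESULT_FAIL:=102}"
: "${XCCDF_RESULT_ERROR:=103}"

# Illustrative check modelled on a CIS file-permission rule: the file in $1
# must exist and grant no group/other permissions (0600 or stricter).
# Returns the XCCDF code instead of exiting so it can be called from here;
# a saved SCE script would end with:  sce_check_perms /etc/shadow; exit $?
# Uses "stat -c" (GNU coreutils).
sce_check_perms() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "$f: no such file" >&2
        return "$XCCDF_RESULT_ERROR"
    fi
    mode=$(stat -c '%a' "$f") || return "$XCCDF_RESULT_ERROR"
    case "$mode" in
        *00) return "$XCCDF_RESULT_PASS" ;;
        *)   echo "$f: mode $mode grants group/other access" >&2
             return "$XCCDF_RESULT_FAIL" ;;
    esac
}

# Rule wiring (hypothetical script file name) in the XCCDF benchmark that
# selects the saved script through the SCE check system:
#   <check system="http://open-scap.org/page/SCE">
#     <check-content-ref href="check_shadow_perms.sh"/>
#   </check>

# Stand-alone demo: detect SCE from the samples, then run the check on a
# temporary file with a passing and a failing mode.
if has_sce "$SAMPLE_WITH_SCE"; then echo "sample 1: SCE plugin loaded"; fi
if ! has_sce "$SAMPLE_WITHOUT_SCE"; then echo "sample 2: no SCE plugin"; fi
tmp=$(mktemp)
chmod 600 "$tmp"; rc=0; sce_check_perms "$tmp" || rc=$?
echo "mode 600 -> $rc (101 = pass)"
chmod 644 "$tmp"; rc=0; sce_check_perms "$tmp" 2>/dev/null || rc=$?
echo "mode 644 -> $rc (102 = fail)"
rm -f "$tmp"
```

When a rule evaluates to "not checked" in a scan, as described for the build without SCE, the first thing to confirm is that has_sce() succeeds on the installed oscap; only then is the script itself worth debugging.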

Alan Guan (guanym) on 2017-01-23
summary: - Enable the Script Check Engine
+ [SRU] Enable the Script Check Engine

The attachment "patch to enable SCE" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Alan Guan (guanym) on 2017-01-27
summary: - [SRU] Enable the Script Check Engine
+ libopenscap8: Enable SCE option to make broader SCAP content available
+ for Ubuntu users
description: updated
Alan Guan (guanym) on 2017-01-27
description: updated
Changed in openscap (Debian):
status: Unknown → New
Alan Guan (guanym) on 2017-01-30
description: updated
description: updated
Alan Guan (guanym) wrote :

A PPA to address both this bug and #1661401 is available here: https://launchpad.net/~fips-cc-stig/+archive/ubuntu/fipsdevppa

Changed in openscap (Debian):
status: New → Fix Released