[SRU][xenial] Enable SCE option and systemd probe in libopenscap8
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openscap (Debian) | Fix Released | Unknown | |
openscap (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
Canonical security certification team is automating Ubuntu specific security hardening guides using Security Content Automation Protocol (SCAP). SCAP requires Open Vulnerability and Assessment Language (xccdf and xml) to implement SCAP content.
The openSCAP implementation processes SCAP content, but has been extended to also process python and bash scripts via a Script Check Engine (SCE). This ability to process bash and python scripts is needed because OVAL is somewhat limited in what it can do. We have had to write a few python and bash scripts.
SCE is not enabled by default, and will require the addition of the "--enable-sce" option in the "debian/rules" file to turn it on.
There are security hardening rules for systemd. There is also OVAL schema implemented as "probes" in openSCAP. The systemd probe to be enabled requires libdbus-1-dev during build. This would be set in the debian/control file.
The attached patch has all the necessary code changes.
These 2 changes were made in more current versions of libopenscap8 in Debian as indicated above. As a result, Artful, Bionic and Cosmic also have these changes. The automation we are working on is required for Xenial though.
[Test Case]
1. Run the command "oscap --v"; with the SCE option enabled you should see the following:
==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_
Without the SCE option enabled, the list of plugins is empty.
You should also see, under "==== Supported OVAL objects and associated OpenSCAP probes ====":
systemdunitproperty probe_systemdun
systemdunitdepe
2. The second test case requires running our SCAP content and verifying that the rules using scripts and the rules using systemd probes are executed.
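The two checks from test case 1, automated as a small POSIX shell script. This is an added example and is not part of the bug report or of the openscap package: it parses the text of `oscap --version` (assumed here to be the long form of the `--v` shorthand used above) and matches the two section headers quoted in the test case. The two sample reports embedded in the script are constructed, not captured from a real build, the plugin library path is a placeholder, and the full name of the second systemd probe, `systemdunitdependency`, is assumed (the page shows it truncated).

```shell
#!/bin/sh
# Added example: automates the two "oscap --v" checks from the test case.
# Not part of the bug report or of the openscap package.

PLUGIN_HDR='Capabilities added by auto-loaded plugins'
OVAL_HDR='Supported OVAL objects and associated OpenSCAP probes'

# Print the lines that follow the "==== <header> ====" line of a report,
# stopping at the next "====" header.  $1 = header text, $2 = report text.
section() {
    printf '%s\n' "$2" | awk -v hdr="$1" '
        index($0, "====") == 1 { inside = (index($0, hdr) > 0); next }
        inside { print }'
}

# 0 when the plugin section lists the Script Check Engine, 1 otherwise.
has_sce() {
    section "$PLUGIN_HDR" "$1" | grep -q '^SCE Version:'
}

# 0 when both systemd probes are listed under the OVAL probe section.
# "systemdunitdependency" is assumed to be the full name of the probe the
# bug report shows truncated as "systemdunitdepe".
has_systemd_probes() {
    section "$OVAL_HDR" "$1" | grep -q '^systemdunitproperty' &&
    section "$OVAL_HDR" "$1" | grep -q '^systemdunitdependency'
}

# 0 only when both SRU changes are visible in the report.
verify_sru() {
    has_sce "$1" && has_systemd_probes "$1"
}

# Constructed sample of a build with --enable-sce and the systemd probe
# (version and plugin path are placeholders, not real values).
SAMPLE_ENABLED='OpenSCAP command line tool (oscap) X.Y.Z
==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from <plugin library placeholder>)

==== Supported OVAL objects and associated OpenSCAP probes ====
file                         probe_file
systemdunitproperty          probe_systemdunitproperty
systemdunitdependency        probe_systemdunitdependency'

# Constructed sample of the xenial build before this SRU: empty plugin list,
# no systemd probes.
SAMPLE_DISABLED='OpenSCAP command line tool (oscap) X.Y.Z
==== Capabilities added by auto-loaded plugins ====

==== Supported OVAL objects and associated OpenSCAP probes ====
file                         probe_file'

# When oscap is installed, check the live tool; otherwise exercise the samples.
if command -v oscap >/dev/null 2>&1; then
    if verify_sru "$(oscap --version)"; then
        echo "oscap: SCE plugin and systemd probes present"
    else
        echo "oscap: SCE plugin or systemd probes missing"
    fi
else
    verify_sru "$SAMPLE_ENABLED" && echo "sample (enabled): ok"
    verify_sru "$SAMPLE_DISABLED" || echo "sample (disabled): missing, as expected"
fi
```

The script matches on the section headers rather than on a line anywhere in the output, so a stray "SCE" mention in the version banner or paths section cannot produce a false positive; on a machine with the updated package installed, `verify_sru "$(oscap --version)"` is the single check to run.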
[Regression Potential]
The regression potential should be small. The changes proposed enable new functionality that is already included in the source package and do not change the behavior of existing functionality.
Changed in openscap (Debian): status: Unknown → Fix Released
Changed in openscap (Ubuntu Bionic): status: New → Fix Released
Changed in openscap (Ubuntu): status: Confirmed → Fix Released
Changed in openscap (Ubuntu Xenial): status: New → Confirmed
tags: removed: verification-needed-xenial
tags: added: verification-done; removed: verification-needed
This bug is to enable 2 options available in the libopenscap8 source. Both of these options have been enabled in artful, bionic and cosmic. Both options have also been enabled in Debian via the following Debian bug reports:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853995
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852826
There are 2 Debian bugs, but I was able to add only 1 above. Since these are small changes, I am hoping one Ubuntu bug will be ok. If not, I can open another bugreport.
Prior bugs, https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1658792 AND https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1661401, were opened to address this. The original bug reporter is no longer available. I would like to duplicate those to this bug and use this one to address and resolve this issue.