Hello,
I have noticed that the pci-dss profile in ssg-centos7-xccdf.xml will always fail on test and remediation for the disable_prelink rule. That seems to be caused by insufficient CentOS RPM customization of the upstream code. Specifically this: https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/disable_prelink.xml
That condition will always fail on CentOS because it is missing: <extend_definition comment="Installed OS is CentOS7" definition_ref="installed_OS_is_centos7" />
I was thinking about raising a bug on https://bugs.centos.org or committing a fix in https://git.centos.org/summary/rpms!scap-security-guide but I am unsure as to what action I should take.
The other issue I'm facing is trying to work around the disable_prelink rule by simply taking it out of the tests. I have created a tailoring file but it doesn't seem to be taken into consideration. The file:

<?xml version="1.0" encoding="UTF-8"?>
<cdf-11-tailoring:Tailoring xmlns:cdf-11-tailoring="http://open-scap.org/page/Xccdf-1.1-tailoring" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" id="xccdf_scap-workbench_tailoring_default">
  <cdf-11-tailoring:benchmark href="/private/tmp/ssg-centos7-xccdf.xml"/>
  <cdf-11-tailoring:version time="2017-01-31T14:41:00">1</cdf-11-tailoring:version>
  <xccdf:Profile id="pci-dss_disable_rule_prelink" extends="pci-dss">
    <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">PCI-DSS v3 Control Baseline for CentOS Linux 7 [CUSTOMIZED]</xccdf:title>
    <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This is a *draft* profile for PCI-DSS v3</xccdf:description>
    <xccdf:select idref="disable_prelink" selected="false"/>
  </xccdf:Profile>
</cdf-11-tailoring:Tailoring>
Then the oscap command I tried: oscap xccdf eval --remediate --tailoring-file tailor.xml --profile pci-dss --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
It is my debut on the list, thank you for your consideration :-)
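Added example, not from this thread and not an OpenSCAP tool: a small Python checker that parses an XCCDF 1.1 tailoring file like the one above and compares it with the arguments given to oscap. It assumes, as OpenSCAP behaves, that a tailored profile only takes effect when --profile names the profile id the tailoring defines (here pci-dss_disable_rule_prelink) rather than the base profile it extends; the embedded tailoring is a constructed copy of the posted one, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the XCCDF 1.1 tailoring format shown in the post.
NS = {"t": "http://open-scap.org/page/Xccdf-1.1-tailoring",
      "x": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed copy of the posted tailoring file (title/description trimmed).
TAILORING = """<?xml version="1.0" encoding="UTF-8"?>
<cdf-11-tailoring:Tailoring xmlns:cdf-11-tailoring="http://open-scap.org/page/Xccdf-1.1-tailoring"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" id="xccdf_scap-workbench_tailoring_default">
  <cdf-11-tailoring:benchmark href="/private/tmp/ssg-centos7-xccdf.xml"/>
  <cdf-11-tailoring:version time="2017-01-31T14:41:00">1</cdf-11-tailoring:version>
  <xccdf:Profile id="pci-dss_disable_rule_prelink" extends="pci-dss">
    <xccdf:title>PCI-DSS v3 Control Baseline for CentOS Linux 7 [CUSTOMIZED]</xccdf:title>
    <xccdf:select idref="disable_prelink" selected="false"/>
  </xccdf:Profile>
</cdf-11-tailoring:Tailoring>"""

def parse_tailoring(xml_text):
    """Return (benchmark href, {profile id: {extends, selected, deselected}})."""
    root = ET.fromstring(xml_text)
    bench = root.find("t:benchmark", NS)
    href = bench.get("href") if bench is not None else None
    profiles = {}
    for prof in root.findall("x:Profile", NS):
        selects = prof.findall("x:select", NS)
        profiles[prof.get("id")] = {
            "extends": prof.get("extends"),
            "selected": [s.get("idref") for s in selects if s.get("selected") == "true"],
            "deselected": [s.get("idref") for s in selects if s.get("selected") == "false"],
        }
    return href, profiles

def check_invocation(xml_text, profile_arg, content_path):
    """Flag why a deselected rule may still run: --profile must name a profile the
    tailoring defines, not the base it extends. A benchmark href that differs from
    the content path is reported as a warning (hypothetical check, not oscap's)."""
    href, profiles = parse_tailoring(xml_text)
    problems = []
    if profile_arg not in profiles:
        tailored = [pid for pid, p in profiles.items() if p["extends"] == profile_arg]
        if tailored:
            problems.append(f"--profile {profile_arg} selects the untailored base profile; "
                            f"use --profile {tailored[0]} so its deselects apply")
        else:
            problems.append(f"--profile {profile_arg} is not defined in the tailoring")
    if href and href != content_path:
        problems.append(f"tailoring was written against {href}, not {content_path}")
    return problems
```

Running check_invocation(TAILORING, "pci-dss", "/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml") reproduces the situation in the post: the base profile is selected, so disable_prelink is still evaluated.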
On 02/01/2017 10:15 AM, Michał Jankowski wrote:
Hello,
I have noticed that the pci-dss profile in ssg-centos7-xccdf.xml will always fail on test and remediation for the disable_prelink rule. That seems to be caused by insufficient CentOS RPM customization of the upstream code. Specifically this: https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/disable_prelink.xml
That condition will always fail on CentOS because it is missing: <extend_definition comment="Installed OS is CentOS7" definition_ref="installed_OS_is_centos7" />
I was thinking about raising a bug on https://bugs.centos.org or committing a fix in https://git.centos.org/summary/rpms!scap-security-guide but I am unsure as to what action I should take.
You can clone that git project from git.centos.org, then checkout the 'c7' branch and fix the issue on your branch .. then use the git --format-patch option as explained here:
https://ariejan.net/2009/10/26/how-to-create-and-apply-a-patch-with-git/
Then you can send your patch (attached to an email) to the CentOS-Devel mailing list (https://lists.centos.org/mailman/listinfo/centos-devel) and I will import it into the git repo and fix the package.
<snip>
Thanks, Johnny Hughes
Please have a look at the patch.
On Fri, Feb 3, 2017 at 1:52 AM Johnny Hughes johnny@centos.org wrote:
You can clone that git project from git.centos.org, then checkout the 'c7' branch and fix the issue on your branch .. then use the git --format-patch option as explained here:
https://ariejan.net/2009/10/26/how-to-create-and-apply-a-patch-with-git/
Then you can send your patch (attached to an email) to the CentOS-Devel mailing list (https://lists.centos.org/mailman/listinfo/centos-devel) and I will import it into the git repo and fix the package.
<snip>
Thanks, Johnny Hughes
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos