[Stabilization] revert modifications to file_groupownership template and respective rules #10683
I believe the |
@ggbecker thank you, I was not sure. I modified the branch.
I tried to run a scan of the RHEL 7.9 virtual machine where previously I reproduced the issue and I have seen that the problematic error message doesn't appear with this patch.
[root@localhost ~]# rpm -q openscap
openscap-1.2.17-11.el7.x86_64
[root@localhost ~]# oscap xccdf eval --profile '(all)' --rule xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog ./ssg-rhel7-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL7.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2' file which is referenced from datastream
W: oscap: File ssg-rhel7-cpe-oval.xml has already been registered in Source DataStream session: ./ssg-rhel7-ds.xml
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
Title Verify Group Who Owns /var/log/syslog File
Rule xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog
Result pass
[root@localhost ~]#
The rule has passed its test scenarios
[jcerny@thinkpad scap-security-guide{pr/10683}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel7 file_groupowner_var_log_syslog
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-06-06-1103/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog
INFO - Script correct_groupowner.pass.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
INFO - Script incorrect_groupowner.fail.sh using profile (all) OK
[jcerny@thinkpad scap-security-guide{pr/10683}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel7 --remediate-using ansible file_groupowner_var_log_syslog
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-06-06-1108/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog
INFO - Script correct_groupowner.pass.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
INFO - Script incorrect_groupowner.fail.sh using profile (all) OK
[jcerny@thinkpad scap-security-guide{pr/10683}]$
The CI failure on Rawhide isn't related to the contents of this PR because it's a failure in dnf update -y.
I have run TSs for some other rules that use the file_groupowner template and they pass.
Description:
Rationale:
Review Hints:
Try to reproduce the fixed issue #10655