Merge 1.3 into main #2277
Open
Merge 1.3 into main #2277
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Starting from ComplianceAsCode/content#12988 the SCAP content doesn't depend on exporting the OSCAP_BOOTC_BUILD variable. Therefore we can stop exporting this variable and we can stop passing this variable from outside environemnt to remediations environment.
Remove OSCAP_BOOTC_BUILD environment variable
OpenSCAP remediation is supposed to be used only at bootc container image build. Deployed bootc system is immutable, it can't be remediated with OpenSCAP and trying to do so would result in errors and bad user experience. We will update OpenSCAP to print error message for users in case they try to run remediation on an already deployed bootc system, informing them that it is not possible and that the openscap remediation must be performed during container build.
The jq is additional tool. Currently it's available in both RHEL and CentOS base bootable container images. But, we better not rely on it if someone removes it in future.
We don't like the current behavior when user needs to wait for the initial scan results just to see the error. We will move the error so it is printed right away and the initial scan is not even performed.
OPENSCAP-5235: Block remediation on deployed bootc system
There are a lot of possible memory overruns reported by helgrind coming from rbt_* operations without this flag.
We should not re-initialize thread_barrier, it is an UB.
This is implementation dependent, frown upon and triggering for sanitizers.
We should make sure that receiver gets something (error should do it), even if the worker thread suddenly terminates (e.g. thread_exit).
SEAP_cmd_exec function waiting branch was prone to spurious wakeups. Use pthread_cond_broadcast __SEAP_cmd_sync_handler to make sure all possible listeners are notified.
These log records were introduced in anticipation of the PCRE -> PCRE2 migration problems. We can get rid of them now.
According to OVAL docs the 'instance' tag should be able to take negative numbers. And these negative numbers should count from the last element matched. This is was not the case in oscap implementation Signed-off-by: Edgar Aguilar <[email protected]>
Validate behaviour with negative instance Signed-off-by: Edgar Aguilar <[email protected]>
Co-authored-by: Evgeny Kolesnikov <[email protected]>
Fix textfilecontent54_probe behaviour
Fix thread syncronization problems (1.3.x)
Next release from the maint-1.3 branch will be 1.3.13
This commit will cause that oscap-im will exit with exit code 1 if any of the called oscap calls will fail. This means that building hardened bootable container images will terminate if oscap crashes or doesn't work. Resolves: https://issues.redhat.com/browse/OPENSCAP-5415
Move the calls into `with` statement so that manual cleanup won't be needed. Also, do not catch output of the bash remediation to let the user watch the progress of the script.
We can remove it because the statements that use the temporary file were moved inside the "with" block.
Exit oscap-im if oscap fails
Modify the test so it could catch the regression with environment variable modified during execution. See OpenSCAP#2168.
tests: OVAL/API/skip_paths
with --remediate Make the Bash remediation environment consistent with other types of remediation.
…v-1.3 Inherit opscap environment when executing Bash remediations with `--remediate` option
Introduce CODEOWNERS and add owners of the tests directory
Fix codeql on 1.3
Add new STIG URL
- Document that the '--local-files' option works only with SCAP 1.3 source data streams. - Add a warning if users use '--local-files' with different versions of SCAP source data streams. - Add a simple upstream test for the added warning. Resolves: https://issues.redhat.com/browse/RHEL-74343
Clarify the '--local-files' option
…backport_1.3 Fixing inverted fields in HTML report (backport maint-1.3)
This change handles virtual packages in dpkginfo probe by parsing the "Provides" field of /var/lib/dpkg/status. Instead of relying on the "Package" field exclusively, this change also matches the requested package name with the package names listed in the "Provides" field. It should allow to query virtual package names like "system-log-daemon" to actually installed packages likes "rsyslog" and so on. See deb-control(5).
Bash remediations require PATH to be inherited by the oscap process to work correctly.
…kg-1.3 Handle virtual packages in dpkginfo probe
utils/oscap-im: Inherit environment for scanning and remediating
evgenyz
requested review from
Mab879,
jan-cerny and
matusmarhefka
as code owners
Contributor
Author
|
@jan-cerny Can you please verify that the merge results are correct? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.