Add script to update generated SDS to SCAP 1.3

[yuumasato]

Description:

• Add script that updates generated DataStream to be compliant with SCAP 1.3.

How to test

• Use scapval-1.3.2

  • Use openjdk-1.8.0 on a RHEL environment. (for some reason it doesn't work on Fedora)
  • Increase allocated memory: -Xmx1024m

• Workaround bugs in scap-schematron-rules-1.3.2 (just to test that scapval passes):

  • group_id and user_id cannot be zero, tracked here Multiple schematron false-positives OVAL-Community/OVAL#23
    • workaround it :
      • sed -i -E "s/(group_id .*\">)/\1-1/" ./ssg-rhel7-ds.xml
      • sed -i -E "s/(user_id .*\">)/\1-1/" ./ssg-rhel7-ds.xml
  • OCIL checks for security_patches_up_to_date is causing fail of SRC-377, when requirement is about OVAL checks. I have e-mailed NIST about this to try to sort out what is the issue.
    • workaround it:
      • awk '/check-content-ref.*up_to_date_ocil/{for(x=NR-1;x<=NR+1;x++)d[x];}{a[NR]=$0}END{for(i=1;i<=NR;i++)if(!(i in d))print a[i]}' ./ssg-rhel7-ds.xml > ./ssg-rhel7-ds-1.3.xml

• Validate it: java -Xmx1024m -jar scapval-1.3.2.jar -file ./ssg-rhel7-ds-1.3.xml -scapversion 1.3 > scap-1.3.log

• Report of scapval with workarounds: https://fedorapeople.org/~wsato/scap-1.3/validation-report.html

Rationale:

• SCAP 1.3 should supersede SCAP 1.2
• In the near future OpenSCAP should be update to handle generation of SCAP 1.3 DS.
  • More specifically the command oscap ds sds-compose

[pep8speaks]

Hello @yuumasato! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found:

There are currently no PEP 8 issues detected in this Pull Request. Cheers! 🍻

Comment last updated at 2019-04-29 14:41:25 UTC

[jan-cerny]

Please also fix PEP8 issues.

[jan-cerny]

This way of using namespaces us not supported in Python 2.6. You need to use eg.
find(".//{%s}Benchmark" % (ssg.constants.XCCDF12_NS))

[yuumasato]

I have stopped using the namespace dictionary in favor of suggested namespace approach.

[jan-cerny]

Pyhton 2.6 doesn't support XPath attributes, you have to loop and filter manually:

for rule in rules:
    id_ = rule.get("id")
    if id_ == "xccdf_org.ssgproject.content_rule_security_patches_up_to_date":
        checks = ....
...

[yuumasato]

That is unfortunate.
I have implemented the filtering manually.

[jan-cerny]

It would be nice to have a comment explaining this [1:].

[yuumasato]

I have made it explicit, and also added a comment.

[jan-cerny]

Great, but there are still 2 other occurrences of this [1:] which might not be clear.

[yuumasato]

Sure, thank you for asking for these clarifications.
I have added some comments.

[jan-cerny]

When I build RHEL 7 data stream I get in scap_org.open-scap_cref_ssg-rhel7-pcidss-xccdf-1.2.xml component-ref this element:
<ns2:uri name="ecurity-data-oval-com.redhat.rhsa-RHEL7.xml.bz2" uri="#scap_org.open-scap_cref_ecurity-data-oval-com.redhat.rhsa-RHEL7.xml.bz2"/>. There is missing s 2 times.

[yuumasato]

Nice catch, I ended up introducing a bug during manual filtering. Fixed in ce7ec59.

[yuumasato]

Commits 15c70d0 and 304270f rename variables to make them clear about what components they are about.

[jan-cerny]

This is just renaming variables. Please use them directly.

[yuumasato]

I have updated the import definition and changed code to use them.

[scrutinizer-notifier]

The inspection completed: 4 updated code elements

[yuumasato]

@jan-cerny Thank you for all the reviews.
The content is finally building on RHEL6, and the PEP8 issues are fixed as well.

[yuumasato]

Here is validation report from rhel8 content, with sed and awk workarounds applied.
https://fedorapeople.org/~wsato/scap-1.3/rhel8-validation-report.html

[yuumasato]

With these changes, OpenSCAP 1.3.0 will fail to scan if --fetch-remote-resources is not provided.

$ oscap-ssh rhel7.6-kicked 22 xccdf eval --profile pci-dss ./ssg-rhel7-ds.xml 
Connecting to 'rhel7.6-kicked' on port '22'...
Connected!
Copying input file './ssg-rhel7-ds.xml' to remote working directory '/tmp/tmp.bMdBnKwcR6'...
ssg-rhel7-ds.xml                                                                                                                                                                 100%   26MB 163.4MB/s   00:00    
Starting the evaluation...
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL7.xml.bz2' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2' file which is referenced from datastream
OpenSCAP Error: Could not extract scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml with all dependencies from datastream. [ds_sds_session.c:211]
oscap exit code: 1
Copying back requested files...
Removing remote temporary directory...
Disconnecting ssh and removing master ssh socket directory...
Exit request sent.

This should be fixed in OpenSCAP.

[jan-cerny]

@yuumasato Moreover,
oscap xccdf eval --fetch-remote-resources --profile ospp build/ssg-rhel8-ds.xml fails because https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2 doesn't exist yet, so that probably needs to be checked as well.

[jan-cerny]

Great job!