Closed matejak closed 6 years ago
Hello @matejak! Thanks for submitting the PR.
openscap_daemon/evaluation_spec.py, following are the PEP8 issues:
Line 289:80: E501 line too long (80 > 79 characters)
Line 357:80: E501 line too long (84 > 79 characters)
Line 435:80: E501 line too long (81 > 79 characters)
Line 472:80: E501 line too long (80 > 79 characters)
Line 480:80: E501 line too long (80 > 79 characters)
Line 495:25: E128 continuation line under-indented for visual indent
Line 546:80: E501 line too long (80 > 79 characters)
Line 555:80: E501 line too long (81 > 79 characters)
Line 566:80: E501 line too long (80 > 79 characters)
openscap_daemon/system.py, following are the PEP8 issues:
Line 129:80: E501 line too long (80 > 79 characters)
Line 211:80: E501 line too long (80 > 79 characters)
Line 231:80: E501 line too long (80 > 79 characters)
Line 482:80: E501 line too long (80 > 79 characters)
Line 515:80: E501 line too long (80 > 79 characters)
Line 676:80: E501 line too long (81 > 79 characters)
@matejak I tested by building the image from your branch and then performing the scan, but it looks like the generated stig.xml file is not valid and does not contain stig viewer IDs:
$ sudo atomic scan --scan_type configuration_compliance --scanner_args xccdf-id=scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml,profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa,report,stig-viewer rh7
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2018-02-06-18-23-06-383314:/scanin -v /var/lib/atomic/openscap/2018-02-06-18-23-06-383314:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro openscap oscapd-evaluate scan --targets chroots-in-dir:///scanin --output /scanout --no-cve-scan --fix_type bash -j1 --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report --stig-viewer
[...]
Files associated with this scan are in /var/lib/atomic/openscap/2018-02-06-18-23-06-383314.
$ ls /var/lib/atomic/openscap/2018-02-06-18-23-06-383314/a0c96d207269f3a4572f8815c2c61f18221261662f49a3e5e1e6d2b838a2946f/
arf.xml fix.sh json report.html stig.xml
$ grep "SV-" /var/lib/atomic/openscap/2018-02-06-18-23-06-383314/a0c96d207269f3a4572f8815c2c61f18221261662f49a3e5e1e6d2b838a2946f/stig.xml
$ echo $?
1
$ docker run --rm -it openscap rpm -qa | grep openscap
openscap-1.2.16-1.fc27.x86_64
openscap-utils-1.2.16-1.fc27.x86_64
openscap-scanner-1.2.16-1.fc27.x86_64
I confirm that this is an issue. However, it is not related to this PR, but to the F27 stock scap-security-guide. When using a more up-to-date SSG (e.g. from git), it works as expected.
Confirmed, the issue was with a not up-to-date SSG. With the updated one the feature works correctly.
This task has subtasks:
--stig-viewer option is accepted by oscapd-evaluate.
As it is not possible to generate an SV result from an ARF, the scanning session now has to support returning more than one file. In the past, the EvaluationSpec.evaluate function returned the ARF file as a string (or None). This PR refactors the code, so it returns a dictionary or None. The dictionary will have the arf key and it may have the stig key, if the stig viewer results were generated. As a result, the existing code had to be made compliant with this API change.
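
An added example, not code from openscap-daemon: a caller that consumes the return value described above (a dictionary with the arf key and optionally the stig key, or None) and refuses a stig result without SV- IDs, the condition the reviewer checked with grep. The function `store_results`, the sample strings and the `SV-\d+` pattern are assumptions made for illustration; the file names arf.xml and stig.xml come from the scan output listed in the thread.

```python
import os
import re
import tempfile

# Assumption: a STIG Viewer ID is "SV-" followed by digits; the thread only
# shows the reviewer's `grep "SV-"` check, not the exact ID format.
SV_ID = re.compile(r"SV-\d+")

# Constructed sample inputs, not real scanner output.
SAMPLE_ARF = "<arf:asset-report-collection/>"
SAMPLE_STIG = '<rule-result idref="SV-00001r1_rule"/>'


def store_results(results, out_dir):
    """Write an evaluate()-style result (dict or None) into out_dir.

    Returns {file name: path} for each file written. Nothing is written
    when the contract is violated or the stig result has no SV- IDs.
    """
    if results is None:              # evaluation produced no results
        return {}
    if "arf" not in results:         # the PR says 'arf' is always present
        raise KeyError("results dict lacks the 'arf' key")
    stig = results.get("stig")       # optional key
    if stig is not None and not SV_ID.search(stig):
        raise ValueError("stig result contains no STIG Viewer (SV-) IDs")

    written = {}
    for key, name in (("arf", "arf.xml"), ("stig", "stig.xml")):
        if results.get(key) is None:
            continue
        path = os.path.join(out_dir, name)
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(results[key])
        written[name] = path
    return written


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(store_results({"arf": SAMPLE_ARF, "stig": SAMPLE_STIG}, tmp))
```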