OpenSCAP / openscap

NIST Certified SCAP 1.2 toolkit
https://www.open-scap.org/tools/openscap-base
GNU Lesser General Public License v2.1

Checking symlink to directory #1299

Closed jdeluyck closed 4 years ago

jdeluyck commented 5 years ago

Description of Problem:

OpenSCAP Version:

1.3.0

Operating System & Version:

RHEL 7.6, Fedora 29

Steps to Reproduce:

$ mkdir -p /tmp/link-target/foo /tmp/link-target/foo2
$ ln -s /tmp/link-target/foo2 /tmp/link-source

<!-- The root element and generator were missing from the pasted snippet; they are
     reconstructed here from the closing </oval_definitions> below. Namespaces are
     the standard OVAL 5.11 ones; product name and timestamp are placeholders. -->
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <generator>
    <oval:product_name>placeholder</oval:product_name>
    <oval:schema_version>5.11</oval:schema_version>
    <oval:timestamp>2019-01-01T00:00:00</oval:timestamp>
  </generator>
  <definitions>
    <definition class="compliance" id="oval:com.flubber.internal.test.test:def:1" version="1">
      <metadata>
        <title>TEST</title>
        <description>Test</description>
        <reference ref_id="tst-000001" source="XCCDF"/>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 7</platform>
        </affected>
      </metadata>
      <criteria operator="AND">
        <criterion comment="TEST" test_ref="oval:com.flubber.internal.test.test:tst:1"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <symlink_test check="all" check_existence="all_exist" comment="TEST" id="oval:com.flubber.internal.test.test:tst:1" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <object object_ref="oval:com.flubber.internal.test.test:obj:2"/>
      <state state_ref="oval:com.flubber.internal.test.test:ste:1"/>
    </symlink_test>
  </tests>
  <objects>
    <file_object id="oval:com.flubber.internal.test.test:obj:1" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <behaviors max_depth="1" recurse_direction="down"/>
      <path>/tmp/link-target</path>
      <filename operation="pattern match">^.*$</filename>
    </file_object>
    <symlink_object id="oval:com.flubber.internal.test.test:obj:2" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <filepath var_ref="oval:com.flubber.internal.test.test_link_source:var:1"/>
    </symlink_object>
  </objects>
  <states>
    <symlink_state id="oval:com.flubber.internal.test.test:ste:1" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <filepath var_check="at least one" var_ref="oval:com.flubber.internal.test.test_link_target:var:1"/>
    </symlink_state>
  </states>
  <variables>
    <constant_variable comment="Link source" datatype="string" id="oval:com.flubber.internal.test.test_link_source:var:1" version="1">
      <value>/tmp/link-source</value>
    </constant_variable>
    <local_variable comment="Link target" datatype="string" id="oval:com.flubber.internal.test.test_link_target:var:1" version="1">
      <object_component item_field="filepath" object_ref="oval:com.flubber.internal.test.test:obj:1"/>
    </local_variable>
  </variables>
</oval_definitions>

Do oscap oval eval.

Actual Results:

Returns 'failed' because the variable is not filled with directories

Expected Results:

Returns 'pass' because the link is to one of the listed directories

Additional Information / Debugging Steps:
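Added reference evaluator, not OpenSCAP's or the reporter's code, that models what the definition above is meant to express so the scanner's verdict can be compared against it: the link's resolved target must be one of the directories collected under /tmp/link-target with max_depth 1, recreating the mkdir / ln -s layout in a scratch directory instead of /tmp. The function names and the reading of var_check="at least one" as "resolved target equals one of the collected directories" are assumptions.

```python
import os
import tempfile
# Added reference evaluator for the symlink_test in the report above (not OpenSCAP code).

def collect_directories(base_dir, max_depth=1):
    # Directories below base_dir, descending at most max_depth levels: mirrors the
    # file_object behaviors max_depth="1" recurse_direction="down".
    found = []
    base_depth = base_dir.rstrip(os.sep).count(os.sep)
    for root, dirs, _files in os.walk(base_dir):
        depth = root.rstrip(os.sep).count(os.sep) - base_depth
        found.extend(os.path.join(root, d) for d in dirs)
        if depth + 1 >= max_depth:
            dirs[:] = []  # stop os.walk from descending any further
    return sorted(found)

def evaluate_symlink_test(link_path, base_dir, max_depth=1):
    # check_existence="all_exist": the symlink_object must collect the link itself.
    if not os.path.islink(link_path):
        return {"result": "fail", "target": None, "candidates": []}
    # State var_check="at least one": assumed to mean the resolved link target
    # equals at least one of the directories the local_variable was built from.
    candidates = collect_directories(base_dir, max_depth)
    target = os.path.realpath(link_path)
    matched = target in {os.path.realpath(c) for c in candidates}
    return {"result": "pass" if matched else "fail", "target": target, "candidates": candidates}

def build_fixture(root):
    # Recreate the reporter's mkdir / ln -s layout below root (constructed fixture).
    base = os.path.join(root, "link-target")
    os.makedirs(os.path.join(base, "foo"))
    os.makedirs(os.path.join(base, "foo2"))
    link = os.path.join(root, "link-source")
    os.symlink(os.path.join(base, "foo2"), link)
    return link, base

def run_in_tempdir():
    # The reported case plus a negative case (link pointing outside the listed tree).
    with tempfile.TemporaryDirectory() as root:
        link, base = build_fixture(root)
        reported = evaluate_symlink_test(link, base)
        outside = os.path.join(root, "elsewhere")
        os.makedirs(outside)
        bad_link = os.path.join(root, "bad-link")
        os.symlink(outside, bad_link)
        negative = evaluate_symlink_test(bad_link, base)
    return {"reported_case": reported["result"], "outside_link": negative["result"],
            "candidate_names": [os.path.basename(c) for c in reported["candidates"]]}
```

Calling run_in_tempdir() returns 'pass' for the reported layout and 'fail' for a link that points outside /tmp/link-target, which is the behaviour the Expected Results section asks of the scanner.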

evgenyz commented 4 years ago

@jdeluyck Could you please test again with a recent version of the scanner (1.3.2, available in Fedora and RHEL)?

evgenyz commented 4 years ago

Assuming that the bug was fixed, feel free to re-open if it's not the case.

jdeluyck commented 4 years ago

@evgenyz Sorry, I missed the notification. Also, I no longer have access to the machines where I could easily test this.

evgenyz commented 4 years ago

@jdeluyck Sure, no problem. Please re-open it if you stumble upon it again and would be able to confirm that it was not fixed.