rocky-linux / oval

OVAL file generator
BSD 3-Clause "New" or "Revised" License

Rocky linux 8/9 oval data contains invalid filepath in the rpmverifyfile_object used to check if the system is Rocky Linux #18

Closed yavor-atanasov closed 1 week ago

yavor-atanasov commented 3 months ago

Using latest Rocky Linux 8/9 oval data from https://download.rockylinux.org/pub/oval

We have an in-house tool which uses Red Hat's oval data (e.g. https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2) to scan our systems for vulnerabilities. We'd like to move to Rocky's oval data. When attempting a scan with Rocky's ovals we get an error at the rpmverifyfile_test which tests that "Rocky Linux must be installed". The test is meant to check whether the system has the following filepath: /etc/rocky-release. However, the filepath attribute of rpmverifyfile_object for this test is empty. Here are the relevant snippets from the rocky 8 oval (the rocky 9 is the same):

The rpmverifyfile_test definition, which points to the problematic object with ref oval:org.rockylinux.rlsa:obj:20234378001:

  <red-def:rpmverifyfile_test check="none satisfy" comment="Rocky Linux must be installed" id="oval:org.rockylinux.rlsa:tst:20234378001" version="1">
    <red-def:object object_ref="oval:org.rockylinux.rlsa:obj:20234378001"/>
    <red-def:state state_ref="oval:org.rockylinux.rlsa:ste:20234378001"/>
  </red-def:rpmverifyfile_test>

And this is the rpmverifyfile_state definition, which basically checks that the filepath should match the expected pattern:

  <red-def:rpmverifyfile_state id="oval:org.rockylinux.rlsa:ste:20234378001" version="1">
    <red-def:name operation="pattern match">^rocky-release</red-def:name>
  </red-def:rpmverifyfile_state>

And finally the problematic object:

  <red-def:rpmverifyfile_object id="oval:org.rockylinux.rlsa:obj:20234378001" version="1">
    <red-def:behaviors noconfigfiles="true" noghostfiles="true" nogroup="true" nolinkto="true" nomd5="true" nomode="true" nomtime="true" nordev="true" nosize="true" nouser="true"/>
    <red-def:name operation="pattern match"/>
    <red-def:epoch operation="pattern match"/>
    <red-def:version operation="pattern match"/>
    <red-def:release operation="pattern match"/>
    <red-def:arch operation="pattern match"/>
    <red-def:filepath operation="pattern match"/>
  </red-def:rpmverifyfile_object>

As you can see, the <red-def:filepath/> tag is empty and it should contain /etc/rocky-release. For example this is what the Red Hat equivalent oval contains for this same object:

  <red-def:filepath>/etc/redhat-release</red-def:filepath>

yavor-atanasov commented 3 months ago
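An added lint, not part of this repository or the issue, that parses an OVAL document and reports every rpmverifyfile_object whose filepath element is missing or empty, together with the rpmverifyfile_tests that reference it. The embedded sample is constructed from the snippets quoted above, and elements are matched by local name so the check does not depend on the exact red-def namespace URI.

```python
import xml.etree.ElementTree as ET

# Constructed sample built from the snippets quoted in this issue, wrapped in a
# minimal root so the fragment parses; the namespace URI only has to be declared,
# since matching below is by local name.
SAMPLE_OVAL = """<root xmlns:red-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <red-def:rpmverifyfile_test check="none satisfy" comment="Rocky Linux must be installed" id="oval:org.rockylinux.rlsa:tst:20234378001" version="1">
    <red-def:object object_ref="oval:org.rockylinux.rlsa:obj:20234378001"/>
    <red-def:state state_ref="oval:org.rockylinux.rlsa:ste:20234378001"/>
  </red-def:rpmverifyfile_test>
  <red-def:rpmverifyfile_object id="oval:org.rockylinux.rlsa:obj:20234378001" version="1">
    <red-def:name operation="pattern match"/>
    <red-def:filepath operation="pattern match"/>
  </red-def:rpmverifyfile_object>
</root>
"""

# The same document with the filepath filled in, as the fix in this issue proposes.
FIXED_OVAL = SAMPLE_OVAL.replace(
    '<red-def:filepath operation="pattern match"/>',
    "<red-def:filepath>/etc/rocky-release</red-def:filepath>",
)


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def find_empty_filepaths(oval_xml: str) -> list:
    """Return [(object_id, [test_ids...]), ...] for every rpmverifyfile_object
    whose <filepath> is absent or has no text, so a scanner has no file to
    verify; test_ids lists the rpmverifyfile_tests that reference the object."""
    root = ET.fromstring(oval_xml)
    referencing = {}  # object id -> ids of tests that point at it
    for el in root.iter():
        if _local(el.tag) == "rpmverifyfile_test":
            for child in el:
                if _local(child.tag) == "object":
                    referencing.setdefault(child.get("object_ref"), []).append(el.get("id"))
    problems = []
    for el in root.iter():
        if _local(el.tag) != "rpmverifyfile_object":
            continue
        paths = [c for c in el if _local(c.tag) == "filepath"]
        if not paths or not (paths[0].text or "").strip():
            problems.append((el.get("id"), referencing.get(el.get("id"), [])))
    return problems
```

Running it over a full oval.xml before publishing would catch this class of defect on every rpmverifyfile_object, not only the one quoted here.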

Sent you a pull request: https://github.com/rocky-linux/oval/pull/19

To keep the diff at a minimum I've only sent the required source change. However, I found the instructions in the README don't actually work (I did work out how to run it by building the container). In addition, as I stated in the pull request I don't fully understand how the unit tests are meant to be run and as far as I can see they only print things on stdout without doing any assertions and they seem to contain broken imports. I'm happy to contribute to both the README and tests, but wanted first to get your feedback on that.

yavor-atanasov commented 2 months ago

Hey guys, any movement here?

NeilHanlon commented 1 week ago

fixed by #19. thank you!