Proposed solution for RHEL8 and RHEL9 in system detection to avoid false positives
Description:
Updated
installed_OS_is_rhel9 installed_OS_is_rhel8
Rationale:
We have a false positive from RHEL9 to OL9, and also from RHEL8 to OL8; this is because OL9 and OL8 have the redhat-release package present.
When we check the rule installed_OS_is_vendor_supported we have the following oval results:
OL9
<definition definition_id="oval:ssg-installed_OS_is_vendor_supported:def:1" result="true" version="1">
<criteria operator="OR" result="true">
<extend_definition definition_ref="oval:ssg-installed_OS_is_rhel8:def:1" version="1" result="false"/>
<extend_definition definition_ref="oval:ssg-installed_OS_is_rhel9:def:1" version="1" result="true"/>
<extend_definition definition_ref="oval:ssg-installed_OS_is_ol7:def:1" version="1" result="false"/>
<extend_definition definition_ref="oval:ssg-installed_OS_is_ol8:def:1" version="1" result="false"/>
<extend_definition definition_ref="oval:ssg-installed_OS_is_ol9:def:1" version="1" result="true"/>
<extend_definition definition_ref="oval:ssg-installed_OS_is_sle12:def:1" version="1" result="false"/>
<extend_definition definition_ref="oval:ssg-installed_OS_is_sle15:def:1" version="1" result="false"/>
<extend_definition definition_ref="oval:ssg-installed_OS_is_slmicro5:def:1" version="1" result="false"/>
</criteria>
</definition>
OL8
<definition definition_id="oval:ssg-installed_OS_is_vendor_supported:def:1" result="true" version="1">
<criteria operator="OR" result="true">
<extend_definition definition_ref="oval:ssg-installed_OS_is_rhel8:def:1" version="1" result="true"/>
<extend_definition definition_ref="oval:ssg-installed_OS_is_rhel9:def:1" version="1" result="false"/>
<extend_definition definition_ref="oval:ssg-installed_OS_is_ol7:def:1" version="1" result="false"/>
<extend_definition definition_ref="oval:ssg-installed_OS_is_ol8:def:1" version="1" result="true"/>
<extend_definition definition_ref="oval:ssg-installed_OS_is_ol9:def:1" version="1" result="false"/>
<extend_definition definition_ref="oval:ssg-installed_OS_is_sle12:def:1" version="1" result="false"/>
<extend_definition definition_ref="oval:ssg-installed_OS_is_sle15:def:1" version="1" result="false"/>
<extend_definition definition_ref="oval:ssg-installed_OS_is_slmicro5:def:1" version="1" result="false"/>
</criteria>
</definition>
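As an added illustration of the false positive described above (this is example code, not the PR's change and not ComplianceAsCode's OVAL), the following Python models two ways of evaluating `installed_OS_is_*` style definitions against constructed host facts: one keyed on the presence of the vendor release package, which is the cause the description names (Oracle Linux ships `redhat-release` too), and one keyed on the `ID` field of `/etc/os-release`, which is `rhel` on RHEL and `ol` on Oracle Linux. The host facts, package sets and function names are assumptions made for the example.

```python
"""Added example: why keying OS detection on the redhat-release package
misfires on Oracle Linux, and how /etc/os-release disambiguates.

Not code from the PR or ComplianceAsCode; the host facts below are constructed."""
from typing import Callable, Dict, List, Tuple

# Constructed host facts: "packages" stands in for what rpm -q would report,
# "os_release" for the contents of /etc/os-release.
HOSTS: Dict[str, dict] = {
    "rhel8": {"packages": {"redhat-release"},
              "os_release": 'NAME="Red Hat Enterprise Linux"\nID="rhel"\nVERSION_ID="8.10"\n'},
    "rhel9": {"packages": {"redhat-release"},
              "os_release": 'NAME="Red Hat Enterprise Linux"\nID="rhel"\nVERSION_ID="9.4"\n'},
    # OL ships redhat-release alongside its own release package, as the PR describes.
    "ol8": {"packages": {"redhat-release", "oraclelinux-release"},
            "os_release": 'NAME="Oracle Linux Server"\nID="ol"\nVERSION_ID="8.10"\n'},
    "ol9": {"packages": {"redhat-release", "oraclelinux-release"},
            "os_release": 'NAME="Oracle Linux Server"\nID="ol"\nVERSION_ID="9.4"\n'},
}

# Definitions in the spirit of oval:ssg-installed_OS_is_<os>: (os id, major version).
DEFINITIONS: Dict[str, Tuple[str, str]] = {
    "rhel8": ("rhel", "8"), "rhel9": ("rhel", "9"),
    "ol8": ("ol", "8"), "ol9": ("ol", "9"),
}
RELEASE_PACKAGE = {"rhel": "redhat-release", "ol": "oraclelinux-release"}

Check = Callable[[dict, str, str], bool]


def parse_os_release(text: str) -> Dict[str, str]:
    """Minimal /etc/os-release parser (KEY=value, optional quotes, # comments)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields


def major_version(host: dict) -> str:
    return parse_os_release(host["os_release"]).get("VERSION_ID", "").split(".")[0]


def package_based(host: dict, os_id: str, major: str) -> bool:
    """Weak check: presence of the vendor release package plus major version.
    Fires for rhel* on OL because OL also has redhat-release installed."""
    return RELEASE_PACKAGE[os_id] in host["packages"] and major_version(host) == major


def os_release_based(host: dict, os_id: str, major: str) -> bool:
    """Stronger check: the ID field of /etc/os-release ('rhel' vs 'ol')."""
    fields = parse_os_release(host["os_release"])
    return fields.get("ID") == os_id and fields.get("VERSION_ID", "").split(".")[0] == major


def evaluate(host: dict, check: Check) -> Dict[str, bool]:
    """Result of every installed_OS_is_* definition for one host."""
    return {name: check(host, os_id, major) for name, (os_id, major) in DEFINITIONS.items()}


def vendor_supported(results: Dict[str, bool]) -> bool:
    """OR criteria, as in oval:ssg-installed_OS_is_vendor_supported."""
    return any(results.values())


def false_positives(check: Check) -> List[Tuple[str, str]]:
    """(host, definition) pairs where a definition fires on a host it does not describe."""
    return [(host_name, definition)
            for host_name, host in HOSTS.items()
            for definition, result in evaluate(host, check).items()
            if result and definition != host_name]


if __name__ == "__main__":
    for name, check in (("package_based", package_based), ("os_release_based", os_release_based)):
        print(name, "on ol9:", evaluate(HOSTS["ol9"], check))
        print(name, "false positives:", false_positives(check))
```

With the package-based check, `ol9` satisfies both `rhel9` and `ol9`, which is the pair of `result="true"` entries in the OVAL output above; `installed_OS_is_vendor_supported` is still true either way because it is an OR, so the false positive only shows up in the individual `installed_OS_is_rhel*` results and in any rule that extends those directly.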
Hi @mrkanon. Thanks for your PR.
I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
:robot: A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12334
This image was built from commit: 2c060752cd5a5769538bd6882ac524997819d60f
Click here to see how to deploy it
If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12334
Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12334 make deploy-local
@mrkanon Can you please rebase this PR on top of the latest upstream master branch to see if it helps the failing CI?
Unfortunately, the rebase didn't help. I will try to find out what is wrong.
The specific error from the build is
OpenSCAP Error: File '/builddir/build/BUILD/scap-security-guide-0.1.75/build/ssg-cs9-ds.xml' line 65535: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}definition': Duplicate key-sequence ['oval:ssg-installed_OS_is_part_of_Unix_family:def:1'] in key identity-constraint '{http://oval.mitre.org/XMLSchema/oval-definitions-5}definitionKey'.
[/builddir/build/BUILD/openscap-1.3.10/src/XCCDF/xccdf_session.c:761]
File '/builddir/build/BUILD/scap-security-guide-0.1.75/build/ssg-cs9-ds.xml' line 65535: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5#independent}family_test': Duplicate key-sequence ['oval:ssg-test_unix_family:tst:1'] in key identity-constraint '{http://oval.mitre.org/XMLSchema/oval-definitions-5}testKey'.
[/builddir/build/BUILD/openscap-1.3.10/src/XCCDF/xccdf_session.c:761]
File '/builddir/build/BUILD/scap-security-guide-0.1.75/build/ssg-cs9-ds.xml' line 65535: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5#independent}family_object': Duplicate key-sequence ['oval:ssg-object_unix_family:obj:1'] in key identity-constraint '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKey'.
[/builddir/build/BUILD/openscap-1.3.10/src/XCCDF/xccdf_session.c:761]
File '/builddir/build/BUILD/scap-security-guide-0.1.75/build/ssg-cs9-ds.xml' line 65535: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5#independent}family_state': Duplicate key-sequence ['oval:ssg-state_unix_family:ste:1'] in key identity-constraint '{http://oval.mitre.org/XMLSchema/oval-definitions-5}stateKey'.
[/builddir/build/BUILD/openscap-1.3.10/src/XCCDF/xccdf_session.c:761]
so I would like to find what caused this "duplication" of the definition.
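The build error above is OpenSCAP's schema validation enforcing the OVAL identity constraints (`definitionKey`, `testKey`, `objectKey`, `stateKey`): every id within `definitions`, `tests`, `objects` and `states` must be unique. The following added example (not code from the PR or from ComplianceAsCode) checks a datastream fragment for exactly that condition before validation fails, and shows a first-occurrence-wins cleanup. The `SAMPLE` document is constructed to reproduce the shape of the error in the log; the namespaces are the ones the error message quotes, and the function names are assumptions.

```python
"""Added example: find (and strip) duplicate OVAL ids before OpenSCAP's schema
validation rejects the datastream. Not code from the PR or ComplianceAsCode."""
import xml.etree.ElementTree as ElementTree
from collections import Counter
from typing import Dict, List

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
IND_NS = OVAL_NS + "#independent"

# Constructed fragment with the same shape as the build error in the thread:
# the unix_family definition and test each appear twice with the same id.
SAMPLE = """<oval_definitions xmlns="{oval}" xmlns:ind="{ind}">
  <definitions>
    <definition id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1" class="inventory" version="1"/>
    <definition id="oval:ssg-installed_OS_is_rhel9:def:1" class="inventory" version="1"/>
    <definition id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1" class="inventory" version="1"/>
  </definitions>
  <tests>
    <ind:family_test id="oval:ssg-test_unix_family:tst:1" version="1" check="all" comment="unix"/>
    <ind:family_test id="oval:ssg-test_unix_family:tst:1" version="1" check="all" comment="unix"/>
  </tests>
  <objects>
    <ind:family_object id="oval:ssg-object_unix_family:obj:1" version="1"/>
  </objects>
  <states>
    <ind:family_state id="oval:ssg-state_unix_family:ste:1" version="1"/>
  </states>
</oval_definitions>
""".format(oval=OVAL_NS, ind=IND_NS)

# Identity constraints named in the OpenSCAP error, mapped to the container they cover.
KEYS = {"definitionKey": "definitions", "testKey": "tests",
        "objectKey": "objects", "stateKey": "states"}


def _container(root: ElementTree.Element, name: str):
    return root.find("{%s}%s" % (OVAL_NS, name))


def duplicate_ids(xml_text: str) -> Dict[str, List[str]]:
    """Map each violated identity constraint to the ids that occur more than once."""
    root = ElementTree.fromstring(xml_text)
    report: Dict[str, List[str]] = {}
    for key_name, container in KEYS.items():
        el = _container(root, container)
        if el is None:
            continue
        counts = Counter(child.get("id") for child in el if child.get("id") is not None)
        dups = sorted(i for i, n in counts.items() if n > 1)
        if dups:
            report[key_name] = dups
    return report


def dedupe(xml_text: str) -> str:
    """Keep the first element per (tag, id) in each container and drop later copies.
    Only safe when the copies are identical; differing copies need a human decision."""
    root = ElementTree.fromstring(xml_text)
    for container in KEYS.values():
        el = _container(root, container)
        if el is None:
            continue
        seen = set()
        for child in list(el):  # copy: we mutate the container while walking it
            key = (child.tag, child.get("id"))
            if key in seen:
                el.remove(child)
            else:
                seen.add(key)
    return ElementTree.tostring(root, encoding="unicode")


def count_elements(xml_text: str, container: str) -> int:
    """Number of direct children of one container (definitions, tests, ...)."""
    root = ElementTree.fromstring(xml_text)
    el = _container(root, container)
    return 0 if el is None else len(el)


if __name__ == "__main__":
    print("duplicates:", duplicate_ids(SAMPLE))
    print("after dedupe:", duplicate_ids(dedupe(SAMPLE)))
```

Running `duplicate_ids` over the generated `ssg-*-ds.xml` (after extracting the OVAL component) points at the offending ids directly, which is quicker than reading the validator's `line 65535` reports; `dedupe` is deliberately conservative and keeps the first copy, so it should only be applied once the copies are known to be identical.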
Hi @mrkanon
The following patch helps me:
diff --git a/ssg/build_derivatives.py b/ssg/build_derivatives.py
index 79fc3eb308..e090b71063 100644
--- a/ssg/build_derivatives.py
+++ b/ssg/build_derivatives.py
@@ -76,7 +76,8 @@ def add_element_to(oval_root, tag_name, component_element):
if xml_el is None:
xml_el = ElementTree.Element("{%s}%s" % (oval_namespace, tag_name))
oval_root.append(xml_el)
- xml_el.append(component_element)
+ if xml_el.find("%s[@id='%s']" % (component_element.tag, component_element.get("id"))) is None:
+ xml_el.append(component_element)
def add_oval_components_to_oval_xml(oval_root, tag_name, component_dict):
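Review bot: the new `xml_el.find(...)` guard in `add_element_to` keeps the first component with a given id and silently drops every later one, so if two derivative components share an id but differ in content (the very situation a duplicate-key error can conceal), the second copy is lost without a trace. Suggest comparing the element found with `component_element` (for example by comparing their `ElementTree.tostring` output) and raising, or at least logging at warning level, when they differ, and logging the skipped id at debug level otherwise. Two minor points: the interpolated predicate `"%s[@id='%s']"` assumes the id contains no single quote, which holds for the `oval:ssg-...` ids here but deserves a comment; and one `find` per append is linear in the container size, so the merge becomes quadratic on large datastreams, where a set of already-seen `(tag, id)` pairs would avoid the rescans.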
Can you try it?
Code Climate has analyzed commit 2c060752 and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 0.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 59.5% (0.1% change).
View more on Code Climate.