From Fedora Project Wiki

(→‎Test Results: ppisar: rule-3.7.1.1.a)
No edit summary
Line 61: Line 61:
! [[QA:TestCase OpenSCAP Fedora adjusted settings|Fedora adjusted settings]]
! [[QA:TestCase OpenSCAP Fedora adjusted settings|Fedora adjusted settings]]
! [[QA:TestCase OpenSCAP secstate|secstate tool]]
! [[QA:TestCase OpenSCAP secstate|secstate tool]]
! [[QA:TestCase_OpenSCAP_Fedora_FirstAidKit|FAK plugin]]
! References
! References
|-
|-
Line 67: Line 68:
| {{result|warn}} <ref>Test pass, but also encountered {{bz|54321}}</ref>
| {{result|warn}} <ref>Test pass, but also encountered {{bz|54321}}</ref>
| {{result|fail}} <ref>{{bz|12345}}</ref>
| {{result|fail}} <ref>{{bz|12345}}</ref>
| {{result|none}}
| <references/>
| <references/>
|-
|-
Line 72: Line 74:
| {{result|fail|newgle1}}<ref name=bug />
| {{result|fail|newgle1}}<ref name=bug />
| {{result|fail|newgle1}} <ref name=bug>err:*** buffer overflow detected ***: oscap terminated</ref>
| {{result|fail|newgle1}} <ref name=bug>err:*** buffer overflow detected ***: oscap terminated</ref>
| {{result|none}}
| {{result|none}}
| {{result|none}}
| <references/>
| <references/>
Line 78: Line 81:
| {{result|fail|rhe}}<ref>buffer overflowed and some rules failed: http://fpaste.org/wSvq/</ref>
| {{result|fail|rhe}}<ref>buffer overflowed and some rules failed: http://fpaste.org/wSvq/</ref>
| {{result|fail|rhe}}<ref>tested the rule-2.2.2.3.a (Disable the Automounter if Possible), when I stopped the autofs service as the rules suggested, the result was still 'fail'.(Yum remove autofs can get a 'pass' result) </ref>
| {{result|fail|rhe}}<ref>tested the rule-2.2.2.3.a (Disable the Automounter if Possible), when I stopped the autofs service as the rules suggested, the result was still 'fail'.(Yum remove autofs can get a 'pass' result) </ref>
| {{result|none}}
| {{result|none}}
| {{result|none}}
| <references/>
| <references/>
Line 84: Line 88:
| [[User:jkaluza|Jan Kaluza]]
| [[User:jkaluza|Jan Kaluza]]
| {{result|fail|jkaluza}}<ref>buffer overflowed - {{bz|627488}}</ref>
| {{result|fail|jkaluza}}<ref>buffer overflowed - {{bz|627488}}</ref>
| {{result|none}}
| {{result|none}}
| {{result|none}}
| {{result|none}}
| {{result|none}}
Line 95: Line 100:
| {{result|fail|ppisar}} <ref>Test rule-3.6.1.1.a (Disable X Windows at System Boot) fails if enabled despite my inittab has default runlevel 3. Test is defined as equality to number 5 in oval file. More ever `X Windows' is nonsense. Correct name is `X Window' without the `s' suffix. See X(7) manual page. You are breaking trade mark ;)</ref>
| {{result|fail|ppisar}} <ref>Test rule-3.6.1.1.a (Disable X Windows at System Boot) fails if enabled despite my inittab has default runlevel 3. Test is defined as equality to number 5 in oval file. More ever `X Windows' is nonsense. Correct name is `X Window' without the `s' suffix. See X(7) manual page. You are breaking trade mark ;)</ref>
   {{result|fail|ppisar}} <ref>Test rule-3.7.1.1.a (Disable Avahi Server Software) fails even if avahi-deamon is disabled in all runlevels and none is running</ref>
   {{result|fail|ppisar}} <ref>Test rule-3.7.1.1.a (Disable Avahi Server Software) fails even if avahi-deamon is disabled in all runlevels and none is running</ref>
| {{result|none}}
| {{result|none}}
| {{result|none}}
| <references/>
| <references/>
Line 100: Line 106:
| [[User:jgorig|Jan Gorig]]
| [[User:jgorig|Jan Gorig]]
| {{result|fail|jgorig}}<ref>same problem - buffer overflowed on x86_64 F13 - {{bz|627488}}</ref>
| {{result|fail|jgorig}}<ref>same problem - buffer overflowed on x86_64 F13 - {{bz|627488}}</ref>
| {{result|none}}
| {{result|none}}
| {{result|none}}
| {{result|none}}
| {{result|none}}
Line 106: Line 113:
| [[User:kushal|Kushal Das]]
| [[User:kushal|Kushal Das]]
| {{result|fail|kushal}}<ref>same problem - buffer overflowed on x86 F13 - {{bz|627488}}</ref>
| {{result|fail|kushal}}<ref>same problem - buffer overflowed on x86 F13 - {{bz|627488}}</ref>
| {{result|none}}
| {{result|none}}
| {{result|none}}
| {{result|none}}
| {{result|none}}
Line 112: Line 120:
| [[User:mgrepl|Miroslav Grepl]]
| [[User:mgrepl|Miroslav Grepl]]
| {{result|fail|mgrepl}}<ref>same problem - buffer overflowed on x86 F13 - {{bz|627488}}. Test finished (fixed pkgs from koji)</ref>
| {{result|fail|mgrepl}}<ref>same problem - buffer overflowed on x86 F13 - {{bz|627488}}. Test finished (fixed pkgs from koji)</ref>
| {{result|none}}
| {{result|none}}
| {{result|none}}
| {{result|none}}
| {{result|none}}
Line 118: Line 127:
| [[User:omoris|Ondrej Moriš]]
| [[User:omoris|Ondrej Moriš]]
| {{result|fail|omoris}}<ref>test finished (fixed pkgs from koji) with several fails: http://fpaste.org/Sgys/</ref>
| {{result|fail|omoris}}<ref>test finished (fixed pkgs from koji) with several fails: http://fpaste.org/Sgys/</ref>
| {{result|none}}
| {{result|none}}
| {{result|none}}
| {{result|none}}
| {{result|none}}
Line 124: Line 134:
| [[User:masami|Masami Ichikawa]]
| [[User:masami|Masami Ichikawa]]
| {{result|fail|masami}}<ref>same problem - buffer overflowed on x86 F14 - {{bz|627488}}</ref>
| {{result|fail|masami}}<ref>same problem - buffer overflowed on x86 F14 - {{bz|627488}}</ref>
| {{result|none}}
| {{result|none}}
| {{result|none}}
| {{result|none}}
| {{result|none}}

Revision as of 13:15, 26 August 2010

DATE TIME WHERE
2010-08-26 From 9:00 to 17:00 UTC #fedora-test-day (webirc)
Can't make the date?
If you come to this page before or after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find at Bugzilla, and add your results to the results section. If this page is more than a month old when you arrive here, please check the current schedule and see if a similar but more recent Test Day is planned or has already happened.

What to test?

Have you ever used any security scanning application? Does the security configuration of your box matters? Do you want to keep you system in consistent state? If you have positive answer to any of these questions then it's probably worth to joint this Fedora Test Day that will focus on OpenSCAP feature.

What is SCAP? It is a line of standards managed by NIST. It was created to provide a standardized approach to maintaining the security of systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

The SCAP suite contains multiple complex data exchange formats that are to be used to transmit important vulnerability, configuration, and other security data. Historically, there have been few tools that provide a way to query this data in the needed format. This lack of tools makes the barrier to entry very high and discourages adoption of these protocols by the community. It's a goal of OpenSCAP project to create a framework of libraries to improve the accessibility of SCAP and enhance the usability of the information it represents.

Who's available

The following cast of characters will be available testing, workarounds, bug fixes, and general discussion:

  • Development - Peter Vrabec (wrabco), Tomas Heinrich (theinric), Maros Barabas (mbarabas), Daniel Kopecek (dkopecek), Lukas Kuklinek (lkukline)
  • FirstAidKit development - Martin Sivák (msivak)
  • Quality Assurance - Kamil Páral (kparal), Ondrej Moris (omoris)

Prerequisite for Test Day

  • A fully updated Fedora 13 or 14.
    • This must be a real installation, live CDs are unfortunately not suitable for this test day.
    • We are interested in different software setups, so if possible please use your real workstation, rather than clean install of F13 or F14. You don't have to be afraid, this software is not destructive in any way.

How to test?

  1. Fully update your Fedora 13 or Fedora 14.
  2. Install openscap, openscap-utils and openscap-python packages version 0.6.1-1. Download them from: http://people.redhat.com/pvrabec/openscap/
    Packages updated
    Packages have been updated to fix 'buffer overflow' error. Please update if you've downloaded the old ones.
  3. Download required SCAP content: http://people.redhat.com/pvrabec/openscap/content
    Files updated
    SCAP content was updated during this test day. Please update if you've downloaded the old one.
  4. Follow the test cases below.
  5. Write your results to the result matrix.

Test Cases

Please execute as many test cases from the following list of OpenSCAP Test Cases as possible:

Test Results

If you have problems with any of the tests, report a bug to Bugzilla for the openscap component. If you are unsure about exactly how to file the report or what other information to include, just ask on IRC and we will help you. Once you have completed the tests, add your results to the Results table below, following the example results from the first line as a template.

User Fedora default settings Fedora adjusted settings secstate tool FAK plugin References
Sample User
Pass pass
Warning warn
[1]
Fail fail
[2]
none
  1. Test pass, but also encountered RHBZ #54321
  2. RHBZ #12345
newgle1
Fail fail newgle1
[1]
Fail fail newgle1
[1]
none
none
  1. 1.0 1.1 err:*** buffer overflow detected ***: oscap terminated
He Rui
Fail fail rhe
[1]
Fail fail rhe
[2]
none
none
  1. buffer overflowed and some rules failed: http://fpaste.org/wSvq/
  2. tested the rule-2.2.2.3.a (Disable the Automounter if Possible), when I stopped the autofs service as the rules suggested, the result was still 'fail'.(Yum remove autofs can get a 'pass' result)
Jan Kaluza
Fail fail jkaluza
[1]
none
none
none
  1. buffer overflowed - RHBZ #627488
Petr Pisar
Fail fail ppisar
[1]
Fail fail ppisar
[2]
Fail fail ppisar
[3]
Pass pass ppisar
[4]
Fail fail ppisar
[5]
Fail fail ppisar
[6]
none
none
  1. Tests checking file permissions (rule-2.2.3.3.a, rule-2.2.3.4.a, rule-2.2.3.4.b, rule-2.2.3.5.a, rule-2.2.3.5.b, rule-2.2.3.6.a) eats all memory (4 GiB) and are terminated by kernel – RHBZ #565691
  2. Test rule-2.1.2.3.4.a (Ensure Package Signature Checking is Not Disabled For Any Repos) fails because I have defined rawhide repositories with disabled signature checking and disabled for installation. I think disabled repositories should not be considered in this test.
  3. Test rule-2.5.1.2.b (Set net.ipv4.conf.all.accept_redirects for Hosts and Routers) fails. This is default value for F13. F13 should be fixed (/etc/sysctl.conf) or the test removed as far as it can be useful in some scenarios (link with more routers, link with more IP networks).
  4. Other tests passed
  5. Test rule-3.6.1.1.a (Disable X Windows at System Boot) fails if enabled despite my inittab has default runlevel 3. Test is defined as equality to number 5 in oval file. More ever X Windows' is nonsense. Correct name is X Window' without the `s' suffix. See X(7) manual page. You are breaking trade mark ;)
  6. Test rule-3.7.1.1.a (Disable Avahi Server Software) fails even if avahi-deamon is disabled in all runlevels and none is running
Jan Gorig
Fail fail jgorig
[1]
none
none
none
  1. same problem - buffer overflowed on x86_64 F13 - RHBZ #627488
Kushal Das
Fail fail kushal
[1]
none
none
none
  1. same problem - buffer overflowed on x86 F13 - RHBZ #627488
Miroslav Grepl
Fail fail mgrepl
[1]
none
none
none
  1. same problem - buffer overflowed on x86 F13 - RHBZ #627488. Test finished (fixed pkgs from koji)
Ondrej Moriš
Fail fail omoris
[1]
none
none
none
  1. test finished (fixed pkgs from koji) with several fails: http://fpaste.org/Sgys/
Masami Ichikawa
Fail fail masami
[1]
none
none
none
  1. same problem - buffer overflowed on x86 F14 - RHBZ #627488