Add debian10 content #5058

Merged Jan 2, 2020 (2 commits)

@pschneiders commented Dec 5, 2019

Description:

  • Adding content for Debian 10 "Buster" based on existing content for Debian 9 "Stretch"

Rationale:

  • Content for auditing Debian 10 didn't exist.

@openscap-ci
Collaborator

Can one of the admins verify this patch?

@pep8speaks commented Dec 5, 2019

Hello @pschneiders! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found:

There are currently no PEP 8 issues detected in this Pull Request. Cheers! 🍻

Comment last updated at 2019-12-19 15:04:07 UTC

@redhatrises
Contributor

@openscap-ci test this please

@pschneiders
Author

I believe some of the tests that are failing on multiple separate debian environments (armhf and amd64) are old tests that are not relevant. Going to compare Debian 8, 9 and 10 and remove obsolete tests.

@redhatrises
Contributor

@pschneiders did you scan this as a root user? Some of the SSH errors look as if you scanned as a regular user and not a privileged user.

@pschneiders
Author

> @pschneiders did you scan this as a root user? Some of the SSH errors look as if you scanned as a regular user and not a privileged user.

Yes. The scan was done with sudo locally. I performed the same scan on a second system with similar results. I have --verbose DEVEL output too, but I don't find it very helpful in determining a root cause.

@redhatrises
Contributor

> > @pschneiders did you scan this as a root user? Some of the SSH errors look as if you scanned as a regular user and not a privileged user.
>
> Yes. The scan was done with sudo locally. I performed the same scan on a second system with similar results. I have --verbose DEVEL output too, but I don't find it very helpful in determining a root cause.

Can you sudo su - first and then run a scan? Also add the --results, --report, and --oval-results flags and provide the .html and .xml file from the report flag.

@pschneiders
Author

output.zip
GitHub limits which extensions I can upload, so here's a zip with the output. This was run on an amd64 Debian 10 system as sudo su - and the command was:

/usr/bin/oscap xccdf eval --results target-results-`date "+%Y-%m-%d-%s"`.xml --report target-report-`date "+%Y-%m-%d-%s"`.html --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --oval-results /usr/local/share/xml/scap/ssg/content/ssg-debian10-ds.xml > output.log 2>&1

@pschneiders
Author

For consistency, here's output from the original armhf system with the same command also in a sudo su - shell.
armhf.zip

@yuumasato
Member

Looks like a bug in OpenSCAP. I find it suspicious that only some tests for package installed/removed are returning error.

grep -P "<test.*package.*(installed|removed).*result=" ssg-debian10-oval.xml.result.xml 
        <test test_id="oval:ssg-test_package_GConf2_installed:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_package_audit_installed:tst:1" version="1" check_existence="all_exist" check="all" result="false"/>
        <test test_id="oval:ssg-test_package_avahi_installed:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_package_cron_installed:tst:1" version="1" check_existence="all_exist" check="all" result="error"/>
        <test test_id="oval:ssg-test_package_dconf_installed:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_package_esc_installed:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_package_gdm_installed:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_package_gnutls-utils_installed:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_package_inetutils-telnetd_removed:tst:1" version="1" check_existence="none_exist" check="all" result="true"/>
        <test test_id="oval:ssg-test_package_nis_removed:tst:1" version="1" check_existence="none_exist" check="all" result="true"/>
        <test test_id="oval:ssg-test_package_nss-tools_installed:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_package_ntp_installed:tst:1" version="1" check_existence="all_exist" check="all" result="false"/>
        <test test_id="oval:ssg-test_package_ntpdate_removed:tst:1" version="1" check_existence="none_exist" check="all" result="true"/>
        <test test_id="oval:ssg-test_package_openssh-server_installed:tst:1" version="1" check_existence="all_exist" check="all" result="error"/>
        <test test_id="oval:ssg-test_package_openssh-server_removed:tst:1" version="1" check_existence="none_exist" check="all" result="error"/>
        <test test_id="oval:ssg-test_package_pam_ldap_removed:tst:1" version="1" check_existence="none_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_package_pam_pkcs11_installed:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_package_prelink_removed:tst:1" version="1" check_existence="none_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_package_rsyslog-gnutls_installed:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_package_rsyslog_installed:tst:1" version="1" check_existence="all_exist" check="all" result="error"/>
        <test test_id="oval:ssg-test_package_samba-common_removed:tst:1" version="1" check_existence="none_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_package_snmp_removed:tst:1" version="1" check_existence="none_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_package_syslogng_installed:tst:1" version="1" check_existence="all_exist" check="all" result="false"/>
        <test test_id="oval:ssg-test_package_telnetd-ssl_removed:tst:1" version="1" check_existence="none_exist" check="all" result="true"/>
        <test test_id="oval:ssg-test_package_telnetd_removed:tst:1" version="1" check_existence="none_exist" check="all" result="true"/>
        <test test_id="oval:ssg-test_service_auditd_package_auditd_installed:tst:1" version="1" check_existence="all_exist" check="all" result="error"/>
        <test test_id="oval:ssg-test_service_chronyd_package_chrony_installed:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_service_cron_package_cron_installed:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_service_ip6tables_package_iptables-ipv6_installed:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_service_iptables_package_iptables_installed:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_service_netfs_package_netfs_removed:tst:1" version="1" check_existence="none_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_service_ntp_package_ntp_installed:tst:1" version="1" check_existence="all_exist" check="all" result="false"/>
        <test test_id="oval:ssg-test_service_ntpd_package_ntp_installed:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1" version="1" check_existence="all_exist" check="all" result="error"/>
        <test test_id="oval:ssg-test_service_snmpd_package_snmpd_removed:tst:1" version="1" check_existence="none_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_service_sshd_package_openssh-server_removed:tst:1" version="1" check_existence="none_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_service_sssd_package_sssd-common_removed:tst:1" version="1" check_existence="none_exist" check="all" result="not evaluated"/>
        <test test_id="oval:ssg-test_service_syslogng_package_syslogng_installed:tst:1" version="1" check_existence="all_exist" check="all" result="false"/>

The probe for dpkg_info may be hitting a corner case with the following packages and returning an invalid syschar flag: rsyslog, auditd, cron and openssh-server.
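
Added example (not part of the PR or of OpenSCAP): the grep triage from the comment above done with an XML parser, so package tests are grouped by result and the packages behind the `error` results fall out directly. The sample reuses ten of the test lines quoted above inside a constructed minimal `oval_results` wrapper; `package_results` and `errored_packages` are hypothetical helper names.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Sample: ten <test> lines copied from the output quoted above, wrapped in a
# constructed minimal oval_results skeleton so the snippet runs offline.
SAMPLE = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
 <results><system><tests>
  <test test_id="oval:ssg-test_package_audit_installed:tst:1" version="1" check_existence="all_exist" check="all" result="false"/>
  <test test_id="oval:ssg-test_package_cron_installed:tst:1" version="1" check_existence="all_exist" check="all" result="error"/>
  <test test_id="oval:ssg-test_package_gdm_installed:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
  <test test_id="oval:ssg-test_package_nis_removed:tst:1" version="1" check_existence="none_exist" check="all" result="true"/>
  <test test_id="oval:ssg-test_package_openssh-server_installed:tst:1" version="1" check_existence="all_exist" check="all" result="error"/>
  <test test_id="oval:ssg-test_package_openssh-server_removed:tst:1" version="1" check_existence="none_exist" check="all" result="error"/>
  <test test_id="oval:ssg-test_package_rsyslog_installed:tst:1" version="1" check_existence="all_exist" check="all" result="error"/>
  <test test_id="oval:ssg-test_service_auditd_package_auditd_installed:tst:1" version="1" check_existence="all_exist" check="all" result="error"/>
  <test test_id="oval:ssg-test_service_cron_package_cron_installed:tst:1" version="1" check_existence="all_exist" check="all" result="not evaluated"/>
  <test test_id="oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1" version="1" check_existence="all_exist" check="all" result="error"/>
 </tests></system></results>
</oval_results>"""

# Matches both "test_package_<pkg>_<state>" and "test_service_<svc>_package_<pkg>_<state>".
PKG_TEST = re.compile(r"_package_(?P<pkg>.+)_(?P<state>installed|removed):tst:\d+$")

def package_results(xml_text):
    """Map each result value to a sorted list of (package, expected state) pairs."""
    grouped = defaultdict(set)
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] != "test":  # ignore the XML namespace
            continue
        m = PKG_TEST.search(elem.get("test_id", ""))
        if m:
            grouped[elem.get("result")].add((m["pkg"], m["state"]))
    return {res: sorted(pairs) for res, pairs in grouped.items()}

def errored_packages(xml_text):
    """Packages whose installed/removed test came back as 'error'."""
    return sorted({pkg for pkg, _ in package_results(xml_text).get("error", [])})

if __name__ == "__main__":
    for result, pairs in sorted(package_results(SAMPLE).items()):
        print(f"{result:14} {len(pairs):2}  {', '.join(p for p, _ in pairs)}")
    print("error:", errored_packages(SAMPLE))
```

An `error` result means the check could not be evaluated, so those rules say nothing about compliance either way and should be tracked separately from `false`.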

@jan-cerny
Collaborator

It looks like a bug in OpenSCAP in dpkg_info probe.

Could you try to use the latest version of OpenSCAP instead of 1.2.16? There were some fixes in the last year.

@pschneiders
Author

> It looks like a bug in OpenSCAP in dpkg_info probe.
>
> Could you try to use the latest version of OpenSCAP instead of 1.2.16? There were some fixes in the last year.

I'm working on that now. I can't find a newer deb package and building openscap from source fails multiple tests in the build process.

@ggbecker
Member

ggbecker commented Dec 9, 2019

@openscap-ci test this please

@pschneiders
Author

This content appears to run without errors if I build against this PR branch: OpenSCAP/openscap#1387

@pschneiders
Author

OpenSCAP/openscap#1387 was merged into the current maint-1.3 branch

@pschneiders
Author

2019-12-17_output.zip

Attached is output from a successful run without errors or unknowns.

Resolved (outdated) review threads on: debian10/cpe/debian10-cpe-dictionary.xml, shared/checks/oval/installed_OS_is_debian10.xml, ssg/constants.py

@pschneiders force-pushed the debian10 branch 2 times, most recently from 1dfad89 to dfce952, on December 18, 2019 13:37

@redhatrises
Contributor

@openscap-ci test this please

@redhatrises
Contributor

@openscap-ci add to whitelist

@jan-cerny
Collaborator

LGTM, scanning works for me on my Debian 10 VM with OpenSCAP compiled from git.

@redhatrises Do you need more changes or can we merge it?

@redhatrises
Contributor

Thanks @pschneiders merging

@redhatrises merged commit 1c026ff into ComplianceAsCode:master on Jan 2, 2020
@redhatrises added this to the 0.1.48 milestone on Jan 2, 2020
@redhatrises added the "enhancement" label (General enhancements to the project.) on Jan 2, 2020
@redhatrises self-assigned this on Jan 2, 2020
@yuumasato added the "Highlight" label (This PR/Issue should make it to the featured changelog.) on Jan 15, 2020