[Open-scap] Passing bash variables to Script Check Engine based checks.

S, Gautam gautams at hpe.com
Wed Jan 13 11:02:09 UTC 2016


Hello Martin,

Thank you for looking into this. That makes sense!

Is there any mechanism you would recommend for handling sensitive inputs such as passphrases? Or is oscap perhaps not the right tool for such evaluations?

Thank you.

Regards,
Gautam.

-----Original Message-----
From: Martin Preisler [mailto:mpreisle at redhat.com] 
Sent: Wednesday, January 13, 2016 4:25 PM
To: S, Gautam
Cc: open-scap-list at redhat.com
Subject: Re: [Open-scap] Passing bash variables to Script Check Engine based checks.

----- Original Message -----
> From: "S, Gautam" <gautams at hpe.com>
> To: open-scap-list at redhat.com
> Sent: Wednesday, January 13, 2016 9:37:28 AM
> Subject: [Open-scap] Passing bash variables to Script Check Engine based checks.
> 
> Hello folks,
> 
> [snip]
> 
> In both cases, the grandparent is my Bash shell where I export
> local_private and can translate ORACLE_HOME. While the process forked
> by oscap cannot resolve the variables, the one forked by Python can.
> Why does oscap not share its environment with its children? Is this
> because of any security restrictions, or can we change this?

This is a restriction designed to improve portability and security. When starting SCE scripts, OpenSCAP constructs a canonical environment without inheriting anything from the parent process. See
https://github.com/OpenSCAP/openscap/blob/maint-1.2/src/SCE/sce_engine.c#L352

Consider that users can evaluate using oscap, SCAP Workbench, Satellite 6 or even other tools. If we inherited the environment and content writers relied on it, users wouldn't be able to use that content consistently.

--
Martin Preisler
Security Technologies | Red Hat, Inc.
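Added here as an illustration (not code from the thread or from OpenSCAP itself): a shell script that reproduces the isolation Martin describes by launching a check through env -i, and contrasts a value exported in the calling shell with a value handed to the check explicitly. The XCCDF_VALUE_<name> variable and the XCCDF_RESULT_* exit codes are assumed from SCE's conventions, not taken from this page.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSCAP: reproduces the
# restriction Martin describes. Assumption (SCE convention, not on the page):
# bound XCCDF values reach the script as XCCDF_VALUE_<name>, and the script
# reports its result with the XCCDF_RESULT_* exit codes the engine exports.
XCCDF_RESULT_PASS=101
XCCDF_RESULT_FAIL=102

# Constructed check script: prefers the explicitly bound value, falls back to
# a variable exported by the calling shell, fails if it finds neither.
write_check_script() {
  cat > "$1" <<'EOF'
if [ -n "$XCCDF_VALUE_local_private" ]; then
  echo "value from XCCDF binding"
  exit "$XCCDF_RESULT_PASS"
fi
if [ -n "$local_private" ]; then
  echo "value inherited from the parent shell"   # never reached under isolation
  exit "$XCCDF_RESULT_PASS"
fi
exit "$XCCDF_RESULT_FAIL"
EOF
}

# Mimic sce_engine.c: start the check with env -i so nothing from the parent
# process leaks in; only PATH, the result codes and any extra VAR=value
# arguments given here are visible to it. Prints the check's exit code.
run_like_sce() {
  script=$1; shift
  rc=0
  env -i PATH=/usr/bin:/bin \
      XCCDF_RESULT_PASS="$XCCDF_RESULT_PASS" \
      XCCDF_RESULT_FAIL="$XCCDF_RESULT_FAIL" \
      "$@" /bin/sh "$script" >/dev/null 2>&1 || rc=$?
  echo "$rc"
}

# Exporting in the shell (Gautam's setup) yields 102; passing the value the
# way a bound XCCDF value arrives yields 101. Prints both codes.
demo() {
  tmp=$(mktemp) || return 1
  write_check_script "$tmp"
  export local_private=secret
  inherited=$(run_like_sce "$tmp")
  bound=$(run_like_sce "$tmp" XCCDF_VALUE_local_private=secret)
  rm -f "$tmp"
  echo "$inherited $bound"
}

demo
```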