[Open-scap] Implementation for an AppArmor probe.
Jan Cerny
jcerny at redhat.com
Fri Sep 15 11:23:31 UTC 2017
Hi,
I have reviewed your patch. I have tested it on my Ubuntu Server 16.04.3, and it works great.
The patch overall looks good, but I have a few minor findings:
src/OVAL/probes/unix/linux/apparmorstatus.c :
* It shouldn't fail hard if you don't run it as root. In general OpenSCAP doesn't terminate
just because it couldn't get some data. I suggest `return 0` on line 362.
* Please use `snprintf` instead of `sprintf`. It's safer.
* On line 320, SEXP_free(item) shouldn't be commented out. But please make sure
everything is freed properly then.
* Please don't mix spaces and tabs. Tabs should be used to indent everywhere in C code.
* On line 200 you close a file that was already closed on line 177.
* I guess that the sizeof operator on line 273 should take "struct aa_profile".
* Compiler reports some warnings:
```
unix/linux/apparmorstatus.c: In function ‘probe_main’:
unix/linux/apparmorstatus.c:330:24: warning: variable ‘over’ set but not used [-Wunused-but-set-variable]
oval_schema_version_t over;
^
unix/linux/apparmorstatus.c: In function ‘aa_isenabled’:
unix/linux/apparmorstatus.c:90:2: warning: ignoring return value of ‘read’, declared with attribute warn_unused_result [-Wunused-result]
(void) read(fd, &status, 1);
```
Regards
Jan Černý
Security Technologies | Red Hat, Inc.
----- Original Message -----
> From: "Jan Cerny" <jcerny at redhat.com>
> To: "Bruno Ducrot" <bruno at poupinou.org>
> Cc: open-scap-list at redhat.com
> Sent: Friday, September 15, 2017 10:26:28 AM
> Subject: Re: [Open-scap] Implementation for an AppArmor probe.
>
> Hi,
>
> The new patch looks great. I'll review and test. I'll let you know.
>
> Thanks
>
> Regards
>
> Jan Černý
> Security Technologies | Red Hat, Inc.
>
> ----- Original Message -----
> > From: "Bruno Ducrot" <bruno at poupinou.org>
> > To: "Jan Cerny" <jcerny at redhat.com>
> > Cc: open-scap-list at redhat.com, "William Munyan"
> > <William.Munyan at cisecurity.org>
> > Sent: Monday, September 11, 2017 6:18:59 PM
> > Subject: Re: [Open-scap] Implementation for an AppArmor probe.
> >
> > Hi Jan,
> >
> > On Mon, Sep 11, 2017 at 09:44:40AM -0400, Jan Cerny wrote:
> > > Hi Bruno,
> > >
> > > this is awesome.
> > >
> > > However, as Bill pointed out, AppArmor support was added to OVAL standard
> > > in version 5.11.2.
> >
> > Indeed.
> >
> > >
> > > If you remove the schema changes of 5.11.0 it would be better.
> > > We already have 5.11.2 schemas in the repository, so it should be enough
> > > to change the version in your OVAL files.
> > > I think we shouldn't add any custom extensions to the schemas in
> > > schemas/oval
> > > directory in OpenSCAP repository. One of the use-cases of oscap is to
> > > verify whether the content complies with OVAL standard, which would be
> > > broken with the patch :-)
> > >
> > > Also, since AppArmor probe is in Linux namespace, I don't see a need to
> > > create any new options in ./configure. The probes aren't Red Hat
> > > specific.
> > > For example we have DPKG info probe, which is used only on Ubuntu and
> > > Debian,
> > > and we don't have a special option for that. It just doesn't compile the
> > > probe
> > > binary on RHEL/Fedora. I think AppArmor probe is a similar case.
> >
> > Ok. But there is no real library dependancies, so it will be
> > compiled under systems without AppArmor.
> >
> > The next iteration can be found here :
> > http://poupinou.org/SCAP/openscap-apparmor-20170911.diff
> >
> > That one is against current git, instead of 1.2.15. I'm planing to clone
> > the
> > openscap
> > git, just in case I'll have to do more stuff.
> >
> > There is still the unit tests to be written though. I hope doing so
> > this week, but I'm a bit busy atm.
> >
> > >
> > > Overall, I think that there is a very high chance to include the probe to
> > > upstream.
> > > I'm looking forward to your contributions.
> >
> > Thanks !
> >
> >
> > --
> > Bruno Ducrot
> >
> > -- Which is worse: ignorance or apathy?
> > -- Don't know. Don't care.
> >
>
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list at redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
More information about the Open-scap-list
mailing list