diff --git a/.fixtures.yml b/.fixtures.yml index cbba12d..c8c980f 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -7,6 +7,3 @@ fixtures: disa_stig-el7-baseline: repo: https://github.com/mitre/redhat-enterprise-linux-7-stig-baseline target: spec/fixtures/inspec_deps/inspec_profiles/profiles - disa_stig-el8-baseline: - repo: https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline - target: spec/fixtures/inspec_deps/inspec_profiles/profiles diff --git a/.github/workflows/pr_acceptance.yml b/.github/workflows/pr_acceptance.yml index 35a010c..e4dce4a 100644 --- a/.github/workflows/pr_acceptance.yml +++ b/.github/workflows/pr_acceptance.yml @@ -1,5 +1,5 @@ # Run all tests as GitHub Actions -name: Unit Tests +name: Acceptance Tests on: push: branches: diff --git a/CHANGELOG.md b/CHANGELOG.md index d7f63b1..dcaf052 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +### 1.24.2 / 2022-02-20 +* Fixed: + * Update the derivatives workaround to insert an inert line instead of + commenting out the previous line to allow for logic updates + * Addressed a bug where passing an empty exceptions array would produce an + invalid xpath query + * Ensure that the new SIMP community RPMs are used + ### 1.24.1 / 2021-10-27 * Fixed: * Worked around a bug in 'puppet lookup' - PUP-11402 diff --git a/lib/simp/beaker_helpers.rb b/lib/simp/beaker_helpers.rb index 45686a7..76d423d 100644 --- a/lib/simp/beaker_helpers.rb +++ b/lib/simp/beaker_helpers.rb @@ -1498,10 +1498,12 @@ def install_simp_repos(suts, disable = []) block_on(suts, :run_in_parallel => parallel) do |sut| install_package_unless_present_on(sut, 'yum-utils') + release = fact_on(sut, 'os.release.major') + install_package_unless_present_on( sut, 'simp-release-community', - "https://download.simp-project.com/simp-release-community.rpm", + "https://download.simp-project.com/simp-release-community.el#{release}.rpm" ) to_disable = disable.dup 
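Review bot: `release` from `fact_on(sut, 'os.release.major')` is interpolated into the download URL in `install_simp_repos` without any check, so an empty fact or a non-EL SUT yields a URL like `simp-release-community.el.rpm` and the cause shows up only as a package-install failure. A guard right after the lookup would make the cause explicit and keep unexpected fact values out of the URL: `raise "Unsupported os.release.major '#{release}' on #{sut}" unless release.to_s.match?(/\A\d+\z/)`. The release RPM presumably configures the SIMP repositories and their signing keys on the SUT, so a comment noting that HTTPS to the download host is the only integrity protection visible at this call would help the next reader. The method starts and ends outside the hunk, so any validation done elsewhere is not visible here.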
diff --git a/lib/simp/beaker_helpers/inspec.rb b/lib/simp/beaker_helpers/inspec.rb index 23df7a4..e39cc9f 100644 --- a/lib/simp/beaker_helpers/inspec.rb +++ b/lib/simp/beaker_helpers/inspec.rb @@ -34,9 +34,7 @@ def self.enable_repo_on(suts) # The name of the profile against which to run # def initialize(sut, profile) - # The 4.41 release is currently broken - # @inspec_version = ENV['BEAKER_inspec_version'] || 'latest' - @inspec_version = ENV['BEAKER_inspec_version'] || '4.39.0' + @inspec_version = ENV['BEAKER_inspec_version'] || 'latest' @sut = sut diff --git a/lib/simp/beaker_helpers/ssg.rb b/lib/simp/beaker_helpers/ssg.rb index 7c46eb2..cb8203f 100644 --- a/lib/simp/beaker_helpers/ssg.rb +++ b/lib/simp/beaker_helpers/ssg.rb @@ -278,9 +278,8 @@ def self.process_ssg_results(result_file, filter=nil, exclusions=nil) xpath_query << ')' if filter.size > 1 - if exclusions - exclusions = Array(exclusions) - + exclusions = Array(exclusions) + unless exclusions.empty? xpath_query << 'and not(' xpath_query << exclusions.map do |exl| @@ -419,7 +418,7 @@ def get_ssg_datastream # # This isn't 100% correct but it's "good enough" for an automated CI # environment to tell us if something is critically out of alignment. - on(@sut, %(cd scap-content/build-scripts; sed -ci 's/ssg.build_derivatives.profile_handling/#ssg.build_derivatives.profile_handling/g' enable_derivatives.py)) + on(@sut, %(cd scap-content/build-scripts; sed -ci 's/ssg.build_derivatives.profile_handling/__simp_dontcare__ = None #ssg.build_derivatives.profile_handling/g' enable_derivatives.py)) on(@sut, %(cd scap-content/build; cmake ../; make -j4 #{OS_INFO[@os][@os_rel]['ssg']['build_target']}-content && cp *ds.xml #{@scap_working_dir})) end diff --git a/lib/simp/beaker_helpers/version.rb b/lib/simp/beaker_helpers/version.rb index 232b8a7..16ccff0 100644 --- a/lib/simp/beaker_helpers/version.rb +++ b/lib/simp/beaker_helpers/version.rb 
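Review bot: Defaulting `@inspec_version` to `'latest'` in `initialize` means every run without `BEAKER_inspec_version` installs whatever InSpec release is newest at that moment, so compliance results are not reproducible and a broken upstream release reaches CI unannounced. The visible part of the doc comment does not mention the environment variable; I would add `# Set BEAKER_inspec_version to pin a known-good InSpec release; the default 'latest' floats with upstream` directly above the assignment. How the value is later used to fetch the package is outside the hunk, so whether it is validated before reaching a command line cannot be confirmed from here.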
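Review bot: The new `unless exclusions.empty?` guard in `process_ssg_results` covers `[]`, but blank entries such as `[nil]` or `['']` still pass it and reach the `exclusions.map` block, whose body is outside the hunk. Depending on how each entry becomes an XPath predicate, a blank one may produce a clause that matches every rule, and the surrounding `not(...)` would then drop all results and make a failing scan look clean. Filtering them at normalisation closes that case: `exclusions = Array(exclusions).reject { |exl| exl.to_s.strip.empty? }`. No spec for `exclusions = []` is visible in this diff, and one would keep the fixed bug from returning.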
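Review bot: The `sed` in `get_ssg_datastream` is a silent no-op if upstream `enable_derivatives.py` stops containing `ssg.build_derivatives.profile_handling`, and the build on the following line then runs without the workaround. A check after the substitution would fail the run at the real cause, since `on` rejects a non-zero exit by default: `on(@sut, %(grep -q '__simp_dontcare__' scap-content/build-scripts/enable_derivatives.py))`. The comment above the call explains the workaround but not why the replacement is an assignment. If the intent is to keep an enclosing Python block from being left without a body, say so with `# Replace the call with an inert assignment so the surrounding block still has a statement`.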
@@ -1,5 +1,5 @@ module Simp; end module Simp::BeakerHelpers - VERSION = '1.24.1' + VERSION = '1.24.2' end diff --git a/spec/fixtures/inspec_profiles/CentOS-8-disa_stig b/spec/fixtures/inspec_profiles/CentOS-8-disa_stig deleted file mode 120000 index 77915d4..0000000 --- a/spec/fixtures/inspec_profiles/CentOS-8-disa_stig +++ /dev/null @@ -1 +0,0 @@ -RedHat-8-disa_stig \ No newline at end of file diff --git a/spec/fixtures/inspec_profiles/RedHat-8-disa_stig/controls/00_Control_Selector.rb b/spec/fixtures/inspec_profiles/RedHat-8-disa_stig/controls/00_Control_Selector.rb deleted file mode 100644 index 33bee36..0000000 --- a/spec/fixtures/inspec_profiles/RedHat-8-disa_stig/controls/00_Control_Selector.rb +++ /dev/null @@ -1,45 +0,0 @@ -skips = { - 'V-72209' => 'Cannot guarantee a remote syslog server during test' -} -overrides = [ 'V-72091' ] -subsystems = [] - -require_controls 'disa_stig-el8-baseline' do - skips.each_pair do |ctrl, reason| - control ctrl do - describe "Skip #{ctrl}" do - skip "Reason: #{skips[ctrl]}" do - end - end - end - end - - @conf['profile'].info[:controls].each do |ctrl| - next if (overrides + skips.keys).include?(ctrl[:id]) - - if subsystems.empty? - control ctrl[:id] - else - tags = ctrl[:tags] - if tags && tags[:subsystems] - subsystems.each do |subsystem| - if tags[:subsystems].include?(subsystem) - control ctrl[:id] - end - end - end - end - end - - ## Overrides ## - - # There's no email server to send anything to by default so syslog is a safer - # default for processing. - control 'V-72091' do - overrides << self.to_s - - describe auditd_conf do - its('space_left_action.downcase') { should cmp 'syslog' } - end - end -end diff --git a/spec/fixtures/inspec_profiles/RedHat-8-disa_stig/inspec.yml b/spec/fixtures/inspec_profiles/RedHat-8-disa_stig/inspec.yml deleted file mode 100644 index dc84e56..0000000 --- a/spec/fixtures/inspec_profiles/RedHat-8-disa_stig/inspec.yml +++ /dev/null 
@@ -1,14 +0,0 @@ -name: EL8 STIG -title: STIG for EL 8 -supports: - - os-family: redhat -maintainer: SIMP Team -copyright: Onyx Point, Inc. -copyright_email: simp@onyxpoint.com -license: Apache-2.0 -summary: | - A collection of InSpec tests -version: 0.0.1 -depends: - - name: disa_stig-el8-baseline - path: ../../inspec_deps/inspec_profiles/profiles/disa_stig-el8-baseline