Improve Kickstart remediations #2147

Merged
merged 1 commit into from
Aug 13, 2024
Merged
3 changes: 2 additions & 1 deletion src/XCCDF_POLICY/public/xccdf_policy.h
Expand Up @@ -518,9 +518,10 @@ OSCAP_API bool xccdf_policy_resolve(struct xccdf_policy * policy);
* @param input_file_name file name of the input SCAP file
* @param tailoring input tailoring file (parsed as oscap source)
* @param output_fd write prescription to this file descriptor
* @param raw controls verbosiness of generated remediation files (if greater than zero, the function won't add commentaries and optional boilerplate instructions)
* @returns zero on success, non-zero indicate partial (incomplete) output.
*/
OSCAP_API int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *result, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int output_fd);
OSCAP_API int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *result, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int output_fd, int raw);
missing Doxygen text for the new raw parameter

Fixed.


/**
* xccdf_policy_model_get_files and xccdf_item_get_files each return oscap_file_entries instead of raw strings
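Review bot: The new `@param raw` text on the NEW side of the `xccdf_policy_generate_fix` prototype says "verbosiness", which is not a word, and frames the flag as "greater than zero" although the only callers visible in this PR (utils/oscap-xccdf.c) pass a getopt flag that is 0 or 1. I would reword it as `@param raw when non-zero, omit comments and optional boilerplate instructions from the generated remediation (only the content snippets are written)`. Since this is an `OSCAP_API` exported function whose signature changed, the change is also an ABI/API break for out-of-tree callers of the library; if that is intended it deserves a sentence in the PR description or a deprecated wrapper with the old signature, but I cannot see from this header whether one exists elsewhere. The surrounding doc comment and the following `xccdf_policy_model_get_files` comment continue outside the hunk.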
133 changes: 80 additions & 53 deletions src/XCCDF_POLICY/xccdf_policy_remediate.c


1 change: 1 addition & 0 deletions tests/API/XCCDF/unittests/CMakeLists.txt
Expand Up @@ -78,6 +78,7 @@ add_oscap_test("test_single_rule_stigw.sh")
add_oscap_test("test_remediation_simple.sh")
add_oscap_test("test_remediation_offline.sh")
add_oscap_test("test_remediation_kickstart.sh")
add_oscap_test("test_remediation_kickstart_raw.sh")
add_oscap_test("test_remediation_metadata.sh")
add_oscap_test("test_remediation_blueprint.sh")
add_oscap_test("test_remediation_bad_fix.sh")
Expand Up @@ -24,12 +24,12 @@
###############################################################################


# Default values for automated installation
# Default values for automated installation (optional)
lang en_US.UTF-8
keyboard --vckeymap us
timezone --utc America/New_York

# Root password is required for system rescue tasks
# Root password is required for system rescue tasks (optional)
rootpw changeme

# Create partition layout scheme (required for security compliance)
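Review bot: Marking `rootpw changeme` as "(optional)" on the NEW side still leaves a well-known plaintext root password in boilerplate that, to judge from this expected-output fixture, the kickstart generator emits verbatim; a user who installs from an unedited generated file ends up with a guessable root password on a system that is supposedly being hardened. I would make the comment an explicit warning rather than a soft "optional", e.g. `# Root password is required for system rescue tasks (optional) -- replace 'changeme' or use 'rootpw --lock' / 'rootpw --iscrypted <hash>' before installing`, or better have the generator emit `rootpw --lock` so an unedited file fails safe. The generator itself lives in xccdf_policy_remediate.c, which is not rendered in this diff, and this section's file header is not shown, so I cannot confirm the fixture mirrors the emitted text exactly.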
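--- /dev/null
+++ b/tests/API/XCCDF/unittests/test_remediation_kickstart_expected_raw.cfg
@@ -0,0 +1,49 @@
+# %partitions
+zerombr
+clearpart --all --initlabel
+reqpart --add-boot
+part pv.01 --grow --size=1
+volgroup system pv.01
+logvol / --name=root --vgname=system --size=2000 --grow
+logvol swap --name=swap --vgname=system --size=1000
+# %logvols
+logvol /var/tmp --name=vartmp --vgname=system --size=1024
+# %end
+
+bootloader --append="quick audit=1"
+
+%addon com_redhat_kdump --disable
+%end
+
+firewall --remove-service=httpd --service=sshd
+
+services --disabled=telnet,httpd --enabled=auditd,rsyslog,sshd
+
+%packages
+openscap-scanner
+scap-security-guide
+rsyslog
+openssh-server
+podman
+-usbguard
+%end
+
+%post --erroronfail
+oscap xccdf eval --remediate --results-arf /root/oscap_arf.xml --report /root/oscap_report.html --profile 'xccdf_org.openscap.www_profile_common' /usr/share/xml/scap/ssg/content/test_remediation_kickstart.ds.xml
+[ $? -eq 0 -o $? -eq 2 ] || exit 1
+%end
+
+%post --nochroot
+mkdir -p /etc/ddfds
+%end
+
+%post --nochroot
+mkdir -p /etc/abcd
+%end
+
+%post
+rm -rf /etc/xyz
+# create a new path
+feel /etc/xyz
+%end
+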
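--- /dev/null
+++ b/tests/API/XCCDF/unittests/test_remediation_kickstart_raw.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+. $builddir/tests/test_common.sh
+
+set -e -o pipefail
+
+function test_raw {
+kickstart=$(mktemp)
+stderr=$(mktemp)
+expected_modified=$(mktemp)
+
+sed "s;TEST_DATA_STREAM_PATH;$srcdir/test_remediation_kickstart.ds.xml;" "$srcdir/test_remediation_kickstart_expected_raw.cfg" > "$expected_modified"
+
+$OSCAP xccdf generate fix --fix-type kickstart --raw --output "$kickstart" --profile common "$srcdir/test_remediation_kickstart.ds.xml"
+
+diff -u "$expected_modified" "$kickstart"
+
+rm -rf "$kickstart"
+rm -rf "$stderr"
+rm -rf "$expected_modified"
+rm -rf "$kickstart_modified"
+}
+
+test_raw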
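Review bot: `stderr` is created by `mktemp` but the `$OSCAP` invocation never redirects into it, and `$kickstart_modified` is never assigned, so the last `rm -rf` runs on an empty string; with `set -e` but no `-u` this passes silently and the test never checks that `--raw` produced no warnings. The `sed` substitution of `TEST_DATA_STREAM_PATH` also looks like a no-op, because the expected file in the previous section carries the literal `/usr/share/xml/scap/ssg/content/...` path rather than a placeholder; either the fixture should contain the placeholder or the `sed` should go. I would capture stderr and fail on any output (assuming, as the unused temp file suggests, that a clean run is expected), drop the undefined variable and use `rm -f` for plain files.

```shell
function test_raw {
kickstart=$(mktemp)
stderr=$(mktemp)
expected_modified=$(mktemp)

# … unchanged: sed of the expected fixture into "$expected_modified" …

$OSCAP xccdf generate fix --fix-type kickstart --raw --output "$kickstart" --profile common "$srcdir/test_remediation_kickstart.ds.xml" 2> "$stderr"
[ -s "$stderr" ] && { cat "$stderr"; return 1; }

diff -u "$expected_modified" "$kickstart"

rm -f "$kickstart" "$stderr" "$expected_modified"
}
```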
1 change: 1 addition & 0 deletions utils/oscap-tool.h
Expand Up @@ -161,6 +161,7 @@ struct oscap_action {
char *local_files;
char *reference;
int references;
int raw;
};

int app_xslt(const char *infile, const char *xsltfile, const char *outfile, const char **params);
8 changes: 5 additions & 3 deletions utils/oscap-xccdf.c
Expand Up @@ -283,6 +283,7 @@ static struct oscap_module XCCDF_GEN_FIX = {
" --fix-type <type> - Fix type. Should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes,\n"
" blueprint, kickstart (default: bash).\n"
" --output <file> - Write the script into file.\n"
" --raw - Don't write extra headers or boilerplate instructions, only compose the content snippets.\n"
" --result-id <id> - Fixes will be generated for failed rule-results of the specified TestResult.\n"
" --benchmark-id <id> - ID of XCCDF Benchmark in some component in the data stream that should be used.\n"
" (only applicable for source data streams)\n"
Expand Down Expand Up @@ -1041,7 +1042,7 @@ int app_generate_fix(const struct oscap_action *action)

struct xccdf_policy *policy = xccdf_session_get_xccdf_policy(session);
struct xccdf_result *result = xccdf_policy_get_result_by_id(policy, xccdf_session_get_result_id(session));
if (xccdf_policy_generate_fix(policy, result, remediation_system, action->f_xccdf, tailoring, output_fd) == 0)
if (xccdf_policy_generate_fix(policy, result, remediation_system, action->f_xccdf, tailoring, output_fd, action->raw) == 0)
ret = OSCAP_OK;
} else { // Fallback to profile if result id is missing
/* Profile-oriented fixes */
Expand All @@ -1055,7 +1056,7 @@ int app_generate_fix(const struct oscap_action *action)
}
}
struct xccdf_policy *policy = xccdf_session_get_xccdf_policy(session);
if (xccdf_policy_generate_fix(policy, NULL, remediation_system, action->f_xccdf, tailoring, output_fd) == 0)
if (xccdf_policy_generate_fix(policy, NULL, remediation_system, action->f_xccdf, tailoring, output_fd, action->raw) == 0)
ret = OSCAP_OK;
}
cleanup2:
Expand Down Expand Up @@ -1243,8 +1244,9 @@ bool getopt_xccdf(int argc, char **argv, struct oscap_action *action)
{"hide-profile-info", no_argument, &action->hide_profile_info, 1},
{"export-variables", no_argument, &action->export_variables, 1},
{"skip-schematron", no_argument, &action->schematron, 0},
{"without-syschar", no_argument, &action->without_sys_chars, 1},
{"without-syschar", no_argument, &action->without_sys_chars, 1},
{"thin-results", no_argument, &action->thin_results, 1},
{"raw", no_argument, &action->raw, 1},
// end
{0, 0, 0, 0}
};
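Review bot: The new `{"raw", no_argument, &action->raw, 1}` entry in `getopt_xccdf` accepts `--raw` for every `--fix-type`, but the help text added to `XCCDF_GEN_FIX` does not say which generators honour it, and nothing in `app_generate_fix` warns when it is combined with a type that ignores it; given the PR title, I infer only the kickstart generator acts on it, though xccdf_policy_remediate.c is not rendered here. I would either qualify the help line, `" --raw - (kickstart) Don't write extra headers or boilerplate instructions, only compose the content snippets.\n"`, or emit a warning in `app_generate_fix` when `action->raw` is set for an unsupported type, so a user does not mistake silent acceptance for support. The new field also relies on `struct oscap_action` being zero-initialised before option parsing, which the visible hunks do not show; worth confirming at the allocation site. `getopt_xccdf` and `app_generate_fix` both begin and end outside these hunks.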