Merge maint-1.3 to main

.github/workflows/build.yml

@@ -6,9 +6,9 @@ name: Gating
 # events but only for the main branch
 on:
   push:
-    branches: [ '*' ]
+    branches: [ maint-1.3 ]
   pull_request:
-    branches: [ main, maint-1.3 ]
+    branches: [ maint-1.3 ]
 
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
@@ -21,7 +21,7 @@ jobs:
 
     strategy:
       matrix:
-        os: [ubuntu-20.04, ubuntu-latest]
+        os: [ubuntu-22.04]
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
@@ -148,7 +148,7 @@ jobs:
         path: ${{ github.workspace }}/vcpkg
         repository: microsoft/vcpkg
         fetch-depth: 1
-    
+
     - name: Bootstrap vcpkg
       shell: pwsh
       run: "${{ github.workspace }}\\vcpkg\\scripts\\bootstrap.ps1 -disableMetrics"
@@ -159,9 +159,8 @@ jobs:
         script: |
           core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || '');
           core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
-
     - name: Install Deps
-      run: "${{ github.workspace }}\\vcpkg\\vcpkg.exe install curl libxml2 libxslt bzip2 pcre2 pthreads zlib getopt-win32 xmlsec --triplet x64-windows"
+      run: "${{ github.workspace }}\\vcpkg\\vcpkg.exe install curl libxml2 libxslt bzip2 pcre pthreads zlib getopt-win32 xmlsec --triplet x64-windows"
 
     - name: Configure
       working-directory: ./build
@@ -170,7 +169,7 @@ jobs:
     - name: Build
       run: cmake --build . --config Release
       working-directory: ./build
-    
+
     - name: Package
       run: cpack
       working-directory: build

.github/workflows/codeql.yml

@@ -54,6 +54,6 @@ jobs:
         make all
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"

CMakeLists.txt

@@ -330,6 +330,7 @@ cmake_dependent_option(ENABLE_OSCAP_UTIL_AS_RPM "enable the scap-as-rpm utility,
 cmake_dependent_option(ENABLE_OSCAP_UTIL_SSH "enables the oscap-ssh utility, this lets you scan remote machines over ssh" ON "NOT WIN32" OFF)
 cmake_dependent_option(ENABLE_OSCAP_UTIL_VM "enables the oscap-vm utility, this lets you scan VMs and VM storage images" ON "NOT WIN32" OFF)
 cmake_dependent_option(ENABLE_OSCAP_UTIL_PODMAN "enables the oscap-podman utility, this lets you scan Podman containers and container images" ON "NOT WIN32" OFF)
+cmake_dependent_option(ENABLE_OSCAP_UTIL_BOOTC "enables the oscap-bootc utility, this lets you build hardened bootable container images" ON "NOT WIN32" OFF)
 cmake_dependent_option(ENABLE_OSCAP_UTIL_CHROOT "enables the oscap-chroot utility, this lets you scan entire chroots using offline scanning" ON "NOT WIN32" OFF)
 option(ENABLE_OSCAP_UTIL_AUTOTAILOR "enables the autotailor utility that is able to perform command-line tailoring" TRUE)
 option(ENABLE_OSCAP_REMEDIATE_SERVICE "enables the oscap-remediate service" FALSE)
@@ -467,6 +468,7 @@ message(STATUS "scap-as-rpm: ${ENABLE_OSCAP_UTIL_AS_RPM}")
 message(STATUS "oscap-ssh: ${ENABLE_OSCAP_UTIL_SSH}")
 message(STATUS "oscap-vm: ${ENABLE_OSCAP_UTIL_VM}")
 message(STATUS "oscap-podman: ${ENABLE_OSCAP_UTIL_PODMAN}")
+message(STATUS "oscap-bootc: ${ENABLE_OSCAP_UTIL_BOOTC}")
 message(STATUS "oscap-chroot: ${ENABLE_OSCAP_UTIL_CHROOT}")
 message(STATUS "autotailor: ${ENABLE_OSCAP_UTIL_AUTOTAILOR}")
 message(STATUS " ")

docs/manual/manual.adoc

@@ -1614,6 +1614,7 @@ If OpenSCAP is executed with verbosity level INFO or DEVEL their runtime values
 * `OSCAP_PROBE_MEMORY_USAGE_RATIO` - maximum memory usage ratio (used/total) for OpenSCAP probes, default: 0.1
 * `OSCAP_PROBE_MAX_COLLECTED_ITEMS` - maximal count of collected items by OpenSCAP probe for a single OVAL object evaluation
 * `OSCAP_PROBE_IGNORE_PATHS` - Skip given paths during evaluation. If multiple paths should be skipped they need to be separated by a colon. The paths should be absolute canonical paths.
+* `OSCAP_PREFERRED_ENGINE` - Set a preffered check engine for XCCDF rules. If a rule has multiple checks, the checks for the preffered check engine will be used. Allowed values: `SCE`, `OVAL`. If this variable is set to `SCE` and a rule has both SCE and OVAL checks the SCE check will be used. If this variable is set to `OVAL` and a rule has both SCE and OVAL checks the OVAL check will be used. If this environment variable isn't set, the standard XCCDF mechanism will be used for check selection.
 
 Also, OpenSCAP uses `libcurl` library which also can be configured using environment variables. See https://curl.se/libcurl/c/libcurl-env.html[the list of libcurl environment variables].
 
@@ -1839,6 +1840,43 @@ registry.access.redhat.com/ubi8  latest  3269c37eae33  2 months ago  208 MB
 
 Note that the `oscap-podman` command requires root privileges.
 
+=== Building hardened bootable container images using oscap-bootc
+
+The `oscap-bootc` tool is a convenience script that makes building hardened bootable container images easier.
+This tool is designed to be used during the build of the bootable container image.
+
+Include `oscap-bootc` in your `Containerfile` that will be used to build your bootable container image.
+The `Containerfile` first needs to install the `openscap-utils` package which ships the `oscap-bootc` tool.
+
+Also, SCAP content needs to be installed to the image before `oscap-bootc` will be run.
+Although any SCAP content can be consumed by the tool, the SCAP source data streams shipped in `scap-security-guide` are specially cared to be compatible with bootable containers.
+
+Example `Containerfile`:
+
+----
+FROM quay.io/centos-bootc/centos-bootc:stream9
+
+RUN dnf install -y openscap-utils scap-security-guide
+
+RUN oscap-bootc --profile stig /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml
+----
+
+Once you have your `Containerfile`, execute the image build:
+
+----
+podman build -t hardened_image .
+----
+
+The `oscap-bootc` tool installs and removes all packages required by the selected profile to or from the image.
+Then, it runs a scan and remediation with the selected profile.
+It doesn't use offline scanning.
+The configuration files and other content in the image are modified by this process, depending on the used SCAP content.
+
+The built bootable container image can be then deployed and booted.
+After booting the image, the state of the resulting system will be in line with the selected security profile.
+
+The `oscap-bootc` tool can't be used anywhere else than in a `Containerfile`.
+
 === Scanning of Docker containers and images using oscap-docker
 
 The `oscap-docker` is used to scan Docker containers and images. It can

openscap.spec

@@ -88,6 +88,7 @@ Summary:        OpenSCAP Utilities
 Requires:       %{name}%{?_isa} = %{epoch}:%{version}-%{release}
 Requires:       rpmdevtools rpm-build
 Requires:       %{name}-scanner%{?_isa} = %{epoch}:%{version}-%{release}
+Requires:       %{name}-engine-sce%{?_isa} = %{epoch}:%{version}-%{release}
 
 %description    utils
 The %{name}-utils package contains command-line tools build on top

src/OVAL/probes/unix/linux/rpm-helper.c

@@ -51,3 +51,32 @@ void rpmLibsPreload()
 	const char* rcfiles = "";
 	rpmReadConfigFiles(rcfiles, NULL);
 }
+
+void set_rpm_db_path()
+{
+	/*
+	 * Fedora >=36 changed the default dbpath in librpm from /var/lib/rpm to /usr/lib/sysimage/rpm.
+	 * See: https://fedoraproject.org/wiki/Changes/RelocateRPMToUsr
+	 *
+	 * Therefore, when running openscap on a Fedora >=36 system scanning another systems (such as RHEL, SLES, Fedora<36)
+	 * openscap's librpm will try to read the rpm db from /usr/lib/sysimage/rpm which doesn't exist and therefore won't work.
+	 * On many systems, /var/lib/rpm is still a symlink to /usr/lib/sysimage/rpm, so using /var/lib/rpm can work there.
+	 * However, on some systems, eg. bootc images, /var/lib/rpm isn't a symlink and doesn't contain the RPM database.
+	 *
+	 * We will first try if the "new" location /usr/lib/sysimage/rpm exists, and use it only if it exists.
+	 * If it doesn't exist, we will fall back to the "old" location /var/lib/rpm.
+	 */
+
+	struct stat sb;
+	const char *dbpath;
+	const char *prefix = getenv("OSCAP_PROBE_ROOT");
+	char *path_with_prefix = oscap_path_join(prefix, "/usr/lib/sysimage/rpm");
+	if (stat(path_with_prefix, &sb) == 0) {
+		dbpath = "/usr/lib/sysimage/rpm";
+	} else {
+		dbpath = "/var/lib/rpm";
+	}
+	free(path_with_prefix);
+	dI("Using %s as rpm database.", dbpath);
+	rpmPushMacro(NULL, "_dbpath", NULL, dbpath, RMIL_CMDLINE);
+}

src/OVAL/probes/unix/linux/rpm-helper.h

@@ -99,4 +99,7 @@ int rpmVerifyFile(const rpmts ts, const rpmfi fi,
  */
 void rpmLibsPreload(void);
 
+void set_rpm_db_path(void);
+
+
 #endif

src/OVAL/probes/unix/linux/rpminfo_probe.c

@@ -294,17 +294,7 @@ void *rpminfo_probe_init(void)
 		return ((void *)g_rpm);
         }
 
-        /*
-        * Fedora >=36 changed the default dbpath in librpm from /var/lib/rpm to /usr/lib/sysimage/rpm
-        * See: https://fedoraproject.org/wiki/Changes/RelocateRPMToUsr
-        * Therefore, when running openscap on a Fedora >=36 system scanning another systems (such as RHEL, SLES, Fedora<36)
-        * openscap's librpm will try to read the rpm db from /usr/lib/sysimage/rpm which doesn't exist and therefore won't work.
-        * In implementing this change, /var/lib/rpm is still a symlink to /usr/lib/sysimage/rpm
-        * so /var/lib/rpm still works. So /var/lib/rpm is a dbpath that will work on all systems.
-        * Therefore, set the dbpath to be /var/lib/rpm, allow openscap running on any system to scan any system.
-        */
-        rpmPushMacro(NULL, "_dbpath", NULL, "/var/lib/rpm", RMIL_CMDLINE);
-
+	set_rpm_db_path();
 	g_rpm->rpmts = rpmtsCreate();
 	pthread_mutex_init (&(g_rpm->mutex), NULL);
 

src/OVAL/probes/unix/linux/rpmverify_probe.c

@@ -236,16 +236,7 @@ void *rpmverify_probe_init(void)
                 return (NULL);
         }
 
-        /*
-        * Fedora >=36 changed the default dbpath in librpm from /var/lib/rpm to /usr/lib/sysimage/rpm
-        * See: https://fedoraproject.org/wiki/Changes/RelocateRPMToUsr
-        * Therefore, when running openscap on a Fedora >=36 system scanning another systems (such as RHEL, SLES, Fedora<36)
-        * openscap's librpm will try to read the rpm db from /usr/lib/sysimage/rpm which doesn't exist and therefore won't work.
-        * In implementing this change, /var/lib/rpm is still a symlink to /usr/lib/sysimage/rpm
-        * so /var/lib/rpm still works. So /var/lib/rpm is a dbpath that will work on all systems.
-        * Therefore, set the dbpath to be /var/lib/rpm, allow openscap running on any system to scan any system.
-        */
-        rpmPushMacro(NULL, "_dbpath", NULL, "/var/lib/rpm", RMIL_CMDLINE);
+	set_rpm_db_path();
 
 	struct rpm_probe_global *g_rpm = malloc(sizeof(struct rpm_probe_global));
 	g_rpm->rpmts = rpmtsCreate();

src/OVAL/probes/unix/linux/rpmverifyfile_probe.c

@@ -358,16 +358,7 @@ void *rpmverifyfile_probe_init(void)
 
 	struct rpm_probe_global *g_rpm = malloc(sizeof(struct rpm_probe_global));
 
-	/*
-	* Fedora >=36 changed the default dbpath in librpm from /var/lib/rpm to /usr/lib/sysimage/rpm
-	* See: https://fedoraproject.org/wiki/Changes/RelocateRPMToUsr
-	* Therefore, when running openscap on a Fedora >=36 system scanning another systems (such as RHEL, SLES, Fedora<36)
-	* openscap's librpm will try to read the rpm db from /usr/lib/sysimage/rpm which doesn't exist and therefore won't work.
-	* In implementing this change, /var/lib/rpm is still a symlink to /usr/lib/sysimage/rpm
-	* so /var/lib/rpm still works. So /var/lib/rpm is a dbpath that will work on all systems.
-	* Therefore, set the dbpath to be /var/lib/rpm, allow openscap running on any system to scan any system.
-	*/
-	rpmPushMacro(NULL, "_dbpath", NULL, "/var/lib/rpm", RMIL_CMDLINE);
+	set_rpm_db_path();
 
 	g_rpm->rpmts = rpmtsCreate();
 

src/OVAL/probes/unix/linux/rpmverifypackage_probe.c

@@ -354,16 +354,6 @@ void *rpmverifypackage_probe_init(void)
 		return ((void *)g_rpm);
 	}
 
-	/*
-	* Fedora >=36 changed the default dbpath in librpm from /var/lib/rpm to /usr/lib/sysimage/rpm
-	* See: https://fedoraproject.org/wiki/Changes/RelocateRPMToUsr
-	* Therefore, when running openscap on a Fedora >=36 system scanning another systems (such as RHEL, SLES, Fedora<36)
-	* openscap's librpm will try to read the rpm db from /usr/lib/sysimage/rpm which doesn't exist and therefore won't work.
-	* In implementing this change, /var/lib/rpm is still a symlink to /usr/lib/sysimage/rpm
-	* so /var/lib/rpm still works. So /var/lib/rpm is a dbpath that will work on all systems.
-	* Therefore, set the dbpath to be /var/lib/rpm, allow openscap running on any system to scan any system.
-	*/
-	rpmPushMacro(NULL, "_dbpath", NULL, "/var/lib/rpm", RMIL_CMDLINE);
 
 	g_rpm->rpm.rpmts = rpmtsCreate();
 
@@ -377,6 +367,7 @@ void *rpmverifypackage_probe_init(void)
 		rpmtsSetRootDir(g_rpm->rpm.rpmts, CHROOT_PATH());
 	}
 
+	set_rpm_db_path();
 	pthread_mutex_init(&(g_rpm->rpm.mutex), NULL);
 	return ((void *)g_rpm);
 }

src/SCE/sce_engine.c

@@ -370,6 +370,7 @@ xccdf_test_result_type_t sce_engine_eval_rule(struct xccdf_policy *policy, const
 		struct xccdf_check_import_iterator *check_import_it,
 		void *usr)
 {
+	dI("Executing SCE check '%s'", href);
 	struct sce_parameters* parameters = (struct sce_parameters*)usr;
 	const char* xccdf_directory = parameters->xccdf_directory;
 	bool use_sce_wrapper = false; // use osca-run-sce-script ?

src/XCCDF_POLICY/xccdf_policy.c

@@ -588,6 +588,16 @@ _xccdf_policy_rule_get_applicable_check(struct xccdf_policy *policy, struct xccd
 			struct xccdf_check *check = xccdf_check_iterator_next(candidate_it);
 			if (_xccdf_policy_is_engine_registered(policy, (char *) xccdf_check_get_system(check))) {
 				result = check;
+				char *preferred_engine = getenv("OSCAP_PREFERRED_ENGINE");
+				if (preferred_engine) {
+					if (strcmp("SCE", preferred_engine) && strcmp("OVAL", preferred_engine))  {
+						dW("Unknown value of OSCAP_PREFFERED_ENGINE: '%s'. It will be ignored.", preferred_engine);
+					}
+					if ((!strcmp("SCE", preferred_engine) && !strcmp("http://open-scap.org/page/SCE", check->system)) ||
+							(!strcmp("OVAL", preferred_engine) && !strcmp("http://oval.mitre.org/XMLSchema/oval-definitions-5", check->system))) {
+						break;
+					}
+				}
 			} else if (strcmp("http://oval.mitre.org/XMLSchema/oval-definitions-5", check->system) == 0) {
 				print_oval_warning = true;
 			} else if (strcmp("http://scap.nist.gov/schema/ocil/2", check->system) == 0) {