
Ignore prodtype when building Benchmark and include only rules that
are part of a Profile

WIP
evgenyz committed Dec 13, 2023
1 parent 4db8089 commit 5df35b5
Showing 11 changed files with 356 additions and 49 deletions.
Expand Up @@ -63,4 +63,4 @@ ocil: |-
template:
name: audit_rules_privileged_commands
vars:
path@sle15: /sbin/unix2_chkpwd
path: /sbin/unix2_chkpwd
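Review bot: Dropping the `@sle15` qualifier on the `path` var makes `/sbin/unix2_chkpwd` the audited path for every product rather than only SLE 15, and since this commit stops filtering rules by prodtype the only thing keeping the rule out of other products' benchmarks is profile selection. As far as I know `unix2_chkpwd` is the SUSE PAM helper and other distributions ship `unix_chkpwd` instead, so a non-SUSE profile that selects this rule would render an audit watch on a path that does not exist there. If that is intended, a comment next to the var such as `# unix2_chkpwd is SUSE-specific; select this rule only from SUSE profiles` would record the assumption. The rule file's path is not shown on this page.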
Expand Up @@ -3,17 +3,17 @@
{{{ oval_metadata("Disable the GNOME Display Manager (GDM) ability to allow users to
automatically login.") }}}
<criteria operator="AND">
<criterion comment="Disable GDM Automatic Login" test_ref="test_disable_automatic_login" />
<criterion comment="Disable GDM Automatic Login" test_ref="test_disable_unattended_automatic_login" />
<criterion comment="Disable GDM Password Less Login" test_ref="test_disable_unattended_login" />
</criteria>
</definition>

<ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="Disable GDM Automatic Login"
id="test_disable_automatic_login" version="1">
<ind:object object_ref="obj_disable_automatic_login" />
id="test_disable_unattended_automatic_login" version="1">
<ind:object object_ref="obj_disable_unattended_automatic_login" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_disable_automatic_login"
<ind:textfilecontent54_object id="obj_disable_unattended_automatic_login"
version="1">
<ind:filepath>/etc/sysconfig/displaymanager</ind:filepath>
<ind:pattern operation="pattern match">^DISPLAYMANAGER_AUTOLOGIN=""$</ind:pattern>
@@ -1,18 +1,18 @@
{{% macro fedora_gpgkey_criterion(fedora_version, pkg_release, pkg_version) %}}
<criterion comment="Fedora {{{ fedora_version }}} package gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}} is installed"
test_ref="test_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" />
test_ref="test_fedora_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" />
{{% endmacro %}}

{{% macro fedora_gpgkey_check(fedora_version, pkg_release, pkg_version) %}}
<!-- Test for Fedora {{{ fedora_version }}} release key -->
<linux:rpminfo_test check="only one" check_existence="at_least_one_exists"
id="test_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" version="1"
id="test_fedora_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" version="1"
comment="Fedora {{{ pkg_version }}} release key package is installed">
<linux:object object_ref="object_package_gpg-pubkey" />
<linux:state state_ref="state_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" />
<linux:object object_ref="object_fedora_package_gpg-pubkey" />
<linux:state state_ref="state_fedora_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" />
</linux:rpminfo_test>

<linux:rpminfo_state id="state_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" version="1">
<linux:rpminfo_state id="state_fedora_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" version="1">
<linux:release>{{{ pkg_release }}}</linux:release>
<linux:version>{{{ pkg_version }}}</linux:version>
</linux:rpminfo_state>
Expand All @@ -32,8 +32,8 @@
</criteria>
</definition>

<!-- First define global "object_package_gpg-pubkey" to be shared (reused) across multiple tests -->
<linux:rpminfo_object id="object_package_gpg-pubkey" version="1">
<!-- First define global "object_fedora_package_gpg-pubkey" to be shared (reused) across multiple tests -->
<linux:rpminfo_object id="object_fedora_package_gpg-pubkey" version="1">
<linux:name>gpg-pubkey</linux:name>
</linux:rpminfo_object>

Expand Up @@ -9,43 +9,43 @@
</criteria>
<criteria comment="Oracle Vendor Keys Installed" operator="OR">
<criterion comment="package gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}} is installed"
test_ref="test_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" />
test_ref="test_oracle_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" />
{{% if aux_pkg_version %}}
<criterion comment="package gpg-pubkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}} is installed"
test_ref="test_package_gpgkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}_installed" />
test_ref="test_oracle_package_gpgkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}_installed" />
{{% endif %}}
</criteria>
</criteria>
</definition>

<!-- First define global "object_package_gpg-pubkey" to be shared (reused) across multiple tests -->
<linux:rpminfo_object id="object_package_gpg-pubkey" version="1">
<!-- First define global "object_oracle_package_gpg-pubkey" to be shared (reused) across multiple tests -->
<linux:rpminfo_object id="object_oracle_package_gpg-pubkey" version="1">
<linux:name>gpg-pubkey</linux:name>
</linux:rpminfo_object>

<!-- Test for Oracle release key -->
<linux:rpminfo_test check="only one" check_existence="at_least_one_exists"
id="test_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" version="1"
id="test_oracle_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" version="1"
comment="Oracle release key package is installed">
<linux:object object_ref="object_package_gpg-pubkey" />
<linux:state state_ref="state_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" />
<linux:object object_ref="object_oracle_package_gpg-pubkey" />
<linux:state state_ref="state_oracle_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" />
</linux:rpminfo_test>

<linux:rpminfo_state id="state_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" version="1">
<linux:rpminfo_state id="state_oracle_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" version="1">
<linux:release>{{{ pkg_release }}}</linux:release>
<linux:version>{{{ pkg_version }}}</linux:version>
</linux:rpminfo_state>

<!-- Test for Oracle auxiliary key -->
{{% if aux_pkg_version %}}
<linux:rpminfo_test check="only one" check_existence="at_least_one_exists"
id="test_package_gpgkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}_installed" version="1"
id="test_oracle_package_gpgkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}_installed" version="1"
comment="Oracle auxiliary key package is installed">
<linux:object object_ref="object_package_gpg-pubkey" />
<linux:state state_ref="state_package_gpg-pubkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}" />
<linux:object object_ref="object_oracle_package_gpg-pubkey" />
<linux:state state_ref="state_oracle_package_gpg-pubkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}" />
</linux:rpminfo_test>

<linux:rpminfo_state id="state_package_gpg-pubkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}" version="1">
<linux:rpminfo_state id="state_oracle_package_gpg-pubkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}" version="1">
<linux:release>{{{ aux_pkg_release }}}</linux:release>
<linux:version>{{{ aux_pkg_version }}}</linux:version>
</linux:rpminfo_state>
Expand Up @@ -12,63 +12,63 @@
<extend_definition comment="{{{ product }}} installed" definition_ref="installed_OS_is_{{{ product }}}" />
</criteria>
<criterion comment="package gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}} is installed"
test_ref="test_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" />
test_ref="test_redhat_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" />
<criteria comment="Auxiliary Red Hat Key Installed" operator="OR">
<criterion comment="package gpg-pubkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}} is installed"
test_ref="test_package_gpgkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}_installed" />
test_ref="test_redhat_package_gpgkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}_installed" />
</criteria>
</criteria>
{{%- if centos_major_version %}}
<criteria comment="CentOS Vendor Keys" operator="AND">
<extend_definition comment="CentOS{{{ centos_major_version }}} installed" definition_ref="installed_OS_is_centos{{{ centos_major_version }}}" />
<criterion comment="package gpg-pubkey-{{{ centos_pkg_version }}}-{{{ centos_pkg_release }}} is installed"
test_ref="test_package_gpgkey-{{{ centos_pkg_version }}}-{{{ centos_pkg_release }}}_installed" />
test_ref="test_redhat_package_gpgkey-{{{ centos_pkg_version }}}-{{{ centos_pkg_release }}}_installed" />
</criteria>
{{%- endif %}}
</criteria>
</definition>

<!-- First define global "object_package_gpg-pubkey" to be shared (reused) across multiple tests -->
<linux:rpminfo_object id="object_package_gpg-pubkey" version="1">
<!-- First define global "object_redhat_package_gpg-pubkey" to be shared (reused) across multiple tests -->
<linux:rpminfo_object id="object_redhat_package_gpg-pubkey" version="1">
<linux:name>gpg-pubkey</linux:name>
</linux:rpminfo_object>

<!-- Perform the particular tests themselves -->
<!-- Test for Red Hat release key -->
<linux:rpminfo_test check="only one" check_existence="at_least_one_exists"
id="test_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" version="1"
id="test_redhat_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" version="1"
comment="Red Hat release key package is installed">
<linux:object object_ref="object_package_gpg-pubkey" />
<linux:state state_ref="state_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" />
<linux:object object_ref="object_redhat_package_gpg-pubkey" />
<linux:state state_ref="state_redhat_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" />
</linux:rpminfo_test>

<linux:rpminfo_state id="state_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" version="1">
<linux:rpminfo_state id="state_redhat_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" version="1">
<linux:release>{{{ pkg_release }}}</linux:release>
<linux:version>{{{ pkg_version }}}</linux:version>
</linux:rpminfo_state>

<!-- Test for Red Hat auxiliary key -->
<linux:rpminfo_test check="only one" check_existence="at_least_one_exists"
id="test_package_gpgkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}_installed" version="1"
id="test_redhat_package_gpgkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}_installed" version="1"
comment="Red Hat auxiliary key package is installed">
<linux:object object_ref="object_package_gpg-pubkey" />
<linux:state state_ref="state_package_gpg-pubkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}" />
<linux:object object_ref="object_redhat_package_gpg-pubkey" />
<linux:state state_ref="state_redhat_package_gpg-pubkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}" />
</linux:rpminfo_test>

<linux:rpminfo_state id="state_package_gpg-pubkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}" version="1">
<linux:rpminfo_state id="state_redhat_package_gpg-pubkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}" version="1">
<linux:release>{{{ aux_pkg_release }}}</linux:release>
<linux:version>{{{ aux_pkg_version }}}</linux:version>
</linux:rpminfo_state>

{{%- if centos_major_version %}}
<linux:rpminfo_test check="only one" check_existence="at_least_one_exists"
id="test_package_gpgkey-{{{ centos_pkg_version }}}-{{{ centos_pkg_release }}}_installed" version="1"
id="test_redhat_package_gpgkey-{{{ centos_pkg_version }}}-{{{ centos_pkg_release }}}_installed" version="1"
comment="CentOS{{{ centos_major_version }}} key package is installed">
<linux:object object_ref="object_package_gpg-pubkey" />
<linux:state state_ref="state_package_gpg-pubkey-{{{ centos_pkg_version }}}-{{{ centos_pkg_release }}}" />
<linux:object object_ref="object_redhat_package_gpg-pubkey" />
<linux:state state_ref="state_redhat_package_gpg-pubkey-{{{ centos_pkg_version }}}-{{{ centos_pkg_release }}}" />
</linux:rpminfo_test>

<linux:rpminfo_state id="state_package_gpg-pubkey-{{{ centos_pkg_version }}}-{{{ centos_pkg_release }}}" version="1">
<linux:rpminfo_state id="state_redhat_package_gpg-pubkey-{{{ centos_pkg_version }}}-{{{ centos_pkg_release }}}" version="1">
<linux:release>{{{ centos_pkg_release }}}</linux:release>
<linux:version>{{{ centos_pkg_version }}}</linux:version>
</linux:rpminfo_state>
Expand Up @@ -9,26 +9,26 @@
<extend_definition comment="{{{ product }}} installed" definition_ref="installed_OS_is_{{{ product }}}" />
</criteria>
<criterion comment="package gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}} is installed"
test_ref="test_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" />
test_ref="test_suse_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" />
</criteria>
</criteria>
</definition>

<!-- First define global "object_package_gpg-pubkey" to be shared (reused) across multiple tests -->
<linux:rpminfo_object id="object_package_gpg-pubkey" version="1">
<!-- First define global "object_suse_package_gpg-pubkey" to be shared (reused) across multiple tests -->
<linux:rpminfo_object id="object_suse_package_gpg-pubkey" version="1">
<linux:name>gpg-pubkey</linux:name>
</linux:rpminfo_object>

<!-- Perform the particular tests themselves -->
<!-- Test for SUSE release key -->
<linux:rpminfo_test check="only one" check_existence="at_least_one_exists"
id="test_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" version="1"
id="test_suse_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" version="1"
comment="SUSE build key package is installed">
<linux:object object_ref="object_package_gpg-pubkey" />
<linux:state state_ref="state_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" />
<linux:object object_ref="object_suse_package_gpg-pubkey" />
<linux:state state_ref="state_suse_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" />
</linux:rpminfo_test>

<linux:rpminfo_state id="state_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" version="1">
<linux:rpminfo_state id="state_suse_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" version="1">
<linux:release>{{{ pkg_release }}}</linux:release>
<linux:version>{{{ pkg_version }}}</linux:version>
</linux:rpminfo_state>
18 changes: 17 additions & 1 deletion ssg/build_yaml.py
Expand Up @@ -336,6 +336,13 @@ def unselect_empty_groups(self):
for p in self.profiles:
p.unselect_empty_groups(self)

def drop_rules_not_included_in_a_profile(self):
selected_profiles = set()
for p in self.profiles:
selected_profiles.update(p.selected)
for g in self.groups.values():
g.remove_rules_with_ids_not_listed(selected_profiles)

def to_xml_element(self, env_yaml=None, product_cpes=None):
root = ET.Element('{%s}Benchmark' % XCCDF12_NS)
root.set('id', OSCAP_BENCHMARK + self.id_)
Expand Down Expand Up @@ -631,6 +638,11 @@ def _add_child(self, child, childs, env_yaml=None, product_cpes=None):
child.inherited_platforms.update(self.platforms, self.inherited_platforms)
childs[child.id_] = child

def remove_rules_with_ids_not_listed(self, rule_ids_list):
self.rules = dict(filter(lambda el, ids=rule_ids_list: el[0] in ids, self.rules.items()))
for group in self.groups.values():
group.remove_rules_with_ids_not_listed(rule_ids_list)

def __str__(self):
return self.id_

Expand Down Expand Up @@ -1364,7 +1376,10 @@ def _process_rule(self, rule):
(rule.id_, self.components_dir))
prodtypes = parse_prodtype(rule.prodtype)
if "all" not in prodtypes and self.product not in prodtypes:
return False
pass
# print(f"Rule prodtype is not compatible: {rule.id_}")
# rule.incompatible = True
# rule.conflicts.append('prodtype')
self.all_rules[rule.id_] = rule
self.loaded_group.add_rule(
rule, env_yaml=self.env_yaml, product_cpes=self.product_cpes)
Expand Down Expand Up @@ -1456,6 +1471,7 @@ def load_benchmark(self, directory):
except KeyError as exc:
# Add only the groups we have compiled and loaded
pass
self.benchmark.drop_rules_not_included_in_a_profile()
self.benchmark.unselect_empty_groups()

def load_compiled_content(self):
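Review bot: In the `_process_rule` hunk the prodtype branch now ends in a bare `pass` followed by three commented-out lines, so a rule whose prodtype excludes `self.product` is stored in `self.all_rules` and added to the group exactly like a compatible one, and nothing downstream records the mismatch; `drop_rules_not_included_in_a_profile` keeps whatever a profile selects regardless of prodtype, so a mis-selected rule ends up in the product's benchmark silently. Either delete the `if` entirely or make the comment real, e.g. `if "all" not in prodtypes and self.product not in prodtypes:` / `    rule.conflicts.append('prodtype')`, so that `Profile.validate_rules` can reject or warn on such selections (the Rule entity would need the `conflicts` list the commented code assumes, which this page does not show); `_process_rule` begins outside the hunk. In `remove_rules_with_ids_not_listed` the `dict(filter(lambda el, ids=rule_ids_list: ...))` reads more clearly as `self.rules = {rid: r for rid, r in self.rules.items() if rid in rule_ids_list}`, and since the caller passes a set, `rule_ids` would be a truer parameter name than `rule_ids_list`. If the no-op branch must stay for now, a `# TODO(owner): record prodtype conflict instead of ignoring it` is better than commented-out code in a merged build step.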
8 changes: 8 additions & 0 deletions ssg/entities/profile_base.py
Expand Up @@ -37,6 +37,7 @@ class Profile(XCCDFEntity, SelectionHandler):
KEYS = dict(
description=lambda: "",
extends=lambda: "",
hidden=lambda: "",
metadata=lambda: None,
reference=lambda: None,
selections=lambda: list(),
Expand Down Expand Up @@ -112,6 +113,9 @@ def _should_have_version(self):
'version'] is not None

def to_xml_element(self):
if self.hidden:
return ET.Comment('Default Profile')

element = ET.Element('{%s}Profile' % XCCDF12_NS)
element.set("id", OSCAP_PROFILE + self.id_)
if self._should_have_version():
Expand Down Expand Up @@ -207,6 +211,7 @@ def validate_variables(self, variables):

def validate_rules(self, rules, groups):
existing_rule_ids = [r.id_ for r in rules]
# prodtype_conflicting_rules = [r.id_ for r in rules if 'prodtype' in r.conflicts]
rule_selectors = self.get_rule_selectors()
for id_ in rule_selectors:
if id_ in groups:
Expand All @@ -226,6 +231,8 @@ def validate_rules(self, rules, groups):
.format(rule_id=id_, profile_id=self.id_)
)
raise ValueError(msg)
# if id_ in prodtype_conflicting_rules:
# print(f"We have a prodtype conflict in profile {self.id_}, rule: {id_}")

def _find_empty_groups(self, group, profile_rules):
is_empty = True
Expand Down Expand Up @@ -262,6 +269,7 @@ def __sub__(self, other):
profile.extends = self.extends
profile.platforms = self.platforms
profile.platform = self.platform
profile.hidden = self.hidden
profile.selected = list(set(self.selected) - set(other.selected))
profile.selected.sort()
profile.unselected = list(set(self.unselected) - set(other.unselected))
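Review bot: `validate_rules` now carries the prodtype check only as the commented-out lines `# prodtype_conflicting_rules = ...` and `# if id_ in prodtype_conflicting_rules: print(...)`, so once this commit stops filtering rules by prodtype there is no place left that detects a profile selecting a rule its product does not support; either implement the check (a `ValueError` like the two the method already raises, or at least a logged warning) or remove the comments, and note that the method body between the two hunks is not shown here. `hidden=lambda: ""` in `KEYS` defaults a flag to an empty string; `hidden=lambda: False` states the intent and still satisfies the `if self.hidden:` test in `to_xml_element`. Returning `ET.Comment('Default Profile')` from `to_xml_element` hands callers a comment node where they previously always received a `Profile` element, which is fine for a plain `append` but should be checked against any caller that reads the returned element's id; those callers are not on this page. `__sub__` copies `hidden`, but whether the other profile-copying paths do is not visible here.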
