Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix Blueprint template to be self-contained #2081

Merged
merged 2 commits into from
Feb 21, 2024
Merged

Fix Blueprint template to be self-contained #2081

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d5204de
Fix Blueprint template to be self-contained
evgenyz Jan 31, 2024
0933cfe
Fix Blueprint template to be self-contained
evgenyz Feb 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 16 additions & 3 deletions src/XCCDF_POLICY/xccdf_policy_remediate.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1143,10 +1143,23 @@ static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_
} else if (oscap_streq(sys, "urn:redhat:osbuild:blueprint")) {
char *blueprint_fix_header = oscap_sprintf(
"%s"
"name = \"%s\"\n"
"name = \"hardened_%s\"\n"
"description = \"%s\"\n"
"version = \"%s\"\n",
fix_header, profile_id, profile_title, benchmark_version_info);
"version = \"%s\"\n\n"
"[customizations.openscap]\n"
"profile_id = \"%s\"\n"
"# If your hardening data stream is not part of the 'scap-security-guide' package\n"
"# provide the absolute path to it (from the root of the image filesystem).\n"
"# datastream = \"/usr/share/xml/scap/ssg/content/ssg-xxxxx-ds.xml\"\n\n"
"# If your hardening data stream is not part of the 'scap-security-guide' package\n"
"# you don't need this package to be installed in the image (section can be removed).\n"
"[[packages]]\n"
"name = \"scap-security-guide\"\n"
"version = \"*\"\n\n"
"[[packages]]\n"
"name = \"openscap-scanner\"\n"
"version = \"*\"\n\n",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I probably wouldn't do this.

The target system doesn't need scap-security-guide or openscap-scanner since the changes were already applied during image creation. It might be convenient in case the admin wants to run oscap from CLI to double-check, but it unnecessarily bloats the image.

Plus it might provide confusing results if the admin used datastream = for [customizations.openscap] since the installed scap-security-guide RPM will likely have different content version.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've removed these sections. By the time it hits downstream they won't be needed (they are implicit in the upstream of IB now).

fix_header, profile_id, profile_title, benchmark_version_info, profile_id);
free(fix_header);
free(profile_title);
return _write_text_to_fd_and_free(output_fd, blueprint_fix_header);
Expand Down
19 changes: 18 additions & 1 deletion tests/API/XCCDF/unittests/test_remediation_blueprint.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,26 @@
#
###############################################################################

name = "xccdf_moc.elpmaxe.www_profile_common"
name = "hardened_xccdf_moc.elpmaxe.www_profile_common"
description = "Profile title on one line"
version = "1.0"

[customizations.openscap]
profile_id = "xccdf_moc.elpmaxe.www_profile_common"
# If your hardening data stream is not part of the 'scap-security-guide' package
# provide the absolute path to it (from the root of the image filesystem).
# datastream = "/usr/share/xml/scap/ssg/content/ssg-xxxxx-ds.xml"

# If your hardening data stream is not part of the 'scap-security-guide' package
# you don't need this package to be installed in the image (section can be removed).
[[packages]]
name = "scap-security-guide"
version = "*"

[[packages]]
name = "openscap-scanner"
version = "*"

distro = rhel-80

[[packages]]
Expand Down
Loading