account for fips=1 installs with a unique VM tag

Signed-off-by: Jiri Jaburek <[email protected]>
RHSecurityCompliance · Feb 3, 2025 · 4351160 · 4351160
1 parent b322cfa
commit 4351160
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 10 deletions.
diff --git a/hardening/anaconda/test.py b/hardening/anaconda/test.py
@@ -10,6 +10,7 @@
 g = virt.Guest()
 
 _, variant, profile = util.get_test_name().rsplit('/', 2)
+with_fips = os.environ.get('WITH_FIPS') == '1'
 
 # use kickstart from content, not ours
 ks_file = util.get_kickstart(profile)
@@ -34,7 +35,7 @@
 
     g.install(
         kickstart=ks,
-        kernel_args=['fips=1'] if os.environ.get('WITH_FIPS') == '1' else None,
+        kernel_args=['fips=1'] if with_fips else None,
     )
 
 with g.booted():

diff --git a/hardening/ansible/test.py b/hardening/ansible/test.py
@@ -10,19 +10,29 @@
 virt.Host.setup()
 
 _, variant, profile = util.get_test_name().rsplit('/', 2)
+with_fips = os.environ.get('WITH_FIPS') == '1'
 
 if variant == 'with-gui':
-    g = virt.Guest('gui_with_oscap')
+    guest_tag = 'gui_with_oscap'
 elif variant == 'uefi':
-    g = virt.Guest('uefi_with_oscap')
+    guest_tag = 'uefi_with_oscap'
 else:
-    g = virt.Guest('minimal_with_oscap')
+    guest_tag = 'minimal_with_oscap'
+
+if with_fips:
+    guest_tag += '_fips'
+
+g = virt.Guest(guest_tag)
 
 if not g.can_be_snapshotted():
     ks = virt.Kickstart(partitions=partitions.partitions)
     if variant == 'with-gui':
         ks.packages.append('@Server with GUI')
-    g.install(kickstart=ks, secure_boot=(variant == 'uefi'))
+    g.install(
+        kickstart=ks,
+        secure_boot=(variant == 'uefi'),
+        kernel_args=['fips=1'] if with_fips else None,
+    )
     g.prepare_for_snapshot()
 
 # the VM guest ssh code doesn't use $HOME/.known_hosts, so Ansible blocks

diff --git a/hardening/kickstart/test.py b/hardening/kickstart/test.py
@@ -10,6 +10,7 @@
 g = virt.Guest()
 
 _, variant, profile = util.get_test_name().rsplit('/', 2)
+with_fips = os.environ.get('WITH_FIPS') == '1'
 
 oscap.unselect_rules(util.get_datastream(), 'remediation-ds.xml', remediation.excludes())
 
@@ -32,7 +33,7 @@
 g.install(
     kickstart=ks, rpmpack=rpmpack,
     secure_boot=(variant == 'uefi'),
-    kernel_args=['fips=1'] if os.environ.get('WITH_FIPS') == '1' else None,
+    kernel_args=['fips=1'] if with_fips else None,
 )
 
 with g.booted():

diff --git a/hardening/oscap/test.py b/hardening/oscap/test.py
@@ -1,19 +1,27 @@
 #!/usr/bin/python3
 
+import os
+
 from lib import util, results, virt, oscap
 from conf import remediation, partitions
 
 
 virt.Host.setup()
 
 _, variant, profile = util.get_test_name().rsplit('/', 2)
+with_fips = os.environ.get('WITH_FIPS') == '1'
 
 if variant == 'with-gui':
-    g = virt.Guest('gui_with_oscap')
+    guest_tag = 'gui_with_oscap'
 elif variant == 'uefi':
-    g = virt.Guest('uefi_with_oscap')
+    guest_tag = 'uefi_with_oscap'
 else:
-    g = virt.Guest('minimal_with_oscap')
+    guest_tag = 'minimal_with_oscap'
+
+if with_fips:
+    guest_tag += '_fips'
+
+g = virt.Guest(guest_tag)
 
 if not g.can_be_snapshotted():
     ks = virt.Kickstart(partitions=partitions.partitions)
@@ -22,7 +30,7 @@
     g.install(
         kickstart=ks,
         secure_boot=(variant == 'uefi'),
-        kernel_args=['fips=1'] if os.environ.get('WITH_FIPS') == '1' else None,
+        kernel_args=['fips=1'] if with_fips else None,
     )
     g.prepare_for_snapshot()