Add --raw switch to xccdf generate fix module

The option would allow the user to generate fix scripts without headers and boilerplate. Currently implemented for Kickstart remediation type.
OpenSCAP · Aug 13, 2024 · 738fd0f · 738fd0f
1 parent fbf3e3c
commit 738fd0f
Show file tree

Hide file tree

Showing 8 changed files with 163 additions and 59 deletions.
diff --git a/src/XCCDF_POLICY/public/xccdf_policy.h b/src/XCCDF_POLICY/public/xccdf_policy.h
@@ -518,9 +518,10 @@ OSCAP_API bool xccdf_policy_resolve(struct xccdf_policy * policy);
  * @param input_file_name file name of the input SCAP file
  * @param tailoring input tailoring file (parsed as oscap source)
  * @param output_fd write prescription to this file descriptor
+ * @param raw controls verbosiness of generated remediation files (if greater than zero, the function won't add commentaries and optional boilerplate instructions)
  * @returns zero on success, non-zero indicate partial (incomplete) output.
  */
-OSCAP_API int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *result, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int output_fd);
+OSCAP_API int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *result, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int output_fd, int raw);
 
 /**
  * xccdf_policy_model_get_files and xccdf_item_get_files each return oscap_file_entries instead of raw strings

diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt
@@ -78,6 +78,7 @@ add_oscap_test("test_single_rule_stigw.sh")
 add_oscap_test("test_remediation_simple.sh")
 add_oscap_test("test_remediation_offline.sh")
 add_oscap_test("test_remediation_kickstart.sh")
+add_oscap_test("test_remediation_kickstart_raw.sh")
 add_oscap_test("test_remediation_metadata.sh")
 add_oscap_test("test_remediation_blueprint.sh")
 add_oscap_test("test_remediation_bad_fix.sh")

diff --git a/tests/API/XCCDF/unittests/test_remediation_kickstart_expected.cfg b/tests/API/XCCDF/unittests/test_remediation_kickstart_expected.cfg
@@ -24,12 +24,12 @@
 ###############################################################################
 
 
-# Default values for automated installation
+# Default values for automated installation (optional)
 lang en_US.UTF-8
 keyboard --vckeymap us
 timezone --utc America/New_York
 
-# Root password is required for system rescue tasks
+# Root password is required for system rescue tasks (optional)
 rootpw changeme
 
 # Create partition layout scheme (required for security compliance)

diff --git a/tests/API/XCCDF/unittests/test_remediation_kickstart_expected_raw.cfg b/tests/API/XCCDF/unittests/test_remediation_kickstart_expected_raw.cfg
@@ -0,0 +1,49 @@
+# %partitions
+zerombr
+clearpart --all --initlabel
+reqpart --add-boot
+part pv.01 --grow --size=1
+volgroup system pv.01
+logvol / --name=root --vgname=system --size=2000 --grow
+logvol swap --name=swap --vgname=system --size=1000
+# %logvols
+logvol /var/tmp --name=vartmp --vgname=system --size=1024
+# %end
+
+bootloader --append="quick audit=1"
+
+%addon com_redhat_kdump --disable
+%end
+
+firewall --remove-service=httpd --service=sshd
+
+services --disabled=telnet,httpd --enabled=auditd,rsyslog,sshd
+
+%packages
+openscap-scanner
+scap-security-guide
+rsyslog
+openssh-server
+podman
+-usbguard
+%end
+
+%post --erroronfail
+oscap xccdf eval --remediate --results-arf /root/oscap_arf.xml --report /root/oscap_report.html --profile 'xccdf_org.openscap.www_profile_common' /usr/share/xml/scap/ssg/content/test_remediation_kickstart.ds.xml
+[ $? -eq 0 -o $? -eq 2 ] || exit 1
+%end
+
+%post --nochroot
+          mkdir -p /etc/ddfds
+%end
+
+%post --nochroot
+          mkdir -p /etc/abcd
+%end
+
+%post
+          rm -rf /etc/xyz
+          # create a new path
+          feel /etc/xyz
+%end
+
diff --git a/tests/API/XCCDF/unittests/test_remediation_kickstart_raw.sh b/tests/API/XCCDF/unittests/test_remediation_kickstart_raw.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+. $builddir/tests/test_common.sh
+
+set -e -o pipefail
+
+function test_raw {
+    kickstart=$(mktemp)
+    stderr=$(mktemp)
+    expected_modified=$(mktemp)
+
+    sed "s;TEST_DATA_STREAM_PATH;$srcdir/test_remediation_kickstart.ds.xml;" "$srcdir/test_remediation_kickstart_expected_raw.cfg" > "$expected_modified"
+
+    $OSCAP xccdf generate fix --fix-type kickstart --raw --output "$kickstart" --profile common "$srcdir/test_remediation_kickstart.ds.xml"
+
+    diff -u "$expected_modified" "$kickstart"
+
+    rm -rf "$kickstart"
+    rm -rf "$stderr"
+    rm -rf "$expected_modified"
+    rm -rf "$kickstart_modified"
+}
+
+test_raw
diff --git a/utils/oscap-tool.h b/utils/oscap-tool.h
@@ -161,6 +161,7 @@ struct oscap_action {
 	char *local_files;
 	char *reference;
 	int references;
+	int raw;
 };
 
 int app_xslt(const char *infile, const char *xsltfile, const char *outfile, const char **params);

diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
@@ -283,6 +283,7 @@ static struct oscap_module XCCDF_GEN_FIX = {
 		"   --fix-type <type>             - Fix type. Should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes,\n"
 		"                                   blueprint, kickstart (default: bash).\n"
 		"   --output <file>               - Write the script into file.\n"
+		"   --raw                         - Don't write extra headers or boilerplate instructions, only compose the content snippets.\n"
 		"   --result-id <id>              - Fixes will be generated for failed rule-results of the specified TestResult.\n"
 		"   --benchmark-id <id>           - ID of XCCDF Benchmark in some component in the data stream that should be used.\n"
 		"                                   (only applicable for source data streams)\n"
@@ -1041,7 +1042,7 @@ int app_generate_fix(const struct oscap_action *action)
 
 		struct xccdf_policy *policy = xccdf_session_get_xccdf_policy(session);
 		struct xccdf_result *result = xccdf_policy_get_result_by_id(policy, xccdf_session_get_result_id(session));
-		if (xccdf_policy_generate_fix(policy, result, remediation_system, action->f_xccdf, tailoring, output_fd) == 0)
+		if (xccdf_policy_generate_fix(policy, result, remediation_system, action->f_xccdf, tailoring, output_fd, action->raw) == 0)
 			ret = OSCAP_OK;
 	} else { // Fallback to profile if result id is missing
 		/* Profile-oriented fixes */
@@ -1055,7 +1056,7 @@ int app_generate_fix(const struct oscap_action *action)
 			}
 		}
 		struct xccdf_policy *policy = xccdf_session_get_xccdf_policy(session);
-		if (xccdf_policy_generate_fix(policy, NULL, remediation_system, action->f_xccdf, tailoring, output_fd) == 0)
+		if (xccdf_policy_generate_fix(policy, NULL, remediation_system, action->f_xccdf, tailoring, output_fd, action->raw) == 0)
 			ret = OSCAP_OK;
 	}
 cleanup2:
@@ -1243,8 +1244,9 @@ bool getopt_xccdf(int argc, char **argv, struct oscap_action *action)
 		{"hide-profile-info",	no_argument, &action->hide_profile_info, 1},
 		{"export-variables",	no_argument, &action->export_variables, 1},
 		{"skip-schematron",     no_argument, &action->schematron, 0},
-		{"without-syschar",    no_argument, &action->without_sys_chars, 1},
+		{"without-syschar",     no_argument, &action->without_sys_chars, 1},
 		{"thin-results",        no_argument, &action->thin_results, 1},
+		{"raw",                 no_argument, &action->raw, 1},
 	// end
 		{0, 0, 0, 0}
 	};