Fix Blueprint template to be self-contained

Now the generated Blueprint file will be ready-to-use right after generation unless a custom data stream is used for hardening. There are also instructions on how to adapt the Blueprint for a custom data stream.
OpenSCAP · Jan 31, 2024 · 51faf9f · 51faf9f
1 parent 6506089
commit 51faf9f
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 4 deletions.
diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -1143,10 +1143,23 @@ static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_
  } else if (oscap_streq(sys, "urn:redhat:osbuild:blueprint")) {
  char *blueprint_fix_header = oscap_sprintf(
  "%s"
- "name = \"%s\"\n"
+ "name = \"hardened_%s\"\n"
  "description = \"%s\"\n"
- "version = \"%s\"\n",
- fix_header, profile_id, profile_title, benchmark_version_info);
+ "version = \"%s\"\n\n"
+ "[customizations.openscap]\n"
+ "profile_id = \"%s\"\n"
+ "# If your hardening data stream is not part of the 'scap-security-guide' package\n"
+ "# provide the absolute path to it (from the root of the image filesystem).\n"
+ "# datastream = \"/usr/share/xml/scap/ssg/content/ssg-xxxxx-ds.xml\"\n\n"
+ "# If your hardening data stream is not part of the 'scap-security-guide' package\n"
+ "# you don't need this package to be part of the image (this section can be removed).\n"
+ "[[packages]]\n"
+ "name = \"scap-security-guide\"\n"
+ "version = \"*\"\n\n"
+ "[[packages]]\n"
+ "name = \"openscap-scanner\"\n"
+ "version = \"*\"\n\n",
+ fix_header, profile_id, profile_title, benchmark_version_info, profile_id);
  free(fix_header);
  free(profile_title);
  return _write_text_to_fd_and_free(output_fd, blueprint_fix_header);

diff --git a/tests/API/XCCDF/unittests/test_remediation_blueprint.toml b/tests/API/XCCDF/unittests/test_remediation_blueprint.toml
@@ -19,9 +19,26 @@
 #
 ###############################################################################
 
-name = "xccdf_moc.elpmaxe.www_profile_common"
+name = "hardened_xccdf_moc.elpmaxe.www_profile_common"
 description = "Profile title on one line"
 version = "1.0"
+
+[customizations.openscap]
+profile_id = "xccdf_moc.elpmaxe.www_profile_common"
+# If your hardening data stream is not part of the 'scap-security-guide' package
+# provide the absolute path to it (from the root of the image filesystem).
+# datastream = "/usr/share/xml/scap/ssg/content/ssg-xxxxx-ds.xml"
+
+# If your hardening data stream is not part of the 'scap-security-guide' package
+# you don't need this package to be part of the image (this section can be removed).
+[[packages]]
+name = "scap-security-guide"
+version = "*"
+
+[[packages]]
+name = "openscap-scanner"
+version = "*"
+
 distro = rhel-80
 
 [[packages]]