Allow preferring SCE #2165

Merged: 2 commits, Oct 17, 2024

jan-cerny
Member

This commit introduces a new environment variable `OSCAP_PREFERRED_ENGINE`. This variable allows users to set a preferred check engine for XCCDF rules. If a rule has multiple checks, the checks for the preferred check engine will be used. Allowed values: `SCE`, `OVAL`. If this variable is set to `SCE` and a rule has both SCE and OVAL checks the SCE check will be used. If this variable is set to `OVAL` and a rule has both SCE and OVAL checks the OVAL check will be used. If this environment variable isn't set, the standard XCCDF mechanism will be used for check selection.

This will allow us to explicitly prefer SCE checks when executing `oscap` in Containerfile in the `podman build` process when building hardened bootc images.

Also a small test is added to test this feature.
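An added example, not part of the PR or of OpenSCAP's code: a small Python audit that lists the rules in an XCCDF 1.2 benchmark carrying both SCE and OVAL checks, that is, the rules whose check source changes with `OSCAP_PREFERRED_ENGINE`. The sample benchmark, rule ids and file names are constructed, and rejecting unknown values is this script's own choice, not a statement about what `oscap` does.

```python
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.2}"
# Check system URIs found in <check system="..."> for each engine.
ENGINES = {
    "OVAL": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "SCE": "http://open-scap.org/page/SCE",
}

# Constructed sample benchmark; ids and hrefs are made up for illustration.
SAMPLE = f"""<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.example_benchmark_demo">
  <Rule id="xccdf_org.example_rule_both">
    <check system="{ENGINES['OVAL']}">
      <check-content-ref href="oval.xml" name="oval:org.example:def:1"/>
    </check>
    <check system="{ENGINES['SCE']}">
      <check-content-ref href="checks/both.sh"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_oval_only">
    <check system="{ENGINES['OVAL']}">
      <check-content-ref href="oval.xml" name="oval:org.example:def:2"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_sce_only">
    <check system="{ENGINES['SCE']}">
      <check-content-ref href="checks/sce_only.sh"/>
    </check>
  </Rule>
</Benchmark>"""

def rules_affected(xccdf_text, preferred):
    """Map each rule that has both SCE and OVAL checks to the content
    hrefs of the check belonging to the preferred engine."""
    if preferred not in ENGINES:
        raise ValueError(f"preferred engine must be one of {sorted(ENGINES)}")
    affected = {}
    for rule in ET.fromstring(xccdf_text).iter(NS + "Rule"):
        hrefs = {}
        # Only direct <check> children; <complex-check> trees are not walked.
        for check in rule.findall(NS + "check"):
            refs = [r.get("href") for r in check.findall(NS + "check-content-ref")]
            hrefs.setdefault(check.get("system"), []).extend(refs)
        if all(uri in hrefs for uri in ENGINES.values()):
            affected[rule.get("id")] = hrefs[ENGINES[preferred]]
    return affected

if __name__ == "__main__":
    for engine in ENGINES:
        print(engine, rules_affected(SAMPLE, engine))
```

Rules with a check for only one engine are left out of the result because the preference does not change which check they use.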

@jan-cerny jan-cerny added the Image Mode Bootable containers and Image Mode RHEL label Oct 15, 2024
@jan-cerny jan-cerny marked this pull request as ready for review October 15, 2024 09:23
@jan-cerny
Member Author

I have added a test for the unknown value.
I have marked this PR as ready for review.

@matusmarhefka matusmarhefka self-assigned this Oct 16, 2024
@matusmarhefka matusmarhefka added this to the 1.3.11 milestone Oct 16, 2024
@matusmarhefka matusmarhefka merged commit 97d8831 into OpenSCAP:maint-1.3 Oct 17, 2024
10 checks passed