Pass OSCAP_BOOTC_BUILD variable to SCE checks #2189

Open
wants to merge 1 commit into base: maint-1.3

Conversation

jan-cerny (Member)

This change will cause the OSCAP_BOOTC_BUILD environment variable to be passed from the external environment into the environment of SCE checks.

The outcome is that the OSCAP_BOOTC_BUILD environment variable can be used inside SCE checks to differentiate between code that is supposed to run only while building a bootable container image, code that can't run while building a bootable container image, and code that can run in any environment.

This change will cause the `OSCAP_BOOTC_BUILD` environment variable to be
passed from the external environment into the environment of SCE checks.

The outcome is that the `OSCAP_BOOTC_BUILD` environment variable can be
used inside SCE checks to differentiate between code that is supposed to
run only while building a bootable container image, code that can't run
while building a bootable container image, and code that can run in any
environment.
jan-cerny added the Image Mode Bootable containers and Image Mode RHEL label Dec 17, 2024
jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this pull request Dec 17, 2024
This adds a new mechanism that allows content authors to control
the execution of SCE checks depending on the environment. They can
use the `environment` key to disable running their SCE check during a build
of a bootable container image, or, on the contrary, to disable running the
SCE check outside of the bootable container image build environment.

We need to distinguish generic SCE checks from SCE checks that are meant
to be executed only during the "podman build" phase of the bootable
containers. We need to have a way to specify that some code is special
for this environment. This way, we will prevent using SCE checks that
require DBUS or other special SCE checks. Also, it will prevent SCE
checks that are designed only for the bootable containers from being
executed in other scenarios.

This change depends on this OpenSCAP PR:
OpenSCAP/openscap#2189
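As an added example (not code from this PR or from scap-security-guide), the following SCE check script reads the `OSCAP_BOOTC_BUILD` variable that this PR passes through and picks one of the three code paths described above, reporting NOT_APPLICABLE rather than running a body that cannot work in the current environment. The environment labels `bootc-build-only`, `not-bootc-build` and `any`, the sample sshd_config fragment and the two check bodies are constructed for this example; the `XCCDF_RESULT_*` codes are the ones the OpenSCAP SCE engine exports to checks.

```shell
# Added example, not code from the OpenSCAP PR or scap-security-guide: an SCE
# check that branches on OSCAP_BOOTC_BUILD (passed through by this PR). The
# environment labels bootc-build-only / not-bootc-build / any are hypothetical.

# The OpenSCAP SCE engine exports these codes for a check to exit with; the
# defaults only let the script be run by hand outside oscap.
: "${XCCDF_RESULT_PASS:=101}"
: "${XCCDF_RESULT_FAIL:=102}"
: "${XCCDF_RESULT_NOT_APPLICABLE:=105}"

# Constructed sshd_config fragment standing in for the file a real check reads.
SAMPLE_SSHD_CONFIG='PermitRootLogin no
PasswordAuthentication yes'

# Prints "run" if a check declared for environment $1 may execute now.
# OSCAP_BOOTC_BUILD set means we are inside the "podman build" of a bootable
# container image; otherwise we treat this as a running system.
sce_environment() {
    case "$1" in
        bootc-build-only) [ -n "${OSCAP_BOOTC_BUILD:-}" ] && echo run || echo skip ;;
        not-bootc-build)  [ -z "${OSCAP_BOOTC_BUILD:-}" ] && echo run || echo skip ;;
        any)              echo run ;;
        *)                echo skip ;;   # unknown declaration: never run blindly
    esac
}

# Runs the check body ($2...) only when the declared environment ($1)
# matches; otherwise reports NOT_APPLICABLE instead of letting code that
# needs, e.g., D-Bus fail inside a container build. Returns the XCCDF code
# (a real SCE script would exit with it).
run_check() {
    declared="$1"; shift
    if [ "$(sce_environment "$declared")" = skip ]; then
        return "$XCCDF_RESULT_NOT_APPLICABLE"
    fi
    if "$@"; then
        return "$XCCDF_RESULT_PASS"
    fi
    return "$XCCDF_RESULT_FAIL"
}

# Two constructed check bodies operating on the sample fragment.
check_root_login_disabled() {
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" | grep -qx 'PermitRootLogin no'
}
check_password_auth_disabled() {
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" | grep -qx 'PasswordAuthentication no'
}
```

In a real check the last line would be `run_check not-bootc-build check_root_login_disabled; exit $?`, so that oscap records NOT_APPLICABLE for the build phase and PASS or FAIL on a running system.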
jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this pull request Dec 18, 2024
Labels
Image Mode Bootable containers and Image Mode RHEL