From 78a414fbfac420decbac30887cfd1223165c14cd Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov
Date: Thu, 25 Jan 2024 21:04:05 +0100
Subject: [PATCH] Introduce JSON tailoring import option for autotailor

The --json-tailoring option will provide support for importing https://github.com/ComplianceAsCode/schemas/tree/main/tailoring.
---
 .gitignore | 1 +
 docs/manual/manual.adoc | 7 +
 tests/utils/autotailor_integration_test.sh | 25 ++-
 tests/utils/custom.json | 23 +++
 tests/utils/data_stream.xml | 10 +-
 utils/autotailor | 174 ++++++++++++++++-----
 utils/autotailor.8 | 22 ++-
 7 files changed, 218 insertions(+), 44 deletions(-)
 create mode 100644 tests/utils/custom.json

diff --git a/.gitignore b/.gitignore
index b1690d5a9a..4a399446ce 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,6 +17,7 @@ build/
 *.a
 *.la
 .cproject
+.idea
 .project
 .settings/language.settings.xml
diff --git a/docs/manual/manual.adoc b/docs/manual/manual.adoc
index a30ec8f3e5..1a78406dd2 100644
--- a/docs/manual/manual.adoc
+++ b/docs/manual/manual.adoc
@@ -1,6 +1,7 @@
 = OpenSCAP User Manual
 :imagesdir: ./images
 :workbench_url: https://www.open-scap.org/tools/scap-workbench/
+:json_tailoring_url: https://github.com/ComplianceAsCode/schemas/tree/main/tailoring
 :sce_web: https://www.open-scap.org/features/other-standards/sce/
 :openscap_web: https://open-scap.org/
 :oscap_git: https://github.com/OpenSCAP/openscap
@@ -868,6 +869,12 @@ $ autotailor --unselect service_usbguard_enabled --output /tmp/tailoring.xml \
 --new-profile-id custom /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml ospp
 ----
+The `autotailor` tool can also consume {json_tailoring_url}[JSON tailoring] files and convert them into XCCDF Tailoring.
+
+----
+$ autotailor --json-tailoring custom.json /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
+----
+
 For more details about other options of the `autotailor` program please read the `autotailor(8)` man page or run `autotailor --help`.
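Review bot: The `.idea` line added to the .gitignore hunk is an IDE artifact with no relation to the JSON tailoring feature named in the subject. Editor-specific ignores are usually kept in a per-user global excludes file or, if the project wants them, in a separate housekeeping commit, so that a feature commit stays bisectable and reviewable on its own. Nothing else in the .gitignore or manual.adoc hunks needs attention.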
diff --git a/tests/utils/autotailor_integration_test.sh b/tests/utils/autotailor_integration_test.sh
index 92ef0a2288..815b9b9bbc 100755
--- a/tests/utils/autotailor_integration_test.sh
+++ b/tests/utils/autotailor_integration_test.sh
@@ -7,6 +7,7 @@ set -e -o pipefail
 autotailor="$top_srcdir/utils/autotailor"
 tailoring="$(mktemp)"
 ds="$srcdir/data_stream.xml"
+json_tailoring="$srcdir/custom.json"
 stdout="$(mktemp)"
 original_profile="P1"
 result="$(mktemp)"
@@ -93,7 +94,7 @@ assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="pass"]'
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notselected"]'
 
-# refine value v1 to 30
+# set value v1 to thirty
 python3 $autotailor --id-namespace "com.example.www" --var-value V1=thirty $ds $original_profile > $tailoring
 $OSCAP xccdf eval --profile P1_customized --progress --tailoring-file $tailoring --results $result $ds
 assert_exists 1 '/Benchmark/TestResult/set-value[@idref="xccdf_com.example.www_value_V1" and text()="thirty"]'
@@ -101,3 +102,25 @@ assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R2"]/result[text()="pass"]'
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="notselected"]'
 assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notselected"]'
+
+# refine value v1 to 'thirty' (30) and v2 to 'other' (Other Value)
+python3 $autotailor --id-namespace "com.example.www" --var-select V1=thirty --var-select V2=other $ds $original_profile > $tailoring
+$OSCAP xccdf eval --profile P1_customized --progress --tailoring-file $tailoring --results $result $ds
+assert_exists 1 '/Benchmark/TestResult/set-value[@idref="xccdf_com.example.www_value_V1" and text()="30"]'
+assert_exists 1 '/Benchmark/TestResult/set-value[@idref="xccdf_com.example.www_value_V2" and text()="Other Value"]'
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R1"]/result[text()="pass"]'
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R2"]/result[text()="pass"]'
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="notselected"]'
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notselected"]'
+
+# use JSON tailoring
+python3 $autotailor $ds --id-namespace "com.example.www" --json-tailoring $json_tailoring > $tailoring
+$OSCAP xccdf eval --profile JSON_P1 --progress --tailoring-file $tailoring --results $result $ds
+assert_exists 1 '/Benchmark/TestResult/set-value[@idref="xccdf_com.example.www_value_V1" and text()="New Value"]'
+assert_exists 1 '/Benchmark/TestResult/set-value[@idref="xccdf_com.example.www_value_V2" and text()="Some Value"]'
+assert_exists 1 
'/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R1"]/result[text()="notselected"]'
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R2"]/result[text()="pass"]'
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="notchecked"]'
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3" and @role="unchecked"]'
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3" and @severity="unknown"]'
+assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notselected"]'
diff --git a/tests/utils/custom.json b/tests/utils/custom.json
new file mode 100644
index 0000000000..7fc06f8f1a
--- /dev/null
+++ b/tests/utils/custom.json
@@ -0,0 +1,23 @@
+{
+ "id": "JSON_P1",
+ "title": "JSON Tailored Profile P1",
+ "base_profile_id": "P1",
+ "rules": {
+ "R1": {
+ "selected": false
+ },
+ "R3": {
+ "selected": true,
+ "role": "unchecked",
+ "severity": "unknown"
+ }
+ },
+ "variables": {
+ "V1": {
+ "value": "New Value"
+ },
+ "V2": {
+ "select": "some"
+ }
+ }
+}
diff --git a/tests/utils/data_stream.xml b/tests/utils/data_stream.xml
index 7f748d839f..5ebf4dc2b0 100644
--- a/tests/utils/data_stream.xml
+++ b/tests/utils/data_stream.xml
@@ -65,12 +65,20 @@
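Review bot: The new `python3 $autotailor` and `$OSCAP xccdf eval` invocations in the `@@ -101,3 +102,25 @@` hunk expand `$autotailor`, `$ds`, `$json_tailoring`, `$tailoring` and `$result` unquoted, so a `$srcdir` or `mktemp` path containing whitespace word-splits; the older lines have the same habit, but the new ones could set the better pattern, e.g. `python3 "$autotailor" "$ds" --id-namespace "com.example.www" --json-tailoring "$json_tailoring" > "$tailoring"`. The JSON invocation also puts `$ds` before the options while every other call lists options first and `$ds $original_profile` last, which reads as if the positional profile were forgotten; a comment such as `# no profile argument: the base profile comes from base_profile_id in custom.json` would make the omission clearly deliberate. Both new cases exercise only the happy path; if the importer rejects an unknown rule or variable id or a missing `base_profile_id`, a negative case asserting a non-zero exit from `python3 $autotailor` would pin that behaviour, which cannot be confirmed here because the utils/autotailor hunk lies outside this chunk.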