From 5cd77b3e1252786b288d255993f81d42c8b7157e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 29 Jul 2024 14:17:57 +0200
Subject: [PATCH] Solve situation when --profile isn't provided
If an user doesn't provide `--profile`, the default XCCDF profile is used which is the standard behavior of all oscap xccdf modules. However, the generated remediation doesn't reflect that. This commit fixes it, namely the generated "oscap" commands.
---
 src/XCCDF_POLICY/xccdf_policy_remediate.c | 28 ++++++++++++++++-------
 1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
index a270ad19f6..2be53679d5 100644
--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -1268,8 +1268,10 @@ static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_
 		free(profile_description);
 		const struct xccdf_version_info *xccdf_version = benchmark ? xccdf_benchmark_get_schema_version(benchmark) : NULL;
+		char *profile_id_banner = profile_id ? oscap_sprintf("# Profile ID: %s\n", profile_id) : strdup("");
 		const char *xccdf_version_name = xccdf_version ? xccdf_version_info_get_version(xccdf_version) : "Unknown";
 		char *tailoring_option = tailoring_file_name ? oscap_sprintf(" --tailoring-file %s", tailoring_file_name) : strdup("");
+		char *profile_option = profile_id ? oscap_sprintf(" --profile %s", profile_id) : strdup("");
 		fix_header = oscap_sprintf(
 			"%s"
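Review bot: When profile_id is NULL the new `profile_id_banner` drops the `# Profile ID:` line from the generated script altogether, so whoever audits that script later can no longer see which profile it was built for; the commit message says the benchmark's default profile applies in that case, and recording that explicitly is cheap, e.g. `char *profile_id_banner = profile_id ? oscap_sprintf("# Profile ID: %s\n", profile_id) : strdup("# Profile ID: (default profile)\n");`. On the same hunk the reproduction hint interpolates the ID unquoted via `" --profile %s"` while the kickstart generator further down wraps it in single quotes; `" --profile '%s'"` would keep the two generators consistent and survive an ID with shell-special characters. As with the existing `tailoring_option`, the `oscap_sprintf`/`strdup` results are used unchecked; whether oscap_sprintf can return NULL is not visible from this hunk. The enclosing function `_write_script_header_to_fd` starts and ends outside the hunk.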
@@ -1280,13 +1282,13 @@ static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_
 			"# Profile Description:\n"
 			"# %s\n"
 			"#\n"
-			"# Profile ID: %s\n"
+			"%s"
 			"# Benchmark ID: %s\n"
 			"# Benchmark Version: %s\n"
 			"# XCCDF Version: %s\n"
 			"#\n"
 			"# This file was generated by OpenSCAP %s using:\n"
-			"# $ oscap xccdf generate fix%s --profile %s --fix-type %s %s\n"
+			"# $ oscap xccdf generate fix%s%s --fix-type %s %s\n"
 			"#\n"
 			"# This %s is generated from an OpenSCAP profile without preliminary evaluation.\n"
 			"# It attempts to fix every selected rule, even if the system is already compliant.\n"
@@ -1297,13 +1299,15 @@ static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_
 			"###############################################################################\n\n",
 			shebang_with_newline, remediation_type, profile_title, commented_profile_description,
-			profile_id, benchmark_id, benchmark_version_info, xccdf_version_name,
-			oscap_version, tailoring_option, profile_id, format, input_file_name, remediation_type,
+			profile_id_banner, benchmark_id, benchmark_version_info, xccdf_version_name,
+			oscap_version, tailoring_option, profile_option, format, input_file_name, remediation_type,
 			remediation_type, how_to_apply
 		);
+		free(profile_id_banner);
 		free(tailoring_option);
 		free(commented_profile_description);
+		free(profile_option);
 	} else {
 		// Results-based remediation fix
@@ -1557,16 +1561,24 @@ static int _generate_kickstart_oscap_post(struct kickstart_commands *cmds, const
 {
 	_write_text_to_fd(output_fd, "# Perform OpenSCAP hardening (required for security compliance)\n");
 	_write_text_to_fd(output_fd, "%post --erroronfail\n");
-	const char *fmt;
+	const char *fmt = "oscap xccdf eval --remediate%s--results-arf /root/oscap_arf.xml --report /root/oscap_report.html%s/usr/share/xml/scap/ssg/content/%s\n";
+	const char *tailoring_part;
 	if (tailoring != NULL) {
-		fmt = "oscap xccdf eval --remediate --tailoring-file /root/oscap_tailoring.xml --results-arf /root/oscap_arf.xml --report /root/oscap_report.html --profile '%s' /usr/share/xml/scap/ssg/content/%s\n";
+		tailoring_part = " --tailoring-file /root/oscap_tailoring.xml ";
+	} else {
+		tailoring_part = " ";
+	}
+	char *profile_part;
+	if (profile_id != NULL) {
+		profile_part = oscap_sprintf(" --profile '%s' ", profile_id);
 	} else {
-		fmt = "oscap xccdf eval --remediate --results-arf /root/oscap_arf.xml --report /root/oscap_report.html --profile '%s' /usr/share/xml/scap/ssg/content/%s\n";
+		profile_part = strdup(" ");
 	}
 	char *dup = strdup(input_path);
 	char *basename = oscap_basename(dup);
 	free(dup);
-	char *oscap_command = oscap_sprintf(fmt, profile_id, basename);
+	char *oscap_command = oscap_sprintf(fmt, tailoring_part, profile_part, basename);
+	free(profile_part);
 	free(basename);
 	_write_tailoring_to_fd(tailoring, output_fd);
 	_write_text_to_fd_and_free(output_fd, oscap_command);
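Review bot: The rewritten `profile_part = oscap_sprintf(" --profile '%s' ", profile_id);` still embeds profile_id inside the single quotes of a shell command that the kickstart `%post` executes as root, so an ID containing a `'` ends the quoting and the rest is parsed by the shell; the old fmt had the same hazard and the ID normally comes from the caller's own arguments, but since this line is being rewritten it is the moment to reject IDs containing `'` (or escape them as `'\''`) before embedding. Secondarily, the new fmt relies on every part carrying its own leading and trailing space (`--remediate%s--results-arf`), which is easy to break on the next edit; placing the spaces in fmt as `--remediate%s --results-arf ... oscap_report.html%s /usr/share/...` and making the empty parts `""` keeps the command layout visible in one string. The `strdup(" ")` and `oscap_sprintf` results are used unchecked; whether oscap_sprintf aborts on allocation failure is not visible here. The function's signature appears only in the hunk header and its remainder, including the return path, lies outside the hunk.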