

Add --raw switch to xccdf generate fix module
The option would allow the user to generate fix scripts
without headers and boilerplate. Currently implemented
for Kickstart remediation type.
evgenyz committed Aug 6, 2024
1 parent 66b58f1 commit 40d5fa6
Showing 4 changed files with 26 additions and 17 deletions.
2 changes: 1 addition & 1 deletion src/XCCDF_POLICY/public/xccdf_policy.h
Expand Up @@ -520,7 +520,7 @@ OSCAP_API bool xccdf_policy_resolve(struct xccdf_policy * policy);
* @param output_fd write prescription to this file descriptor
* @returns zero on success, non-zero indicate partial (incomplete) output.
*/
OSCAP_API int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *result, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int output_fd);
OSCAP_API int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *result, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int output_fd, int raw);

/**
* xccdf_policy_model_get_files and xccdf_item_get_files each return oscap_file_entries instead of raw strings
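Review bot: The Doxygen block above the prototype still ends at `@param output_fd` and documents nothing for the new `raw` parameter, so the public header now describes a six-argument contract for a seven-argument function; add `* @param raw when non-zero, omit the script header and other boilerplate and emit only the fix content` before the `@returns` line. Appending a parameter to an `OSCAP_API` function also changes the exported API/ABI for anything built against the previous prototype, which is not addressed by the commit; whether that needs a new symbol name or a library version bump depends on the project's compatibility policy, which I cannot see from this page.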
32 changes: 19 additions & 13 deletions src/XCCDF_POLICY/xccdf_policy_remediate.c
Expand Up @@ -1749,7 +1749,7 @@ static void logvol_cmd_free(void *ptr)
free(cmd);
}

static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix, struct xccdf_policy *policy, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int output_fd)
static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix, struct xccdf_policy *policy, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int raw, int output_fd)
{
int ret = 0;
struct kickstart_commands cmds = {
Expand Down Expand Up @@ -1786,7 +1786,9 @@ static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix,
"rootpw changeme\n"
"\n"
);
_write_text_to_fd(output_fd, common);
if (raw == 0) {
_write_text_to_fd(output_fd, common);
}

_generate_kickstart_pre(&cmds, output_fd);

Expand All @@ -1807,7 +1809,8 @@ static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix,

_generate_kickstart_post(&cmds, output_fd);

_write_text_to_fd(output_fd, "# Reboot after the installation is complete\nreboot\n");
if (raw == 0)
_write_text_to_fd(output_fd, "# Reboot after the installation is complete\nreboot\n");

oscap_list_free(cmds.package_install, free);
oscap_list_free(cmds.package_remove, free);
Expand All @@ -1822,7 +1825,7 @@ static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix,
return ret;
}

int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *result, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int output_fd)
int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *result, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int output_fd, int raw)
{
__attribute__nonnull__(policy);
int ret = 0;
Expand All @@ -1840,10 +1843,11 @@ int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *
return 1;
}

if (_write_script_header_to_fd(policy, result, sys, input_file_name, tailoring_file_name, output_fd) != 0) {
oscap_list_free(rules_to_fix, NULL);
return 1;
}
if (raw == 0)
if (_write_script_header_to_fd(policy, result, sys, input_file_name, tailoring_file_name, output_fd) != 0) {
oscap_list_free(rules_to_fix, NULL);
return 1;
}

struct xccdf_item_iterator *item_it = xccdf_benchmark_get_content(benchmark);
while (xccdf_item_iterator_has_more(item_it)) {
Expand All @@ -1857,10 +1861,11 @@ int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *
else {
dI("Generating result-oriented fixes for policy(result/@id=%s)", xccdf_result_get_id(result));

if (_write_script_header_to_fd(policy, result, sys, input_file_name, tailoring_file_name, output_fd) != 0) {
oscap_list_free(rules_to_fix, NULL);
return 1;
}
if (raw == 0)
if (_write_script_header_to_fd(policy, result, sys, input_file_name, tailoring_file_name, output_fd) != 0) {
oscap_list_free(rules_to_fix, NULL);
return 1;
}

struct xccdf_rule_result_iterator *rr_it = xccdf_result_get_rule_results(result);
while (xccdf_rule_result_iterator_has_more(rr_it)) {
Expand All @@ -1880,7 +1885,7 @@ int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *
} else if (strcmp(sys, "urn:redhat:osbuild:blueprint") == 0) {
ret = _xccdf_policy_generate_fix_blueprint(rules_to_fix, policy, sys, output_fd);
} else if (strcmp(sys, "urn:xccdf:fix:script:kickstart") == 0) {
ret = _xccdf_policy_generate_fix_kickstart(rules_to_fix, policy, sys, input_file_name, tailoring, output_fd);
ret = _xccdf_policy_generate_fix_kickstart(rules_to_fix, policy, sys, input_file_name, tailoring, raw, output_fd);
} else {
ret = _xccdf_policy_generate_fix_other(rules_to_fix, policy, sys, output_fd);
}
Expand All @@ -1889,3 +1894,4 @@ int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *

return ret;
}
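Review bot: The new `int raw` parameter is placed before `output_fd` in the static helper `_xccdf_policy_generate_fix_kickstart` but after it in the public `xccdf_policy_generate_fix`; since both are plain `int`, a caller that follows the public order would compile cleanly and write the kickstart to file descriptor 0 or 1 instead of the output, and only the single call site in the `strcmp(sys, "urn:xccdf:fix:script:kickstart")` branch keeps them aligned today. Ordering the helper as `..., struct oscap_source *tailoring, int output_fd, int raw)` and calling it as `_xccdf_policy_generate_fix_kickstart(rules_to_fix, policy, sys, input_file_name, tailoring, output_fd, raw);` removes that trap. Separately, the two `if (raw == 0)` guards in `xccdf_policy_generate_fix` wrap a braced multi-line `if` without braces of their own, while the first kickstart guard uses braces and the `reboot` guard does not; folding each into one condition, `if (raw == 0 && _write_script_header_to_fd(policy, result, sys, input_file_name, tailoring_file_name, output_fd) != 0) {`, keeps the early-return body inside a single braced block and makes the three guards consistent. Both affected functions begin and end outside the visible hunks.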

1 change: 1 addition & 0 deletions utils/oscap-tool.h
Expand Up @@ -161,6 +161,7 @@ struct oscap_action {
char *local_files;
char *reference;
int references;
int raw;
};

int app_xslt(const char *infile, const char *xsltfile, const char *outfile, const char **params);
8 changes: 5 additions & 3 deletions utils/oscap-xccdf.c
Expand Up @@ -283,6 +283,7 @@ static struct oscap_module XCCDF_GEN_FIX = {
" --fix-type <type> - Fix type. Should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes,\n"
" blueprint, kickstart (default: bash).\n"
" --output <file> - Write the script into file.\n"
" --raw - Don't write extra headers or boilerplate instructions, only compose the content snippets.\n"
" --result-id <id> - Fixes will be generated for failed rule-results of the specified TestResult.\n"
" --benchmark-id <id> - ID of XCCDF Benchmark in some component in the data stream that should be used.\n"
" (only applicable for source data streams)\n"
Expand Down Expand Up @@ -1041,7 +1042,7 @@ int app_generate_fix(const struct oscap_action *action)

struct xccdf_policy *policy = xccdf_session_get_xccdf_policy(session);
struct xccdf_result *result = xccdf_policy_get_result_by_id(policy, xccdf_session_get_result_id(session));
if (xccdf_policy_generate_fix(policy, result, remediation_system, action->f_xccdf, tailoring, output_fd) == 0)
if (xccdf_policy_generate_fix(policy, result, remediation_system, action->f_xccdf, tailoring, output_fd, action->raw) == 0)
ret = OSCAP_OK;
} else { // Fallback to profile if result id is missing
/* Profile-oriented fixes */
Expand All @@ -1055,7 +1056,7 @@ int app_generate_fix(const struct oscap_action *action)
}
}
struct xccdf_policy *policy = xccdf_session_get_xccdf_policy(session);
if (xccdf_policy_generate_fix(policy, NULL, remediation_system, action->f_xccdf, tailoring, output_fd) == 0)
if (xccdf_policy_generate_fix(policy, NULL, remediation_system, action->f_xccdf, tailoring, output_fd, action->raw) == 0)
ret = OSCAP_OK;
}
cleanup2:
Expand Down Expand Up @@ -1243,8 +1244,9 @@ bool getopt_xccdf(int argc, char **argv, struct oscap_action *action)
{"hide-profile-info", no_argument, &action->hide_profile_info, 1},
{"export-variables", no_argument, &action->export_variables, 1},
{"skip-schematron", no_argument, &action->schematron, 0},
{"without-syschar", no_argument, &action->without_sys_chars, 1},
{"without-syschar", no_argument, &action->without_sys_chars, 1},
{"thin-results", no_argument, &action->thin_results, 1},
{"raw", no_argument, &action->raw, 1},
// end
{0, 0, 0, 0}
};
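Review bot: The help text for `--raw` promises that only the content snippets are composed, but the commit message says the switch is currently implemented for the Kickstart remediation type, and the library change only suppresses the script header for the other fix types; the usage line should say so, e.g. `" --raw - Don't write extra headers or boilerplate instructions, only compose the content snippets (fully supported for kickstart).\n"`. The option is also registered in the long-options table of `getopt_xccdf`, which appears to be shared by all xccdf subcommands, so `--raw` will presumably be accepted and silently ignored outside `generate fix` unless that table is validated per module elsewhere. `getopt_xccdf` starts outside the hunk, and the re-indentation of the `without-syschar` entry is whitespace only.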

