From 40d5fa6fcfdff045bf6763242cecc10396fc847d Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov
Date: Tue, 6 Aug 2024 21:31:03 +0200
Subject: [PATCH] Add --raw switch to xccdf generate fix module

The option would allow the user to generate fix scripts without headers and boilerplate. Currently implemented for Kickstart remediation type.
---
 src/XCCDF_POLICY/public/xccdf_policy.h | 2 +-
 src/XCCDF_POLICY/xccdf_policy_remediate.c | 32 ++++++++++++++---------
 utils/oscap-tool.h | 1 +
 utils/oscap-xccdf.c | 8 +++---
 4 files changed, 26 insertions(+), 17 deletions(-)

diff --git a/src/XCCDF_POLICY/public/xccdf_policy.h b/src/XCCDF_POLICY/public/xccdf_policy.h
index 9cdde59a17..098c711132 100644
--- a/src/XCCDF_POLICY/public/xccdf_policy.h
+++ b/src/XCCDF_POLICY/public/xccdf_policy.h
@@ -520,7 +520,7 @@ OSCAP_API bool xccdf_policy_resolve(struct xccdf_policy * policy);
  * @param output_fd write prescription to this file descriptor
  * @returns zero on success, non-zero indicate partial (incomplete) output.
  */
-OSCAP_API int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *result, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int output_fd);
+OSCAP_API int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *result, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int output_fd, int raw);
 
 /**
  * xccdf_policy_model_get_files and xccdf_item_get_files each return oscap_file_entries instead of raw strings
diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
index 2b442837b5..acb63f9914 100644
--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
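Review bot: The new `raw` parameter is not documented in the Doxygen block directly above the changed prototype, which still lists only `@param output_fd` and `@returns`; add ` * @param raw when non-zero, omit the script header and boilerplate and write only the fix content` before `@returns`. The prototype is marked `OSCAP_API` in a public header, so appending a parameter changes the exported API (and presumably the ABI) for any out-of-tree caller of `xccdf_policy_generate_fix`; if that matters for this library's compatibility policy, a new entry point that keeps the old signature would avoid the break. The doc comment should also say that the flag currently only has an effect for the Kickstart remediation type, since the commit message says so and nothing in the header does.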
@@ -1749,7 +1749,7 @@ static void logvol_cmd_free(void *ptr)
 	free(cmd);
 }
 
-static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix, struct xccdf_policy *policy, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int output_fd)
+static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix, struct xccdf_policy *policy, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int raw, int output_fd)
 {
 	int ret = 0;
 	struct kickstart_commands cmds = {
@@ -1786,7 +1786,9 @@ static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix,
 		"rootpw changeme\n"
 		"\n"
 	);
-	_write_text_to_fd(output_fd, common);
+	if (raw == 0) {
+		_write_text_to_fd(output_fd, common);
+	}
 
 	_generate_kickstart_pre(&cmds, output_fd);
 
@@ -1807,7 +1809,8 @@ static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix,
 
 	_generate_kickstart_post(&cmds, output_fd);
 
-	_write_text_to_fd(output_fd, "# Reboot after the installation is complete\nreboot\n");
+	if (raw == 0)
+		_write_text_to_fd(output_fd, "# Reboot after the installation is complete\nreboot\n");
 
 	oscap_list_free(cmds.package_install, free);
 	oscap_list_free(cmds.package_remove, free);
@@ -1822,7 +1825,7 @@ static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix,
 	return ret;
 }
 
-int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *result, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int output_fd)
+int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *result, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int output_fd, int raw)
 {
 	__attribute__nonnull__(policy);
 	int ret = 0;
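Review bot: The parameter order differs between the two signatures changed here: `raw` is inserted before `output_fd` in `_xccdf_policy_generate_fix_kickstart` (hunk @@ -1749) but appended after `output_fd` in the public `xccdf_policy_generate_fix` (hunk @@ -1822). Both are plain `int`, so a call that transposes them compiles silently and would write the fix to file descriptor 0 or 1 while treating the real descriptor as the flag. Change the helper to `..., struct oscap_source *tailoring, int output_fd, int raw)` and adjust the call in hunk @@ -1880 accordingly, so the two functions read the same way. The body of `_xccdf_policy_generate_fix_kickstart` continues outside these hunks.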
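Review bot: The two `raw` gates in the same function are written in different styles: hunk @@ -1786 braces the single-statement body (`if (raw == 0) {`), while hunk @@ -1807 leaves the `if` unbraced. Pick one form for both; given that the rest of the function appears to brace its blocks, `if (raw == 0) {` with a closing `}` in hunk @@ -1807 is the consistent choice. A one-line comment on the first gate, `/* --raw: emit only the generated Kickstart sections, no preamble or trailing reboot */`, would also tell a reader what the flag elides without searching for the option parser.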
@@ -1840,10 +1843,11 @@ int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *
 		return 1;
 	}
 
-	if (_write_script_header_to_fd(policy, result, sys, input_file_name, tailoring_file_name, output_fd) != 0) {
-		oscap_list_free(rules_to_fix, NULL);
-		return 1;
-	}
+	if (raw == 0)
+		if (_write_script_header_to_fd(policy, result, sys, input_file_name, tailoring_file_name, output_fd) != 0) {
+			oscap_list_free(rules_to_fix, NULL);
+			return 1;
+		}
 
 	struct xccdf_item_iterator *item_it = xccdf_benchmark_get_content(benchmark);
 	while (xccdf_item_iterator_has_more(item_it)) {
@@ -1857,10 +1861,11 @@ int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *
 	else {
 		dI("Generating result-oriented fixes for policy(result/@id=%s)", xccdf_result_get_id(result));
 
-		if (_write_script_header_to_fd(policy, result, sys, input_file_name, tailoring_file_name, output_fd) != 0) {
-			oscap_list_free(rules_to_fix, NULL);
-			return 1;
-		}
+		if (raw == 0)
+			if (_write_script_header_to_fd(policy, result, sys, input_file_name, tailoring_file_name, output_fd) != 0) {
+				oscap_list_free(rules_to_fix, NULL);
+				return 1;
+			}
 
 		struct xccdf_rule_result_iterator *rr_it = xccdf_result_get_rule_results(result);
 		while (xccdf_rule_result_iterator_has_more(rr_it)) {
@@ -1880,7 +1885,7 @@ int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *
 	} else if (strcmp(sys, "urn:redhat:osbuild:blueprint") == 0) {
 		ret = _xccdf_policy_generate_fix_blueprint(rules_to_fix, policy, sys, output_fd);
 	} else if (strcmp(sys, "urn:xccdf:fix:script:kickstart") == 0) {
-		ret = _xccdf_policy_generate_fix_kickstart(rules_to_fix, policy, sys, input_file_name, tailoring, output_fd);
+		ret = _xccdf_policy_generate_fix_kickstart(rules_to_fix, policy, sys, input_file_name, tailoring, raw, output_fd);
 	} else {
 		ret = _xccdf_policy_generate_fix_other(rules_to_fix, policy, sys, output_fd);
 	}
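Review bot: The unbraced outer `if (raw == 0)` wrapping a braced inner `if` in hunk @@ -1840 (and again in hunk @@ -1857) is the shape that invites a dangling-`else` or a mis-nested statement the next time someone edits this block, and it adds an indentation level for no gain. Fold the two conditions into one: `if (raw == 0 && _write_script_header_to_fd(policy, result, sys, input_file_name, tailoring_file_name, output_fd) != 0) {` with the existing cleanup and `return 1;` inside, which keeps short-circuit behaviour identical and needs no nesting. `xccdf_policy_generate_fix` starts before the first hunk and ends after the last one shown here.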
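Review bot: The `raw` gate in hunk @@ -1857 (and @@ -1840) sits in front of `_write_script_header_to_fd`, which runs before the `sys` dispatch in hunk @@ -1880, so `--raw` suppresses the script header for every remediation type, not only Kickstart as the commit message states. If that header carries the interpreter line or the play preamble for the other fix types (not visible in this hunk), a bash or ansible script produced with `--raw` would be missing it; either restrict the gate to the Kickstart `sys` value, or make the documented contract "no header for any type" and say so in the help text. A comment such as `/* --raw: callers embed the output elsewhere, so no header for any fix type */` would record whichever choice is made.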
@@ -1889,3 +1894,4 @@ int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *
 
 	return ret;
 }
+
diff --git a/utils/oscap-tool.h b/utils/oscap-tool.h
index 6e13bb7132..6c6706c5b6 100644
--- a/utils/oscap-tool.h
+++ b/utils/oscap-tool.h
@@ -161,6 +161,7 @@ struct oscap_action {
 	char *local_files;
 	char *reference;
 	int references;
+	int raw;
 };
 
 int app_xslt(const char *infile, const char *xsltfile, const char *outfile, const char **params);
diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
index d4d191ea25..598234e709 100644
--- a/utils/oscap-xccdf.c
+++ b/utils/oscap-xccdf.c
@@ -283,6 +283,7 @@ static struct oscap_module XCCDF_GEN_FIX = {
 	" --fix-type - Fix type. Should be one of: bash, ansible, puppet, anaconda, ignition, kubernetes,\n"
 	" blueprint, kickstart (default: bash).\n"
 	" --output - Write the script into file.\n"
+	" --raw - Don't write extra headers or boilerplate instructions, only compose the content snippets.\n"
 	" --result-id - Fixes will be generated for failed rule-results of the specified TestResult.\n"
 	" --benchmark-id - ID of XCCDF Benchmark in some component in the data stream that should be used.\n"
 	" (only applicable for source data streams)\n"
@@ -1041,7 +1042,7 @@ int app_generate_fix(const struct oscap_action *action)
 		struct xccdf_policy *policy = xccdf_session_get_xccdf_policy(session);
 		struct xccdf_result *result = xccdf_policy_get_result_by_id(policy, xccdf_session_get_result_id(session));
 
-		if (xccdf_policy_generate_fix(policy, result, remediation_system, action->f_xccdf, tailoring, output_fd) == 0)
+		if (xccdf_policy_generate_fix(policy, result, remediation_system, action->f_xccdf, tailoring, output_fd, action->raw) == 0)
 			ret = OSCAP_OK;
 	} else { // Fallback to profile if result id is missing
 		/* Profile-oriented fixes */
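Review bot: The new `int raw;` member of `struct oscap_action` in hunk @@ -161 carries no comment, and unlike `references` or `local_files` its name does not say which command or output it affects. Add `int raw; /* --raw for "xccdf generate fix": omit script headers and boilerplate */` so the field is understood from the header alone. The field is read as `action->raw` in the two `app_generate_fix` hunks below; that relies on the action struct being zero-initialised before option parsing, which is not visible here but is presumably how the other flag fields already work.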
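Review bot: The help text added in hunk @@ -283 promises that `--raw` drops "extra headers or boilerplate" for the command as a whole, but the commit message says the behaviour is implemented only for the Kickstart fix type, and the help line does not mention that. Users selecting `--fix-type bash --raw` will not learn from `--help` what they get. Amend the line to `" --raw - Don't write extra headers or boilerplate instructions, only compose the content snippets (currently kickstart only).\n"`, or, if the header is in fact suppressed for all types, say that instead so the help text and the library behaviour agree.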
@@ -1055,7 +1056,7 @@ int app_generate_fix(const struct oscap_action *action)
 			}
 		}
 		struct xccdf_policy *policy = xccdf_session_get_xccdf_policy(session);
-		if (xccdf_policy_generate_fix(policy, NULL, remediation_system, action->f_xccdf, tailoring, output_fd) == 0)
+		if (xccdf_policy_generate_fix(policy, NULL, remediation_system, action->f_xccdf, tailoring, output_fd, action->raw) == 0)
 			ret = OSCAP_OK;
 	}
 cleanup2:
@@ -1243,8 +1244,9 @@ bool getopt_xccdf(int argc, char **argv, struct oscap_action *action)
 		{"hide-profile-info", no_argument, &action->hide_profile_info, 1},
 		{"export-variables", no_argument, &action->export_variables, 1},
 		{"skip-schematron", no_argument, &action->schematron, 0},
-		{"without-syschar", no_argument, &action->without_sys_chars, 1},
+		{"without-syschar", no_argument, &action->without_sys_chars, 1},
 		{"thin-results", no_argument, &action->thin_results, 1},
+		{"raw", no_argument, &action->raw, 1},
 		// end
 		{0, 0, 0, 0}
 	};
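Review bot: The `without-syschar` entry in hunk @@ -1243 is removed and re-added with no visible textual difference, so this is a whitespace-only change unrelated to the `--raw` feature; it should be dropped from the commit or moved to a separate formatting change so `git blame` on that option stays meaningful. The new `{"raw", no_argument, &action->raw, 1},` entry goes into the long-option table of `getopt_xccdf`, which appears to serve every `oscap xccdf` subcommand, so `--raw` will presumably be accepted without complaint by `eval` and the other subcommands unless a later per-module check rejects it; if such a check exists elsewhere in `getopt_xccdf`, `raw` should be added to it. The option table is inside a function whose start and end lie outside the hunk.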