Improve Kickstart remediations #2147
Conversation
evgenyz
force-pushed
the
add-generate-raw-fix
branch
2 times, most recently
from
d1ec3ed
to
40d5fa6
Compare
|
@evgenyz Nice idea! I think that we can go this way. Please be aware that for some remediation types (Ansible, Kickstart) the "header" also contains essential parts of the output that shouldn't be removed. On the other hand, in some remediation types (Bash, Kickstart) additional comments are added also in a lower part of the generated output and these are not essential so we can remove these in the |
|
Come to think about it, if we are going to backport it we'd better not break the API in this change. Hmm. |
|
OTOH, we already broke it in the initial PR with the Kickstart remediation. |
evgenyz
force-pushed
the
add-generate-raw-fix
branch
2 times, most recently
from
3685163
to
23f655a
Compare
| if (raw == 0) { | ||
| char *password = oscap_generate_random_string(24, NULL); | ||
| char *common = oscap_sprintf(common_template, password); | ||
| _write_text_to_fd(output_fd, common); |
There was a problem hiding this comment.
But without the items from the common_template, the generated kickstart won't be sufficient for automated installation of the operating system, in other words the installation will require user interaction.
There was a problem hiding this comment.
The raw form is not meant to be easy-consumable, its purpose is to be convenient for parsing and customization using automation tools. It is going to be tools-friendly, not user-friendly.
| @@ -0,0 +1,56 @@ | |||
| # Create partition layout scheme (required for security compliance) | |||
There was a problem hiding this comment.
Why are these headers kept in the raw output?
There was a problem hiding this comment.
After another round of discussion with Satellite , I've changed the way we format sections in raw mode. It does not have comment headers now, but for partitioning scheme it has pseudo-sections # %partitions, # %logvols closed with # %end to make it easier for them to parse.
tests/API/XCCDF/unittests/test_remediation_kickstart_expected_raw.cfg
Outdated
Show resolved
Hide resolved
| return 1; | ||
| } | ||
| if (raw == 0) | ||
| if (_write_script_header_to_fd(policy, result, sys, input_file_name, tailoring_file_name, output_fd) != 0) { |
There was a problem hiding this comment.
When generating Ansible Playbooks the output is invalid because this part contains essential part of the output.
| @@ -520,7 +520,7 @@ OSCAP_API bool xccdf_policy_resolve(struct xccdf_policy * policy); | |||
| * @param output_fd write prescription to this file descriptor | |||
| * @returns zero on success, non-zero indicate partial (incomplete) output. | |||
| */ | |||
| OSCAP_API int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *result, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int output_fd); | |||
| OSCAP_API int xccdf_policy_generate_fix(struct xccdf_policy *policy, struct xccdf_result *result, const char *sys, const char *input_file_name, struct oscap_source *tailoring, int output_fd, int raw); | |||
There was a problem hiding this comment.
missing Doxygen text for the new raw parameter
The option would allow the user to generate fix scripts without headers and boilerplate. Currently implemented for Kickstart remediation type.
evgenyz
force-pushed
the
add-generate-raw-fix
branch
from
23f655a
to
738fd0f
Compare
Add header-less variant via
--rawswitch.The purpose of the
rawmode is to be tools, integrations and customization-friendly. It is not meant to be directly consumable by a user.For now the behavior is implemented only for Kickstart remediation type. We'll derefine the
rawshape of others later.