Skip to content

Commit

Permalink
Merge pull request #2192 from jan-cerny/merge_20250107
Browse files Browse the repository at this point in the history
Merge branch maint-1.3 to main
  • Loading branch information
evgenyz authored Jan 7, 2025
2 parents e90df48 + 7bdecd0 commit 3ef3f34
Show file tree
Hide file tree
Showing 8 changed files with 41 additions and 62 deletions.
4 changes: 2 additions & 2 deletions CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -330,7 +330,7 @@ cmake_dependent_option(ENABLE_OSCAP_UTIL_AS_RPM "enable the scap-as-rpm utility,
cmake_dependent_option(ENABLE_OSCAP_UTIL_SSH "enables the oscap-ssh utility, this lets you scan remote machines over ssh" ON "NOT WIN32" OFF)
cmake_dependent_option(ENABLE_OSCAP_UTIL_VM "enables the oscap-vm utility, this lets you scan VMs and VM storage images" ON "NOT WIN32" OFF)
cmake_dependent_option(ENABLE_OSCAP_UTIL_PODMAN "enables the oscap-podman utility, this lets you scan Podman containers and container images" ON "NOT WIN32" OFF)
cmake_dependent_option(ENABLE_OSCAP_UTIL_BOOTC "enables the oscap-bootc utility, this lets you build hardened bootable container images" ON "NOT WIN32" OFF)
cmake_dependent_option(ENABLE_OSCAP_UTIL_IM "enables the oscap-im utility, this lets you build hardened bootable container images" ON "NOT WIN32" OFF)
cmake_dependent_option(ENABLE_OSCAP_UTIL_CHROOT "enables the oscap-chroot utility, this lets you scan entire chroots using offline scanning" ON "NOT WIN32" OFF)
option(ENABLE_OSCAP_UTIL_AUTOTAILOR "enables the autotailor utility that is able to perform command-line tailoring" TRUE)
option(ENABLE_OSCAP_REMEDIATE_SERVICE "enables the oscap-remediate service" FALSE)
Expand Down Expand Up @@ -468,7 +468,7 @@ message(STATUS "scap-as-rpm: ${ENABLE_OSCAP_UTIL_AS_RPM}")
message(STATUS "oscap-ssh: ${ENABLE_OSCAP_UTIL_SSH}")
message(STATUS "oscap-vm: ${ENABLE_OSCAP_UTIL_VM}")
message(STATUS "oscap-podman: ${ENABLE_OSCAP_UTIL_PODMAN}")
message(STATUS "oscap-bootc: ${ENABLE_OSCAP_UTIL_BOOTC}")
message(STATUS "oscap-im: ${ENABLE_OSCAP_UTIL_IM}")
message(STATUS "oscap-chroot: ${ENABLE_OSCAP_UTIL_CHROOT}")
message(STATUS "autotailor: ${ENABLE_OSCAP_UTIL_AUTOTAILOR}")
message(STATUS " ")
Expand Down
25 changes: 8 additions & 17 deletions docs/manual/manual.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -189,13 +189,6 @@ Checklists:
system: http://scap.nist.gov/schema/ocil/2
security-data-oval-com.redhat.rhsa-RHEL8.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
Ref-Id: scap_org.open-scap_cref_ssg-rhel8-oval.xml
Ref-Id: scap_org.open-scap_cref_ssg-rhel8-ocil.xml
Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-oval.xml
Ref-Id: scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml
Dictionaries:
Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml
----

* **Document type** describes what format the file is in. Common types include
Expand All @@ -216,8 +209,6 @@ shown for XCCDF files and Checklists and is sourced from the XCCDF **Status**
element.
* **Profiles** lists available profiles, their titles and IDs that you can use for
the `--profile` command line attribute.
* **Checks** and **Dictionaries** lists OVAL checks components and CPE
dictionaries components in the given data stream.

To display more detailed information about a profile including the profile
description, use the `--profile` option followed by the profile ID.
Expand Down Expand Up @@ -1840,15 +1831,15 @@ registry.access.redhat.com/ubi8 latest 3269c37eae33 2 months ago 208 MB

Note that the `oscap-podman` command requires root privileges.

=== Building hardened bootable container images using oscap-bootc
=== Building hardened bootable container images using oscap-im

The `oscap-bootc` tool is a convenience script that makes building hardened bootable container images easier.
The `oscap-im` tool is a convenience script that makes building hardened bootable container images easier.
This tool is designed to be used during the build of the bootable container image.

Include `oscap-bootc` in your `Containerfile` that will be used to build your bootable container image.
The `Containerfile` first needs to install the `openscap-utils` package which ships the `oscap-bootc` tool.
Include `oscap-im` in your `Containerfile` that will be used to build your bootable container image.
The `Containerfile` first needs to install the `openscap-utils` package which ships the `oscap-im` tool.

Also, SCAP content needs to be installed to the image before `oscap-bootc` will be run.
Also, SCAP content needs to be installed to the image before `oscap-im` will be run.
Although any SCAP content can be consumed by the tool, the SCAP source data streams shipped in `scap-security-guide` are specially cared to be compatible with bootable containers.

Example `Containerfile`:
Expand All @@ -1858,7 +1849,7 @@ FROM quay.io/centos-bootc/centos-bootc:stream9
RUN dnf install -y openscap-utils scap-security-guide
RUN oscap-bootc --profile stig /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml
RUN oscap-im --profile stig /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml
----

Once you have your `Containerfile`, execute the image build:
Expand All @@ -1867,15 +1858,15 @@ Once you have your `Containerfile`, execute the image build:
podman build -t hardened_image .
----

The `oscap-bootc` tool installs and removes all packages required by the selected profile to or from the image.
The `oscap-im` tool installs and removes all packages required by the selected profile to or from the image.
Then, it runs a scan and remediation with the selected profile.
It doesn't use offline scanning.
The configuration files and other content in the image are modified by this process, depending on the used SCAP content.

The built bootable container image can be then deployed and booted.
After booting the image, the state of the resulting system will be in line with the selected security profile.

The `oscap-bootc` tool can't be used anywhere else than in a `Containerfile`.
The `oscap-im` tool can't be used anywhere else than in a `Containerfile`.

=== Scanning of Docker containers and images using oscap-docker

Expand Down
1 change: 0 additions & 1 deletion openscap.spec
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,6 @@ Summary: OpenSCAP Utilities
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
Requires: rpmdevtools rpm-build
Requires: %{name}-scanner%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}-engine-sce%{?_isa} = %{epoch}:%{version}-%{release}

%description utils
The %{name}-utils package contains command-line tools build on top
Expand Down
6 changes: 3 additions & 3 deletions swig/openscap_api.py
Original file line number Diff line number Diff line change
Expand Up @@ -811,7 +811,7 @@ def init(self, path, paths={}):
if OSCAP.oscap_err():
desc = OSCAP.oscap_err_desc()
else:
desc = "Unknown error, please report this bug (http://bugzilla.redhat.com/)"
desc = "Unknown error, please report this bug (https://github.com/OpenSCAP/openscap/issues)"
raise ImportError(
"Benchmark \"%s\" loading failed: %s" % (f_XCCDF, desc))

Expand All @@ -832,7 +832,7 @@ def init(self, path, paths={}):
if OSCAP.oscap_err():
desc = OSCAP.oscap_err_desc()
else:
desc = "Unknown error,please report this bug (http://bugzilla.redhat.com/)"
desc = "Unknown error,please report this bug (https://github.com/OpenSCAP/openscap/issues)"
raise ImportError(
"Cannot import definition model for \"%s\": %s" % (f_OVAL, desc))
def_models.append(def_model)
Expand All @@ -841,7 +841,7 @@ def init(self, path, paths={}):
if OSCAP.oscap_err():
desc = OSCAP.oscap_err_desc()
else:
desc = "Unknown error,please report this bug (http://bugzilla.redhat.com/)"
desc = "Unknown error,please report this bug (https://github.com/OpenSCAP/openscap/issues)"
raise ImportError(
"Cannot create agent session for \"%s\": %s" % (f_OVAL, desc))
sessions[file] = sess
Expand Down
6 changes: 3 additions & 3 deletions utils/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -139,11 +139,11 @@ if(ENABLE_OSCAP_UTIL_PODMAN)
DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"
)
endif()
if(ENABLE_OSCAP_UTIL_BOOTC)
install(PROGRAMS "oscap-bootc"
if(ENABLE_OSCAP_UTIL_IM)
install(PROGRAMS "oscap-im"
DESTINATION ${CMAKE_INSTALL_BINDIR}
)
install(FILES "oscap-bootc.8"
install(FILES "oscap-im.8"
DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"
)
endif()
Expand Down
20 changes: 13 additions & 7 deletions utils/oscap-bootc → utils/oscap-im
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,8 @@ import subprocess
import sys
import tempfile

from pathlib import Path


def parse_args():
parser = argparse.ArgumentParser(
Expand Down Expand Up @@ -55,17 +57,21 @@ def parse_args():
return parser.parse_args()


def ensure_sce_installed():
query_cmd = ["rpm", "-q", "openscap-engine-sce"]
query_process = subprocess.run(query_cmd, capture_output=True)
if query_process.returncode != 0:
def verify_bootc_build_env():
rv = subprocess.run(
["rpm", "-q", "bootc"],
stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
bootc_env = (rv.returncode == 0)
container_env = Path("/run/.containerenv").exists()
if not bootc_env or not container_env:
raise RuntimeError(
"The script requires to have the openscap-engine-sce package "
"installed.")
"This script is supposed to be used only in the bootable "
"container build environment.")


def install_sce_dependencies():
required_packages = [
"openscap-engine-sce",
"setools-console" # seinfo is used by the sebool template
]
install_cmd = ["dnf", "-y", "install"] + required_packages
Expand Down Expand Up @@ -129,7 +135,7 @@ def scan_and_remediate(args):

def main():
args = parse_args()
ensure_sce_installed()
verify_bootc_build_env()
install_sce_dependencies()
pre_scan_fix(args)
scan_and_remediate(args)
Expand Down
14 changes: 7 additions & 7 deletions utils/oscap-bootc.8 → utils/oscap-im.8
Original file line number Diff line number Diff line change
@@ -1,19 +1,19 @@
.TH oscap-bootc "8" "November 2024" "Red Hat, Inc." "System Administration Utilities"
.TH oscap-im "8" "January 2025" "Red Hat, Inc." "System Administration Utilities"

.SH NAME
oscap-bootc \- Tool for building hardened bootable container images
oscap-im \- Tool for building hardened bootable container images

.SH DESCRIPTION
The oscap-bootc tool is a convenience script that makes building hardened bootable container images easier.
The oscap-im tool is a convenience script that makes building hardened bootable container images easier.
This tool is designed to be used during the build of the bootable container image.
Include oscap-bootc in your Containerfile that will be used to build your bootable container image.
The oscap-bootc runs oscap tool on a given container image.
Include oscap-im in your Containerfile that will be used to build your bootable container image.
The oscap-im runs oscap tool on a given container image.

The oscap-bootc tool can't be used anywhere else than in a Containerfile.
The oscap-im tool can't be used anywhere else than in a Containerfile.

.SH USAGE

oscap-bootc [OPTION...] DATASTREAM_FILE
oscap-im [OPTION...] DATASTREAM_FILE

Usage of the tool mimics usage and options of oscap(8) tool.

Expand Down
27 changes: 5 additions & 22 deletions utils/oscap-info.c
Original file line number Diff line number Diff line change
Expand Up @@ -209,8 +209,11 @@ static inline void _print_xccdf_referenced_files(struct xccdf_policy_model *poli
printf("%sReferenced check files:\n", prefix);
while (oscap_file_entry_iterator_has_more(files_it)) {
struct oscap_file_entry *file_entry = (struct oscap_file_entry *) oscap_file_entry_iterator_next(files_it);
printf("%s\t%s\n", prefix, oscap_file_entry_get_file(file_entry));
printf("%s\t\tsystem: %s\n", prefix, oscap_file_entry_get_system(file_entry));
const char *system = oscap_file_entry_get_system(file_entry);
if (strcmp(system, "http://open-scap.org/page/SCE")) {
printf("%s\t%s\n", prefix, oscap_file_entry_get_file(file_entry));
printf("%s\t\tsystem: %s\n", prefix, oscap_file_entry_get_system(file_entry));
}
}
oscap_file_entry_iterator_free(files_it);
oscap_file_entry_list_free(referenced_files);
Expand Down Expand Up @@ -490,26 +493,6 @@ static int app_info_single_ds_all(struct ds_stream_index_iterator* sds_it, struc
ds_sds_session_reset(session);
}
oscap_string_iterator_free(checklist_it);

printf("Checks:\n");
struct oscap_string_iterator* checks_it = ds_stream_index_get_checks(stream);
while (oscap_string_iterator_has_more(checks_it)) {
const char * id = oscap_string_iterator_next(checks_it);
printf("\tRef-Id: %s\n", id);
}
oscap_string_iterator_free(checks_it);

struct oscap_string_iterator* dict_it = ds_stream_index_get_dictionaries(stream);
if (oscap_string_iterator_has_more(dict_it)) {
printf("Dictionaries:\n");
} else {
printf("No dictionaries.\n");
}
while (oscap_string_iterator_has_more(dict_it)) {
const char * id = oscap_string_iterator_next(dict_it);
printf("\tRef-Id: %s\n", id);
}
oscap_string_iterator_free(dict_it);
return OSCAP_OK;
}

Expand Down

0 comments on commit 3ef3f34

Please sign in to comment.