

Merge pull request #2079 from evgenyz/add-json-to-autotailor
Introduce JSON tailoring import option for `autotailor`
jan-cerny authored Feb 28, 2024
2 parents 7b45a7e + dbab0f7 commit 8fedd96
Showing 7 changed files with 288 additions and 59 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -17,6 +17,7 @@ build/
*.a
*.la
.cproject
.idea
.project
.settings/language.settings.xml

7 changes: 7 additions & 0 deletions docs/manual/manual.adoc
@@ -1,6 +1,7 @@
= OpenSCAP User Manual
:imagesdir: ./images
:workbench_url: https://www.open-scap.org/tools/scap-workbench/
:json_tailoring_url: https://github.com/ComplianceAsCode/schemas/tree/main/tailoring
:sce_web: https://www.open-scap.org/features/other-standards/sce/
:openscap_web: https://open-scap.org/
:oscap_git: https://github.com/OpenSCAP/openscap
Expand Down Expand Up @@ -868,6 +869,12 @@ $ autotailor --unselect service_usbguard_enabled --output /tmp/tailoring.xml \
--new-profile-id custom /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml ospp
----

The `autotailor` tool can also consume {json_tailoring_url}[JSON tailoring] files and convert them into XCCDF Tailoring.

----
$ autotailor --json-tailoring custom.json /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
----

For more details about other options of the `autotailor` program please read the `autotailor(8)` man page or run `autotailor --help`.


25 changes: 24 additions & 1 deletion tests/utils/autotailor_integration_test.sh
Expand Up @@ -7,6 +7,7 @@ set -e -o pipefail
autotailor="$top_srcdir/utils/autotailor"
tailoring="$(mktemp)"
ds="$srcdir/data_stream.xml"
json_tailoring="$srcdir/custom.json"
stdout="$(mktemp)"
original_profile="P1"
result="$(mktemp)"
Expand Down Expand Up @@ -93,11 +94,33 @@ assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="pass"]'
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notselected"]'

# refine value v1 to 30
# set value v1 to thirty
python3 $autotailor --id-namespace "com.example.www" --var-value V1=thirty $ds $original_profile > $tailoring
$OSCAP xccdf eval --profile P1_customized --progress --tailoring-file $tailoring --results $result $ds
assert_exists 1 '/Benchmark/TestResult/set-value[@idref="xccdf_com.example.www_value_V1" and text()="thirty"]'
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R1"]/result[text()="pass"]'
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R2"]/result[text()="pass"]'
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="notselected"]'
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notselected"]'

# refine value v1 to 'thirty' (30) and v2 to 'other' (Other Value)
python3 $autotailor --id-namespace "com.example.www" --var-select V1=thirty --var-select V2=other $ds $original_profile > $tailoring
$OSCAP xccdf eval --profile P1_customized --progress --tailoring-file $tailoring --results $result $ds
assert_exists 1 '/Benchmark/TestResult/set-value[@idref="xccdf_com.example.www_value_V1" and text()="30"]'
assert_exists 1 '/Benchmark/TestResult/set-value[@idref="xccdf_com.example.www_value_V2" and text()="Other Value"]'
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R1"]/result[text()="pass"]'
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R2"]/result[text()="pass"]'
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="notselected"]'
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notselected"]'

# use JSON tailoring
python3 $autotailor $ds --id-namespace "com.example.www" --json-tailoring $json_tailoring > $tailoring
$OSCAP xccdf eval --profile JSON_P1 --progress --tailoring-file $tailoring --results $result $ds
assert_exists 1 '/Benchmark/TestResult/set-value[@idref="xccdf_com.example.www_value_V1" and text()="New Value"]'
assert_exists 1 '/Benchmark/TestResult/set-value[@idref="xccdf_com.example.www_value_V2" and text()="Some Value"]'
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R1"]/result[text()="notselected"]'
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R2"]/result[text()="pass"]'
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3"]/result[text()="notselected"]'
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R3" and @severity="unknown"]'
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4"]/result[text()="notselected"]'
assert_exists 1 '/Benchmark/TestResult/rule-result[@idref="xccdf_com.example.www_rule_R4" and @role="unchecked"]'
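Review bot: The new invocation `python3 $autotailor $ds --id-namespace "com.example.www" --json-tailoring $json_tailoring > $tailoring` puts the data stream before the options, while every other call in this file passes `$ds` (and the profile) last; for consistency it should read `python3 $autotailor --id-namespace "com.example.www" --json-tailoring $json_tailoring $ds > $tailoring`. The JSON case also exercises only the happy path: nothing checks that autotailor exits non-zero on a malformed or missing `--json-tailoring` file, which is what `set -e` would need in order to surface a validation regression. A short negative case that runs the tool against an invalid file and asserts failure would pin that behaviour. The R3/R4 `notselected` assertions presumably rely on group G34 being unselected through the JSON rather than on the rules themselves, which is worth stating in the `# use JSON tailoring` comment.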
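--- /dev/null
+++ b/tests/utils/custom.json
@@ -0,0 +1,35 @@
+{
+"profiles": [
+{
+"id": "JSON_P1",
+"title": "JSON Tailored Profile P1",
+"base_profile_id": "P1",
+"groups": {
+"G34": {
+"evaluate": false
+}
+},
+"rules": {
+"R1": {
+"evaluate": false
+},
+"R3": {
+"evaluate": true,
+"severity": "unknown"
+},
+"R4": {
+"evaluate": true,
+"role": "unchecked"
+}
+},
+"variables": {
+"V1": {
+"value": "New Value"
+},
+"V2": {
+"option_id": "some"
+}
+}
+}
+]
+}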
44 changes: 28 additions & 16 deletions tests/utils/data_stream.xml
Expand Up @@ -65,12 +65,20 @@
<select idref="xccdf_com.example.www_rule_R2" selected="true"/>
</Profile>
<Value id="xccdf_com.example.www_value_V1" operator="equals" type="number">
<title>value</title>
<title>value 1</title>
<description xml:lang="en">cccc</description>
<question xml:lang="en">ssss</question>
<value>5</value>
<value selector="thirty">30</value>
</Value>
<Value id="xccdf_com.example.www_value_V2" operator="equals" type="string">
<title>value 2</title>
<description xml:lang="en">22222</description>
<question xml:lang="en">Q2</question>
<value>Default</value>
<value selector="some">Some Value</value>
<value selector="other">Other Value</value>
</Value>
<Rule selected="false" id="xccdf_com.example.www_rule_R1">
<title>Rule R1</title>
<description>Description</description>
Expand All @@ -85,20 +93,24 @@
<check-content-ref href="test_single_rule.oval.xml" name="oval:x:def:1"/>
</check>
</Rule>
<Rule selected="false" id="xccdf_com.example.www_rule_R3">
<title>Rule R3</title>
<description>Description</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref href="test_single_rule.oval.xml" name="oval:x:def:1"/>
</check>
</Rule>
<Rule selected="false" id="xccdf_com.example.www_rule_R4">
<title>Rule R4</title>
<description>Description</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref href="test_single_rule.oval.xml" name="oval:x:def:1"/>
</check>
</Rule>
</Benchmark>
<Group selected="true" id="xccdf_com.example.www_group_G34">
<title>group R3, R4</title>
<description>description</description>
<Rule selected="false" id="xccdf_com.example.www_rule_R3">
<title>Rule R3</title>
<description>Description</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref href="test_single_rule.oval.xml" name="oval:x:def:1"/>
</check>
</Rule>
<Rule selected="false" id="xccdf_com.example.www_rule_R4">
<title>Rule R4</title>
<description>Description</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref href="test_single_rule.oval.xml" name="oval:x:def:1"/>
</check>
</Rule>
</Group>
</Benchmark>
</ds:component>
</ds:data-stream-collection>

0 comments on commit 8fedd96
