Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OpenSCAP tailoring: add key/value rule overrides #300

Closed
wants to merge 9 commits into from
Closed

OpenSCAP tailoring: add key/value rule overrides #300

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
68fdf42
schutz: update `osbuild` commit
kingsleyzissou Dec 4, 2023
2e725fc
pkg/distro: generalise default datastream
kingsleyzissou Dec 13, 2023
bd12442
pkg/distro: simplify directory creation
kingsleyzissou Dec 13, 2023
ee3e8c3
pkg/distro: simplify tailoring stage options
kingsleyzissou Dec 13, 2023
a03aaa8
pkg/distro: simplify remediation stage options
kingsleyzissou Dec 13, 2023
770a6c7
pkg/blueprints: add tailoring overrides
kingsleyzissou Dec 4, 2023
fefcc4c
pkg/osbuild: enable OpenSCAP tailoring overrides
kingsleyzissou Dec 4, 2023
be317b5
pkg/customizations: enable tailor overrides
kingsleyzissou Dec 13, 2023
3b6b310
test/configs: update OpenSCAP tests
kingsleyzissou Dec 4, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 4 additions & 10 deletions pkg/customizations/oscap/oscap.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ import (
"path/filepath"
"strings"

"github.com/osbuild/images/pkg/customizations/fsnode"
"github.com/osbuild/images/pkg/distro"
)

Expand Down Expand Up @@ -41,7 +40,8 @@ const (
defaultRHEL8Datastream string = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"
defaultRHEL9Datastream string = "/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"

// tailoring directory path
// directory paths
dataDirPath string = "/oscap_data"
tailoringDirPath string = "/usr/share/xml/osbuild-openscap-data"
)

Expand Down Expand Up @@ -92,14 +92,8 @@ func IsProfileAllowed(profile string, allowlist []Profile) bool {
return false
}

func GetTailoringFile(profile string) (string, string, *fsnode.Directory, error) {
func GetTailoringFile(profile string) (string, string) {
newProfile := fmt.Sprintf("%s_osbuild_tailoring", profile)
path := filepath.Join(tailoringDirPath, "tailoring.xml")

tailoringDir, err := fsnode.NewDirectory(tailoringDirPath, nil, nil, nil, true)
if err != nil {
return "", "", nil, err
}

return newProfile, path, tailoringDir, nil
return newProfile, path
}
31 changes: 31 additions & 0 deletions pkg/customizations/oscap/stage_options.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
package oscap

import (
"fmt"

"github.com/osbuild/images/pkg/customizations/fsnode"
)

func CreateRequiredDirectories(createTailoring bool) ([]*fsnode.Directory, error) {
var directories []*fsnode.Directory

// although the osbuild stage will create this directory,
// it's probably better to ensure that it is created here
Comment on lines +16 to +17
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had to double-check. Because the directory is technically not created here, but in the OS pipeline implementation which generates the osbuild pipeline. Directories are created before the OSCAP stage is added to the pipeline, so this is all fine in the end.

dataDirNode, err := fsnode.NewDirectory(dataDirPath, nil, nil, nil, true)
if err != nil {
return nil, fmt.Errorf("unexpected error creating OpenSCAP data directory: %s", err)
}

directories = append(directories, dataDirNode)

if createTailoring {
tailoringDirNode, err := fsnode.NewDirectory(tailoringDirPath, nil, nil, nil, true)
if err != nil {
return nil, fmt.Errorf("unexpected error creating OpenSCAP tailoring directory: %s", err)
}

directories = append(directories, tailoringDirNode)
}

return directories, nil
}
24 changes: 9 additions & 15 deletions pkg/distro/fedora/images.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -166,15 +166,6 @@ func osCustomizations(
panic("unexpected oscap options for ostree image type")
}

// although the osbuild stage will create this directory,
// it's probably better to ensure that it is created here
dataDirNode, err := fsnode.NewDirectory(oscapDataDir, nil, nil, nil, true)
if err != nil {
panic("unexpected error creating OpenSCAP data directory")
}

osc.Directories = append(osc.Directories, dataDirNode)

datastream := oscap.GetDatastream(oscapConfig.Datastream, t.arch.distro)

oscapStageOptions := osbuild.OscapConfig{
Expand All @@ -184,10 +175,7 @@ func osCustomizations(
}

if oscapConfig.Tailoring != nil {
newProfile, tailoringFilepath, tailoringDir, err := oscap.GetTailoringFile(oscapConfig.ProfileID)
if err != nil {
panic(fmt.Sprintf("unexpected error creating tailoring file options: %v", err))
}
newProfile, tailoringFilepath := oscap.GetTailoringFile(oscapConfig.ProfileID)

tailoringOptions := osbuild.OscapAutotailorConfig{
NewProfile: newProfile,
Expand All @@ -205,9 +193,15 @@ func osCustomizations(
// overwrite the profile id with the new tailoring id
oscapStageOptions.ProfileID = newProfile
oscapStageOptions.Tailoring = tailoringFilepath
}

directories, err := oscap.CreateRequiredDirectories(oscapConfig.Tailoring != nil)
if err != nil {
panic(err)
}

// add the parent directory for the tailoring file
osc.Directories = append(osc.Directories, tailoringDir)
if len(directories) > 0 {
osc.Directories = append(osc.Directories, directories...)
}

osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(oscapDataDir, oscapStageOptions)
Expand Down
23 changes: 8 additions & 15 deletions pkg/distro/rhel8/images.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -187,15 +187,6 @@ func osCustomizations(
panic("unexpected oscap options for ostree image type")
}

// although the osbuild stage will create this directory,
// it's probably better to ensure that it is created here
dataDirNode, err := fsnode.NewDirectory(oscapDataDir, nil, nil, nil, true)
if err != nil {
panic("unexpected error creating OpenSCAP data directory")
}

osc.Directories = append(osc.Directories, dataDirNode)

datastream := oscap.GetDatastream(oscapConfig.Datastream, t.arch.distro)

oscapStageOptions := osbuild.OscapConfig{
Expand All @@ -205,10 +196,7 @@ func osCustomizations(
}

if oscapConfig.Tailoring != nil {
newProfile, tailoringFilepath, tailoringDir, err := oscap.GetTailoringFile(oscapConfig.ProfileID)
if err != nil {
panic(fmt.Sprintf("unexpected error creating tailoring file options: %v", err))
}
newProfile, tailoringFilepath := oscap.GetTailoringFile(oscapConfig.ProfileID)

tailoringOptions := osbuild.OscapAutotailorConfig{
NewProfile: newProfile,
Expand All @@ -226,11 +214,16 @@ func osCustomizations(
// overwrite the profile id with the new tailoring id
oscapStageOptions.ProfileID = newProfile
oscapStageOptions.Tailoring = tailoringFilepath
}

// add the parent directory for the tailoring file
osc.Directories = append(osc.Directories, tailoringDir)
directories, err := oscap.CreateRequiredDirectories(oscapConfig.Tailoring != nil)
if err != nil {
panic(err)
}

if len(directories) > 0 {
osc.Directories = append(osc.Directories, directories...)
}
osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(oscapDataDir, oscapStageOptions)
}

Expand Down
24 changes: 9 additions & 15 deletions pkg/distro/rhel9/images.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -184,15 +184,6 @@ func osCustomizations(
panic("unexpected oscap options for ostree image type")
}

// although the osbuild stage will create this directory,
// it's probably better to ensure that it is created here
dataDirNode, err := fsnode.NewDirectory(oscapDataDir, nil, nil, nil, true)
if err != nil {
panic("unexpected error creating OpenSCAP data directory")
}

osc.Directories = append(osc.Directories, dataDirNode)

var datastream = oscap.GetDatastream(oscapConfig.Datastream, t.arch.distro)

oscapStageOptions := osbuild.OscapConfig{
Expand All @@ -202,10 +193,7 @@ func osCustomizations(
}

if oscapConfig.Tailoring != nil {
newProfile, tailoringFilepath, tailoringDir, err := oscap.GetTailoringFile(oscapConfig.ProfileID)
if err != nil {
panic(fmt.Sprintf("unexpected error creating tailoring file options: %v", err))
}
newProfile, tailoringFilepath := oscap.GetTailoringFile(oscapConfig.ProfileID)

tailoringOptions := osbuild.OscapAutotailorConfig{
NewProfile: newProfile,
Expand All @@ -223,9 +211,15 @@ func osCustomizations(
// overwrite the profile id with the new tailoring id
oscapStageOptions.ProfileID = newProfile
oscapStageOptions.Tailoring = tailoringFilepath
}

directories, err := oscap.CreateRequiredDirectories(oscapConfig.Tailoring == nil)
if err != nil {
panic(err)
}

// add the parent directory for the tailoring file
osc.Directories = append(osc.Directories, tailoringDir)
if len(directories) > 0 {
osc.Directories = append(osc.Directories, directories...)
}

osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(oscapDataDir, oscapStageOptions)
Expand Down