From f827978e1065ebde1771360002658e067ff7500d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 10 Oct 2024 11:26:45 +0200
Subject: [PATCH 1/2] Allow preferring SCE

This commit introduces a new environment variable `OSCAP_PREFERRED_ENGINE`. This variable allows users to set a preffered check engine for XCCDF rules. If a rule has multiple checks, the checks for the preffered check engine will be used. Allowed values: `SCE`, `OVAL`. If this variable is set to `SCE` and a rule has both SCE and OVAL checks the SCE check will be used. If this variable is set to `OVAL` and a rule has both SCE and OVAL checks the OVAL check will be used. If this environment variable isn't set, the standard XCCDF mechanism will be used for check selection. This will allow us to explicitely prefer SCE checks when executing `oscap` in Containerfile in the `podman build` process when building hardened bootc images. Also a small test is added to test this feature.
---
 docs/manual/manual.adoc | 1 +
 src/SCE/sce_engine.c | 1 +
 src/XCCDF_POLICY/xccdf_policy.c | 10 ++++
 src/common/debug.c | 1 +
 tests/sce/CMakeLists.txt | 1 +
 tests/sce/test_prefer_sce.ds.xml | 78 ++++++++++++++++++++++++++++++++
 tests/sce/test_prefer_sce.sh | 50 ++++++++++++++++++++
 7 files changed, 142 insertions(+)
 create mode 100644 tests/sce/test_prefer_sce.ds.xml
 create mode 100755 tests/sce/test_prefer_sce.sh

diff --git a/docs/manual/manual.adoc b/docs/manual/manual.adoc
index 1a78406dd2..5b96000858 100644
--- a/docs/manual/manual.adoc
+++ b/docs/manual/manual.adoc
@@ -1658,6 +1658,7 @@ If OpenSCAP is executed with verbosity level INFO or DEVEL their runtime values
 * `OSCAP_PROBE_MEMORY_USAGE_RATIO` - maximum memory usage ratio (used/total) for OpenSCAP probes, default: 0.1
 * `OSCAP_PROBE_MAX_COLLECTED_ITEMS` - maximal count of collected items by OpenSCAP probe for a single OVAL object evaluation
 * `OSCAP_PROBE_IGNORE_PATHS` - Skip given paths during evaluation. If multiple paths should be skipped they need to be separated by a colon. The paths should be absolute canonical paths.
+* `OSCAP_PREFERRED_ENGINE` - Set a preffered check engine for XCCDF rules. If a rule has multiple checks, the checks for the preffered check engine will be used. Allowed values: `SCE`, `OVAL`. If this variable is set to `SCE` and a rule has both SCE and OVAL checks the SCE check will be used. If this variable is set to `OVAL` and a rule has both SCE and OVAL checks the OVAL check will be used. If this environment variable isn't set, the standard XCCDF mechanism will be used for check selection.
 Also, OpenSCAP uses `libcurl` library which also can be configured using environment variables. See https://curl.se/libcurl/c/libcurl-env.html[the list of libcurl environment variables].
diff --git a/src/SCE/sce_engine.c b/src/SCE/sce_engine.c
index 962e409885..70670975b6 100644
--- a/src/SCE/sce_engine.c
+++ b/src/SCE/sce_engine.c
@@ -370,6 +370,7 @@ xccdf_test_result_type_t sce_engine_eval_rule(struct xccdf_policy *policy, const
 		struct xccdf_check_import_iterator *check_import_it, void *usr)
 {
+	dI("Executing SCE check '%s'", href);
 	struct sce_parameters* parameters = (struct sce_parameters*)usr;
 	const char* xccdf_directory = parameters->xccdf_directory;
 	bool use_sce_wrapper = false; // use osca-run-sce-script ?
diff --git a/src/XCCDF_POLICY/xccdf_policy.c b/src/XCCDF_POLICY/xccdf_policy.c
index f12b046baf..5ab9b16090 100644
--- a/src/XCCDF_POLICY/xccdf_policy.c
+++ b/src/XCCDF_POLICY/xccdf_policy.c
@@ -588,6 +588,16 @@ _xccdf_policy_rule_get_applicable_check(struct xccdf_policy *policy, struct xccd
 		struct xccdf_check *check = xccdf_check_iterator_next(candidate_it);
 		if (_xccdf_policy_is_engine_registered(policy, (char *) xccdf_check_get_system(check))) {
 			result = check;
+			char *preferred_engine = getenv("OSCAP_PREFERRED_ENGINE");
+			if (preferred_engine) {
+				if (strcmp("SCE", preferred_engine) && strcmp("OVAL", preferred_engine)) {
+					dW("Unknown value of OSCAP_PREFFERED_ENGINE: '%s'. It will be ignored.", preferred_engine);
+				}
+				if ((!strcmp("SCE", preferred_engine) && !strcmp("http://open-scap.org/page/SCE", check->system)) ||
+					(!strcmp("OVAL", preferred_engine) && !strcmp("http://oval.mitre.org/XMLSchema/oval-definitions-5", check->system))) {
+					break;
+				}
+			}
 		} else if (strcmp("http://oval.mitre.org/XMLSchema/oval-definitions-5", check->system) == 0) {
 			print_oval_warning = true;
 		} else if (strcmp("http://scap.nist.gov/schema/ocil/2", check->system) == 0) {
diff --git a/src/common/debug.c b/src/common/debug.c
index 30d37845dc..dc56874fb2 100644
--- a/src/common/debug.c
+++ b/src/common/debug.c
@@ -311,6 +311,7 @@ void oscap_print_env_vars()
 		"OSCAP_PROBE_MEMORY_USAGE_RATIO",
 		"OSCAP_PROBE_MAX_COLLECTED_ITEMS",
 		"OSCAP_PROBE_IGNORE_PATHS",
+		"OSCAP_PREFERRED_ENGINE",
 		NULL
 	};
 	dI("Using environment variables:");
diff --git a/tests/sce/CMakeLists.txt b/tests/sce/CMakeLists.txt
index 30f3d62ea7..dc5915099e 100644
--- a/tests/sce/CMakeLists.txt
+++ b/tests/sce/CMakeLists.txt
@@ -1,4 +1,5 @@
 if(ENABLE_SCE)
+	add_oscap_test("test_prefer_sce.sh")
 	if(${PYTHON_VERSION_MAJOR} EQUAL "3")
 		add_oscap_test("test_sce.sh")
 	endif()
diff --git a/tests/sce/test_prefer_sce.ds.xml b/tests/sce/test_prefer_sce.ds.xml
new file mode 100644
index 0000000000..e95c666397
--- /dev/null
+++ b/tests/sce/test_prefer_sce.ds.xml
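Review bot: The warning on the dW line names a variable that does not exist, `OSCAP_PREFFERED_ENGINE`, while the getenv call two lines above reads `OSCAP_PREFERRED_ENGINE`, so a user who sets an unsupported value is pointed at the wrong name; the manual line in the first hunk and the commit message carry the same "preffered" spelling. Because the getenv call and the validation sit inside the candidate loop (the loop starts and the function ends outside this hunk), the lookup is repeated for every candidate check of every rule and the unknown-value warning is emitted once per registered check rather than once per run. Reading and validating the variable once before the loop, and clearing it when the value is unknown, removes the repetition and reduces the in-loop test to a single condition; the sketch below also uses `xccdf_check_get_system(check)` as the line above already does, instead of reaching into `check->system`. Since the preference changes which check is actually evaluated, logging at info level which system was selected when the preference wins would make results easier to audit, but that part is optional.
```c
	/* … unchanged: candidate_it setup (outside this hunk) … */
	const char *preferred_engine = getenv("OSCAP_PREFERRED_ENGINE");
	if (preferred_engine != NULL && strcmp("SCE", preferred_engine) != 0 && strcmp("OVAL", preferred_engine) != 0) {
		dW("Unknown value of OSCAP_PREFERRED_ENGINE: '%s'. It will be ignored.", preferred_engine);
		preferred_engine = NULL;
	}
	/* … unchanged: loop over candidate_it (starts outside this hunk) … */
		struct xccdf_check *check = xccdf_check_iterator_next(candidate_it);
		if (_xccdf_policy_is_engine_registered(policy, (char *) xccdf_check_get_system(check))) {
			result = check;
			const char *system = xccdf_check_get_system(check);
			if (preferred_engine != NULL &&
			    ((strcmp("SCE", preferred_engine) == 0 && strcmp("http://open-scap.org/page/SCE", system) == 0) ||
			     (strcmp("OVAL", preferred_engine) == 0 && strcmp("http://oval.mitre.org/XMLSchema/oval-definitions-5", system) == 0))) {
				break;
			}
		}
	/* … unchanged: the OVAL and OCIL else-if branches … */
```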
@@ -0,0 +1,78 @@ + + + + + + + + + + + + + + + + + + + + 5.11.2 + 2021-02-01T08:07:06+01:00 + + + + + OVAL check for rule 1 + pass + + + + + + + + + + + + + + oval:org.openscap.www:var:1 + + + + + 100 + + + + + + + accepted + 1.0 + + Common hardening profile + This is a very cool profile +