collect ARF results from remediations instead of HTML reports
Signed-off-by: Jiri Jaburek <[email protected]>
comps authored and matusmarhefka committed Nov 25, 2024
1 parent 17a934a commit cfcb990
Showing 10 changed files with 87 additions and 65 deletions.
8 changes: 4 additions & 4 deletions hardening/anaconda/test.py
Expand Up @@ -39,15 +39,15 @@
# scan the remediated system
proc, lines = g.ssh_stream(
f'oscap xccdf eval --profile {profile} --progress --report report.html'
f' --results-arf results-arf.xml scan-ds.xml'
f' --results-arf scan-arf.xml scan-ds.xml'
)
oscap.report_from_verbose(lines)
if proc.returncode not in [0,2]:
raise RuntimeError("post-reboot oscap failed unexpectedly")

g.copy_from('report.html')
g.copy_from('results-arf.xml')
g.copy_from('scan-arf.xml')

util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
util.subprocess_run(['gzip', '-9', 'scan-arf.xml'], check=True)

results.report_and_exit(logs=['report.html', 'results-arf.xml.gz'])
results.report_and_exit(logs=['report.html', 'scan-arf.xml.gz'])
8 changes: 4 additions & 4 deletions hardening/ansible/test.py
Expand Up @@ -51,15 +51,15 @@
g.copy_to(util.get_datastream(), 'scan-ds.xml')
proc, lines = g.ssh_stream(
f'oscap xccdf eval --profile {profile} --progress --report report.html'
f' --results-arf results-arf.xml scan-ds.xml'
f' --results-arf scan-arf.xml scan-ds.xml'
)
oscap.report_from_verbose(lines)
if proc.returncode not in [0,2]:
raise RuntimeError("post-reboot oscap failed unexpectedly")

g.copy_from('report.html')
g.copy_from('results-arf.xml')
g.copy_from('scan-arf.xml')

util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
util.subprocess_run(['gzip', '-9', 'scan-arf.xml'], check=True)

results.report_and_exit(logs=['report.html', 'results-arf.xml.gz'])
results.report_and_exit(logs=['report.html', 'scan-arf.xml.gz'])
15 changes: 10 additions & 5 deletions hardening/container/anaconda-ostree/test.py
Expand Up @@ -33,7 +33,8 @@
RUN dnf -y copr enable {copr} centos-stream-{versions.rhel.major}-x86_64
RUN dnf -y install openscap-utils
COPY remediation-ds.xml /root/.
RUN oscap-bootc --profile '{profile}' /root/remediation-ds.xml
RUN oscap-bootc --profile '{profile}' \
--results-arf /root/remediation-arf.xml /root/remediation-ds.xml
# hack sshd cmdline to allow root login
RUN echo "OPTIONS=-oPermitRootLogin=yes" >> /etc/sysconfig/sshd
''')
Expand Down Expand Up @@ -65,15 +66,19 @@
# scan the remediated system
proc, lines = guest.ssh_stream(
f'oscap xccdf eval --profile {profile} --progress --report report.html'
f' --results-arf results-arf.xml scan-ds.xml'
f' --results-arf scan-arf.xml scan-ds.xml'
)
oscap.report_from_verbose(lines)
if proc.returncode not in [0,2]:
raise RuntimeError("post-reboot oscap failed unexpectedly")

guest.copy_from('report.html')
guest.copy_from('results-arf.xml')
guest.copy_from('remediation-arf.xml')
guest.copy_from('scan-arf.xml')

util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
tar = [
'tar', '-cvJf', 'results-arf.tar.xz', 'remediation-arf.xml', 'scan-arf.xml',
]
util.subprocess_run(tar, check=True)

results.report_and_exit(logs=['report.html', 'results-arf.xml.gz'])
results.report_and_exit(logs=['report.html', 'results-arf.tar.xz'])
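Review bot: `guest.copy_from('remediation-arf.xml')` fetches the file by a relative name while the Containerfile hunk above writes it to the absolute path `/root/remediation-arf.xml`, so the copy only succeeds if copy_from resolves relative paths against /root, presumably because the ssh session logs in as root via the PermitRootLogin hack; the scan outputs in the same hunk are produced and read relative to that same directory, so the assumption is likely already baked in, but nothing on this line says so. Either use the absolute path, `guest.copy_from('/root/remediation-arf.xml')`, if copy_from accepts one, or document the coupling next to the copy: `# written to /root by oscap-bootc during the image build; relies on copy_from resolving relative to root's home`. Note also that, being produced by a RUN step, the remediation ARF is baked into the image layer and will be present in every instance booted from it, not just this guest. The identical hunk in hardening/container/bootc-image-builder/test.py has the same gap. Both hunks are excerpts of a flat script whose surrounding code is outside the diff.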
15 changes: 10 additions & 5 deletions hardening/container/bootc-image-builder/test.py
Expand Up @@ -36,7 +36,8 @@
RUN dnf -y copr enable {copr} centos-stream-{versions.rhel.major}-x86_64
RUN dnf -y install openscap-utils
COPY remediation-ds.xml /root/.
RUN oscap-bootc --profile '{profile}' /root/remediation-ds.xml
RUN oscap-bootc --profile '{profile}' \
--results-arf /root/remediation-arf.xml /root/remediation-ds.xml
# hack sshd cmdline to allow root login
RUN echo "OPTIONS=-oPermitRootLogin=yes" >> /etc/sysconfig/sshd
''')
Expand Down Expand Up @@ -80,15 +81,19 @@
# scan the remediated system
proc, lines = guest.ssh_stream(
f'oscap xccdf eval --profile {profile} --progress --report report.html'
f' --results-arf results-arf.xml scan-ds.xml'
f' --results-arf scan-arf.xml scan-ds.xml'
)
oscap.report_from_verbose(lines)
if proc.returncode not in [0,2]:
raise RuntimeError("post-reboot oscap failed unexpectedly")

guest.copy_from('report.html')
guest.copy_from('results-arf.xml')
guest.copy_from('remediation-arf.xml')
guest.copy_from('scan-arf.xml')

util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
tar = [
'tar', '-cvJf', 'results-arf.tar.xz', 'remediation-arf.xml', 'scan-arf.xml',
]
util.subprocess_run(tar, check=True)

results.report_and_exit(logs=['report.html', 'results-arf.xml.gz'])
results.report_and_exit(logs=['report.html', 'results-arf.tar.xz'])
6 changes: 3 additions & 3 deletions hardening/host-os/ansible/test.py
Expand Up @@ -42,14 +42,14 @@
# scan the remediated system
cmd = [
'oscap', 'xccdf', 'eval', '--profile', profile, '--progress',
'--report', 'report.html', '--results-arf', 'results-arf.xml',
'--report', 'report.html', '--results-arf', 'scan-arf.xml',
util.get_datastream(),
]
proc, lines = util.subprocess_stream(cmd)
oscap.report_from_verbose(lines)
if proc.returncode not in [0,2]:
raise RuntimeError("post-reboot oscap failed unexpectedly")

util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
util.subprocess_run(['gzip', '-9', 'scan-arf.xml'], check=True)

results.report_and_exit(logs=['report.html', 'results-arf.xml.gz'])
results.report_and_exit(logs=['report.html', 'scan-arf.xml.gz'])
24 changes: 15 additions & 9 deletions hardening/host-os/oscap/test.py
Expand Up @@ -17,10 +17,10 @@
remediation_ds = tmpdir / 'remediation-ds.xml'


def do_one_remediation(ds, profile, html_report):
def do_one_remediation(ds, profile, arf_results):
cmd = [
'oscap', 'xccdf', 'eval', '--profile', profile, '--progress',
'--report', html_report, '--remediate', ds,
'--results-arf', arf_results, '--remediate', ds,
]
proc = util.subprocess_run(cmd)
if proc.returncode not in [0,2]:
Expand All @@ -41,7 +41,7 @@ def do_one_remediation(ds, profile, html_report):

oscap.unselect_rules(util.get_datastream(), remediation_ds, remediation.excludes())

do_one_remediation(remediation_ds, profile, tmpdir / 'remediation.html')
do_one_remediation(remediation_ds, profile, tmpdir / 'remediation-arf.xml')

util.reboot()

Expand All @@ -50,7 +50,7 @@ def do_one_remediation(ds, profile, html_report):
elif util.get_reboot_count() == 1:
util.log("second boot, doing second remediation")

do_one_remediation(remediation_ds, profile, tmpdir / 'remediation2.html')
do_one_remediation(remediation_ds, profile, tmpdir / 'remediation2-arf.xml')

util.reboot()

Expand All @@ -61,20 +61,26 @@ def do_one_remediation(ds, profile, html_report):
# - use the original unmodified datastream
cmd = [
'oscap', 'xccdf', 'eval', '--profile', profile, '--progress',
'--report', 'report.html', '--results-arf', 'results-arf.xml',
'--report', 'report.html', '--results-arf', 'scan-arf.xml',
util.get_datastream(),
]
proc, lines = util.subprocess_stream(cmd)
oscap.report_from_verbose(lines)
if proc.returncode not in [0,2]:
raise RuntimeError("post-reboot oscap failed unexpectedly")

util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
# TODO: str() because of python 3.6 shutil.move() not supporting Path
shutil.move(str(tmpdir / 'remediation-arf.xml'), '.')
shutil.move(str(tmpdir / 'remediation2-arf.xml'), '.')

tar = [
'tar', '-cvJf', 'results-arf.tar.xz',
'remediation-arf.xml', 'remediation2-arf.xml', 'scan-arf.xml',
]
util.subprocess_run(tar, check=True)

logs = [
'report.html',
'results-arf.xml.gz',
tmpdir / 'remediation.html',
tmpdir / 'remediation2.html',
'results-arf.tar.xz',
]
results.report_and_exit(logs=logs)
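Review bot: `shutil.move(str(tmpdir / 'remediation-arf.xml'), '.')` raises `shutil.Error` when a file of that name already exists in the working directory, because shutil.move refuses to overwrite inside a destination directory; a re-run in a non-clean cwd therefore aborts at the move rather than at tar, which is at least fail-closed (a stale ARF never lands in results-arf.tar.xz), but if overwriting is the intended behaviour the explicit-filename form `shutil.move(str(tmpdir / 'remediation-arf.xml'), 'remediation-arf.xml')` goes through os.rename and replaces the old file instead. The TODO comment could also name the release that lifts the limitation so it can be retired: `# TODO: str() because python 3.6 shutil.move() does not accept Path (fixed in 3.9)`. In the first hunk, `do_one_remediation` now takes `arf_results` instead of `html_report` but still has no docstring; a one-liner such as `"""Run one oscap remediation pass of *ds* with *profile*, writing the ARF results to *arf_results*."""` would pin the new parameter's meaning. That function's body continues past the first hunk, and the script's remaining code is outside the diff.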
8 changes: 4 additions & 4 deletions hardening/image-builder/test.py
Expand Up @@ -33,15 +33,15 @@
# scan the remediated system
proc, lines = g.ssh_stream(
f'oscap xccdf eval --profile {profile} --progress --report report.html'
f' --results-arf results-arf.xml scan-ds.xml'
f' --results-arf scan-arf.xml scan-ds.xml'
)
oscap.report_from_verbose(lines)
if proc.returncode not in [0,2]:
raise RuntimeError("post-reboot oscap failed unexpectedly")

g.copy_from('report.html')
g.copy_from('results-arf.xml')
g.copy_from('scan-arf.xml')

util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
util.subprocess_run(['gzip', '-9', 'scan-arf.xml'], check=True)

results.report_and_exit(logs=['report.html', 'results-arf.xml.gz', g.osbuild_log])
results.report_and_exit(logs=['report.html', 'scan-arf.xml.gz', g.osbuild_log])
8 changes: 4 additions & 4 deletions hardening/kickstart/test.py
Expand Up @@ -36,15 +36,15 @@
# scan the remediated system
proc, lines = g.ssh_stream(
f'oscap xccdf eval --profile {profile} --progress --report report.html'
f' --results-arf results-arf.xml scan-ds.xml'
f' --results-arf scan-arf.xml scan-ds.xml'
)
oscap.report_from_verbose(lines)
if proc.returncode not in [0,2]:
raise RuntimeError("post-reboot oscap failed unexpectedly")

g.copy_from('report.html')
g.copy_from('results-arf.xml')
g.copy_from('scan-arf.xml')

util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
util.subprocess_run(['gzip', '-9', 'scan-arf.xml'], check=True)

results.report_and_exit(logs=['report.html', 'results-arf.xml.gz'])
results.report_and_exit(logs=['report.html', 'scan-arf.xml.gz'])
38 changes: 21 additions & 17 deletions hardening/oscap/old-new/test.py
Expand Up @@ -22,13 +22,13 @@
oscap.unselect_rules(util.get_datastream(), 'remediation-new.xml', remediation.excludes())
g.copy_to('remediation-new.xml')

def remediate(datastream, html_report, html_report2):
def remediate(datastream, arf_results, arf_results2):
# remediate twice due to some rules being 'notapplicable'
# on the first pass
for html_report in [html_report, html_report2]:
for arf_output in [arf_results, arf_results2]:
cmd = [
'oscap', 'xccdf', 'eval', '--profile', profile,
'--progress', '--report', html_report,
'--progress', '--results-arf', arf_output,
'--remediate', datastream,
]
proc = g.ssh(' '.join(cmd))
Expand All @@ -38,34 +38,38 @@ def remediate(datastream, html_report, html_report2):

# remediate using old content,
# then remediate using new content
remediate('remediation-old.xml', 'remediation-old.html', 'remediation-old2.html')
remediate('remediation-new.xml', 'remediation-new.html', 'remediation-new2.html')
remediate('remediation-old.xml', 'remediation-arf-old.xml', 'remediation-arf-old2.xml')
remediate('remediation-new.xml', 'remediation-arf-new.xml', 'remediation-arf-new2.xml')

# scan using new content
g.copy_to(util.get_datastream(), 'scan-new.xml')
proc, lines = g.ssh_stream(
f'oscap xccdf eval --profile {profile} --progress --report report.html'
f' --results-arf results-arf.xml scan-new.xml'
f' --results-arf scan-arf.xml scan-new.xml'
)
oscap.report_from_verbose(lines)
if proc.returncode not in [0,2]:
raise RuntimeError("post-reboot oscap failed unexpectedly")

g.copy_from('report.html')
g.copy_from('results-arf.xml')
g.copy_from('remediation-old.html')
g.copy_from('remediation-old2.html')
g.copy_from('remediation-new.html')
g.copy_from('remediation-new2.html')
g.copy_from('scan-arf.xml')
g.copy_from('remediation-arf-old.xml')
g.copy_from('remediation-arf-old2.xml')
g.copy_from('remediation-arf-new.xml')
g.copy_from('remediation-arf-new2.xml')

util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
tar = [
'tar', '-cvJf', 'results-arf.tar.xz',
'scan-arf.xml',
'remediation-arf-old.xml',
'remediation-arf-old2.xml',
'remediation-arf-new.xml',
'remediation-arf-new2.xml',
]
util.subprocess_run(tar, check=True)

logs = [
'report.html',
'results-arf.xml.gz',
'remediation-old.html',
'remediation-old2.html',
'remediation-new.html',
'remediation-new2.html',
'results-arf.tar.xz',
]
results.report_and_exit(logs=logs)
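Review bot: `remediate` in the first hunk has no docstring, and the inline comment only explains why it runs twice, so with the parameters renamed to `arf_results`/`arf_results2` nothing states what each one is or where it is written. A docstring such as `"""Remediate the guest with *datastream* twice (some rules are 'notapplicable' on the first pass), writing the ARF of each pass to *arf_results* and *arf_results2* on the guest."""` would cover that; the "on the guest" part is visible from the command going through `g.ssh` and the later `g.copy_from` calls. The function's body continues past the first hunk, and the rest of the script is outside the diff.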
22 changes: 12 additions & 10 deletions hardening/oscap/test.py
Expand Up @@ -29,10 +29,10 @@

# - remediate twice due to some rules being 'notapplicable'
# on the first pass
for html_report in ['remediation.html', 'remediation2.html']:
for arf_results in ['remediation-arf.xml', 'remediation2-arf.xml']:
cmd = [
'oscap', 'xccdf', 'eval', '--profile', profile,
'--progress', '--report', html_report,
'--progress', '--results-arf', arf_results,
'--remediate', 'remediation-ds.xml',
]
proc = g.ssh(' '.join(cmd))
Expand All @@ -45,23 +45,25 @@
# scan the remediated system
proc, lines = g.ssh_stream(
f'oscap xccdf eval --profile {profile} --progress --report report.html'
f' --results-arf results-arf.xml scan-ds.xml'
f' --results-arf scan-arf.xml scan-ds.xml'
)
oscap.report_from_verbose(lines)
if proc.returncode not in [0,2]:
raise RuntimeError("post-reboot oscap failed unexpectedly")

g.copy_from('report.html')
g.copy_from('results-arf.xml')
g.copy_from('remediation.html')
g.copy_from('remediation2.html')
g.copy_from('remediation-arf.xml')
g.copy_from('remediation2-arf.xml')
g.copy_from('scan-arf.xml')

util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
tar = [
'tar', '-cvJf', 'results-arf.tar.xz',
'remediation-arf.xml', 'remediation2-arf.xml', 'scan-arf.xml',
]
util.subprocess_run(tar, check=True)

logs = [
'report.html',
'results-arf.xml.gz',
'remediation.html',
'remediation2.html',
'results-arf.tar.xz',
]
results.report_and_exit(logs=logs)
