From fec94164331a2e6b9f9c056784aab98ea770ffbd Mon Sep 17 00:00:00 2001
From: Armando Acosta
Date: Fri, 8 Nov 2024 16:58:27 -0600
Subject: [PATCH 1/6] Update link to track bugs in openscap_api.py
Signed-off-by: Armando Acosta
---
 swig/openscap_api.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/swig/openscap_api.py b/swig/openscap_api.py
index 2410e0a316..74612d1436 100755
--- a/swig/openscap_api.py
+++ b/swig/openscap_api.py
@@ -811,7 +811,7 @@ def init(self, path, paths={}):
 if OSCAP.oscap_err():
 desc = OSCAP.oscap_err_desc()
 else:
- desc = "Unknown error, please report this bug (http://bugzilla.redhat.com/)"
+ desc = "Unknown error, please report this bug (https://github.com/OpenSCAP/openscap/issues)"
 raise ImportError(
 "Benchmark \"%s\" loading failed: %s" % (f_XCCDF, desc))
@@ -832,7 +832,7 @@ def init(self, path, paths={}):
 if OSCAP.oscap_err():
 desc = OSCAP.oscap_err_desc()
 else:
- desc = "Unknown error,please report this bug (http://bugzilla.redhat.com/)"
+ desc = "Unknown error,please report this bug (https://github.com/OpenSCAP/openscap/issues)"
 raise ImportError(
 "Cannot import definition model for \"%s\": %s" % (f_OVAL, desc))
 def_models.append(def_model)
@@ -841,7 +841,7 @@ def init(self, path, paths={}):
 if OSCAP.oscap_err():
 desc = OSCAP.oscap_err_desc()
 else:
- desc = "Unknown error,please report this bug (http://bugzilla.redhat.com/)"
+ desc = "Unknown error,please report this bug (https://github.com/OpenSCAP/openscap/issues)"
 raise ImportError(
 "Cannot create agent session for \"%s\": %s" % (f_OVAL, desc))
 sessions[file] = sess
From 008fe4dfc03fa7f50ddd431201ef65b64c7b1a01 Mon Sep 17 00:00:00 2001
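Review bot: The rewritten literals in the second and third hunks keep the old typo `"Unknown error,please report this bug ..."` (no space after the comma) while the first hunk's message reads `"Unknown error, please ..."`; since these lines are being replaced anyway, `desc = "Unknown error, please report this bug (https://github.com/OpenSCAP/openscap/issues)"` in both places would make the three messages identical and easier to grep for. The `init` body these hunks belong to starts and ends outside the hunks.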
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 11 Nov 2024 09:14:02 +0100
Subject: [PATCH 2/6] Build COPR builds for maint-1.3
This change will cause automatic building of COPR builds after committing to `maint-1.3` branch. The `maint-1.3` branch isn't the project default branch. Without specifying the branch, Packit builds after committing only to the project's default branch, which is the `main` branch at this moment. The `maint-1.3` branch used to be default branch, but after we switched the default branch to main, the COPR builds on maint-1.3 stopped to be built. Related documentation: https://packit.dev/docs/configuration/upstream/copr_build
---
 .packit.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.packit.yaml b/.packit.yaml
index 634e2ffab7..dbf15f57fe 100644
--- a/.packit.yaml
+++ b/.packit.yaml
@@ -27,3 +27,5 @@ jobs:
 - <<: *build
 trigger: commit
+ metadata:
+ branch: maint-1.3
From 0ab817df58c2a181b943abae5bd6c52ec4e77d23 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Tue, 12 Nov 2024 13:24:10 +0100
Subject: [PATCH 3/6] Request CentOS Stream builds explicitly
The current configuration makes build Fedora builds on commit to the maint-1.3 branch. https://copr.fedorainfracloud.org/coprs/packit/OpenSCAP-openscap-maint-1.3/ But, we wanted to have CentOS Stream builds instead.
---
 .packit.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/.packit.yaml b/.packit.yaml
index dbf15f57fe..96981b11ab 100644
--- a/.packit.yaml
+++ b/.packit.yaml
@@ -10,8 +10,7 @@ srpm_build_deps:
 - bash
 jobs:
-- &build
- job: copr_build
+- job: copr_build
 trigger: pull_request
 metadata:
 targets:
@@ -25,7 +24,10 @@ jobs:
 - centos-stream-8-x86_64
 - centos-stream-9-x86_64
-- <<: *build
+- job: copr_build
 trigger: commit
 metadata:
 branch: maint-1.3
+ targets:
+ - centos-stream-8-x86_64
+ - centos-stream-9-x86_64
From c8a25177179306b4f3dc9452c5059e9f13234de4 Mon Sep 17 00:00:00 2001
From: Matus Marhefka
Date: Tue, 26 Nov 2024 11:43:53 +0100
Subject: [PATCH 4/6] Update oscap-bootc to verify it runs in bootable container env
The script is updated to first verify that it runs in a bootable container environment - `bootc` package must be installed and `/run/.containerenv` file must exist which indicates we are running inside a container. If it is not running inside a bootable container environment it informs user and exits. Another change is that installation of `openscap-engine-sce` package has been moved from specfile into the script as the script already installs other requirements which are needed by SCE checks from CaC/content.
---
 openscap.spec | 1 -
 utils/oscap-bootc | 20 +++++++++++++-------
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/openscap.spec b/openscap.spec
index 4cd0d87a48..fbc844192f 100644
--- a/openscap.spec
+++ b/openscap.spec
@@ -92,7 +92,6 @@ Summary: OpenSCAP Utilities
 Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
 Requires: rpmdevtools rpm-build
 Requires: %{name}-scanner%{?_isa} = %{epoch}:%{version}-%{release}
-Requires: %{name}-engine-sce%{?_isa} = %{epoch}:%{version}-%{release}
 %description utils
 The %{name}-utils package contains command-line tools build on top
diff --git a/utils/oscap-bootc b/utils/oscap-bootc
index 8ac7c17b87..4acb661716 100755
--- a/utils/oscap-bootc
+++ b/utils/oscap-bootc
@@ -21,6 +21,8 @@ import subprocess
 import sys
 import tempfile
+from pathlib import Path
+
 def parse_args():
 parser = argparse.ArgumentParser(
@@ -52,17 +54,21 @@ def parse_args():
 return parser.parse_args()
-def ensure_sce_installed():
- query_cmd = ["rpm", "-q", "openscap-engine-sce"]
- query_process = subprocess.run(query_cmd, capture_output=True)
- if query_process.returncode != 0:
+def verify_bootc_build_env():
+ rv = subprocess.run(
+ ["rpm", "-q", "bootc"],
+ stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+ bootc_env = (rv.returncode == 0)
+ container_env = Path("/run/.containerenv").exists()
+ if not bootc_env or not container_env:
 raise RuntimeError(
- "The script requires to have the openscap-engine-sce package "
- "installed.")
+ "This script is supposed to be used only in the bootable "
+ "container build environment.")
 def install_sce_dependencies():
 required_packages = [
+ "openscap-engine-sce",
 "setools-console" # seinfo is used by the sebool template
 ]
 install_cmd = ["dnf", "-y", "install"] + required_packages
@@ -124,7 +130,7 @@ def scan_and_remediate(args):
 def main():
 args = parse_args()
- ensure_sce_installed()
+ verify_bootc_build_env()
 install_sce_dependencies()
 pre_scan_fix(args)
 scan_and_remediate(args)
From 9917e9a1fa69126bb6addbdc47fcb2d0d80b1a6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 27 Nov 2024 11:09:43 +0100
Subject: [PATCH 5/6] Reduce oscap info output
After we added SCE checks to ComplianceAsCode data streams we discovered that the oscap info output is appalling because it's polluted by all the SCE check information. In this commit, we will address this problem by removing SCE checks from the "Referenced check files:" section. Then, we will completely remove the "Checks:" and "Dictionaries:" sections because they only list crefs and crefs are internal data stream identifiers that noone should be interested in.
---
 docs/manual/manual.adoc | 9 ---------
 utils/oscap-info.c | 27 +++++----------------------
 2 files changed, 5 insertions(+), 31 deletions(-)
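Review bot: In `verify_bootc_build_env`, the `subprocess.run(["rpm", "-q", "bootc"], ...)` call raises `FileNotFoundError` when no `rpm` binary is on PATH, so on a non-RPM host the guard escapes with a traceback instead of the intended RuntimeError — and that guard is the only thing keeping the later `dnf -y install` and remediation steps from modifying a live system by mistake. The RuntimeError also reports a single message for two independent conditions, so a user cannot tell whether the `bootc` package or `/run/.containerenv` was the missing piece. I would catch the missing-binary case as "not a bootc environment" and name both results in the message; the function is fully visible in the hunk, while `install_sce_dependencies` continues past it. Whether `/run/.containerenv` is guaranteed to exist in every image-build container is something I cannot confirm from this hunk, so a short comment stating that assumption next to the `Path(...)` line would help the next maintainer.
```python
def verify_bootc_build_env():
    """Refuse to run unless both bootc-environment markers are present."""
    try:
        rv = subprocess.run(
            ["rpm", "-q", "bootc"],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        bootc_env = (rv.returncode == 0)
    except FileNotFoundError:
        # No rpm binary at all: certainly not a bootc image build.
        bootc_env = False
    # Assumes the image build runtime always creates this marker file.
    container_env = Path("/run/.containerenv").exists()
    if not bootc_env or not container_env:
        raise RuntimeError(
            "This script is supposed to be used only in the bootable "
            "container build environment (bootc package installed: %s, "
            "/run/.containerenv present: %s)." % (bootc_env, container_env))
# … unchanged: install_sce_dependencies …
```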
diff --git a/docs/manual/manual.adoc b/docs/manual/manual.adoc
index 9dd4e60563..b03a06f29d 100644
--- a/docs/manual/manual.adoc
+++ b/docs/manual/manual.adoc
@@ -198,13 +198,6 @@ Checklists:
 system: http://scap.nist.gov/schema/ocil/2
 security-data-oval-com.redhat.rhsa-RHEL8.xml
 system: http://oval.mitre.org/XMLSchema/oval-definitions-5
-Checks:
- Ref-Id: scap_org.open-scap_cref_ssg-rhel8-oval.xml
- Ref-Id: scap_org.open-scap_cref_ssg-rhel8-ocil.xml
- Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-oval.xml
- Ref-Id: scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml
-Dictionaries:
- Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml
 ----
 * **Document type** describes what format the file is in. Common types include
@@ -225,8 +218,6 @@ shown for XCCDF files and Checklists and is sourced from the XCCDF **Status** element. * **Profiles** lists available profiles, their titles and IDs that you can use for the `--profile` command line attribute.
-* **Checks** and **Dictionaries** lists OVAL checks components and CPE
-dictionaries components in the given data stream.
 To display more detailed information about a profile including the profile description, use the `--profile` option followed by the profile ID.
diff --git a/utils/oscap-info.c b/utils/oscap-info.c
index 0f2f158766..4f785d95b7 100644
--- a/utils/oscap-info.c
+++ b/utils/oscap-info.c
@@ -209,8 +209,11 @@ static inline void _print_xccdf_referenced_files(struct xccdf_policy_model *poli
 printf("%sReferenced check files:\n", prefix);
 while (oscap_file_entry_iterator_has_more(files_it)) {
 struct oscap_file_entry *file_entry = (struct oscap_file_entry *) oscap_file_entry_iterator_next(files_it);
- printf("%s\t%s\n", prefix, oscap_file_entry_get_file(file_entry));
- printf("%s\t\tsystem: %s\n", prefix, oscap_file_entry_get_system(file_entry));
+ const char *system = oscap_file_entry_get_system(file_entry);
+ if (strcmp(system, "http://open-scap.org/page/SCE")) {
+ printf("%s\t%s\n", prefix, oscap_file_entry_get_file(file_entry));
+ printf("%s\t\tsystem: %s\n", prefix, oscap_file_entry_get_system(file_entry));
+ }
 }
 oscap_file_entry_iterator_free(files_it);
 oscap_file_entry_list_free(referenced_files);
@@ -490,26 +493,6 @@ static int app_info_single_ds_all(struct ds_stream_index_iterator* sds_it, struc
 ds_sds_session_reset(session);
 }
 oscap_string_iterator_free(checklist_it);
-
- printf("Checks:\n");
- struct oscap_string_iterator* checks_it = ds_stream_index_get_checks(stream);
- while (oscap_string_iterator_has_more(checks_it)) {
- const char * id = oscap_string_iterator_next(checks_it);
- printf("\tRef-Id: %s\n", id);
- }
- oscap_string_iterator_free(checks_it);
-
- struct oscap_string_iterator* dict_it = ds_stream_index_get_dictionaries(stream);
- if (oscap_string_iterator_has_more(dict_it)) {
- printf("Dictionaries:\n");
- } else {
- printf("No dictionaries.\n");
- }
- while (oscap_string_iterator_has_more(dict_it)) {
- const char * id = oscap_string_iterator_next(dict_it);
- printf("\tRef-Id: %s\n", id);
- }
- oscap_string_iterator_free(dict_it);
 return OSCAP_OK;
 }
From e20fcfe56256f5218585b5480b80633efdf45903 Mon Sep 17 00:00:00 2001
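Review bot: The new local `system` in `_print_xccdf_referenced_files` shadows the C library function `system()` from stdlib.h, which trips `-Wshadow` and reads badly in a file that does a lot of printf work; the second printf then calls `oscap_file_entry_get_system(file_entry)` again instead of reusing the value just fetched. I would write `const char *check_system = oscap_file_entry_get_system(file_entry);`, `if (strcmp(check_system, "http://open-scap.org/page/SCE") != 0) {`, and pass `check_system` to the second printf, which also makes the filter's intent ("skip SCE entries") explicit rather than relying on strcmp's non-zero-means-different. If `oscap_file_entry_get_system` can return NULL for an entry without a system attribute (I cannot tell from this hunk), `strcmp` would dereference it and a `check_system != NULL &&` guard belongs in the condition. The function starts outside the hunk.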
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Tue, 7 Jan 2025 11:19:18 +0100
Subject: [PATCH 6/6] Rename oscap-bootc to oscap-im
This commit renames the `oscap-bootc` tool to `oscap-im`. IM stands for Image Mode. The `bootc` is just one of the tools that participate on the Image Mode Operating System experience, therefore, it's more appropriate to use Image Mode than bootc in the tooling naming. It should be safe to rename it now because the `oscap-bootc` hasn't been released in upstream nor in downstream.
---
 CMakeLists.txt | 4 ++--
 docs/manual/manual.adoc | 16 ++++++++--------
 utils/CMakeLists.txt | 6 +++---
 utils/{oscap-bootc => oscap-im} | 0
 utils/{oscap-bootc.8 => oscap-im.8} | 14 +++++++-------
 5 files changed, 20 insertions(+), 20 deletions(-)
 rename utils/{oscap-bootc => oscap-im} (100%)
 rename utils/{oscap-bootc.8 => oscap-im.8} (69%)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 76f70d015e..631af04661 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -337,7 +337,7 @@ cmake_dependent_option(ENABLE_OSCAP_UTIL_AS_RPM "enable the scap-as-rpm utility,
 cmake_dependent_option(ENABLE_OSCAP_UTIL_SSH "enables the oscap-ssh utility, this lets you scan remote machines over ssh" ON "NOT WIN32" OFF)
 cmake_dependent_option(ENABLE_OSCAP_UTIL_VM "enables the oscap-vm utility, this lets you scan VMs and VM storage images" ON "NOT WIN32" OFF)
 cmake_dependent_option(ENABLE_OSCAP_UTIL_PODMAN "enables the oscap-podman utility, this lets you scan Podman containers and container images" ON "NOT WIN32" OFF)
-cmake_dependent_option(ENABLE_OSCAP_UTIL_BOOTC "enables the oscap-bootc utility, this lets you build hardened bootable container images" ON "NOT WIN32" OFF)
+cmake_dependent_option(ENABLE_OSCAP_UTIL_IM "enables the oscap-im utility, this lets you build hardened bootable container images" ON "NOT WIN32" OFF)
 cmake_dependent_option(ENABLE_OSCAP_UTIL_CHROOT "enables the oscap-chroot utility, this lets you scan entire chroots using offline scanning" ON "NOT WIN32" OFF)
 option(ENABLE_OSCAP_UTIL_AUTOTAILOR "enables the autotailor utility that is able to perform command-line tailoring" TRUE)
 option(ENABLE_OSCAP_REMEDIATE_SERVICE "enables the oscap-remediate service" FALSE)
@@ -477,7 +477,7 @@ message(STATUS "scap-as-rpm: ${ENABLE_OSCAP_UTIL_AS_RPM}")
 message(STATUS "oscap-ssh: ${ENABLE_OSCAP_UTIL_SSH}")
 message(STATUS "oscap-vm: ${ENABLE_OSCAP_UTIL_VM}")
 message(STATUS "oscap-podman: ${ENABLE_OSCAP_UTIL_PODMAN}")
-message(STATUS "oscap-bootc: ${ENABLE_OSCAP_UTIL_BOOTC}")
+message(STATUS "oscap-im: ${ENABLE_OSCAP_UTIL_IM}")
 message(STATUS "oscap-chroot: ${ENABLE_OSCAP_UTIL_CHROOT}")
 message(STATUS "autotailor: ${ENABLE_OSCAP_UTIL_AUTOTAILOR}")
 message(STATUS " ")
diff --git a/docs/manual/manual.adoc b/docs/manual/manual.adoc
index b03a06f29d..4d1e807293 100644
--- a/docs/manual/manual.adoc
+++ b/docs/manual/manual.adoc
@@ -2134,15 +2134,15 @@ registry.access.redhat.com/ubi8 latest 3269c37eae33 2 months ago 208 MB
 Note that the `oscap-podman` command requires root privileges.
-=== Building hardened bootable container images using oscap-bootc
+=== Building hardened bootable container images using oscap-im
-The `oscap-bootc` tool is a convenience script that makes building hardened bootable container images easier.
+The `oscap-im` tool is a convenience script that makes building hardened bootable container images easier.
 This tool is designed to be used during the build of the bootable container image.
-Include `oscap-bootc` in your `Containerfile` that will be used to build your bootable container image.
-The `Containerfile` first needs to install the `openscap-utils` package which ships the `oscap-bootc` tool.
+Include `oscap-im` in your `Containerfile` that will be used to build your bootable container image.
+The `Containerfile` first needs to install the `openscap-utils` package which ships the `oscap-im` tool.
-Also, SCAP content needs to be installed to the image before `oscap-bootc` will be run.
+Also, SCAP content needs to be installed to the image before `oscap-im` will be run.
 Although any SCAP content can be consumed by the tool, the SCAP source data streams shipped in `scap-security-guide` are specially cared to be compatible with bootable containers. Example `Containerfile`:
@@ -2152,7 +2152,7 @@ FROM quay.io/centos-bootc/centos-bootc:stream9
 RUN dnf install -y openscap-utils scap-security-guide
-RUN oscap-bootc --profile stig /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml
+RUN oscap-im --profile stig /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml
 ----
 Once you have your `Containerfile`, execute the image build:
@@ -2161,7 +2161,7 @@ Once you have your `Containerfile`, execute the image build:
 podman build -t hardened_image .
 ----
-The `oscap-bootc` tool installs and removes all packages required by the selected profile to or from the image.
+The `oscap-im` tool installs and removes all packages required by the selected profile to or from the image.
 Then, it runs a scan and remediation with the selected profile. It doesn't use offline scanning. The configuration files and other content in the image are modified by this process, depending on the used SCAP content.
@@ -2169,7 +2169,7 @@ The configuration files and other content in the image are modified by this proc
 The built bootable container image can be then deployed and booted.
 After booting the image, the state of the resulting system will be in line with the selected security profile.
-The `oscap-bootc` tool can't be used anywhere else than in a `Containerfile`.
+The `oscap-im` tool can't be used anywhere else than in a `Containerfile`.
 === Scanning of Docker containers and images using oscap-docker
diff --git a/utils/CMakeLists.txt b/utils/CMakeLists.txt
index 7b9274434e..c372663370 100644
--- a/utils/CMakeLists.txt
+++ b/utils/CMakeLists.txt
@@ -139,11 +139,11 @@ if(ENABLE_OSCAP_UTIL_PODMAN)
 DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"
 )
 endif()
-if(ENABLE_OSCAP_UTIL_BOOTC)
- install(PROGRAMS "oscap-bootc"
+if(ENABLE_OSCAP_UTIL_IM)
+ install(PROGRAMS "oscap-im"
 DESTINATION ${CMAKE_INSTALL_BINDIR}
 )
- install(FILES "oscap-bootc.8"
+ install(FILES "oscap-im.8"
 DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"
 )
 endif()
diff --git a/utils/oscap-bootc b/utils/oscap-im
similarity index 100%
rename from utils/oscap-bootc
rename to utils/oscap-im
diff --git a/utils/oscap-bootc.8 b/utils/oscap-im.8
similarity index 69%
rename from utils/oscap-bootc.8
rename to utils/oscap-im.8
index 9c911807b6..4dd1dc6cc3 100644
--- a/utils/oscap-bootc.8
+++ b/utils/oscap-im.8
@@ -1,19 +1,19 @@
-.TH oscap-bootc "8" "November 2024" "Red Hat, Inc." "System Administration Utilities"
+.TH oscap-im "8" "January 2025" "Red Hat, Inc." "System Administration Utilities"
 .SH NAME
-oscap-bootc \- Tool for building hardened bootable container images
+oscap-im \- Tool for building hardened bootable container images
 .SH DESCRIPTION
-The oscap-bootc tool is a convenience script that makes building hardened bootable container images easier.
+The oscap-im tool is a convenience script that makes building hardened bootable container images easier.
 This tool is designed to be used during the build of the bootable container image.
-Include oscap-bootc in your Containerfile that will be used to build your bootable container image.
-The oscap-bootc runs oscap tool on a given container image.
+Include oscap-im in your Containerfile that will be used to build your bootable container image.
+The oscap-im runs oscap tool on a given container image.
-The oscap-bootc tool can't be used anywhere else than in a Containerfile.
+The oscap-im tool can't be used anywhere else than in a Containerfile.
 .SH USAGE
-oscap-bootc [OPTION...] DATASTREAM_FILE
+oscap-im [OPTION...] DATASTREAM_FILE
 Usage of the tool mimics usage and options of oscap(8) tool.