OpenSCAP / openscap-daemon

Manages continuous scans of your infrastructure
https://www.open-scap.org/tools/openscap-daemon
GNU Lesser General Public License v2.1

List security profiles applicable on a given target #100

Closed jan-cerny closed 7 years ago

jan-cerny commented 7 years ago

This commit introduces the 'oscapd-evaluate target-profiles' subcommand. Similarly to 'oscapd-evaluate target-cpes', this will show a list of available profiles for a scan target.

jan-cerny commented 7 years ago

I used oscap_helpers.get_profile_choices_for_input() instead.

jan-cerny commented 7 years ago

I have removed the commit with the change of default profile. I have also fixed the standard output for oscapd-evaluate target-profiles. I have rebased the pull request.

jan-cerny commented 7 years ago

@mpreisler That's a good question.

All profiles from all benchmarks will be printed.

The problem is that the XCCDF ID is not printed here. Moreover, oscapd-evaluate scan has no way to choose a benchmark within a datastream. The default benchmark is always chosen.

Scan won't work for xccdf_org.ssgproject.content_profile_pci-dss_centric on RHEL7, even though this will be listed here.

I have encountered the same behaviour with oscapd-cli task-create. It also allows me to create a task with profile xccdf_org.ssgproject.content_profile_pci-dss_centric on RHEL7, but running the task errors out, because it can't find the profile in the datastream.

jan-cerny commented 7 years ago

@mpreisler I have further investigated the issue with multiple benchmarks in one SDS. I am thinking about 2 solutions:

1) Use only the default benchmark everywhere, don't list profiles from other benchmarks. That would be very easy to do. I don't like the solution, because we couldn't use the PCI-DSS centric profile from SSG or something else in the future.

2) Support multiple benchmarks in one datastream. That would require rewriting some of the existing methods, namely get_profile_choices_for_input, so that it doesn't return a dictionary [id:title], but rather a dictionary of dictionaries. Also implement --benchmark-id in oscapd-evaluate scan. Also implement support for multiple benchmarks in interactive task creation.

What do you think about this?
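The two options above, as an added example that is not part of the pull request or of openscap-daemon's code: a small stand-alone Python walk over a SCAP source datastream that returns profiles keyed by benchmark (the "dictionary of dictionaries" of solution 2), a flat default-benchmark view (solution 1), and a check that reproduces the failure mode from the thread, a profile that is listed but lives in a benchmark other than the one a scan would pick. The datastream, the benchmark and profile IDs, and the function names are constructed for this example; the optional benchmark_id argument stands in for the proposed --benchmark-id and is an assumption about how such a flag would behave, not existing behaviour.

```python
"""Added example (not openscap-daemon code): list XCCDF profiles per benchmark
in a SCAP source datastream and validate a (benchmark, profile) choice before
a scan is attempted. The datastream below is constructed for this example."""
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
    "xlink": "http://www.w3.org/1999/xlink",
}

# Constructed datastream with two benchmarks (IDs are made up). The second
# benchmark mirrors the "PCI-DSS centric" situation discussed in the thread:
# its profile is real, but it is not in the default (first) benchmark.
SAMPLE_SDS = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    id="scap_org.example_collection_ds">
  <ds:data-stream id="scap_org.example_datastream_ds" scap-version="1.2" use-case="OTHER">
    <ds:checklists>
      <ds:component-ref id="scap_org.example_cref_os" xlink:href="#scap_org.example_comp_os"/>
      <ds:component-ref id="scap_org.example_cref_pci" xlink:href="#scap_org.example_comp_pci"/>
    </ds:checklists>
  </ds:data-stream>
  <ds:component id="scap_org.example_comp_os" timestamp="2017-01-01T00:00:00">
    <xccdf:Benchmark id="xccdf_org.example_benchmark_OS">
      <xccdf:Profile id="xccdf_org.example_profile_standard">
        <xccdf:title>Standard System Security Profile</xccdf:title>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.example_profile_pci-dss">
        <xccdf:title>PCI-DSS v3 Control Baseline</xccdf:title>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
  <ds:component id="scap_org.example_comp_pci" timestamp="2017-01-01T00:00:00">
    <xccdf:Benchmark id="xccdf_org.example_benchmark_PCI-DSS-centric">
      <xccdf:Profile id="xccdf_org.example_profile_pci-dss_centric">
        <xccdf:title>PCI-DSS v3 Control Baseline (centric)</xccdf:title>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def profiles_by_benchmark(sds_xml):
    """Return {benchmark_id: {profile_id: title}} in checklist order.

    Walks ds:checklists/ds:component-ref of the first data-stream and resolves
    each xlink:href ("#component-id") to the ds:component that holds the
    Benchmark. The first key is therefore the benchmark a scan falls back to
    when no benchmark is selected explicitly.
    """
    root = ET.fromstring(sds_xml)
    components = {c.get("id"): c for c in root.findall("ds:component", NS)}
    stream = root.find("ds:data-stream", NS)
    result = {}
    for ref in stream.findall("ds:checklists/ds:component-ref", NS):
        href = ref.get("{%s}href" % NS["xlink"])
        bench = components[href.lstrip("#")].find("xccdf:Benchmark", NS)
        profiles = {}
        for prof in bench.findall("xccdf:Profile", NS):
            profiles[prof.get("id")] = prof.findtext(
                "xccdf:title", default="", namespaces=NS)
        result[bench.get("id")] = profiles
    return result


def flat_profile_choices(sds_xml):
    """Solution-1 view: only the default (first) benchmark's {id: title}."""
    by_bench = profiles_by_benchmark(sds_xml)
    return dict(by_bench[next(iter(by_bench))])


def resolve_profile(sds_xml, profile_id, benchmark_id=None):
    """Validate a profile choice the way a scan would: the profile must exist
    in the selected benchmark (default: first checklist). Returns the benchmark
    id on success; raises ValueError naming the benchmarks that do contain it,
    so a listed-but-unreachable profile fails before any scan is started."""
    by_bench = profiles_by_benchmark(sds_xml)
    chosen = benchmark_id or next(iter(by_bench))
    if chosen not in by_bench:
        raise ValueError("unknown benchmark %s" % chosen)
    if profile_id in by_bench[chosen]:
        return chosen
    elsewhere = [b for b, profs in by_bench.items() if profile_id in profs]
    raise ValueError("profile %s not in benchmark %s (found in: %s)"
                     % (profile_id, chosen, ", ".join(elsewhere) or "none"))


if __name__ == "__main__":
    for bench_id, profiles in profiles_by_benchmark(SAMPLE_SDS).items():
        print(bench_id)
        for pid, title in profiles.items():
            print("  %s  %s" % (pid, title))
```

With the constructed datastream, flat_profile_choices() never shows the centric profile, while resolve_profile() with no benchmark argument rejects it and points at the benchmark that does contain it; passing that benchmark id makes the same choice valid.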

jan-cerny commented 7 years ago

Solution 1 is a 6-line patch. I can push the patch here as a temporary solution, and work on solution 2 in a separate pull request. The patch won't introduce a regression, because multiple benchmarks in a single datastream aren't supported now, as I mentioned before.

mpreisler commented 7 years ago

@jan-cerny agreed

jan-cerny commented 7 years ago

@mpreisler OK, I have pushed the temporary patch.

mpreisler commented 7 years ago

ACK