OpenSCAP / openscap

NIST Certified SCAP 1.2 toolkit
https://www.open-scap.org/tools/openscap-base
GNU Lesser General Public License v2.1

Add missing XCCDF Profile selection remark to HTML report #1743

Open cipherboy opened 3 years ago

cipherboy commented 3 years ago

Description of Problem:

I was discussing how to add commentary to a tailoring file the other day on #openscap. I suggested adding a remark under the select element of a profile. However:

OpenSCAP doesn't display the <xccdf:remark /> child of a <xccdf:select /> inside a <xccdf:Profile /> in the corresponding HTML report.

This is allowed by the standard -- pdf page 43, noted as page 36.

Take for instance this DS:

      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_cis_level1_server">
        <xccdf-1.2:title xml:lang="en-US" override="true">CIS Ubuntu 20.04 Level 1 Server Benchmark</xccdf-1.2:title>
        <xccdf-1.2:description xml:lang="en-US" override="true">This baseline aligns to the Center for Internet Security
Ubuntu 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.</xccdf-1.2:description>
        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow" selected="true">
            <xccdf-1.2:remark>My testing remark on disabling groupowner_chron_allow</xccdf-1.2:remark>
        </xccdf-1.2:select>
        ....
      </xccdf-1.2:Profile>

This eventually gets rendered into a results.xml like the following:

  <Profile id="xccdf_org.ssgproject.content_profile_cis_level1_server">
    <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">CIS Ubuntu 20.04 Level 1 Server Benchmark</title>
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This baseline aligns to the Center for Internet Security
Ubuntu 20.04 LTS Benchmark, v1.0.0, released 07-21-2020.</description>
    <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow" selected="true">
      <remark xml:lang="en-US">My testing remark on disabling groupowner_chron_allow</remark>
    </select>
    ...
  </Profile>

And an HTML report like the following:

[Screenshot from 2021-04-22 15-59-12: HTML report, profile section] [Screenshot from 2021-04-22 15-59-00: HTML report, rule result]

However, it doesn't appear to do anything after that.

OpenSCAP Version:

Right now on 20.04:

root@ubuntu-2004-base:~# oscap --version
OpenSCAP command line tool (oscap) 1.2.16
Copyright 2009--2017 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
CVRF Version: 1.1

==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.8)

==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/lib/x86_64-linux-gnu/openscap

Operating System & Version:

root@ubuntu-2004-base:~# cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"

Steps to Reproduce:

  1. Manually modify a DS and add a remark to some selected element of a profile
  2. Execute said profile and save XML/HTML reports

Actual Results:

Not presently visible.

Expected Results:

Expected the remark to be visible somewhere.

Additional information

I see some tests cases like tests/nist/R3005/r3005-datastream-01.xml include remarks, but as far as I can tell, no test cases check HTML output for it.

The only thing mildly related in the XSL is here (as far as I can tell, it is a different field though): https://github.com/OpenSCAP/openscap/blob/maint-1.3/xsl/xccdf-report-impl.xsl#L825-L833

Maybe I'm barking up the wrong tree though. :-)
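The remark survives into the results XML even though the HTML report drops it, so it can be surfaced with a small script until the report does it. The following is an added example written for this page, not OpenSCAP code and not part of the issue. It walks every XCCDF Profile in a document (a results file, a data stream or a Tailoring file), collects the remark children of each select, and returns them keyed by profile and rule id. The two XML documents embedded below are constructed for the example, modelled on the snippets quoted above; the benchmark, tailoring and custom-profile ids in them are placeholders, while the profile and rule ids are the ones quoted in the issue. Handling both the 1.2 and 1.1 XCCDF namespaces is an assumption about what a practitioner might encounter, not something the issue discusses.

```python
"""Extract <remark> children of <select> elements from XCCDF profiles.

Added example (not OpenSCAP code). Works on any document that contains
XCCDF Profile elements: a Benchmark, a results file or a Tailoring file.
"""
import xml.etree.ElementTree as ET

# Both namespaces are checked so the same function works on 1.1 content
# (assumption: the caller may feed older content, the issue only shows 1.2).
XCCDF_NAMESPACES = (
    "http://checklists.nist.gov/xccdf/1.2",
    "http://checklists.nist.gov/xccdf/1.1",
)

# Constructed sample modelled on the results.xml quoted in the issue.
# The Benchmark id is a placeholder; the profile and rule ids are real SSG ids.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_placeholder">
  <Profile id="xccdf_org.ssgproject.content_profile_cis_level1_server">
    <title xml:lang="en-US">CIS Ubuntu 20.04 Level 1 Server Benchmark</title>
    <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow" selected="true">
      <remark xml:lang="en-US">My testing remark on disabling groupowner_chron_allow</remark>
    </select>
    <select idref="xccdf_org.ssgproject.content_rule_file_owner_cron_allow" selected="false"/>
  </Profile>
</Benchmark>
"""

# Constructed tailoring file: a Profile inside <Tailoring>, which the spec
# allows and which the thread mentions as the follow-up use case.
# Tailoring and custom profile ids are placeholders.
SAMPLE_TAILORING = """<?xml version="1.0" encoding="UTF-8"?>
<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring_placeholder">
  <benchmark href="ssg-ubuntu2004-ds.xml"/>
  <version time="2021-04-22T16:00:00">1</version>
  <Profile id="xccdf_example_profile_cis_level1_server_custom"
           extends="xccdf_org.ssgproject.content_profile_cis_level1_server">
    <title>Customized CIS Level 1 Server</title>
    <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow" selected="false">
      <remark>Disabled: cron.allow is not used on this host</remark>
      <remark>Reviewed 2021-04-22</remark>
    </select>
  </Profile>
</Tailoring>
"""


def profile_remarks(xml_text):
    """Return {profile_id: {rule_idref: [remark text, ...]}}.

    Every Profile element in the document is visited, wherever it sits
    (Benchmark, data stream component or Tailoring).  A select with no
    remark children is skipped, so a profile entry only lists rules that
    actually carry commentary.  Multiple remarks on one select are kept
    in document order.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for ns in XCCDF_NAMESPACES:
        for profile in root.iter("{%s}Profile" % ns):
            rules = result.setdefault(profile.get("id"), {})
            for sel in profile.findall("{%s}select" % ns):
                remarks = [(r.text or "").strip()
                           for r in sel.findall("{%s}remark" % ns)]
                remarks = [r for r in remarks if r]
                if remarks:
                    rules.setdefault(sel.get("idref"), []).extend(remarks)
    return result


def format_remarks(remark_map):
    """Render the mapping as indented text, one line per remark."""
    lines = []
    for profile_id, rules in sorted(remark_map.items()):
        lines.append("Profile %s" % profile_id)
        for idref, remarks in sorted(rules.items()):
            for remark in remarks:
                lines.append("  %s: %s" % (idref, remark))
    return "\n".join(lines)


if __name__ == "__main__":
    for label, doc in (("results", SAMPLE_RESULTS), ("tailoring", SAMPLE_TAILORING)):
        print("== %s ==" % label)
        print(format_remarks(profile_remarks(doc)))
```

Run it against a real results file with `profile_remarks(open(path).read())`; the output is the list the HTML report currently omits. Because the walk starts from every Profile rather than from Benchmark, the same call works on a Tailoring file, which is the second item jan-cerny raises later in the thread.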

evgenyz commented 3 years ago

@cipherboy the content tag is for problems related to the security content rather than the scanner itself. As far as I can see it is not the case here.

evgenyz commented 3 years ago

Also, is it still the same for 1.3.x?

jan-cerny commented 3 years ago

Great idea!

The only thing mildly related in the XSL is here (as far as I can tell, it is a different field though): https://github.com/OpenSCAP/openscap/blob/maint-1.3/xsl/xccdf-report-impl.xsl#L825-L833

I think that's a different thing because it matches a remark element inside override element but you want remark element inside select element.

Also, is it still the same for 1.3.x?

It most likely is, we haven't added it in 1.3.x.

cipherboy commented 3 years ago

@evgenyz said:

@cipherboy the content tag is for problems related to the security content rather than the scanner itself. As far as I can see it is not the case here.

Aha, ty :) I've gone ahead and updated the label's description.

jan-cerny commented 3 years ago

@cipherboy The PR has been merged. Can this be closed?

cipherboy commented 3 years ago

@jan-cerny I was debating that as well.

IIRC we only merged the portion of this related to the scan results. You mentioned on the PR:

  1. It would be nice to have the same feature also in HTML guide.
  2. I think it can be useful to enable it also for tailoring files.

The latter I think will sit open longer and be a different RFE (since it is harder), but it might be nice to see 1 addressed before closing this. Thoughts?

Mab879 commented 3 years ago

@cipherboy I can look into opening a new PR addressing your first point this week.

jan-cerny commented 3 years ago

The latter I think will sit open longer and be a different RFE (since it is harder), but it might be nice to see 1 addressed before closing this. Thoughts?

I agree.