OpenSCAP / openscap

NIST Certified SCAP 1.2 toolkit
https://www.open-scap.org/tools/openscap-base
GNU Lesser General Public License v2.1

generate fix from XCCDF results & profile from tailoring file #524

Open ybznek opened 8 years ago

ybznek commented 8 years ago

Expected workflow:

  1. create tailoring file
  2. scan system using additional tailoring file
  3. generate fix


Let's try to use --result-id

oscap xccdf generate fix --template urn:xccdf:fix:script:ansible --result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_pci-dss  /tmp/ssg-rhel7-ds-xccdf.results.xml 
#Warning: OpenSCAP will now use fallback mode (XSLT) to generate fixes. Some of the functionality might be missing (Text substitution, CPE processing, DataStream support, and tailoring). Please ommit --result-id option to trigger advanced processing.
legacy-fix.xsl has been deprecated!
I/O warning : failed to load external entity "legacy-fixtpl-urn:xccdf:fix:script:ansible.xml"
Fix template 'urn:xccdf:fix:script:ansible' failed to load. Aborting.

Let's try to use --profile-id. Oh, the profile id that was used came from the tailoring file and is not available in the result file.


ybznek commented 8 years ago
$ oscap xccdf generate fix /tmp/ssg-rhel7-ds-arf.xml
OpenSCAP Error: Session input file was determined but it isn't an XCCDF file, a source datastream or an XCCDF tailoring file. [xccdf_session.c:135]

ybznek commented 7 years ago

@rsprudencio Isn't this issue already fixed?

jan-cerny commented 7 years ago

@ybznek I don't think it was fixed completely.

We now support ARFs in the xccdf generate fix command. That was merged upstream in https://github.com/OpenSCAP/openscap/pull/659

However we can't handle tailoring in ARF files there. Tailoring support remains to be implemented.

jan-cerny commented 7 years ago

@ybznek just to be more precise, now we have a different error message than you wrote in the issue description

[jcerny@thinkpad ~]$ myoscap xccdf generate fix --result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_common_customized arf.xml
E: oscap: (xccdf_session.c:1608:xccdf_session_build_policy_from_testresult()) Could not find Profile/@id="xccdf_org.ssgproject.content_profile_common_customized" to build policy from TestResult/@id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_common_customized"
OpenSCAP Error: Could not find Profile/@id="xccdf_org.ssgproject.content_profile_common_customized" to build policy from TestResult/@id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_common_customized" [xccdf_session.c:1608]

I think that is caused by merging #659, but it's still an error message, only different 😄

rsprudencio commented 7 years ago

@ybznek partially yes, as mentioned by @jan-cerny.

We still need to support Tailoring.

chuckatkins commented 6 years ago

Not quite sure when this was added but the issue seems to be resolved now as you can pass the --tailoring-file option to oscap generate fix. It seems to work with both a results file and arf file.

peedy2495 commented 1 year ago

Not using --new-profile-id/--p when creating a tailoring file does the trick! With this method, the tailoring file refers from and to the tailored profile:

<xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_cis_level2_workstation" extends="xccdf_org.ssgproject.content_profile_cis_level2_workstation">

Now, you're able to generate the desired output via oscap xccdf generate --profile xccdf_org.ssgproject.content_profile_cis_level2_workstation fix --tailoring-file mytailorfile.xml --fix-type ansible --output fixit.yml result.xml

A recommended way to close this issue should be to modify the documentation in the tailoring section, or to aggregate and add a new profile named by the tailor new-profile-id into the result xml file.
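A pre-flight check for the "Could not find Profile/@id" error quoted earlier in this thread, added here as an example and not part of the OpenSCAP project's code: it reads the profile reference from a TestResult in an XCCDF results file and reports whether that profile resolves in the results file itself, only in a tailoring file (so --tailoring-file is required), or nowhere. The XML samples are constructed and minimal, and the rule and file names in them are placeholders.

```python
"""Pre-flight check for `oscap xccdf generate fix --result-id ...`:
approximates the profile lookup behind 'Could not find Profile/@id=...'."""
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF}
STOCK = "xccdf_org.ssgproject.content_profile_pci-dss"   # stock SSG profile id
CUSTOM = STOCK + "_customized"                           # id from --new-profile-id


def make_tailoring(profile_id: str, extends: str) -> str:
    """Constructed minimal XCCDF 1.2 Tailoring with one customized Profile."""
    return (f'<Tailoring xmlns="{XCCDF}" id="xccdf_example_tailoring">'
            f'<benchmark href="ssg-rhel7-ds.xml"/>'
            f'<version time="2020-01-01T00:00:00">1</version>'
            f'<Profile id="{profile_id}" extends="{extends}"><title>customized</title>'
            f'<select idref="xccdf_org.ssgproject.content_rule_example" selected="false"/>'
            f'</Profile></Tailoring>')


def make_results(profile_id: str) -> str:
    """Constructed XCCDF results: Benchmark carrying only the stock Profile
    plus a TestResult that references whatever profile the scan used."""
    return (f'<Benchmark xmlns="{XCCDF}" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">'
            f'<Profile id="{STOCK}"><title>PCI-DSS</title></Profile>'
            f'<TestResult id="xccdf_org.open-scap_testresult_{profile_id}">'
            f'<profile idref="{profile_id}"/></TestResult></Benchmark>')


def profile_ids(xml_text: str) -> set:
    """All Profile/@id values directly under the document root."""
    return {p.get("id") for p in ET.fromstring(xml_text).findall("x:Profile", NS)}


def resolve_profile(results_xml: str, result_id: str, tailoring_xml: str = None):
    """Return (where, profile_id): where is 'benchmark' (no tailoring needed),
    'tailoring' (pass --tailoring-file), 'missing' (oscap will fail to build
    the policy) or 'no-testresult' (bad --result-id)."""
    root = ET.fromstring(results_xml)
    tr = next((t for t in root.findall("x:TestResult", NS) if t.get("id") == result_id), None)
    ref = tr.find("x:profile", NS) if tr is not None else None
    if ref is None:
        return ("no-testresult", None)
    prof = ref.get("idref")
    if prof in profile_ids(results_xml):
        return ("benchmark", prof)
    if tailoring_xml and prof in profile_ids(tailoring_xml):
        return ("tailoring", prof)
    return ("missing", prof)
```

Run against a real results file and tailoring file, a "missing" result means the customized profile id exists in neither input and generate fix cannot build a policy for it.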