OpenSCAP / oscap-anaconda-addon

The add-on to Anaconda installer providing scanning capabilities
https://www.open-scap.org/tools/oscap-anaconda-addon/
GNU General Public License v2.0

trying content-path and tailoring-path, need content-url too? #199

Closed bdouxx closed 2 years ago

bdouxx commented 2 years ago
%pre --interpreter=/bin/bash --log=/tmp/pre-ks.log --erroronfail
[ -d /tmp/openscap_data/ ] || /bin/mkdir -m 755 /tmp/openscap_data
curl --request GET --insecure --user xxx:yyy https://URL/ssg-rhel8-ds-tailored.xml  --output /tmp/openscap_data/ssg-rhel8-ds-tailored.xml
curl --request GET --insecure --user xxx:yyy https://URL/ssg-rhel8-ds.xml --output /tmp/openscap_data/ssg-rhel8-ds.xml
%end

%addon org_fedora_oscap
  content-type = datastream
  profile = xccdf_org.ssgproject.content_profile_cis
  content-path = ssg-rhel8-ds.xml
  tailoring-path = ssg-rhel8-ds-tailored.xml
%end

Output:

content-url missing for the org_fedora_oscap addon

bdouxx commented 2 years ago

Ok found the solution after reading https://github.com/OpenSCAP/oscap-anaconda-addon/blob/rhel8-branch/org_fedora_oscap/ks/oscap.py

%pre --interpreter=/bin/bash --log=/tmp/pre-ks.log --erroronfail
[ -d /tmp/openscap_data/ ] || /bin/mkdir -m 755 /tmp/openscap_data
curl --request GET --insecure --user xxx:yyy https://URL/ssg-rhel8-ds-tailored.xml  --output /tmp/openscap_data/ssg-rhel8-ds-tailored.xml
curl --request GET --insecure --user xxx:yyy https://URL/ssg-rhel8-ds.xml --output /tmp/openscap_data/ssg-rhel8-ds.xml
%end

%addon org_fedora_oscap
  content-type = datastream
  profile = xccdf_org.ssgproject.content_profile_cis
  content-url = file://tmp/openscap_data/ssg-rhel8-ds.xml
  tailoring-path = ssg-rhel8-ds-tailored.xml
%end

matejak commented 2 years ago

Indeed, can I ask you what your use case is? We were wondering whether the file:// URI scheme could be useful to anybody, and it turns out that it indeed can be useful.

bdouxx commented 2 years ago

We use Red Hat Satellite with OpenSCAP and tailoring file integration: https://www.redhat.com/en/blog/deploying-openscap-satellite-using-ansible https://access.redhat.com/solutions/5823351

I want to create a VM directly with the good configuration (need a password to get files on Satellite, so need a pre-step).

matejak commented 2 years ago

Thanks, I am happy that you found your way through. It is, to some degree, a hack, as the lookup directory of the tailoring path is not defined in this context, but it should work like this. We may design a more logical addon configuration section in the future which would allow specifying the tailoring and the datastream separately.
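
Added example, not part of the thread or the project's code: the %pre download from the comments above with TLS verification left on and each file checked against a pinned SHA-256 before the addon reads it. SCAP_BASE_URL, SCAP_USER, SCAP_PASS, CA_CERT, DS_SHA256 and TAILORING_SHA256 are placeholder names chosen here, and sha256sum is assumed to be available in the installer environment.

```shell
#!/bin/sh
# Added example: body for the kickstart %pre section. Every variable below is a
# placeholder to fill in (constructed names, not taken from the thread).
DEST=${DEST:-/tmp/openscap_data}
SCAP_BASE_URL=${SCAP_BASE_URL:-}        # the server the thread calls https://URL
CA_CERT=${CA_CERT:-/tmp/server-ca.pem}  # CA certificate that signed the server's TLS cert
DS_SHA256=${DS_SHA256:-}                # pinned digest of ssg-rhel8-ds.xml
TAILORING_SHA256=${TAILORING_SHA256:-}  # pinned digest of ssg-rhel8-ds-tailored.xml

# Download one file. No --insecure: the server certificate must chain to CA_CERT.
# --fail turns an HTTP error (401, 404, ...) into a non-zero exit instead of
# saving the error page as if it were SCAP content.
fetch_scap() {  # fetch_scap <base-url> <file-name>
    curl --fail --silent --show-error --cacert "$CA_CERT" \
         --user "$SCAP_USER:$SCAP_PASS" --output "$DEST/$2" "$1/$2"
}

# Compare a file's SHA-256 with the pinned value.
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.
verify_scap() {  # verify_scap <file> <expected-sha256>
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ] || { echo "digest mismatch: $1" >&2; return 1; }
}

# Fetch then verify; delete the file on any failure so the addon can never
# evaluate or remediate against unverified policy content.
stage_scap() {  # stage_scap <base-url> <file-name> <expected-sha256>
    fetch_scap "$1" "$2" && verify_scap "$DEST/$2" "$3" && return 0
    rm -f "$DEST/$2"
    return 1
}

# Runs only once SCAP_BASE_URL is set. Because the thread's %pre is declared
# with --erroronfail, the non-zero exit stops the installation.
if [ -n "$SCAP_BASE_URL" ]; then
    mkdir -p -m 755 "$DEST"
    stage_scap "$SCAP_BASE_URL" ssg-rhel8-ds.xml "$DS_SHA256" &&
        stage_scap "$SCAP_BASE_URL" ssg-rhel8-ds-tailored.xml "$TAILORING_SHA256" ||
        exit 1
fi
```

The %addon org_fedora_oscap section from the thread stays as posted; only the way the two files reach /tmp/openscap_data changes.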