From 9145891a711774503618c91fb442f4b77aef2462 Mon Sep 17 00:00:00 2001 From: Jiri Jaburek Date: Thu, 21 Nov 2024 14:09:33 +0100 Subject: [PATCH 1/2] collect ARF results from remediations instead of HTML reports Signed-off-by: Jiri Jaburek --- hardening/anaconda/test.py | 8 ++-- hardening/ansible/test.py | 8 ++-- hardening/container/anaconda-ostree/test.py | 15 +++++--- .../container/bootc-image-builder/test.py | 15 +++++--- hardening/host-os/ansible/test.py | 6 +-- hardening/host-os/oscap/test.py | 24 +++++++----- hardening/image-builder/test.py | 8 ++-- hardening/kickstart/test.py | 8 ++-- hardening/oscap/old-new/test.py | 38 ++++++++++--------- hardening/oscap/test.py | 22 ++++++----- 10 files changed, 87 insertions(+), 65 deletions(-) diff --git a/hardening/anaconda/test.py b/hardening/anaconda/test.py index 603f42f..41287e1 100755 --- a/hardening/anaconda/test.py +++ b/hardening/anaconda/test.py @@ -39,15 +39,15 @@ # scan the remediated system proc, lines = g.ssh_stream( f'oscap xccdf eval --profile {profile} --progress --report report.html' - f' --results-arf results-arf.xml scan-ds.xml' + f' --results-arf scan-arf.xml scan-ds.xml' ) oscap.report_from_verbose(lines) if proc.returncode not in [0,2]: raise RuntimeError("post-reboot oscap failed unexpectedly") g.copy_from('report.html') - g.copy_from('results-arf.xml') + g.copy_from('scan-arf.xml') -util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True) +util.subprocess_run(['gzip', '-9', 'scan-arf.xml'], check=True) -results.report_and_exit(logs=['report.html', 'results-arf.xml.gz']) +results.report_and_exit(logs=['report.html', 'scan-arf.xml.gz']) diff --git a/hardening/ansible/test.py b/hardening/ansible/test.py index 2294e73..6c6a28a 100755 --- a/hardening/ansible/test.py +++ b/hardening/ansible/test.py @@ -51,15 +51,15 @@ g.copy_to(util.get_datastream(), 'scan-ds.xml') proc, lines = g.ssh_stream( f'oscap xccdf eval --profile {profile} --progress --report report.html' - f' --results-arf results-arf.xml scan-ds.xml' + f' --results-arf scan-arf.xml scan-ds.xml' ) oscap.report_from_verbose(lines) if proc.returncode not in [0,2]: raise RuntimeError("post-reboot oscap failed unexpectedly") g.copy_from('report.html') - g.copy_from('results-arf.xml') + g.copy_from('scan-arf.xml') -util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True) +util.subprocess_run(['gzip', '-9', 'scan-arf.xml'], check=True) -results.report_and_exit(logs=['report.html', 'results-arf.xml.gz']) +results.report_and_exit(logs=['report.html', 'scan-arf.xml.gz']) diff --git a/hardening/container/anaconda-ostree/test.py b/hardening/container/anaconda-ostree/test.py index 82244f5..c56d62e 100755 --- a/hardening/container/anaconda-ostree/test.py +++ b/hardening/container/anaconda-ostree/test.py @@ -33,7 +33,8 @@ RUN dnf -y copr enable {copr} centos-stream-{versions.rhel.major}-x86_64 RUN dnf -y install openscap-utils COPY remediation-ds.xml /root/. - RUN oscap-bootc --profile '{profile}' /root/remediation-ds.xml + RUN oscap-bootc --profile '{profile}' \ + --results-arf /root/remediation-arf.xml /root/remediation-ds.xml # hack sshd cmdline to allow root login RUN echo "OPTIONS=-oPermitRootLogin=yes" >> /etc/sysconfig/sshd ''') @@ -65,15 +66,19 @@ # scan the remediated system proc, lines = guest.ssh_stream( f'oscap xccdf eval --profile {profile} --progress --report report.html' - f' --results-arf results-arf.xml scan-ds.xml' + f' --results-arf scan-arf.xml scan-ds.xml' ) oscap.report_from_verbose(lines) if proc.returncode not in [0,2]: raise RuntimeError("post-reboot oscap failed unexpectedly") guest.copy_from('report.html') - guest.copy_from('results-arf.xml') + guest.copy_from('remediation-arf.xml') + guest.copy_from('scan-arf.xml') -util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True) +tar = [ + 'tar', '-cvJf', 'results-arf.tar.xz', 'remediation-arf.xml', 'scan-arf.xml', +] +util.subprocess_run(tar, check=True) -results.report_and_exit(logs=['report.html', 'results-arf.xml.gz']) +results.report_and_exit(logs=['report.html', 'results-arf.tar.xz']) diff --git a/hardening/container/bootc-image-builder/test.py b/hardening/container/bootc-image-builder/test.py index 93ac810..958eeef 100755 --- a/hardening/container/bootc-image-builder/test.py +++ b/hardening/container/bootc-image-builder/test.py @@ -36,7 +36,8 @@ RUN dnf -y copr enable {copr} centos-stream-{versions.rhel.major}-x86_64 RUN dnf -y install openscap-utils COPY remediation-ds.xml /root/. - RUN oscap-bootc --profile '{profile}' /root/remediation-ds.xml + RUN oscap-bootc --profile '{profile}' \ + --results-arf /root/remediation-arf.xml /root/remediation-ds.xml # hack sshd cmdline to allow root login RUN echo "OPTIONS=-oPermitRootLogin=yes" >> /etc/sysconfig/sshd ''') @@ -80,15 +81,19 @@ # scan the remediated system proc, lines = guest.ssh_stream( f'oscap xccdf eval --profile {profile} --progress --report report.html' - f' --results-arf results-arf.xml scan-ds.xml' + f' --results-arf scan-arf.xml scan-ds.xml' ) oscap.report_from_verbose(lines) if proc.returncode not in [0,2]: raise RuntimeError("post-reboot oscap failed unexpectedly") guest.copy_from('report.html') - guest.copy_from('results-arf.xml') + guest.copy_from('remediation-arf.xml') + guest.copy_from('scan-arf.xml') -util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True) +tar = [ + 'tar', '-cvJf', 'results-arf.tar.xz', 'remediation-arf.xml', 'scan-arf.xml', +] +util.subprocess_run(tar, check=True) -results.report_and_exit(logs=['report.html', 'results-arf.xml.gz']) +results.report_and_exit(logs=['report.html', 'results-arf.tar.xz']) diff --git a/hardening/host-os/ansible/test.py b/hardening/host-os/ansible/test.py index a446f77..8a2ce8b 100755 --- a/hardening/host-os/ansible/test.py +++ b/hardening/host-os/ansible/test.py @@ -42,7 +42,7 @@ # scan the remediated system cmd = [ 'oscap', 'xccdf', 'eval', '--profile', profile, '--progress', - '--report', 'report.html', '--results-arf', 'results-arf.xml', + '--report', 'report.html', '--results-arf', 'scan-arf.xml', util.get_datastream(), ] proc, lines = util.subprocess_stream(cmd) @@ -50,6 +50,6 @@ if proc.returncode not in [0,2]: raise RuntimeError("post-reboot oscap failed unexpectedly") - util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True) + util.subprocess_run(['gzip', '-9', 'scan-arf.xml'], check=True) - results.report_and_exit(logs=['report.html', 'results-arf.xml.gz']) + results.report_and_exit(logs=['report.html', 'scan-arf.xml.gz']) diff --git a/hardening/host-os/oscap/test.py b/hardening/host-os/oscap/test.py index f30659d..95dd41b 100755 --- a/hardening/host-os/oscap/test.py +++ b/hardening/host-os/oscap/test.py @@ -17,10 +17,10 @@ remediation_ds = tmpdir / 'remediation-ds.xml' -def do_one_remediation(ds, profile, html_report): +def do_one_remediation(ds, profile, arf_results): cmd = [ 'oscap', 'xccdf', 'eval', '--profile', profile, '--progress', - '--report', html_report, '--remediate', ds, + '--results-arf', arf_results, '--remediate', ds, ] proc = util.subprocess_run(cmd) if proc.returncode not in [0,2]: @@ -41,7 +41,7 @@ def do_one_remediation(ds, profile, html_report): oscap.unselect_rules(util.get_datastream(), remediation_ds, remediation.excludes()) - do_one_remediation(remediation_ds, profile, tmpdir / 'remediation.html') + do_one_remediation(remediation_ds, profile, tmpdir / 'remediation-arf.xml') util.reboot() @@ -50,7 +50,7 @@ def do_one_remediation(ds, profile, html_report): elif util.get_reboot_count() == 1: util.log("second boot, doing second remediation") - do_one_remediation(remediation_ds, profile, tmpdir / 'remediation2.html') + do_one_remediation(remediation_ds, profile, tmpdir / 'remediation2-arf.xml') util.reboot() @@ -61,7 +61,7 @@ def do_one_remediation(ds, profile, html_report): # - use the original unmodified datastream cmd = [ 'oscap', 'xccdf', 'eval', '--profile', profile, '--progress', - '--report', 'report.html', '--results-arf', 'results-arf.xml', + '--report', 'report.html', '--results-arf', 'scan-arf.xml', util.get_datastream(), ] proc, lines = util.subprocess_stream(cmd) @@ -69,12 +69,18 @@ def do_one_remediation(ds, profile, html_report): if proc.returncode not in [0,2]: raise RuntimeError("post-reboot oscap failed unexpectedly") - util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True) + # TODO: str() because of python 3.6 shutil.move() not supporting Path + shutil.move(str(tmpdir / 'remediation-arf.xml'), '.') + shutil.move(str(tmpdir / 'remediation2-arf.xml'), '.') + + tar = [ + 'tar', '-cvJf', 'results-arf.tar.xz', + 'remediation-arf.xml', 'remediation2-arf.xml', 'scan-arf.xml', + ] + util.subprocess_run(tar, check=True) logs = [ 'report.html', - 'results-arf.xml.gz', - tmpdir / 'remediation.html', - tmpdir / 'remediation2.html', + 'results-arf.tar.xz', ] results.report_and_exit(logs=logs) diff --git a/hardening/image-builder/test.py b/hardening/image-builder/test.py index 889780a..70f40ac 100755 --- a/hardening/image-builder/test.py +++ b/hardening/image-builder/test.py @@ -33,15 +33,15 @@ # scan the remediated system proc, lines = g.ssh_stream( f'oscap xccdf eval --profile {profile} --progress --report report.html' - f' --results-arf results-arf.xml scan-ds.xml' + f' --results-arf scan-arf.xml scan-ds.xml' ) oscap.report_from_verbose(lines) if proc.returncode not in [0,2]: raise RuntimeError("post-reboot oscap failed unexpectedly") g.copy_from('report.html') - g.copy_from('results-arf.xml') + g.copy_from('scan-arf.xml') -util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True) +util.subprocess_run(['gzip', '-9', 'scan-arf.xml'], check=True) -results.report_and_exit(logs=['report.html', 'results-arf.xml.gz', g.osbuild_log]) +results.report_and_exit(logs=['report.html', 'scan-arf.xml.gz', g.osbuild_log]) diff --git a/hardening/kickstart/test.py b/hardening/kickstart/test.py index b993f2e..253581b 100755 --- a/hardening/kickstart/test.py +++ b/hardening/kickstart/test.py @@ -36,15 +36,15 @@ # scan the remediated system proc, lines = g.ssh_stream( f'oscap xccdf eval --profile {profile} --progress --report report.html' - f' --results-arf results-arf.xml scan-ds.xml' + f' --results-arf scan-arf.xml scan-ds.xml' ) oscap.report_from_verbose(lines) if proc.returncode not in [0,2]: raise RuntimeError("post-reboot oscap failed unexpectedly") g.copy_from('report.html') - g.copy_from('results-arf.xml') + g.copy_from('scan-arf.xml') -util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True) +util.subprocess_run(['gzip', '-9', 'scan-arf.xml'], check=True) -results.report_and_exit(logs=['report.html', 'results-arf.xml.gz']) +results.report_and_exit(logs=['report.html', 'scan-arf.xml.gz']) diff --git a/hardening/oscap/old-new/test.py b/hardening/oscap/old-new/test.py index f8e0dea..1dab39a 100644 --- a/hardening/oscap/old-new/test.py +++ b/hardening/oscap/old-new/test.py @@ -22,13 +22,13 @@ oscap.unselect_rules(util.get_datastream(), 'remediation-new.xml', remediation.excludes()) g.copy_to('remediation-new.xml') - def remediate(datastream, html_report, html_report2): + def remediate(datastream, arf_results, arf_results2): # remediate twice due to some rules being 'notapplicable' # on the first pass - for html_report in [html_report, html_report2]: + for arf_output in [arf_results, arf_results2]: cmd = [ 'oscap', 'xccdf', 'eval', '--profile', profile, - '--progress', '--report', html_report, + '--progress', '--results-arf', arf_output, '--remediate', datastream, ] proc = g.ssh(' '.join(cmd)) @@ -38,34 +38,38 @@ def remediate(datastream, html_report, html_report2): # remediate using old content, # then remediate using new content - remediate('remediation-old.xml', 'remediation-old.html', 'remediation-old2.html') - remediate('remediation-new.xml', 'remediation-new.html', 'remediation-new2.html') + remediate('remediation-old.xml', 'remediation-arf-old.xml', 'remediation-arf-old2.xml') + remediate('remediation-new.xml', 'remediation-arf-new.xml', 'remediation-arf-new2.xml') # scan using new content g.copy_to(util.get_datastream(), 'scan-new.xml') proc, lines = g.ssh_stream( f'oscap xccdf eval --profile {profile} --progress --report report.html' - f' --results-arf results-arf.xml scan-new.xml' + f' --results-arf scan-arf.xml scan-new.xml' ) oscap.report_from_verbose(lines) if proc.returncode not in [0,2]: raise RuntimeError("post-reboot oscap failed unexpectedly") g.copy_from('report.html') - g.copy_from('results-arf.xml') - g.copy_from('remediation-old.html') - g.copy_from('remediation-old2.html') - g.copy_from('remediation-new.html') - g.copy_from('remediation-new2.html') + g.copy_from('scan-arf.xml') + g.copy_from('remediation-arf-old.xml') + g.copy_from('remediation-arf-old2.xml') + g.copy_from('remediation-arf-new.xml') + g.copy_from('remediation-arf-new2.xml') -util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True) +tar = [ + 'tar', '-cvJf', 'results-arf.tar.xz', + 'scan-arf.xml', + 'remediation-arf-old.xml', + 'remediation-arf-old2.xml', + 'remediation-arf-new.xml', + 'remediation-arf-new2.xml', +] +util.subprocess_run(tar, check=True) logs = [ 'report.html', - 'results-arf.xml.gz', - 'remediation-old.html', - 'remediation-old2.html', - 'remediation-new.html', - 'remediation-new2.html', + 'results-arf.tar.xz', ] results.report_and_exit(logs=logs) diff --git a/hardening/oscap/test.py b/hardening/oscap/test.py index 6bbf18b..9e31054 100755 --- a/hardening/oscap/test.py +++ b/hardening/oscap/test.py @@ -29,10 +29,10 @@ # - remediate twice due to some rules being 'notapplicable' # on the first pass - for html_report in ['remediation.html', 'remediation2.html']: + for arf_results in ['remediation-arf.xml', 'remediation2-arf.xml']: cmd = [ 'oscap', 'xccdf', 'eval', '--profile', profile, - '--progress', '--report', html_report, + '--progress', '--results-arf', arf_results, '--remediate', 'remediation-ds.xml', ] proc = g.ssh(' '.join(cmd)) @@ -45,23 +45,25 @@ # scan the remediated system proc, lines = g.ssh_stream( f'oscap xccdf eval --profile {profile} --progress --report report.html' - f' --results-arf results-arf.xml scan-ds.xml' + f' --results-arf scan-arf.xml scan-ds.xml' ) oscap.report_from_verbose(lines) if proc.returncode not in [0,2]: raise RuntimeError("post-reboot oscap failed unexpectedly") g.copy_from('report.html') - g.copy_from('results-arf.xml') - g.copy_from('remediation.html') - g.copy_from('remediation2.html') + g.copy_from('remediation-arf.xml') + g.copy_from('remediation2-arf.xml') + g.copy_from('scan-arf.xml') -util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True) +tar = [ + 'tar', '-cvJf', 'results-arf.tar.xz', + 'remediation-arf.xml', 'remediation2-arf.xml', 'scan-arf.xml', +] +util.subprocess_run(tar, check=True) logs = [ 'report.html', - 'results-arf.xml.gz', - 'remediation.html', - 'remediation2.html', + 'results-arf.tar.xz', ] results.report_and_exit(logs=logs) From d23ea4c644de05942e8231a8834bc778a3bf2d84 Mon Sep 17 00:00:00 2001 From: Jiri Jaburek Date: Thu, 21 Nov 2024 14:57:55 +0100 Subject: [PATCH 2/2] use a TestingFarm RHEL image for container tests Signed-off-by: Jiri Jaburek --- hardening/container/anaconda-ostree/main.fmf | 3 --- hardening/container/anaconda-ostree/test.py | 9 +++++++-- hardening/container/bootc-image-builder/main.fmf | 3 --- hardening/container/bootc-image-builder/test.py | 9 +++++++-- 4 files changed, 14 insertions(+), 10 deletions(-) diff --git a/hardening/container/anaconda-ostree/main.fmf b/hardening/container/anaconda-ostree/main.fmf index f34691b..e7c9519 100644 --- a/hardening/container/anaconda-ostree/main.fmf +++ b/hardening/container/anaconda-ostree/main.fmf @@ -28,9 +28,6 @@ adjust: - when: distro < rhel-9.6 enabled: false because: Image Mode not supported for older RHELs - - when: distro == rhel - enabled: false - because: TODO - no freely accessible RHEL bootc image, CentOS Stream only tag+: # TODO: this test is currently broken by / blocked on Anaconda # having broken ostreecontainer kickstart functionality, diff --git a/hardening/container/anaconda-ostree/test.py b/hardening/container/anaconda-ostree/test.py index c56d62e..8b8b258 100755 --- a/hardening/container/anaconda-ostree/test.py +++ b/hardening/container/anaconda-ostree/test.py @@ -16,8 +16,13 @@ guest.wipe() guest.generate_ssh_keypair() -# CentOS Stream image only, for now -src_image = f'quay.io/centos-bootc/centos-bootc:stream{versions.rhel.major}' +# select appropriate container image based on host OS +major = versions.rhel.major +minor = versions.rhel.minor +if versions.rhel.is_true_rhel(): + src_image = f'images.paas.redhat.com/testingfarm/rhel-bootc:{major}.{minor}' +else: + src_image = f'quay.io/centos-bootc/centos-bootc:stream{major}' # RHEL-9 and older use 'maint-1.3' openscap git repo branch, newer use 'main' if versions.rhel <= 9: diff --git a/hardening/container/bootc-image-builder/main.fmf b/hardening/container/bootc-image-builder/main.fmf index 4bea20b..fe6549b 100644 --- a/hardening/container/bootc-image-builder/main.fmf +++ b/hardening/container/bootc-image-builder/main.fmf @@ -28,9 +28,6 @@ adjust: - when: distro < rhel-9.6 enabled: false because: Image Mode not supported for older RHELs - - when: distro == rhel - enabled: false - because: TODO - no freely accessible RHEL bootc image, CentOS Stream only /anssi_bp28_high: diff --git a/hardening/container/bootc-image-builder/test.py b/hardening/container/bootc-image-builder/test.py index 958eeef..f1110b1 100755 --- a/hardening/container/bootc-image-builder/test.py +++ b/hardening/container/bootc-image-builder/test.py @@ -19,8 +19,13 @@ guest.wipe() guest.generate_ssh_keypair() -# CentOS Stream image only, for now -src_image = f'quay.io/centos-bootc/centos-bootc:stream{versions.rhel.major}' +# select appropriate container image based on host OS +major = versions.rhel.major +minor = versions.rhel.minor +if versions.rhel.is_true_rhel(): + src_image = f'images.paas.redhat.com/testingfarm/rhel-bootc:{major}.{minor}' +else: + src_image = f'quay.io/centos-bootc/centos-bootc:stream{major}' # RHEL-9 and older use 'maint-1.3' openscap git repo branch, newer use 'main' if versions.rhel <= 9: