Support Blueprint services customization for masking

[customizations.services] masked = ["service"]
OpenSCAP · Mar 11, 2024 · f98d07c · f98d07c
1 parent 8fedd96
commit f98d07c
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 5 deletions.
diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -667,7 +667,9 @@ struct blueprint_entries {
 	oscap_pcre_t *re;
 };
 
-static inline int _parse_blueprint_fix(const char *fix_text, struct oscap_list *generic, struct oscap_list *services_enable, struct oscap_list *services_disable, struct oscap_list *kernel_append)
+static inline int _parse_blueprint_fix(const char *fix_text, struct oscap_list *generic,
+										struct oscap_list *services_enable, struct oscap_list *services_disable, struct oscap_list *services_mask,
+										struct oscap_list *kernel_append)
 {
 	char *err;
 	int errofs;
@@ -676,6 +678,7 @@ static inline int _parse_blueprint_fix(const char *fix_text, struct oscap_list *
 	struct blueprint_entries tab[] = {
 		{"\\[customizations\\.services\\]\\s+enabled[=\\s]+\\[([^\\]]+)\\]\\s+", services_enable, NULL},
 		{"\\[customizations\\.services\\]\\s+disabled[=\\s]+\\[([^\\]]+)\\]\\s+", services_disable, NULL},
+		{"\\[customizations\\.services\\]\\s+masked[=\\s]+\\[([^\\]]+)\\]\\s+", services_mask, NULL},
 		{"\\[customizations\\.kernel\\]\\s+append[=\\s\"]+([^\"]+)[\\s\"]+", kernel_append, NULL},
 		// We do this only to pop the 'distro' entry to the top of the generic list,
 		// effectively placing it to the root of the TOML document.
@@ -872,14 +875,17 @@ static int _xccdf_policy_rule_generate_fix(struct xccdf_policy *policy, struct x
 	return ret;
 }
 
-static int _xccdf_policy_rule_generate_blueprint_fix(struct xccdf_policy *policy, struct xccdf_rule *rule, const char *template, struct oscap_list *generic, struct oscap_list *services_enable, struct oscap_list *services_disable, struct oscap_list *kernel_append)
+static int _xccdf_policy_rule_generate_blueprint_fix(struct xccdf_policy *policy, struct xccdf_rule *rule, const char *template,
+													struct oscap_list *generic,
+													struct oscap_list *services_enable, struct oscap_list *services_disable, struct oscap_list *services_mask,
+													struct oscap_list *kernel_append)
 {
 	char *fix_text = NULL;
 	int ret = _xccdf_policy_rule_get_fix_text(policy, rule, template, &fix_text);
 	if (fix_text == NULL) {
 		return ret;
 	}
-	ret = _parse_blueprint_fix(fix_text, generic, services_enable, services_disable, kernel_append);
+	ret = _parse_blueprint_fix(fix_text, generic, services_enable, services_disable, services_mask, kernel_append);
 	free(fix_text);
 	return ret;
 }
@@ -1167,11 +1173,12 @@ static int _xccdf_policy_generate_fix_blueprint(struct oscap_list *rules_to_fix,
 	struct oscap_list *generic = oscap_list_new();
 	struct oscap_list *services_enable = oscap_list_new();
 	struct oscap_list *services_disable = oscap_list_new();
+	struct oscap_list *services_mask = oscap_list_new();
 	struct oscap_list *kernel_append = oscap_list_new();
 	struct oscap_iterator *rules_to_fix_it = oscap_iterator_new(rules_to_fix);
 	while (oscap_iterator_has_more(rules_to_fix_it)) {
 		struct xccdf_rule *rule = (struct xccdf_rule*)oscap_iterator_next(rules_to_fix_it);
-		ret = _xccdf_policy_rule_generate_blueprint_fix(policy, rule, sys, generic, services_enable, services_disable, kernel_append);
+		ret = _xccdf_policy_rule_generate_blueprint_fix(policy, rule, sys, generic, services_enable, services_disable, services_mask, kernel_append);
 		if (ret != 0)
 			break;
 	}
@@ -1219,10 +1226,22 @@ static int _xccdf_policy_generate_fix_blueprint(struct oscap_list *rules_to_fix,
 		if (oscap_iterator_has_more(services_disable_it))
 			_write_text_to_fd(output_fd, ",");
 	}
-	_write_text_to_fd(output_fd, "]\n\n");
+	_write_text_to_fd(output_fd, "]\n");
 	oscap_iterator_free(services_disable_it);
 	oscap_list_free(services_disable, free);
 
+	_write_text_to_fd(output_fd, "masked = [");
+	struct oscap_iterator *services_mask_it = oscap_iterator_new(services_mask);
+	while(oscap_iterator_has_more(services_mask_it)) {
+		char *var_line = (char *) oscap_iterator_next(services_mask_it);
+		_write_text_to_fd(output_fd, var_line);
+		if (oscap_iterator_has_more(services_mask_it))
+			_write_text_to_fd(output_fd, ",");
+	}
+	_write_text_to_fd(output_fd, "]\n\n");
+	oscap_iterator_free(services_mask_it);
+	oscap_list_free(services_mask, free);
+
 	return ret;
 }
 

diff --git a/tests/API/XCCDF/unittests/test_remediation_blueprint.toml b/tests/API/XCCDF/unittests/test_remediation_blueprint.toml
@@ -49,4 +49,5 @@ append = "foo=bar audit=1"
 [customizations.services]
 enabled = ["sshd","usbguard"]
 disabled = ["kdump"]
+masked = ["evil"]
 
diff --git a/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml b/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml
@@ -94,6 +94,16 @@ distro = rhel-80
     <fix system="urn:redhat:osbuild:blueprint">
 [customizations.services]
 enabled = ["sshd"]
+</fix>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+    </check>
+  </Rule>
+  <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_10">
+    <title>Enable sshd</title>
+    <fix system="urn:redhat:osbuild:blueprint">
+[customizations.services]
+masked = ["evil"]
 </fix>
     <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
       <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>