From f98d07c1e99c2ad161d38b0bc47aed9eaf53151f Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov
Date: Mon, 11 Mar 2024 14:54:23 +0100
Subject: [PATCH] Support Blueprint services customization for masking

[customizations.services]
masked = ["service"]
---
 src/XCCDF_POLICY/xccdf_policy_remediate.c | 29 +++++++++++++++----
 .../unittests/test_remediation_blueprint.toml | 1 +
 .../test_remediation_blueprint.xccdf.xml | 10 +++++++
 3 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
index 20402ea21e..e817e6d2e1 100644
--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -667,7 +667,9 @@ struct blueprint_entries {
 oscap_pcre_t *re;
 };
-static inline int _parse_blueprint_fix(const char *fix_text, struct oscap_list *generic, struct oscap_list *services_enable, struct oscap_list *services_disable, struct oscap_list *kernel_append)
+static inline int _parse_blueprint_fix(const char *fix_text, struct oscap_list *generic,
+ struct oscap_list *services_enable, struct oscap_list *services_disable, struct oscap_list *services_mask,
+ struct oscap_list *kernel_append)
 {
 char *err;
 int errofs;
@@ -676,6 +678,7 @@ static inline int _parse_blueprint_fix(const char *fix_text, struct oscap_list *
 struct blueprint_entries tab[] = {
 {"\\[customizations\\.services\\]\\s+enabled[=\\s]+\\[([^\\]]+)\\]\\s+", services_enable, NULL},
 {"\\[customizations\\.services\\]\\s+disabled[=\\s]+\\[([^\\]]+)\\]\\s+", services_disable, NULL},
+ {"\\[customizations\\.services\\]\\s+masked[=\\s]+\\[([^\\]]+)\\]\\s+", services_mask, NULL},
 {"\\[customizations\\.kernel\\]\\s+append[=\\s\"]+([^\"]+)[\\s\"]+", kernel_append, NULL},
 // We do this only to pop the 'distro' entry to the top of the generic list,
 // effectively placing it to the root of the TOML document.
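Review bot: The new `masked` pattern, like the `enabled`/`disabled` entries above it, only matches when the key directly follows a `[customizations.services]` header, so a fix text that lists `enabled` and `masked` under one header has its second key silently ignored; the test fixture sidesteps this by giving the masked rule its own header. The pattern also demands trailing whitespace after the closing bracket (`\\]\\s+`), so a fix whose text ends exactly at `]` would not match at all — worth confirming that fix texts always end in a newline. Because the captured text is emitted into the generated TOML verbatim (the writer is in a later hunk), a table comment such as `// Each pattern matches only the key right after its section header and the capture is written out unvalidated: use one [customizations.services] header per key and plain string arrays in fix texts.` would spare the next contributor the same surprise. The rest of _parse_blueprint_fix, including where `re` is compiled and the lists are populated, lies outside the hunk.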
@@ -872,14 +875,17 @@ static int _xccdf_policy_rule_generate_fix(struct xccdf_policy *policy, struct x
 return ret;
 }
-static int _xccdf_policy_rule_generate_blueprint_fix(struct xccdf_policy *policy, struct xccdf_rule *rule, const char *template, struct oscap_list *generic, struct oscap_list *services_enable, struct oscap_list *services_disable, struct oscap_list *kernel_append)
+static int _xccdf_policy_rule_generate_blueprint_fix(struct xccdf_policy *policy, struct xccdf_rule *rule, const char *template,
+ struct oscap_list *generic,
+ struct oscap_list *services_enable, struct oscap_list *services_disable, struct oscap_list *services_mask,
+ struct oscap_list *kernel_append)
 {
 char *fix_text = NULL;
 int ret = _xccdf_policy_rule_get_fix_text(policy, rule, template, &fix_text);
 if (fix_text == NULL) {
 return ret;
 }
- ret = _parse_blueprint_fix(fix_text, generic, services_enable, services_disable, kernel_append);
+ ret = _parse_blueprint_fix(fix_text, generic, services_enable, services_disable, services_mask, kernel_append);
 free(fix_text);
 return ret;
 }
@@ -1167,11 +1173,12 @@ static int _xccdf_policy_generate_fix_blueprint(struct oscap_list *rules_to_fix,
 struct oscap_list *generic = oscap_list_new();
 struct oscap_list *services_enable = oscap_list_new();
 struct oscap_list *services_disable = oscap_list_new();
+ struct oscap_list *services_mask = oscap_list_new();
 struct oscap_list *kernel_append = oscap_list_new();
 struct oscap_iterator *rules_to_fix_it = oscap_iterator_new(rules_to_fix);
 while (oscap_iterator_has_more(rules_to_fix_it)) {
 struct xccdf_rule *rule = (struct xccdf_rule*)oscap_iterator_next(rules_to_fix_it);
- ret = _xccdf_policy_rule_generate_blueprint_fix(policy, rule, sys, generic, services_enable, services_disable, kernel_append);
+ ret = _xccdf_policy_rule_generate_blueprint_fix(policy, rule, sys, generic, services_enable, services_disable, services_mask, kernel_append);
 if (ret != 0)
 break;
 }
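Review bot: With `services_mask` added, `_xccdf_policy_rule_generate_blueprint_fix` now takes eight parameters and `_parse_blueprint_fix` six, five of them parallel `struct oscap_list *` pointers forwarded unchanged through three call levels, which is exactly where a swapped argument goes unnoticed because every list has the same type and the compiler cannot help. A small aggregate such as `struct blueprint_lists { struct oscap_list *generic, *services_enable, *services_disable, *services_mask, *kernel_append; };` passed by pointer would make the next customization key a one-line change and keep the call in the @@ -1167 hunk readable. This is a point of style only; the forwarding itself is consistent with the existing code, and the body of _xccdf_policy_generate_fix_blueprint continues outside the hunk.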
@@ -1219,10 +1226,22 @@ static int _xccdf_policy_generate_fix_blueprint(struct oscap_list *rules_to_fix,
 if (oscap_iterator_has_more(services_disable_it))
 _write_text_to_fd(output_fd, ",");
 }
- _write_text_to_fd(output_fd, "]\n\n");
+ _write_text_to_fd(output_fd, "]\n");
 oscap_iterator_free(services_disable_it);
 oscap_list_free(services_disable, free);
+ _write_text_to_fd(output_fd, "masked = [");
+ struct oscap_iterator *services_mask_it = oscap_iterator_new(services_mask);
+ while(oscap_iterator_has_more(services_mask_it)) {
+ char *var_line = (char *) oscap_iterator_next(services_mask_it);
+ _write_text_to_fd(output_fd, var_line);
+ if (oscap_iterator_has_more(services_mask_it))
+ _write_text_to_fd(output_fd, ",");
+ }
+ _write_text_to_fd(output_fd, "]\n\n");
+ oscap_iterator_free(services_mask_it);
+ oscap_list_free(services_mask, free);
+
 return ret;
 }
diff --git a/tests/API/XCCDF/unittests/test_remediation_blueprint.toml b/tests/API/XCCDF/unittests/test_remediation_blueprint.toml
index 0ac5bc5b4c..2dfd8fce50 100644
--- a/tests/API/XCCDF/unittests/test_remediation_blueprint.toml
+++ b/tests/API/XCCDF/unittests/test_remediation_blueprint.toml
@@ -49,4 +49,5 @@ append = "foo=bar audit=1"
 [customizations.services]
 enabled = ["sshd","usbguard"]
 disabled = ["kdump"]
+masked = ["evil"]
diff --git a/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml b/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml
index e685620dac..2fc909795b 100644
--- a/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml
+++ b/tests/API/XCCDF/unittests/test_remediation_blueprint.xccdf.xml
@@ -94,6 +94,16 @@ distro = rhel-80 [customizations.services] enabled = ["sshd"] + + + + + + + Enable sshd + +[customizations.services] +masked = ["evil"]
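Review bot: The new block writes `masked = []` into every generated blueprint even when no rule asked for a masked service, because the key and opening bracket go out before the list is inspected; if the consuming blueprint tool rejects an unknown or empty `masked` key (older consumers may predate it — I cannot confirm from here), every blueprint this build produces would fail to load. The cheap guard is to create `services_mask_it` first and emit the `masked = [` prefix, the loop and the closing `]\n\n` only when `oscap_iterator_has_more(services_mask_it)` is true before the loop, though `enabled`/`disabled` already follow the unconditional pattern, so this may be a deliberate convention worth a comment either way. Two smaller points: `while(oscap_iterator_has_more(services_mask_it))` lacks the space after `while` that the loop in the @@ -1167 hunk uses, and the `_write_text_to_fd` results are discarded as in the surrounding code, so a short write to `output_fd` yields a truncated blueprint with `ret` still reporting success. The earlier part of the function, including the `enabled` and `disabled` writers, is outside the hunk.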