Add XCCDF conflicts and requires #5281
Conversation
6001bc5 to ad066bc
@@ -791,6 +791,10 @@ A rule itself contains these attributes: | |||
The <tt>/tmp</tt> partition is used as temporary storage by many programs. Placing <tt>/tmp</tt> in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it. | |||
* `description`: Human-readable HTML description, which provides broader context for non-experts than the rationale. For example, description of the `partition_for_tmp` rule states that: | |||
+ | |||
* `requires`: The `id` of another rule or group that must be selected and enabled in a profile. |
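Review bot: the visible hunk adds only the `requires` bullet; `conflicts`, which the PR title also introduces, gets no entry in this attribute list, so add a sibling bullet for it, e.g. `* \`conflicts\`: The \`id\` of another rule or group that must not be selected in the same profile.` Also, "must be selected and enabled" reads as two distinct states; XCCDF has only the `selected` flag, so either say "must be selected in the profile" or define what "enabled" adds beyond selection.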
What is the difference between selected and enabled in a Profile?
@yuumasato trying not to use the XCCDF terms. Basically a rule has to exist in the profile and will flip the switch to selected='true' (aka enabled for processing in the benchmark/profile, as selected in this case means to score and evaluate).
I see, thanks for clarifying the language.
In the code you are not actually selecting any required rule in the build system, did I miss something?
It would be cool if the build system could auto-select rules for you, based on requires.
And actually, the scanner behavior works the other way. It won't select the required rule if it is not selected; it will flip the rule whose requirements are not fulfilled to false.
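To make the scanner behaviour described in the comment above concrete, here is an added example (not code from the ComplianceAsCode project or from this PR) that parses a small, constructed XCCDF benchmark with `<requires>`/`<conflicts>` children on its rules, applies a profile's `<select>` entries, and then unselects any rule whose requirements are unmet or whose conflicting rule is selected. It never auto-selects a required rule. Multi-id `requires` are treated as "at least one must be selected", and separate `requires` elements as "all must hold", following the XCCDF 1.2 definition. All rule ids other than `partition_for_tmp` are hypothetical.

```python
"""Resolve XCCDF <requires>/<conflicts> against a profile's selections.

Added example, not part of the ComplianceAsCode project. It mirrors the
scanner behaviour from the review thread: a required rule is never
auto-selected; the rule whose requirements are unmet is flipped to
selected="false". The sample benchmark and most rule ids are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample benchmark. Note that tmpfs_size_limit, which requires
# tmp_on_tmpfs, appears *before* tmp_on_tmpfs in document order, so a
# single-pass evaluation would miss the cascade.
SAMPLE_BENCHMARK = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Profile id="xccdf_example_profile_demo">
    <select idref="partition_for_tmp" selected="true"/>
    <select idref="mount_option_tmp_noexec" selected="true"/>
    <select idref="tmpfs_size_limit" selected="true"/>
    <select idref="tmp_on_tmpfs" selected="true"/>
  </Profile>
  <Rule id="partition_for_tmp" selected="false"/>
  <Rule id="mount_option_tmp_noexec" selected="false">
    <requires idref="partition_for_tmp"/>
  </Rule>
  <Rule id="tmpfs_size_limit" selected="false">
    <requires idref="tmp_on_tmpfs"/>
  </Rule>
  <Rule id="tmp_on_tmpfs" selected="false">
    <conflicts idref="partition_for_tmp"/>
  </Rule>
  <Rule id="audit_tmp_mounts" selected="false"/>
</Benchmark>
"""


def parse_benchmark(xml_text):
    """Return (rules, profiles); rules keep document order."""
    root = ET.fromstring(xml_text)
    rules = {}
    for rule in root.findall("xccdf:Rule", NS):
        rules[rule.get("id")] = {
            "selected": rule.get("selected", "true") == "true",
            # each <requires> may list several space-separated ids;
            # any one of them being selected satisfies that element
            "requires": [r.get("idref").split()
                         for r in rule.findall("xccdf:requires", NS)],
            "conflicts": [c.get("idref")
                          for c in rule.findall("xccdf:conflicts", NS)],
        }
    profiles = {}
    for prof in root.findall("xccdf:Profile", NS):
        profiles[prof.get("id")] = {
            s.get("idref"): s.get("selected", "true") == "true"
            for s in prof.findall("xccdf:select", NS)
        }
    return rules, profiles


def apply_profile(rules, profile):
    """Start from each rule's own selected flag, then apply <select> overrides."""
    sel = {rid: r["selected"] for rid, r in rules.items()}
    for rid, on in profile.items():
        if rid in sel:
            sel[rid] = on
    return sel


def resolve(rules, sel, fixed_point=True):
    """Unselect rules with unmet requires or a selected conflicting rule.

    With fixed_point=True the pass repeats until nothing changes, so
    cascades settle regardless of document order; fixed_point=False
    does a single document-order pass, as a simpler scanner might.
    """
    sel = dict(sel)
    while True:
        changed = False
        for rid, r in rules.items():
            if not sel[rid]:
                continue
            unmet = any(not any(sel.get(d, False) for d in alts)
                        for alts in r["requires"])
            clash = any(sel.get(c, False) for c in r["conflicts"])
            if unmet or clash:
                sel[rid] = False
                changed = True
        if not changed or not fixed_point:
            return sel


def effective_selection(xml_text, profile_id, fixed_point=True):
    rules, profiles = parse_benchmark(xml_text)
    return resolve(rules, apply_profile(rules, profiles[profile_id]), fixed_point)


if __name__ == "__main__":
    for rid, on in effective_selection(SAMPLE_BENCHMARK,
                                       "xccdf_example_profile_demo").items():
        print(f"{rid:28s} selected={'true' if on else 'false'}")
```

Running it shows `tmp_on_tmpfs` flipped to false because it conflicts with the selected `partition_for_tmp`, and `tmpfs_size_limit` flipped to false in the second pass because its required rule is now unselected; `partition_for_tmp` itself is never touched by the requires/conflicts of other rules. Passing `fixed_point=False` leaves `tmpfs_size_limit` selected, which is the kind of order-dependent result a build-system check for `requires` would want to catch before the content ships.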
dcb982c to 835327d
835327d to bc1d43d
Enriches the project's overall support for the XCCDF spec, and even if existing rule & profile owners choose not to implement this, it's a move towards stewardship of full XCCDF implementation. Nice job!
Description:
`<xccdf:requires/>` and `<xccdf:conflicts/>` in benchmark writing to allow finer control over rules/groups that either depend on each other or conflict with each other.