Add XCCDF conflicts and requires #5281
Conversation
redhatrises
force-pushed
the
xccdf_elems
branch
2 times, most recently
from
6001bc5
to
ad066bc
Compare
redhatrises
changed the title
| @@ -791,6 +791,10 @@ A rule itself contains these attributes: | |||
| The <tt>/tmp</tt> partition is used as temporary storage by many programs. Placing <tt>/tmp</tt> in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it. | |||
| * `description`: Human-readable HTML description, which provides broader context for non-experts than the rationale. For example, description of the `partition_for_tmp` rule states that: | |||
| + | |||
| * `requires`: The `id` of another rule or group that must be selected and enabled in a profile. | |||
There was a problem hiding this comment.
What is the difference between selected and enabled in a Profile?
There was a problem hiding this comment.
@yuumasato trying to not use the XCCDF terms. Basically a rule has to exist in the profile and will flip the switch to selected='true' (aka enabled for processing in the benchmark/profile as selected in this case means to score and evaluate)
There was a problem hiding this comment.
I see, thanks for clarifying the language.
In the code you are not actually selecting any required rule in the build system, did I miss something?
It would be cool if the build system could auto-select rules for you, based on requires.
And actually, the scanner behavior works the other way. lt won't to select the required rule if it is not selected, it will flip the rule whose requirements are not fulfilled to false.
redhatrises
changed the title
redhatrises
force-pushed
the
xccdf_elems
branch
from
dcb982c
to
835327d
Compare
redhatrises
force-pushed
the
xccdf_elems
branch
from
835327d
to
bc1d43d
Compare
Description:
<xccdf:requires/>and<xccdf:conflicts/>in benchmark writing to allow finer control over rules/groups that either depend on each other or conflict with each other.