Select rules on the command line #1832
Conversation
|
I have an important question. How this feature supposed to interact with For example, if in Also, what if |
|
Great question. The
Now your answers are a consequence of this behavior:
Now the question is whether the behavior is expected or isn't stupid. For example, in the aforementioned situation For example, in the aforemenation situation My impression is that the goal of the feature was to provide user a simple way to select a single rule or 2-3 rules so maybe we might want to ignore the requires and conflicts here? |
|
I have no idea how this feature should work, it's better to ask stakeholders (who they are BTW?). But I could suggest either extending |
|
There is a discussion with the BZ reporter in comment 4 https://bugzilla.redhat.com/show_bug.cgi?id=2020581#c4 Actually I like his view for development and testing:
|
| assert_exists 1 '//rule-result[@idref="xccdf_moc.elpmaxe.www_rule_17"]/result[text()="notselected"]' | ||
|
|
||
|
|
||
| # test the "conflicts" lemeent eith the --rule option |
There was a problem hiding this comment.
| # test the "conflicts" lemeent eith the --rule option | |
| # test the "conflicts" element with the --rule option |
|
@evgenyz The only thing missing is the automated addition of required rules. Is that correct? |
|
I'm afraid that the change of behavior could break SSGTS, because that uses |
src/XCCDF_POLICY/xccdf_policy.c
Outdated
| /* If at least one --rule option has been provided by the user on the | ||
| * command line skip reporting for the other rules - only the selected | ||
| * rule(s) will be reported. */ | ||
| if (oscap_htable_itemcount(policy->rules) > 0) { |
There was a problem hiding this comment.
Why not _user_specified_rule_mode(policy)?
| /* If user wants to evaluate only specific rules and the rule currently | ||
| * being evaluated is not among these rules, do not evaluate it and mark it | ||
| * as notselected. */ | ||
| if (_user_specified_rule_mode(policy) > 0) { |
There was a problem hiding this comment.
Or use oscap_htable_itemcount(policy->rules) > 0 here and get rid of that function.
utils/oscap.8
Outdated
| @@ -108,7 +108,12 @@ Select a particular profile from XCCDF document. If "(all)" is given a virtual p | |||
| .TP | |||
| \fB\-\-rule RULE\fR | |||
| .RS | |||
| Select a particular rule from XCCDF document. Only this rule will be evaluated. Rule will use values according to the selected profile. If no profile is selected, default values are used. | |||
| Select a particular rule from XCCDF document. Only this rule will be evaluated. Rule will use values according to the selected profile. If no profile is selected, default values are used. This option can be used multiple times to specify multiple rules at once. | |||
There was a problem hiding this comment.
Maybe worth mentioning that dependencies won't be evaluated?
utils/oscap.8
Outdated
| @@ -108,7 +108,7 @@ Select a particular profile from XCCDF document. If "(all)" is given a virtual p | |||
| .TP | |||
| \fB\-\-rule RULE\fR | |||
| .RS | |||
| Select a particular rule from XCCDF document. Only this rule will be evaluated. Rule will use values according to the selected profile. If no profile is selected, default values are used. This option can be used multiple times to specify multiple rules at once. | |||
| Select a particular rule from XCCDF document. Only this rule will be evaluated. Any other rules required by this rule rule won't be evaluated. Rule will use values according to the selected profile. If no profile is selected, default values are used. This option can be used multiple times to specify multiple rules at once. | |||
There was a problem hiding this comment.
| Select a particular rule from XCCDF document. Only this rule will be evaluated. Any other rules required by this rule rule won't be evaluated. Rule will use values according to the selected profile. If no profile is selected, default values are used. This option can be used multiple times to specify multiple rules at once. | |
| Select a particular rule from XCCDF document. Only this rule will be evaluated. Any other rules required by this rule won't be evaluated. Rule will use values according to the selected profile. If no profile is selected, default values are used. This option can be used multiple times to specify multiple rules at once. |
|
@jan-cerny Can you please rebase it? |
When multiple --rule options will be specified on the command line, OpenSCAP will evaluate multiple rules at once. Resolves: rhbz#2020581
The option will allow users to easily tell oscap to skip some rules without having to create a tailoring file. User will simply provide --skip-rule RULE_ID option on the command line to skip evaluation of the rule RULE_ID. Resolves: rhbz#2020580
The rule `xccdf_moc.elpmaxe.www_rule_17` requires group `xccdf_moc.elpmaxe.www_group_1_2` which is a typo or mistake because group `xccdf_moc.elpmaxe.www_group_1_2` doesn't exist. Instead, there is group `xccdf_moc.elpmaxe_group_1_2` (the correct group ID doesn't contain `.www`). To fix this, we could simply fix the ID in the `requires` element of rule `xccdf_moc.elpmaxe.www_rule_17`. But, since all other IDs in this XCCDF are in a form of `xccdf_moc.elpmaxe.www_.*` and we like consistency we will instead rename the group so that all IDs follow the same format.
The purpose of these new test cases is to preserve the current behavior of rules with requires and conflicts elements when `oscap` is invoked with the `--rule` option selecting specific rule or rules. The tests are based on current behavior, not on any specification, as `--rule` option is our custom feature, but at the same time we want notice behavior changes in future.
This allows us to modify the final selection at other places without consulting the real selection in the XCCDF document.
If the user explicitly requests a rule using --rule, they expect all the rules would be evaluated regardless selections and conflicts. The use-case for the `--rule` option is development and testing and in these situation it anyways behaves as an override. However, this patch doesn't solve the "requires" element handling. Required rules are still not added.
If at least one `--rule` option is provided by the user, only the rules listed as arguments of `--rule` options are evaluated. It ignores the `requires` element in the rule. The required rules aren't added automatically and aren't evaluated unless they're explicitely listed. This way we keep the behavior of `--rule` option in previous versions of OpenSCAP, because SSGTS relies on the fact that single occurence of `--rule` options means that at most 1 rule is evaluated. To avoid confusion, OpenSCAP will now report a warning that the rule they are evaluating a requires another rule.
jan-cerny
force-pushed
the
rule_override
branch
from
9d0524d
to
1420b04
Compare
|
@evgenyz rebased, thanks |
We introduce some changes to let users modify the list of rules to be evaluated more easily by command line options. Often users want to skip some rules or evaluate just a couple of rules. Currently, they need to create a tailoring file or build a new profile to do that. With this PR, they will be able to do it on the fly by adding command line options.
Specifically, this will
--ruleoptions to allow users to cherry-pick more rules at once (rhbz#2020581)--skip-ruleoption to allow users to skip some rules (rhbz#2020580)For more details, please read commit message of every commit.