Select rules on the command line #1832
Merged
Commits on Jan 18, 2022
When multiple --rule options are specified on the command line, OpenSCAP will evaluate multiple rules at once. Resolves: rhbz#2020581
Commit 734e951
The option will allow users to easily tell oscap to skip some rules without having to create a tailoring file. The user will simply provide the --skip-rule RULE_ID option on the command line to skip evaluation of the rule RULE_ID. Resolves: rhbz#2020580
Commit 7971af8
The rule `xccdf_moc.elpmaxe.www_rule_17` requires group `xccdf_moc.elpmaxe.www_group_1_2`, which is a typo or mistake because group `xccdf_moc.elpmaxe.www_group_1_2` doesn't exist. Instead, there is group `xccdf_moc.elpmaxe_group_1_2` (the correct group ID doesn't contain `.www`). To fix this, we could simply fix the ID in the `requires` element of rule `xccdf_moc.elpmaxe.www_rule_17`. But, since all other IDs in this XCCDF are in the form of `xccdf_moc.elpmaxe.www_.*` and we like consistency, we will instead rename the group so that all IDs follow the same format.
Commit a33607d
Extend tests of the XCCDF requires and conflicts
The purpose of these new test cases is to preserve the current behavior of rules with requires and conflicts elements when `oscap` is invoked with the `--rule` option selecting a specific rule or rules. The tests are based on current behavior, not on any specification, as the `--rule` option is our custom feature, but at the same time we want to notice behavior changes in future.
Commit a54703e
This allows us to modify the final selection at other places without consulting the real selection in the XCCDF document.
Commit 4a1eab6
Ignore selections and conflicts
If the user explicitly requests a rule using --rule, they expect all the rules would be evaluated regardless of selections and conflicts. The use-case for the `--rule` option is development and testing and in these situations it anyways behaves as an override. However, this patch doesn't solve the "requires" element handling. Required rules are still not added.
Commit 360b329
Issue a warning about required rules
If at least one `--rule` option is provided by the user, only the rules listed as arguments of `--rule` options are evaluated. It ignores the `requires` element in the rule. The required rules aren't added automatically and aren't evaluated unless they're explicitly listed. This way we keep the behavior of `--rule` option in previous versions of OpenSCAP, because SSGTS relies on the fact that single occurrence of `--rule` options means that at most 1 rule is evaluated. To avoid confusion, OpenSCAP will now report a warning that the rule they are evaluating requires another rule.
Commit bf45839
Commit fdc07ad
Commit 8006bbd
Commit 1420b04
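The `requires` handling described in the commit messages above, as an added example (not OpenSCAP code and not part of this pull request): a Python pre-check that reports which `requires` elements of the rules passed with repeated `--rule` options are not covered by the other listed rules. The benchmark and all IDs are constructed, the function names are hypothetical, and treating a `requires` as covered only when one of its alternatives is itself listed is this example's assumption.

```python
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace

# Constructed, minimal benchmark (not schema-complete); every ID is made up.
SAMPLE = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <Group id="xccdf_org.example_group_ssh">
    <Rule id="xccdf_org.example_rule_sshd_installed"/>
    <Rule id="xccdf_org.example_rule_sshd_no_root">
      <requires idref="xccdf_org.example_rule_sshd_installed"/>
    </Rule>
    <Rule id="xccdf_org.example_rule_sshd_banner">
      <requires idref="xccdf_org.example_rule_sshd_installed xccdf_org.example_rule_sshd_no_root"/>
      <requires idref="xccdf_org.example_group_ssh"/>
    </Rule>
  </Group>
</Benchmark>
"""


def unmet_requires(xccdf_text, rule_ids):
    """Map each listed rule to the <requires> alternatives no listed rule covers.

    rule_ids plays the role of the IDs passed with repeated --rule options.
    """
    root = ET.fromstring(xccdf_text)  # parse only content files you trust
    rules = {r.get("id"): r for r in root.iter(XCCDF + "Rule")}
    unknown = sorted(set(rule_ids) - set(rules))
    if unknown:
        raise ValueError("not a Rule in this benchmark: " + ", ".join(unknown))
    listed = set(rule_ids)
    report = {}
    for rid in dict.fromkeys(rule_ids):  # de-duplicate, keep order
        for req in rules[rid].findall(XCCDF + "requires"):
            # One <requires> holds alternatives; any single one satisfies it.
            alternatives = req.get("idref", "").split()
            if not listed.intersection(alternatives):
                report.setdefault(rid, []).append(alternatives)
    return report


def format_warnings(report):
    """Render the report as one human-readable line per unmet <requires>."""
    return [f"WARNING: {rid} requires one of {alts}, none passed via --rule"
            for rid, groups in report.items() for alts in groups]
```

A `requires` that names only a group is always reported here, because groups cannot be listed with `--rule`.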