RHEL / RHEL-143568

[RFE] Autotailor does not validate variable names passed via --var-value


    • Type: Bug
    • Resolution: Unresolved
    • rhel-10.1
    • openscap
    • rhel-security-compliance

      Summary:
      =========
      Autotailor accepts arbitrary variable names passed via --var-value without validating them against the SCAP datastream, even when no Value with that name exists. Invalid names are silently ignored or produce tailoring XML with idrefs that match nothing, which can lead to compliance drift or audit failures.
       
      Problem Statement:
      ===================
      Tailoring with a wrong variable name produces a set-value element whose idref does not match any XCCDF content_value_var_* Value in the datastream, so the intended override silently has no effect.
      Users only notice this at evaluation time or when they verify the change by hand.
      Until then, manual verification of the content_value_var_* entries in the tailoring file is mandatory.
       
      Proposed Enhancement:
      =====================
      Validate each variable name or rule ID argument against the datastream before generating the tailored XML.
      If the variable or rule does not exist in the datastream, Autotailor should fail with a clear error message instead of writing the tailoring file.
       
      Use Cases:
      ===================
      Prevent compliance drift caused by mistyped variable names.
      Ensure tailoring does not silently generate invalid XML.
      Improve auditability and CI/CD reliability (a typo fails the pipeline instead of passing unnoticed).
       
      Examples:
      ===================
       
      Note the difference in the output of the same command when a correct and an incorrect variable name is used, as shown below:
       
      Correct varname:
      -------------------

      # autotailor \
          --var-value var_accounts_passwords_pam_faillock_unlock_time=1800 \
          --var-value var_password_pam_minlen=20 \
          --output tailoring2.xml \
          --tailored-profile-id sampleprofile_cis_server_l1 \
          /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml xccdf_org.ssgproject.content_profile_cis
      # cat tailoring2.xml | egrep "xccdf_org.ssgproject.content_value_var_password_pam_minlen|xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time"
      <ns0:set-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">1800</ns0:set-value>
      <ns0:set-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen">20</ns0:set-value>

       
       
       
      Wrong varname:
      -------------------

      # autotailor \
          --var-value accounts_passwords_pam_faillock_unlock_time=1800 \
          --var-value password_pam_minlen=20 \
          --output tailoring3.xml \
          --tailored-profile-id sampleprofile_cis_server_l1 \
          /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml xccdf_org.ssgproject.content_profile_cis

      # cat tailoring3.xml | egrep "xccdf_org.ssgproject.content_value_var_password_pam_minlen|xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time"
      #
      # cat tailoring3.xml
      <?xml version="1.0" ?>
      <ns0:Tailoring xmlns:ns0="http://checklists.nist.gov/xccdf/1.2" id="xccdf_auto_tailoring_default">
      <ns0:benchmark href="file:///usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml"/>
      <ns0:version time="2026-01-22T21:04:55.988702">1</ns0:version>
      <ns0:Profile id="xccdf_org.ssgproject.content_profile_sampleprofile_cis_server_l1" extends="xccdf_org.ssgproject.content_profile_cis">
      <ns0:title override="false"/>
      <ns0:set-value idref="xccdf_org.ssgproject.content_value_accounts_passwords_pam_faillock_unlock_time">1800</ns0:set-value>
      <ns0:set-value idref="xccdf_org.ssgproject.content_value_password_pam_minlen">20</ns0:set-value>
      </ns0:Profile>
      </ns0:Tailoring>
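      The following is an added example, not code from the openscap project or from this issue's reporter. It shows both the pre-generation check proposed above (resolve each --var-value name against the Value ids in the datastream and refuse unknown ones) and the post-generation verification the problem statement says is currently mandatory (walk a tailoring file and report every set-value/select idref that matches nothing in the datastream). The datastream and tailoring documents are constructed in-line so the script runs offline; the name-to-id prefixing rule (bare NAME becomes xccdf_org.ssgproject.content_value_NAME) is an assumption taken from the page's own output, and the default id namespace constant is assumed rather than read from autotailor.

```python
"""Validate autotailor-style --var-value names and tailoring idrefs against a
SCAP source datastream (added example; not part of openscap/autotailor)."""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
# Assumption: the id namespace autotailor prefixes bare names with, as seen in
# the page's output (xccdf_org.ssgproject.content_value_<name>).
DEFAULT_ID_NAMESPACE = "org.ssgproject.content"

# Constructed, minimal stand-in for ssg-rhel10-ds.xml: two Values and one Rule.
SAMPLE_DS = f"""<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xccdf="{XCCDF_NS}">
  <ds:component id="scap_org.open-scap_comp_ssg-rhel10-xccdf.xml">
    <xccdf:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-10">
      <xccdf:Value id="xccdf_org.ssgproject.content_value_var_password_pam_minlen" type="number">
        <xccdf:value>14</xccdf:value>
      </xccdf:Value>
      <xccdf:Value id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" type="number">
        <xccdf:value>600</xccdf:value>
      </xccdf:Value>
      <xccdf:Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" severity="medium"/>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""

# Constructed copy of the page's tailoring3.xml (the "wrong varname" output).
SAMPLE_BAD_TAILORING = f"""<ns0:Tailoring xmlns:ns0="{XCCDF_NS}" id="xccdf_auto_tailoring_default">
  <ns0:benchmark href="file:///usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml"/>
  <ns0:version time="2026-01-22T21:04:55.988702">1</ns0:version>
  <ns0:Profile id="xccdf_org.ssgproject.content_profile_sampleprofile_cis_server_l1"
               extends="xccdf_org.ssgproject.content_profile_cis">
    <ns0:title override="false"/>
    <ns0:set-value idref="xccdf_org.ssgproject.content_value_accounts_passwords_pam_faillock_unlock_time">1800</ns0:set-value>
    <ns0:set-value idref="xccdf_org.ssgproject.content_value_password_pam_minlen">20</ns0:set-value>
  </ns0:Profile>
</ns0:Tailoring>
"""


def collect_ids(ds_xml):
    """Return {"Value": set(ids), "Rule": set(ids), "Group": set(ids)} found
    anywhere in the datastream, regardless of how the Benchmark is wrapped."""
    root = ET.fromstring(ds_xml)
    ids = {"Value": set(), "Rule": set(), "Group": set()}
    for kind, found in ids.items():
        for el in root.iter(f"{{{XCCDF_NS}}}{kind}"):
            if el.get("id"):
                found.add(el.get("id"))
    return ids


def full_id(kind, name, id_namespace=DEFAULT_ID_NAMESPACE):
    """Mirror the prefixing seen in the page's output: a bare name becomes
    xccdf_<ns>_<kind>_<name>; an already qualified id is left untouched."""
    if name.startswith("xccdf_"):
        return name
    return f"xccdf_{id_namespace}_{kind}_{name}"


def validate_var_values(ds_xml, var_values):
    """Pre-generation check: resolve every NAME=VALUE argument to a Value id and
    reject names that do not exist. Returns (resolved_idref_to_value, errors)."""
    ids = collect_ids(ds_xml)
    resolved, errors = {}, []
    for arg in var_values:
        if "=" not in arg:
            errors.append(f"malformed --var-value {arg!r}: expected NAME=VALUE")
            continue
        name, value = arg.split("=", 1)
        idref = full_id("value", name)
        if idref not in ids["Value"]:
            errors.append(f"unknown variable {name!r}: no Value with id {idref} in datastream")
            continue
        resolved[idref] = value
    return resolved, errors


def check_tailoring(ds_xml, tailoring_xml):
    """Post-generation check: list every set-value idref that names no Value and
    every select idref that names no Rule or Group in the datastream."""
    ids = collect_ids(ds_xml)
    root = ET.fromstring(tailoring_xml)
    dangling = []
    for el in root.iter(f"{{{XCCDF_NS}}}set-value"):
        if el.get("idref") not in ids["Value"]:
            dangling.append(el.get("idref"))
    for el in root.iter(f"{{{XCCDF_NS}}}select"):
        if el.get("idref") not in ids["Rule"] | ids["Group"]:
            dangling.append(el.get("idref"))
    return dangling


if __name__ == "__main__":
    # Usage: python3 check_tailoring.py DATASTREAM.xml TAILORING.xml
    # With no arguments, run the checks on the constructed samples above.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_ds, open(sys.argv[2]) as f_tl:
            missing = check_tailoring(f_ds.read(), f_tl.read())
    else:
        _, errs = validate_var_values(SAMPLE_DS, ["password_pam_minlen=20"])
        print("\n".join(errs))
        missing = check_tailoring(SAMPLE_DS, SAMPLE_BAD_TAILORING)
    for idref in missing:
        print("dangling idref:", idref)
    sys.exit(1 if missing else 0)
```

      Run against the real files, `python3 check_tailoring.py /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml tailoring3.xml` exits non-zero and names both idrefs from the "wrong varname" example, which is the failure the RFE asks autotailor itself to raise before the file is ever written. Checking select idrefs against Groups as well as Rules is deliberate, since XCCDF allows a select to target either.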

       

              Jan Cerny (jcerny@redhat.com)
              Vaibhav Bhope (rhn-support-vbhope)
              SSG Security QE
              Votes: 0
              Watchers: 7