RHEL-60301

osbuild-composer: oscap tailoring does not work as expected with "selected"

    • Type: Bug
    • Resolution: Unresolved
    • rhel-9.4.z
    • osbuild-composer
    • rhel-sst-image-builder
    • ssg_front_door
    • x86_64

      What were you trying to do that didn't work?

      A blueprint created with an OpenSCAP tailoring like below:

      [customizations.openscap.tailoring]
      selected = [ "grub2_password" ]

      generates all remediations instead of only the selected one.

      However, the reverse action with "unselected" like below:

      [customizations.openscap.tailoring]
      unselected = ["grub2_password"]

      works as expected, as only the remediation for that rule is excluded.

      So, it seems like the autotailor file generated in stage "org.osbuild.oscap.autotailor" is not correct for the "selected" option.

      Using autotailor(8), the tailoring file was generated correctly with the required rules.

      What is the impact of this issue to you?

      • Unable to properly generate OpenSCAP secured images.

        Please provide the package NVR for which the bug is seen:

        # rpm -qa | grep osbuild
        python3-osbuild-110-1.el9.noarch
        osbuild-selinux-110-1.el9.noarch
        osbuild-110-1.el9.noarch
        osbuild-depsolve-dnf-110-1.el9.noarch
        osbuild-composer-core-101-1.el9.x86_64
        osbuild-luks2-110-1.el9.noarch
        osbuild-lvm2-110-1.el9.noarch
        osbuild-ostree-110-1.el9.noarch
        osbuild-composer-worker-101-1.el9.x86_64
        osbuild-composer-101-1.el9.x86_64

        How reproducible is this bug?:

        Steps to reproduce

      1.  Generate a customized image as documented in [1] and include the tailoring options described above

      Expected results

      - Provide remediation only to the rules listed with "selected"

      Actual results

      • All remediations are applied despite what is listed with "selected"


      Example of test:


      # composer-cli compose status | grep -E "ID|1375186f-835a-4293-9a8b-a6f876b69fca "
      ID                                     Status     Time                       Blueprint                                                           Version   Type               Size
      1375186f-835a-4293-9a8b-a6f876b69fca   FINISHED   Thu Sep 26 07:48:49 2024   hardened_xccdf_org.ssgproject.content_profile_cis_grub_unselected   0.1.74    qcow2              18253611008
      
      # composer-cli compose log 1375186f-835a-4293-9a8b-a6f876b69fca | grep "Remediating rule" | tail -1
      Remediating rule 382/382: 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action'
      
      # composer-cli compose log 1375186f-835a-4293-9a8b-a6f876b69fca | grep grub2_password         
      #     
      # composer-cli blueprints show hardened_xccdf_org.ssgproject.content_profile_cis_grub_unselected | grep -E "^unselected|^selected"
      unselected = ["grub2_password"]
      
      # composer-cli blueprints show hardened_xccdf_org.ssgproject.content_profile_cis_grub_selected | grep -E "^unselected|^selected"
      selected = ["grub2_password"]
      
      # composer-cli compose status | grep -E "1600e204-ee05-4991-9c70-9d14af976a6b|ID"
      ID                                     Status     Time                       Blueprint                                                         Version   Type               Size
      1600e204-ee05-4991-9c70-9d14af976a6b   FINISHED   Thu Sep 26 10:38:33 2024   hardened_xccdf_org.ssgproject.content_profile_cis_grub_selected   0.1.74    qcow2              18253611008
      
      # composer-cli compose log 1600e204-ee05-4991-9c70-9d14af976a6b | grep grub2_password
      Rule    xccdf_org.ssgproject.content_rule_grub2_password
      Remediating rule 107/383: 'xccdf_org.ssgproject.content_rule_grub2_password'
      FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_grub2_password' IS MISSING!
      
      # composer-cli compose log 1600e204-ee05-4991-9c70-9d14af976a6b | grep "Remediating rule" | tail -1
      Remediating rule 383/383: 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action'

      [1] https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/composing_a_customized_rhel_system_image/assembly_creating-pre-hardened-images-with-image-builder-openscap-integration_composing-a-customized-rhel-system-image#adding-customized-tailoring-options-for-a-profile-to-the-blueprint_assembly_creating-pre-hardened-images-with-image-builder-openscap-integration
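Added example, not part of the bug report and not code from osbuild-composer or OpenSCAP: a small Python check that parses the "Remediating rule N/M: '...'" lines that `composer-cli compose log <uuid>` prints (the format visible in the test output above) and compares the set of remediated rules against the blueprint's `selected` / `unselected` lists. It turns the manual grep in the report into a pass/fail verdict: with `selected`, every remediated rule outside the list is flagged as unexpected; with `unselected`, any listed rule that was still remediated is flagged as leaked. The three embedded logs are constructed from that line format for the example and are not copied from a real compose; the rule name `package_aide_installed` is used only as a stand-in.

```python
import re
import sys

# Remediation lines as printed in `composer-cli compose log` output, e.g.
#   Remediating rule 107/383: 'xccdf_org.ssgproject.content_rule_grub2_password'
REMEDIATE_RE = re.compile(r"Remediating rule (\d+)/(\d+): '([^']+)'")
RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"


def remediated_rules(log_text):
    """Return (short rule names in log order, total rule count) from a compose log.

    'FIX FOR THIS RULE ... IS MISSING!' lines are deliberately ignored: the rule
    was still *selected* for remediation, which is what we want to detect.
    """
    rules, total = [], 0
    for match in REMEDIATE_RE.finditer(log_text):
        total = int(match.group(2))
        name = match.group(3)
        rules.append(name[len(RULE_PREFIX):] if name.startswith(RULE_PREFIX) else name)
    return rules, total


def check_tailoring(log_text, selected=(), unselected=()):
    """Compare remediated rules with a blueprint's tailoring lists.

    Returns a dict with:
      unexpected - rules remediated that a non-empty 'selected' list should have excluded
      missing    - 'selected' rules that were never remediated
      leaked     - 'unselected' rules that were remediated anyway
      ok         - True only when all three lists are empty
    """
    rules, total = remediated_rules(log_text)
    got, sel, unsel = set(rules), set(selected), set(unselected)
    unexpected = sorted(got - sel) if sel else []
    missing = sorted(sel - got)
    leaked = sorted(got & unsel)
    return {
        "total": total,
        "remediated": len(rules),
        "unexpected": unexpected,
        "missing": missing,
        "leaked": leaked,
        "ok": not (unexpected or missing or leaked),
    }


# Constructed sample logs (hypothetical, shortened to three rules each).
SELECTED_LOG = """\
Remediating rule 12/383: 'xccdf_org.ssgproject.content_rule_package_aide_installed'
Remediating rule 107/383: 'xccdf_org.ssgproject.content_rule_grub2_password'
FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_grub2_password' IS MISSING!
Remediating rule 383/383: 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action'
"""

UNSELECTED_LOG = """\
Remediating rule 12/382: 'xccdf_org.ssgproject.content_rule_package_aide_installed'
Remediating rule 382/382: 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action'
"""

EXPECTED_SELECTED_LOG = """\
Remediating rule 1/1: 'xccdf_org.ssgproject.content_rule_grub2_password'
"""


if __name__ == "__main__":
    # Usage: composer-cli compose log <uuid> | python3 check_tailoring.py selected grub2_password
    mode, names = sys.argv[1], sys.argv[2:]
    log = sys.stdin.read()
    result = check_tailoring(log, **{mode: names})
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Run stand-alone it prints nothing for the embedded logs; piping a real compose log in with `selected grub2_password` reproduces the report's finding (hundreds of `unexpected` rules), while `unselected grub2_password` on the other compose returns `ok: True`.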

              Osbuilders Bot Account
              Raúl Aldaz (rhn-support-raldaz)
              Release Test Team