[Open-scap] Small CLI improvement for remediation

Viktor Hercinger vhercing at redhat.com
Fri Feb 15 12:06:08 UTC 2013


Hello,

You're right, I went with your counting solution.

I fixed the patch, now it does the following things:
* Count the number of rules where a fix is present and its result is not XCCDF_RESULT_PASS; this is the total number of remediated rules.
* Count the number of rules where a fix is present and its result is not XCCDF_RESULT_FIXED; this is the total number of rules with failed remediation.

When the remediation has been run, do the following:
* If the failed counter is zero, we succeeded. Display "Done" and the number of rules remediated.
* Otherwise display the number of failed and total rules.

Viktor

----- Original Message -----
From: "Simon Lukasik" <slukasik at redhat.com>
To: "Viktor Hercinger" <vhercing at redhat.com>
Cc: open-scap-list at redhat.com
Sent: Friday, February 15, 2013 11:13:43 AM
Subject: Re: [Open-scap] Small CLI improvement for remediation

On 02/14/2013 03:52 PM, Viktor Hercinger wrote:
> Hi all,
> 
> I have a small suggestion for improving the XCCDF eval --remediation option: show if the remediation has succeeded or failed. The attached patch contains the proposed fix.
> 
> Viktor Hercinger 
> 
> 
> 0001-show-remediation-result-on-command-line.patch
> 
> 
> From 7e80e3ad903a95ca5593850b910051115a59c6ff Mon Sep 17 00:00:00 2001
> From: Viktor Hercinger <vhercing at redhat.com>
> Date: Thu, 14 Feb 2013 15:25:08 +0100
> Subject: [PATCH] show remediation result on command-line
> 

Hello Viktor,

Thanks for the suggestion!

> ---
>  src/XCCDF_POLICY/xccdf_policy_remediate.c | 8 +++++---
>  utils/oscap-xccdf.c                       | 6 ++++--
>  2 files changed, 9 insertions(+), 5 deletions(-)
> 
> diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
> index e7dcf0b..d669adf 100644
> --- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
> +++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
> @@ -182,7 +182,7 @@ static inline int _xccdf_fix_execute(struct xccdf_rule_result *rr, struct xccdf_
>  				_rule_add_info_message(rr, stdout_buff);
>  			oscap_free(stdout_buff);
>  			/* We return zero to indicate success. Rather than returning the exit code. */
> -			result = 0;
> +			result = (WEXITSTATUS(wstatus) != 0);

I am opposed to this idea. The commentary above even indicates that zero
is returned intentionally. Otherwise, you would be unable to distinguish
between aborted execution of fix and successful execution.

The standard does not define that an 'unsuccessfully' applied fix shall
return non-zero value. Moreover, even if the script returns zero value
there is no guarantee that anything has been fixed. :)

That is why OpenSCAP runs OVAL check again after each remediated rule.
If you want to count rule-results which failed to remediate, please use
one of the following conditions:

  * count all rule-results which *have* a <fix> element
    and the <result> element is ERROR

or

  * count all rule-results which have had <result> equal to FAIL before
    remediation and after remediation the <result> equals ERROR.

Best regards,

>  		}
>  	}
>  	else
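Review bot: `result = (WEXITSTATUS(wstatus) != 0);` reads the exit status without first checking `WIFEXITED(wstatus)`, so a fix script that was killed by a signal yields an undefined value instead of being reported as aborted, and the comment two lines above ("We return zero to indicate success. Rather than returning the exit code.") now contradicts the code. If the exit code is to be used at all, guard it with `WIFEXITED` and handle the signalled case separately and update the comment; otherwise, as the reply in this thread argues, derive the outcome from the rule's re-checked <result> rather than from the script's exit code.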
> @@ -254,10 +254,12 @@ int xccdf_policy_remediate(struct xccdf_policy *policy, struct xccdf_result *res
>  {
>  	__attribute__nonnull__(result);
>  	struct xccdf_rule_result_iterator *rr_it = xccdf_result_get_rule_results(result);
> +	int ret = 0;
>  	while (xccdf_rule_result_iterator_has_more(rr_it)) {
>  		struct xccdf_rule_result *rr = xccdf_rule_result_iterator_next(rr_it);
> -		xccdf_policy_rule_result_remediate(policy, rr, NULL, result);
> +		if (xccdf_policy_rule_result_remediate(policy, rr, NULL, result) != 0)
> +			ret = 1;
>  	}
>  	xccdf_rule_result_iterator_free(rr_it);
> -	return 0;
> +	return ret;
>  }
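Review bot: `ret = 1;` collapses every per-rule failure into a single flag, so the caller can only say "Failed" without knowing how many rules failed or which ones. Since this loop already visits every rule result, count the failures here (or let the caller classify each rule-result by its <result> value, e.g. <fix> present and <result> equal to ERROR) so the CLI can report failed-of-total. The function's documentation should also state what the new non-zero return means, since it currently inherits the exit-code semantics questioned in the reply above.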
> diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
> index a0b6a2f..93bf370 100644
> --- a/utils/oscap-xccdf.c
> +++ b/utils/oscap-xccdf.c
> @@ -462,8 +462,10 @@ int app_evaluate_xccdf(const struct oscap_action *action)
>  	if (action->remediate) {
>  		printf("Starting Remediation: ... ");
>  		fflush(stdout);
> -		xccdf_session_remediate(session);
> -		printf("Done.\n");
> +		if (xccdf_session_remediate(session) != 0)
> +			printf("Failed\n");
> +		else
> +			printf("Done.\n");
>  	}
>  
>  	xccdf_session_set_xccdf_export(session, action->f_results);
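Review bot: the two branches print inconsistent messages ("Failed" without a period versus "Done."), and neither tells the user how many rules were remediated or how many failed; print the counts, e.g. `printf("Failed (%d of %d rules)\n", failed, total);`, and consider sending the failure line to stderr so that scripts capturing stdout see the same output either way. Also note that the non-zero return of `xccdf_session_remediate(session)` is only meaningful if the library propagates something other than the fix script's exit code (see the objection raised in the reply above).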
> -- 1.7.11.7
> 


-- 
Simon Lukasik
Security Technologies
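As an added example, not OpenSCAP code and not part of this thread, the following C program models the two ways of judging a remediation that are discussed above: classifying how the fix process itself ended (exited zero, exited non-zero, or aborted by a signal, which a bare `WEXITSTATUS` cannot tell apart) and counting rule-results by the <fix> element and the re-checked <result> value, as Simon proposes, then producing the "Done"/"Failed (n of m)" summary Viktor describes. The rule table, the enum and function names, and the wait-status encoding helpers are constructed for illustration; the encoding follows Linux/glibc conventions, which is an assumption made so the example runs without spawning processes.

```c
/* Added example (not OpenSCAP code): models remediation outcome counting
 * as discussed in the thread. All names and data here are constructed. */
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

/* Subset of XCCDF result values relevant to remediation. */
enum rule_result { R_PASS, R_FAIL, R_ERROR, R_FIXED, R_NOTAPPLICABLE };

/* One rule-result, recorded before and after the remediation pass. */
struct rule_state {
    const char *id;
    int has_fix;            /* rule carries a <fix> element */
    enum rule_result before;
    enum rule_result after; /* result of the OVAL re-check after the fix ran */
};

/* How the fix process ended. A non-zero exit is not the same as "not fixed",
 * and a script killed by a signal has no exit code to inspect at all. */
enum fix_outcome { FIX_EXITED_OK, FIX_EXITED_NONZERO, FIX_ABORTED };

enum fix_outcome classify_fix_wait_status(int wstatus)
{
    if (WIFEXITED(wstatus))
        return WEXITSTATUS(wstatus) == 0 ? FIX_EXITED_OK : FIX_EXITED_NONZERO;
    return FIX_ABORTED; /* terminated by a signal: WEXITSTATUS is meaningless */
}

/* Constructed wait statuses in the Linux/glibc encoding (assumption). */
int make_exit_status(int code) { return (code & 0xff) << 8; }
int make_signal_status(int sig) { return sig & 0x7f; }

/* First condition from the reply: <fix> present and final <result> is ERROR. */
int count_failed_remediations(const struct rule_state *r, size_t n)
{
    int failed = 0;
    for (size_t i = 0; i < n; i++)
        if (r[i].has_fix && r[i].after == R_ERROR)
            failed++;
    return failed;
}

/* Second condition from the reply: FAIL before remediation, ERROR after it. */
int count_fail_to_error(const struct rule_state *r, size_t n)
{
    int failed = 0;
    for (size_t i = 0; i < n; i++)
        if (r[i].before == R_FAIL && r[i].after == R_ERROR)
            failed++;
    return failed;
}

/* Rules for which a fix was actually attempted: <fix> present and the rule
 * was neither already passing nor not applicable. */
int count_attempted(const struct rule_state *r, size_t n)
{
    int attempted = 0;
    for (size_t i = 0; i < n; i++)
        if (r[i].has_fix && r[i].before != R_PASS && r[i].before != R_NOTAPPLICABLE)
            attempted++;
    return attempted;
}

/* Summary line in the spirit of the proposed CLI change: "Done." with a count
 * when nothing failed, otherwise failed-of-total. Returns 0 on success, 1 otherwise. */
int format_summary(char *buf, size_t len, int attempted, int failed)
{
    if (failed == 0) {
        snprintf(buf, len, "Done. (%d rules remediated)", attempted);
        return 0;
    }
    snprintf(buf, len, "Failed (%d of %d rules could not be remediated)", failed, attempted);
    return 1;
}

/* Constructed sample: five rule-results after one remediation pass. */
static const struct rule_state SAMPLE[] = {
    { "rule-sshd-banner", 1, R_FAIL, R_FIXED },                 /* fix ran, re-check passed */
    { "rule-sshd-x11",    1, R_FAIL, R_ERROR },                 /* fix ran, re-check still failing */
    { "rule-no-fix",      0, R_FAIL, R_FAIL  },                 /* nothing to run */
    { "rule-already-ok",  1, R_PASS, R_PASS  },                 /* must not count as failed */
    { "rule-na",          1, R_NOTAPPLICABLE, R_NOTAPPLICABLE } /* fix not attempted */
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    char line[128];
    int attempted = count_attempted(SAMPLE, SAMPLE_LEN);
    int failed = count_failed_remediations(SAMPLE, SAMPLE_LEN);
    format_summary(line, sizeof line, attempted, failed);
    printf("Starting Remediation: ... %s\n", line);
    printf("FAIL->ERROR transitions: %d\n", count_fail_to_error(SAMPLE, SAMPLE_LEN));
    return 0;
}
```

The point of keeping `classify_fix_wait_status` separate from the two counting functions is that the exit-code classification only tells you how the script ended, whereas the summary the user sees should be driven by the re-checked <result> values, which is why the sample's already-passing and not-applicable rules never appear in the failure count.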
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-show-remediation-result-on-command-line.patch
Type: text/x-patch
Size: 7476 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20130215/7f643fd5/attachment.bin>