Introduce machine and package platform conditionals to Bash remediations #6061
Conversation
|
Hello @yuumasato! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found:
Comment last updated at 2020-09-10 15:27:00 UTC |
yuumasato
force-pushed
the
bash-platforms
branch
from
9ab5f7a
to
6dc5687
Compare
yuumasato
changed the title
There was a problem hiding this comment.
Well done, there are some minor remarks, but the functionality works as expected.
The {} in format strings can be probably replaced by {0} to keep the code working on Python<2.7.
I see potential problems with tests, as I can imagine that sometest scenarios may misbehave due to the newly introduced "do nothing when it's not my business" functionality, but I see this as unlikely - OVALs are already platform-aware.
ssg/build_remediations.py
Outdated
| platform_conditionals.append(pkg_check_command.format(platform)) | ||
|
|
||
| if platform_conditionals: | ||
| platform_fix_text = "# Remediation is applicable only in certain platforms\n" |
There was a problem hiding this comment.
It is advisable to construct a multi-line string by creating a list of lines and then joining it. The primary aspect are performance reasons, but I believe that it would be nicer as well.
Next, I would suggest placing a blank line between the header and the remediation body for greater readability.
ssg/build_remediations.py
Outdated
| platform_fix_text += "if {}".format(cond) | ||
| for cond in platform_conditionals: | ||
| platform_fix_text += " && {}".format(cond) | ||
| platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents) |
There was a problem hiding this comment.
- I would use
textwrap. indentto indent the innner original body of the remediation if it doesn't break our dark remediation generation magic. - What do you think of redirecting the echo to stderr?
There was a problem hiding this comment.
Indenting the body of the the remediation didn't break the build nor the behavior.
Unfortunately, not everything is indented.
When the scanner performs the XCCDF substitutions, the Bash remediation functions are not properly indented.
Main issue being that they have multiple lines, and can be used "platform wrapped" or not.
There was a problem hiding this comment.
@matejak indent is not available in python2.
Do you know of a trivial substitute?
There was a problem hiding this comment.
Oh, that Python2 not being able to do this - that's a surprise. We can have an indent as an optional feature in the try-except block.
However, I wouldn't do it now, as it conflicts with those XCCDF substitutions as you have pointed out, and there is a small likelihood that some remediations may not be indent-safe - consider here-docs.
There was a problem hiding this comment.
Interesting find. I'll drop adcb827 for now.
ssg/build_remediations.py
Outdated
| platform_fix_text = "# Remediation is applicable only in certain platforms\n" | ||
|
|
||
| cond = platform_conditionals.pop(0) | ||
| platform_fix_text += "if {}".format(cond) |
There was a problem hiding this comment.
I think that it could be slightly more elegant to join the platform_conditionals list by &&.
| @@ -691,24 +738,27 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions): | |||
| patcomp = re.compile(pattern, re.DOTALL) | |||
| fixparts = re.split(patcomp, fix.text) | |||
| if fixparts[0] is not None: | |||
There was a problem hiding this comment.
I can't wait for the moment when we take some of the existing magic out and simplify this function.
There was a problem hiding this comment.
I suspect that when all bash remediation functions are converted to Jinja macros expand_xccdf_subs won't be needed anymore.
|
Can you show us an example of the conditional? |
That's easy - compile e.g. Fedora and then grep Regarding the PR, I gave a second thought on the indentation, and I suggest to put there a comment that there is such possibility, but there is a Python2/3 catch, plus a small risk for remediations themselves. |
|
It may be that if you rebase against master, OCP tests will start to pass :-) |
yuumasato
force-pushed
the
bash-platforms
branch
from
adcb827
to
dc9b126
Compare
Wraps the remediation of rules with Packager CPE Platform with an if condition that checks for the respective platforms's package.
Adjust expansion of subs and variables not to remove the whole beginning of the fix test. This was removing the package conditional wrapping.
yuumasato
force-pushed
the
bash-platforms
branch
from
dc9b126
to
7953a02
Compare
|
Changes identified: Recommended tests to execute: |
|
/retest |
| wrapped_fix_text.append("{0}".format(result.contents)) | ||
| wrapped_fix_text.append("") | ||
| wrapped_fix_text.append("else") | ||
| wrapped_fix_text.append(" >&2 echo 'Remediation is not applicable, nothing was done'") |
There was a problem hiding this comment.
Is this leading >&2 intentional? I would place it after the echo.
There was a problem hiding this comment.
Yes, it follows syntax similar to what OpenSCAP does when generating Bash fixes.
https://github.com/OpenSCAP/openscap/blob/maint-1.3/src/XCCDF_POLICY/xccdf_policy_remediate.c#L631
There was a problem hiding this comment.
Apparently you can place redirects before of after "simple commands" in Bash. Interesting!
|
This is a great step and historic moment for the project - our most common remediations are now platform-aware, and therefore consistent with OVALs and Ansible, who became fully platform-aware recently. |
matejak
added
Bash
|
@matejak Thank you very much for the review! |
Description:
platformbe itmachineor aPackage CPEplatform, the whole Bash remediation is wrapped around anifconditionmachineplatformRationale:
When a rule has a Package CPE platform, like
platform: dconffor example.It is meant to be evaluated and remediated when the systems has
dconfpackage installed.Evaluation and remediation done with OpenSCAP respects these CPEs, as the scanner understands the
CPEand theXCCDF:Platformfield.But when the Bash scripts are generated, the Package applicability of the remediation is lost.
Rationale: