Bug 2058168

Summary: RFE: autotailor should support refine-rule
Product: Red Hat Enterprise Linux 9
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: openscap
Assignee: Jan Černý <jcerny>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 9.0
CC: matyc, mhaicman, mmarhefk
Target Milestone: rc
Keywords: FutureFeature, MigratedToJIRA, Triaged
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2023-08-24 07:28:30 UTC
Type: Story

Description Jan Pazdziora (Red Hat) 2022-02-24 12:22:48 UTC
Description of problem:

Currently the autotailor command-line utility is useful for selecting and unselecting rules and setting variable values. However, rule properties like .role or .severity cannot be easily tailored.

Add the ability to tweak .role and .severity, to make a rule which is unenforcing by default in the profile enforcing again, or vice versa.

Version-Release number of selected component (if applicable):

openscap-utils-1:1.3.6-3.el9

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have a profile which has a rule unenforcing, for example RHEL 8's OSPP profile grub2_vsyscall_argument or (after bug 2058154 is addressed) audit_access_success in RHEL 9 OSPP profile.
2. Try to use the command-line utility autotailor to make a tailoring where the rules will be enforcing -- for example .role=full and .severity=medium.

Actual results:

Currently not possible; one has to manually create a tailor file like

<?xml version="1.0"?>
<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" id="xccdf_auto_tailoring_default">
  <xccdf-1.2:benchmark href="file:///usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"/>
  <xccdf-1.2:version time="2022-02-24T12:30:48.396915">1</xccdf-1.2:version>
  <xccdf-1.2:Profile extends="xccdf_org.ssgproject.content_profile_ospp" id="xccdf_org.ssgproject.content_profile_ospp_customized">
    <xccdf-1.2:title override="false"/>
    <xccdf-1.2:refine-rule idref="xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument" severity="unknown" role="full"/>
  </xccdf-1.2:Profile>
</xccdf-1.2:Tailoring>

Expected results:

autotailor with a couple of command-line parameters produces the necessary XML.

Additional info:

Comment 4 Jan Černý 2022-08-01 14:10:29 UTC
There is a draft PR in upstream: https://github.com/OpenSCAP/openscap/pull/1877

Comment 8 RHEL Program Management 2023-08-24 07:28:30 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
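
The hand-written tailoring file from the description can be generated with a short script. This is an added example, not part of the bug report and not code from autotailor or the upstream PR; the names build_tailoring and refinements are hypothetical, and the rule and profile ID prefix is the SSG one used in the report.

```python
import datetime
import xml.etree.ElementTree as ET

NS = "http://checklists.nist.gov/xccdf/1.2"
# Value sets of the XCCDF 1.2 role and severity attributes.
ROLES = {"full", "unscored", "unchecked"}
SEVERITIES = {"unknown", "info", "low", "medium", "high"}
ID_PREFIX = "xccdf_org.ssgproject.content_"  # SSG namespace, as in the report


def build_tailoring(benchmark_href, base_profile, refinements):
    """Return tailoring XML. `refinements` (hypothetical parameter) maps a
    short rule name to a dict with 'role' and/or 'severity'."""
    ET.register_namespace("xccdf-1.2", NS)

    def q(tag):
        return f"{{{NS}}}{tag}"

    root = ET.Element(q("Tailoring"), id="xccdf_auto_tailoring_default")
    ET.SubElement(root, q("benchmark"), href=benchmark_href)
    now = datetime.datetime.now().isoformat()
    ET.SubElement(root, q("version"), time=now).text = "1"
    profile = ET.SubElement(root, q("Profile"), {
        "extends": f"{ID_PREFIX}profile_{base_profile}",
        "id": f"{ID_PREFIX}profile_{base_profile}_customized",
    })
    ET.SubElement(profile, q("title"), override="false")
    for rule, props in refinements.items():
        # Reject empty refinements and anything other than role/severity.
        if not props or set(props) - {"role", "severity"}:
            raise ValueError(f"{rule}: set role and/or severity only")
        if props.get("role", "full") not in ROLES:
            raise ValueError(f"{rule}: invalid role {props['role']!r}")
        if props.get("severity", "unknown") not in SEVERITIES:
            raise ValueError(f"{rule}: invalid severity {props['severity']!r}")
        ET.SubElement(profile, q("refine-rule"),
                      {"idref": f"{ID_PREFIX}rule_{rule}", **props})
    ET.indent(root)  # Python 3.9+
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed input: the rule and data stream path from the report,
    # with the values suggested in step 2 (.role=full, .severity=medium).
    print(build_tailoring(
        "file:///usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml",
        "ospp",
        {"grub2_vsyscall_argument": {"role": "full", "severity": "medium"}},
    ))
```

The output can be saved to a file and passed to oscap xccdf eval with --tailoring-file, selecting the _customized profile ID.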