Bug 2058168

Summary: RFE: autotailor should support refine-rule
Product: Red Hat Enterprise Linux 9 Reporter: Jan Pazdziora <jpazdziora>
Component: openscapAssignee: Jan Černý <jcerny>
Status: NEW --- QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 9.0CC: matyc, mhaicman, mmarhefk
Target Milestone: rcKeywords: FutureFeature, MigratedToJIRA, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Story
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Pazdziora 2022-02-24 12:22:48 UTC 
Description of problem:

Currently the autotailor command-line utility is useful for selecting and unselecting rules and setting variable values. However, rule properties like .role or .severity cannot be easily tailored.

Add the ability to tweak .role and .severity, to make rule which is unenforcing by default in the profile enforcing again, or vice versa.

Version-Release number of selected component (if applicable):

openscap-utils-1:1.3.6-3.el9

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have a profile which has a rule unenforcing, for example RHEL 8's OSPP profile grub2_vsyscall_argument or (after bug 2058154 is addressed) audit_access_success in RHEL 9 OSPP profile.
2. Try to use command-line utility autotailor to make tailoring where the rules will be enforcing  -- for example .role=full and .severity=medium.

Actual results:

Currently not possible, one has to manually create tailor file like

<?xml version="1.0"?>
<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" id="xccdf_auto_tailoring_default">
  <xccdf-1.2:benchmark href="file:///usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"/>
  <xccdf-1.2:version time="2022-02-24T12:30:48.396915">1</xccdf-1.2:version>
  <xccdf-1.2:Profile extends="xccdf_org.ssgproject.content_profile_ospp" id="xccdf_org.ssgproject.content_profile_ospp_customized">
    <xccdf-1.2:title override="false"/>
    <xccdf-1.2:refine-rule idref="xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument" severity="unknown" role="full"/>
  </xccdf-1.2:Profile>
</xccdf-1.2:Tailoring>

Expected results:

autotailor with a couple of command-line parameters produces the necessary XML.

Additional info:
Comment 4 Jan Černý 2022-08-01 14:10:29 UTC 
there is a draft PR in upstream https://github.com/OpenSCAP/openscap/pull/1877