test/base-host-check: run oscap checks

Read the config if it's passed as an argument and detect if any openscap customizations are specified. If they are, run some oscap checks.
osbuild · Mar 22, 2024 · 7901956 · 7901956
1 parent cf81a3e
commit 7901956
Showing 1 changed file with 53 additions and 0 deletions.
diff --git a/test/scripts/base-host-check.sh b/test/scripts/base-host-check.sh
@@ -32,6 +32,51 @@ running_wait() {
     done
 }
 
+get_oscap_score() {
+    config_file="$1"
+    baseline_score=0.8
+    echo "🔒 Running oscap scanner"
+    # NOTE: sudo works here without password because we test this only on ami
+    # initialised with cloud-init, which sets sudo NOPASSWD for the user
+    profile=$(jq -r .blueprint.customizations.openscap.profile_id "${config_file}")
+    datastream=$(jq -r .blueprint.customizations.openscap.datastream "${config_file}")
+    sudo oscap xccdf eval \
+        --results results.xml \
+        --profile "${profile}_osbuild_tailoring" \
+        --tailoring-file "/usr/share/xml/osbuild-openscap-data/tailoring.xml" \
+        "${datastream}" || true # oscap returns exit code 2 for any failed rules
+
+    # change ownership of results file so we can read it without sudo-ing for every command
+    sudo chown ${UID} results.xml
+
+    echo "📄 Saving results"
+
+    echo "📗 Checking oscap score"
+    hardened_score=$(xmlstarlet sel -N x="http://checklists.nist.gov/xccdf/1.2" -t -v "//x:score" results.xml)
+    echo "Hardened score: ${hardened_score}%"
+
+    echo "📗 Checking for failed rules"
+    severity=$(xmlstarlet sel -N x="http://checklists.nist.gov/xccdf/1.2" -t -v "//x:rule-result[@severity='high']" results.xml | grep -c "fail" || true)
+    echo "Severity count: ${severity}"
+
+    echo "🎏 Checking for test result"
+    echo "Baseline score: ${baseline_score}%"
+    echo "Hardened score: ${hardened_score}%"
+
+    # compare floating point numbers
+    if (( hardened_score < baseline_score )); then
+        echo "❌ Failed"
+        echo "Hardened image score (${hardened_score}) did not improve baseline score (${baseline_score})"
+        exit 1
+    fi
+
+    if (( severity > 0 )); then
+        echo "❌ Failed"
+        echo "One or more oscap rules with high severity failed"
+        exit 1
+    fi
+}
+
 echo "❓ Checking system status"
 if ! running_wait; then
 
@@ -56,3 +101,11 @@ uname -a
 
 echo "🕰️ uptime"
 uptime
+
+# NOTE: we should do a lot more here
+if (( $# > 0 )); then
+    config="$1"
+    if jq -e .blueprint.customizations.openscap "${config}"; then
+        get_oscap_score "${config}"
+    fi
+fi