From e5101a68ce16e85246cf33f15db8f369416aef6b Mon Sep 17 00:00:00 2001 From: Achilleas Koutsou Date: Tue, 5 Mar 2024 19:09:03 +0100 Subject: [PATCH] test/base-host-check: run oscap checks Read the config if it's passed as an argument and detect if any openscap customizations are specified. If they are, run some oscap checks.
---
 test/scripts/base-host-check.sh | 50 +++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+)
diff --git a/test/scripts/base-host-check.sh b/test/scripts/base-host-check.sh
index c8f6b7d6e1..7575f3c1d2 100755
--- a/test/scripts/base-host-check.sh
+++ b/test/scripts/base-host-check.sh
@@ -32,6 +32,48 @@ running_wait() {
 done
 }
 
+get_oscap_score() {
+ config_file="$1"
+ baseline_score=0.8
+ echo "🔒 Running oscap scanner"
+ # NOTE: sudo works here without password because we test this only on qcow2
+ # initialised with cloud-init, which sets sudo NOPASSWD for the user
+ profile=$(jq -r .blueprint.customizations.openscap.profile_id "${config_file}")
+ datastream=$(jq -r .blueprint.customizations.openscap.datastream "${config_file}")
+ sudo oscap xccdf eval \
+ --results results.xml \
+ --profile "${profile}_osbuild_tailoring" \
+ --tailoring-file "/usr/share/xml/osbuild-openscap-data/tailoring.xml" \
+ "${datastream}" || true # oscap returns exit code 2 for any failed rules
+
+ echo "📄 Saving results"
+
+ echo "📗 Checking oscap score"
+ hardened_score=$(xmlstarlet sel -N x="http://checklists.nist.gov/xccdf/1.2" -t -v "//x:score" results.xml)
+ echo "Hardened score: ${hardened_score}%"
+
+ echo "📗 Checking for failed rules"
+ severity=$(xmlstarlet sel -N x="http://checklists.nist.gov/xccdf/1.2" -t -v "//x:rule-result[@severity='high']" results.xml | grep -c "fail" || true)
+ echo "Severity count: ${severity}"
+
+ echo "🎏 Checking for test result"
+ echo "Baseline score: ${baseline_score}%"
+ echo "Hardened score: ${hardened_score}%"
+
+ # compare floating point numbers
+ if (( hardened_score < baseline_score )); then
+ echo "❌ Failed"
+ echo "Hardened image score (${hardened_score}) did not improve baseline score (${baseline_score})"
+ exit 1
+ fi
+
+ if (( severity > 0 )); then
+ echo "❌ Failed"
+ echo "One or more oscap rules with high severity failed"
+ exit 1
+ fi
+}
+
 echo "❓ Checking system status"
 
 if ! running_wait; then
@@ -56,3 +98,11 @@ uname -a
 
 echo "🕰️ uptime"
 uptime
+
+# NOTE: we should do a lot more here
+if (( $# > 0 )); then
+ config="$1"
+ if jq -e .blueprint.customizations.openscap "${config}"; then
+ get_oscap_score "${config}"
+ fi
+fi
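Review bot: The score gate `if (( hardened_score < baseline_score )); then` in get_oscap_score cannot work as written: bash `(( ))` is integer-only, so `baseline_score=0.8` (and any fractional `<score>` read from results.xml) is an arithmetic syntax error, the condition evaluates false, and a low score never fails the run — the `# compare floating point numbers` comment states an intent the shell does not deliver. Compare through awk instead, `if awk -v h="${hardened_score}" -v b="${baseline_score}" 'BEGIN { exit !(h < b) }'; then`, which also fails closed when xmlstarlet hands back an empty score, and check the scale: the messages print the score with `%` while the baseline is 0.8, which reads as a 0–1 fraction (presumably the XCCDF score is on the default 0–100 maximum — confirm against the datastream's scoring model). The `|| true` after `sudo oscap xccdf eval` likewise swallows every failure, not only the documented exit 2 for failed rules, so a missing datastream or a `null` profile (`jq -r` prints the literal `null` for an absent key) leaves a stale or absent results.xml to be scored; capture the status and accept only 0 or 2: `rc=0; sudo oscap xccdf eval ... "${datastream}" || rc=$?` followed by `(( rc == 0 || rc == 2 )) || { echo "oscap exited with ${rc}"; exit 1; }`. Whether the script runs under `set -e` is outside the hunk.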
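Review bot: The guard `if jq -e .blueprint.customizations.openscap "${config}"; then` only proves the openscap object exists; a config that has the object but lacks `profile_id` or `datastream` still reaches get_oscap_score (defined in the earlier hunk), where `jq -r` yields the literal string `null` and oscap is run with `--profile null_osbuild_tailoring` against the path `null`. Tighten the check to require both fields, `if jq -e '.blueprint.customizations.openscap | (.profile_id and .datastream)' "${config}" >/dev/null; then`, which also stops the whole object being dumped to stdout on every run. The `# NOTE: we should do a lot more here` comment would be more useful if it named the checks that are still missing or pointed at an issue tracking them.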