diff --git a/internal/distro/fedora/images.go b/internal/distro/fedora/images.go
index ea432de24..32cf6b407 100644
--- a/internal/distro/fedora/images.go
+++ b/internal/distro/fedora/images.go
@@ -12,6 +12,7 @@ import (
 "github.com/osbuild/osbuild-composer/internal/image"
 "github.com/osbuild/osbuild-composer/internal/manifest"
 "github.com/osbuild/osbuild-composer/internal/osbuild"
+ "github.com/osbuild/osbuild-composer/internal/oscap"
 "github.com/osbuild/osbuild-composer/internal/ostree"
 "github.com/osbuild/osbuild-composer/internal/rpmmd"
 "github.com/osbuild/osbuild-composer/internal/users"
@@ -121,9 +122,13 @@ func osCustomizations(
 if t.rpmOstree {
 panic("unexpected oscap options for ostree image type")
 }
+ var datastream = oscapConfig.DataStream
+ if datastream == "" {
+ datastream = oscap.DefaultFedoraDatastream()
+ }
 osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(
 osbuild.OscapConfig{
- Datastream: oscapConfig.DataStream,
+ Datastream: datastream,
 ProfileID: oscapConfig.ProfileID,
 },
 )
diff --git a/internal/distro/fedora/imagetype.go b/internal/distro/fedora/imagetype.go
index de3e77446..8b3438931 100644
--- a/internal/distro/fedora/imagetype.go
+++ b/internal/distro/fedora/imagetype.go
@@ -308,9 +308,6 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp
 if t.rpmOstree {
 return nil, fmt.Errorf("OpenSCAP customizations are not supported for ostree types")
 }
- if osc.DataStream == "" {
- return nil, fmt.Errorf("OpenSCAP datastream cannot be empty")
- }
 if osc.ProfileID == "" {
 return nil, fmt.Errorf("OpenSCAP profile cannot be empty")
 }
diff --git a/internal/distro/rhel8/images.go b/internal/distro/rhel8/images.go
index dcf8a6848..b0afc1ff7 100644
--- a/internal/distro/rhel8/images.go
+++ b/internal/distro/rhel8/images.go
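Review bot: The empty-datastream fallback added to osCustomizations in fedora/images.go chooses the hardening content silently. Now that the `osc.DataStream == ""` check is removed from checkOptions, nothing visible in this diff confirms that the default path will exist in the image or that the requested ProfileID is defined in that datastream, so a mismatch would presumably surface only when the remediation stage runs. Consider recording the choice where the blueprint is validated, for example a warning from checkOptions naming the default datastream, so the baseline applied to the image stays auditable. A short comment such as `// No datastream given: fall back to the distro's default SSG content.` would help, and the declaration reads more idiomatically as `datastream := oscapConfig.DataStream`. The same added lines appear in rhel8/images.go and rhel9/images.go, and osCustomizations starts and ends outside the hunk.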
@@ -12,6 +12,7 @@ import (
 "github.com/osbuild/osbuild-composer/internal/image"
 "github.com/osbuild/osbuild-composer/internal/manifest"
 "github.com/osbuild/osbuild-composer/internal/osbuild"
+ "github.com/osbuild/osbuild-composer/internal/oscap"
 "github.com/osbuild/osbuild-composer/internal/ostree"
 "github.com/osbuild/osbuild-composer/internal/platform"
 "github.com/osbuild/osbuild-composer/internal/rpmmd"
@@ -136,9 +137,13 @@ func osCustomizations(
 if t.rpmOstree {
 panic("unexpected oscap options for ostree image type")
 }
+ var datastream = oscapConfig.DataStream
+ if datastream == "" {
+ datastream = oscap.DefaultRHEL8Datastream(t.arch.distro.isRHEL())
+ }
 osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(
 osbuild.OscapConfig{
- Datastream: oscapConfig.DataStream,
+ Datastream: datastream,
 ProfileID: oscapConfig.ProfileID,
 },
 )
diff --git a/internal/distro/rhel8/imagetype.go b/internal/distro/rhel8/imagetype.go
index 412de5dc9..2877e6b04 100644
--- a/internal/distro/rhel8/imagetype.go
+++ b/internal/distro/rhel8/imagetype.go
@@ -384,9 +384,6 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp
 if t.rpmOstree {
 return warnings, fmt.Errorf("OpenSCAP customizations are not supported for ostree types")
 }
- if osc.DataStream == "" {
- return warnings, fmt.Errorf("OpenSCAP datastream cannot be empty")
- }
 if osc.ProfileID == "" {
 return warnings, fmt.Errorf("OpenSCAP profile cannot be empty")
 }
diff --git a/internal/distro/rhel9/images.go b/internal/distro/rhel9/images.go
index 68969ba7a..5186ace2f 100644
--- a/internal/distro/rhel9/images.go
+++ b/internal/distro/rhel9/images.go
@@ -13,6 +13,7 @@ import (
 "github.com/osbuild/osbuild-composer/internal/image"
 "github.com/osbuild/osbuild-composer/internal/manifest"
 "github.com/osbuild/osbuild-composer/internal/osbuild"
+ "github.com/osbuild/osbuild-composer/internal/oscap"
 "github.com/osbuild/osbuild-composer/internal/ostree"
 "github.com/osbuild/osbuild-composer/internal/rpmmd"
 "github.com/osbuild/osbuild-composer/internal/users"
@@ -133,9 +134,13 @@ func osCustomizations(
 if t.rpmOstree {
 panic("unexpected oscap options for ostree image type")
 }
+ var datastream = oscapConfig.DataStream
+ if datastream == "" {
+ datastream = oscap.DefaultRHEL9Datastream(t.arch.distro.isRHEL())
+ }
 osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(
 osbuild.OscapConfig{
- Datastream: oscapConfig.DataStream,
+ Datastream: datastream,
 ProfileID: oscapConfig.ProfileID,
 },
 )
diff --git a/internal/distro/rhel9/imagetype.go b/internal/distro/rhel9/imagetype.go
index f7d88fc2d..36e409bc0 100644
--- a/internal/distro/rhel9/imagetype.go
+++ b/internal/distro/rhel9/imagetype.go
@@ -396,9 +396,6 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp
 if t.rpmOstree {
 return warnings, fmt.Errorf("OpenSCAP customizations are not supported for ostree types")
 }
- if osc.DataStream == "" {
- return warnings, fmt.Errorf("OpenSCAP datastream cannot be empty")
- }
 if osc.ProfileID == "" {
 return warnings, fmt.Errorf("OpenSCAP profile cannot be empty")
 }
diff --git a/internal/oscap/oscap.go b/internal/oscap/oscap.go
index 32fbc38df..677723164 100644
--- a/internal/oscap/oscap.go
+++ b/internal/oscap/oscap.go
@@ -1,6 +1,8 @@
 package oscap
 
-import "strings"
+import (
+ "strings"
+)
 
 type Profile string
 
@@ -26,8 +28,33 @@ const (
 Standard Profile = "xccdf_org.ssgproject.content_profile_standard"
 Stig Profile = "xccdf_org.ssgproject.content_profile_stig"
 StigGui Profile = "xccdf_org.ssgproject.content_profile_stig_gui"
+
+ // datastream fallbacks
+ defaultFedoraDatastream string = "/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml"
+ defaultCentos8Datastream string = "/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml"
+ defaultCentos9Datastream string = "/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml"
+ defaultRHEL8Datastream string = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"
+ defaultRHEL9Datastream string = "/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"
 )
 
+func DefaultFedoraDatastream() string {
+ return defaultFedoraDatastream
+}
+
+func DefaultRHEL8Datastream(isRHEL bool) string {
+ if isRHEL {
+ return defaultRHEL8Datastream
+ }
+ return defaultCentos8Datastream
+}
+
+func DefaultRHEL9Datastream(isRHEL bool) string {
+ if isRHEL {
+ return defaultRHEL9Datastream
+ }
+ return defaultCentos9Datastream
+}
+
 func IsProfileAllowed(profile string, allowlist []Profile) bool {
 for _, a := range allowlist {
 if a.String() == profile {
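Review bot: The three exported functions added to oscap.go have no doc comments, and it is not obvious from the name that `DefaultRHEL8Datastream(false)` returns the CentOS path. Suggest `// DefaultRHEL8Datastream returns the default SSG datastream path for RHEL 8, or the CentOS 8 one when isRHEL is false.` with matching comments on DefaultFedoraDatastream and DefaultRHEL9Datastream. The `// datastream fallbacks` comment could also say that these are paths expected inside the image being built rather than on the build host, if that is the intent, since the selected file determines which compliance content is applied. The explicit `string` type on the new constants is redundant next to the string literals. IsProfileAllowed, shown as trailing context, continues outside the hunk.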