distro: add oscap packages to image

Since the oscap remediation stage in osbuild runs
the oscap package in `chroot`, it is necessary to
install the `openscap-scanner` package to the image
itself rather than the build root.
Gianluca Zuccarelli 2022-08-15 15:42:56 +01:00 committed by Tomáš Hozza
parent de6b8e8f5b
commit c264ce53cd
4 changed files with 12 additions and 23 deletions


@ -450,13 +450,11 @@ func (t *imageType) PackageSets(bp blueprint.Blueprint, options distro.ImageOpti
mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(extraPkgs) mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(extraPkgs)
} }
// if oscap customizations are enabled we need to add `openscap-scanner` // if oscap customizations are enabled we need to add
// and `scap-security-guides` packages to build root // `openscap-scanner` & `scap-security-guide` packages
// to build root
if bp.Customizations.GetOpenSCAP() != nil { if bp.Customizations.GetOpenSCAP() != nil {
mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(rpmmd.PackageSet{Include: []string{ bpPackages = append(bpPackages, "openscap-scanner", "scap-security-guide")
"openscap-scanner",
"scap-security-guide",
}})
} }
// depsolve bp packages separately // depsolve bp packages separately
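Review bot: The comment kept above the `GetOpenSCAP()` check still says the packages are added "to build root", but the new line appends them to `bpPackages`, which going by the name and the commit message is the package list installed into the image itself. Reword the comment to match the code, for example `// if oscap customizations are enabled, install openscap-scanner and scap-security-guide` followed by `// in the image itself: the remediation stage runs oscap in a chroot of the image tree`. The same stale comment appears in the second file's `PackageSets` hunk. `PackageSets` begins and ends outside the hunk, so how `bpPackages` is depsolved afterwards is not visible here.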


@ -386,13 +386,11 @@ func (t *imageType) PackageSets(bp blueprint.Blueprint, options distro.ImageOpti
mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(extraPkgs) mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(extraPkgs)
} }
// if oscap customizations are enabled we need to add `openscap-scanner` // if oscap customizations are enabled we need to add
// and `scap-security-guides` packages to build root // `openscap-scanner` & `scap-security-guide` packages
// to build root
if bp.Customizations.GetOpenSCAP() != nil { if bp.Customizations.GetOpenSCAP() != nil {
mergedSets[buildPkgsKey] = mergedSets[buildPkgsKey].Append(rpmmd.PackageSet{Include: []string{ bpPackages = append(bpPackages, "openscap-scanner", "scap-security-guide")
"openscap-scanner",
"scap-security-guide",
}})
} }
// depsolve bp packages separately // depsolve bp packages separately


@ -155,6 +155,10 @@ func (p *OS) getPackageSetChain() []rpmmd.PackageSet {
packages = append(packages, fmt.Sprintf("selinux-policy-%s", p.SElinux)) packages = append(packages, fmt.Sprintf("selinux-policy-%s", p.SElinux))
} }
if p.OpenSCAPConfig != nil {
packages = append(packages, "openscap-scanner", "scap-security-guide")
}
chain := []rpmmd.PackageSet{ chain := []rpmmd.PackageSet{
{ {
Include: append(packages, p.ExtraBasePackages...), Include: append(packages, p.ExtraBasePackages...),
@ -186,9 +190,6 @@ func (p *OS) getBuildPackages() []string {
packages = append(packages, "policycoreutils") packages = append(packages, "policycoreutils")
packages = append(packages, fmt.Sprintf("selinux-policy-%s", p.SElinux)) packages = append(packages, fmt.Sprintf("selinux-policy-%s", p.SElinux))
} }
if p.OpenSCAPConfig != nil {
packages = append(packages, "openscap-scanner", "scap-security-guide")
}
return packages return packages
} }
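Review bot: The new `if p.OpenSCAPConfig != nil` block in `getPackageSetChain` carries no comment, so nothing at this site records why the scanner belongs in the OS package set rather than in `getBuildPackages`, where the same lines were removed. A short comment would keep a later cleanup from moving it back: `// oscap remediation runs chrooted into the image tree, so the scanner and its content must be installed in the image, not the build root`. It is also worth noting in the user-facing docs that both packages now stay installed in the shipped image whenever the OpenSCAP customization is set. Both functions start outside the visible hunks.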


@ -373,14 +373,6 @@ version = "0.0.1"
modules = [] modules = []
groups = [] groups = []
[[ packages ]]
name = "openscap-scanner"
version = "*"
[[ packages ]]
name = "scap-security-guide"
version = "*"
[customizations.openscap] [customizations.openscap]
profile_id = "${PROFILE}" profile_id = "${PROFILE}"
datastream = "${DATASTREAM}" datastream = "${DATASTREAM}"