stages/oscap.remediation: Properly utilize offline capabilities

The scanner will now properly react to the chroot environment. Also,
there are some optimizations to logs and results.

test/data/stages/oscap.remediation-extra/a.mpp.yaml

@@ -0,0 +1,30 @@
+version: '2'
+pipelines:
+  - mpp-import-pipelines:
+      path: ../manifests/fedora-vars.ipp.yaml
+  - mpp-import-pipeline:
+      path: ../manifests/fedora-build-v2.ipp.yaml
+      id: build
+    runner:
+      mpp-format-string: org.osbuild.fedora{release}
+  - name: tree
+    build: name:build
+    stages:
+      - type: org.osbuild.rpm
+        inputs:
+          packages:
+            type: org.osbuild.files
+            origin: org.osbuild.source
+            mpp-depsolve:
+              architecture: $arch
+              module-platform-id: $module_platform_id
+              repos:
+                mpp-eval: repos
+              packages:
+                - openscap-scanner
+                - scap-security-guide
+        options:
+          gpgkeys:
+            mpp-eval: gpgkeys
+          exclude:
+            docs: true

test/data/stages/oscap.remediation-extra/b.mpp.yaml

@@ -0,0 +1,39 @@
+version: '2'
+pipelines:
+  - mpp-import-pipelines:
+      path: ../manifests/fedora-vars.ipp.yaml
+  - mpp-import-pipeline:
+      path: ../manifests/fedora-build-v2.ipp.yaml
+      id: build
+    runner:
+      mpp-format-string: org.osbuild.fedora{release}
+  - name: tree
+    build: name:build
+    stages:
+      - type: org.osbuild.rpm
+        inputs:
+          packages:
+            type: org.osbuild.files
+            origin: org.osbuild.source
+            mpp-depsolve:
+              architecture: $arch
+              module-platform-id: $module_platform_id
+              repos:
+                mpp-eval: repos
+              packages:
+                - openscap-scanner
+                - scap-security-guide
+        options:
+          gpgkeys:
+            mpp-eval: gpgkeys
+          exclude:
+            docs: true
+      - type: org.osbuild.oscap.remediation
+        options:
+          config:
+            datastream: /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
+            profile_id: xccdf_org.ssgproject.content_profile_ospp
+            arf_results: results_arf.xml
+            html_report: report.html
+            verbose_log: log
+            compress_results: true

test/data/stages/oscap.remediation-extra/diff.json

@@ -0,0 +1,282 @@
+{
+  "added_directories": [
+    "/var/lib/authselect/backups"
+  ],
+  "added_files": [
+    "/boot/grub2/grubenv",
+    "/dev/null",
+    "/dev/shm",
+    "/etc/authselect/custom/hardening",
+    "/etc/authselect/custom/hardening/README",
+    "/etc/authselect/custom/hardening/REQUIREMENTS",
+    "/etc/authselect/custom/hardening/dconf-db",
+    "/etc/authselect/custom/hardening/dconf-locks",
+    "/etc/authselect/custom/hardening/fingerprint-auth",
+    "/etc/authselect/custom/hardening/nsswitch.conf",
+    "/etc/authselect/custom/hardening/password-auth",
+    "/etc/authselect/custom/hardening/postlogin",
+    "/etc/authselect/custom/hardening/smartcard-auth",
+    "/etc/authselect/custom/hardening/system-auth",
+    "/etc/chrony.conf",
+    "/etc/default/grub",
+    "/etc/dnf/automatic.conf",
+    "/etc/fstab",
+    "/etc/kernel/cmdline",
+    "/etc/modprobe.d/atm.conf",
+    "/etc/modprobe.d/can.conf",
+    "/etc/modprobe.d/firewire-core.conf",
+    "/etc/modprobe.d/tipc.conf",
+    "/etc/profile.d/tmout.sh",
+    "/etc/rsyslog.conf",
+    "/etc/rsyslog.d",
+    "/etc/rsyslog.d/cron.conf",
+    "/etc/selinux/config",
+    "/etc/ipsec.conf",
+    "/etc/ssh",
+    "/etc/ssh/sshd_config.d",
+    "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf",
+    "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf",
+    "/etc/systemd/system/debug-shell.service",
+    "/etc/systemd/system/systemd-coredump.service",
+    "/etc/systemd/system/systemd-coredump.socket",
+    "/root/log.eval",
+    "/root/log.eval-remediated",
+    "/root/log.generate-fix",
+    "/root/log.remediation",
+    "/root/report.html",
+    "/root/results_arf.xml.xz",
+    "/root/oscap_eval_xccdf_results.xml.xz",
+    "/root/oscap_remediation.bash"
+  ],
+  "deleted_files": [],
+  "differences": {
+    "/etc/authselect/authselect.conf": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/authselect/dconf-db": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/authselect/dconf-locks": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/authselect/fingerprint-auth": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/authselect/nsswitch.conf": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/authselect/password-auth": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/authselect/postlogin": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/authselect/smartcard-auth": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/authselect/system-auth": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/pki/tls/openssl.cnf": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/yum.repos.d/fedora-cisco-openh264.repo": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/yum.repos.d/fedora-updates-testing.repo": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/yum.repos.d/fedora-updates.repo": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/yum.repos.d/fedora.repo": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/crypto-policies/back-ends/bind.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/bind.txt",
+        "/usr/share/crypto-policies/FIPS/bind.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/gnutls.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/gnutls.txt",
+        "/usr/share/crypto-policies/FIPS/gnutls.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/java.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/java.txt",
+        "/usr/share/crypto-policies/FIPS/java.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/javasystem.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/javasystem.txt",
+        "/usr/share/crypto-policies/FIPS/javasystem.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/krb5.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/krb5.txt",
+        "/usr/share/crypto-policies/FIPS/krb5.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/libreswan.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/libreswan.txt",
+        "/usr/share/crypto-policies/FIPS/libreswan.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/libssh.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/libssh.txt",
+        "/usr/share/crypto-policies/FIPS/libssh.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/nss.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/nss.txt",
+        "/usr/share/crypto-policies/FIPS/nss.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/openssh.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/openssh.txt",
+        "/usr/share/crypto-policies/FIPS/openssh.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/opensshserver.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/opensshserver.txt",
+        "/usr/share/crypto-policies/FIPS/opensshserver.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/openssl.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/openssl.txt",
+        "/usr/share/crypto-policies/FIPS/openssl.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/opensslcnf.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/opensslcnf.txt",
+        "/usr/share/crypto-policies/FIPS/opensslcnf.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/rpm-sequoia.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/rpm-sequoia.txt",
+        "/usr/share/crypto-policies/FIPS/rpm-sequoia.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/sequoia.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/sequoia.txt",
+        "/usr/share/crypto-policies/FIPS/sequoia.txt"
+      ]
+    },
+    "/etc/crypto-policies/config": {
+      "content": [
+        "sha256:ecae097fb02a733ac98c03d7527fd923d5c9607c6a02feb5f0d388375f3e70dc",
+        "sha256:858dd9c983a8e87bbb242952b737f33499c99ff5fd8b377b218da3836357c874"
+      ]
+    },
+    "/etc/crypto-policies/state/CURRENT.pol": {
+      "content": [
+        "sha256:34459f8b102d05d1df56885c4a103e68ae6353f88ef41386402edf97c56eb505",
+        "sha256:3433137c54925eb3618bc7a34e33dfbc2d8fedad947256b91aa7ba7ac49eea51"
+      ]
+    },
+    "/etc/crypto-policies/state/current": {
+      "content": [
+        "sha256:ecae097fb02a733ac98c03d7527fd923d5c9607c6a02feb5f0d388375f3e70dc",
+        "sha256:858dd9c983a8e87bbb242952b737f33499c99ff5fd8b377b218da3836357c874"
+      ]
+    },
+    "/etc/security/faillock.conf": {
+      "content": [
+        "sha256:5c8c902912f0bb59f86b86517f2127ea0c57c5d05b17c4aa62f5bc06c7043c78",
+        "sha256:41bd2ba3b10f12377f3f766acb790f36a38e3ef24a05093d4bf2a15624d39ece"
+      ]
+    },
+    "/etc/security/pwquality.conf": {
+      "content": [
+        "sha256:8c6951c20f2489549e8793711818cfb0318e26fe8ced35da930a70a3cac757c8",
+        "sha256:2472eda92cb43fa38e231f104e979c2c080c4c67bccf5f9e6e7788f33bb05f82"
+      ]
+    },
+    "/etc/sysctl.conf": {
+      "content": [
+        "sha256:51d16ee2e7eef12dd42e924af6b835861e8b79d11921ba0418d7d0aec7a2a93b",
+        "sha256:92aa2a3f72f18d68ed3f2bda68a2fc214689996c549fd6f56780fee0e7ea275a"
+      ]
+    },
+    "/etc/systemd/coredump.conf": {
+      "content": [
+        "sha256:72f8630b657da48549b2bd9ba5e855939e4afec3d4ee60574fc5757cfc767bd6",
+        "sha256:67206831694bca3b569ad27ca9b577101e45b9dc19fbfd68b1722949c862ba9d"
+      ]
+    },
+    "/usr/lib/issue": {
+      "content": [
+        "sha256:9489d28fbd325690224dd76c0d7ae403177e15a0d63758cc0171327b5ba2aa85",
+        "sha256:0a48f732f0a2ae7c1c1884c5a5db85eda09a6506489c137656707957f2b84686"
+      ]
+    },
+    "/usr/lib/sysctl.d/10-default-yama-scope.conf": {
+      "content": [
+        "sha256:2411b554d569a269581e12f946b5746e6eab4d0be621df030865cd7528ddca95",
+        "sha256:252f244f9ec7433c86bc21b1003de48a53bc3c35349a11789ed21a69ba0dec69"
+      ]
+    },
+    "/usr/lib/sysctl.d/50-coredump.conf": {
+      "content": [
+        "sha256:fa3e45fa358e07c53128adca1fc663e3c294a27795d7629db598c541d4ad806b",
+        "sha256:90368094e1eb7c6a3ac68e623706185531ad76edd8ebca80b394538f230910c0"
+      ]
+    }
+  }
+}

test/data/stages/oscap.remediation/diff.json

@@ -20,7 +20,6 @@
     "/etc/chrony.conf",
     "/etc/default/grub",
     "/etc/dnf/automatic.conf",
-    "/etc/dracut.conf.d/40-fips.conf",
     "/etc/fstab",
     "/etc/kernel/cmdline",
     "/etc/modprobe.d/atm.conf",
@@ -32,8 +31,16 @@
     "/etc/rsyslog.d",
     "/etc/rsyslog.d/cron.conf",
     "/etc/selinux/config",
-    "/var/tmp/eval_remediate_report.html",
-    "/var/tmp/eval_remediate_results.xml"
+    "/etc/ipsec.conf",
+    "/etc/ssh",
+    "/etc/ssh/sshd_config.d",
+    "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf",
+    "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf",
+    "/etc/systemd/system/debug-shell.service",
+    "/etc/systemd/system/systemd-coredump.service",
+    "/etc/systemd/system/systemd-coredump.socket",
+    "/var/tmp/oscap_eval_xccdf_results.xml",
+    "/var/tmp/oscap_remediation.bash"
   ],
   "deleted_files": [],
   "differences": {
@@ -91,6 +98,36 @@
         null
       ]
     },
+    "/etc/pki/tls/openssl.cnf": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/yum.repos.d/fedora-cisco-openh264.repo": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/yum.repos.d/fedora-updates-testing.repo": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/yum.repos.d/fedora-updates.repo": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/yum.repos.d/fedora.repo": {
+      "content": [
+        null,
+        null
+      ]
+    },
     "/etc/crypto-policies/back-ends/bind.config": {
       "symlink": [
         "/usr/share/crypto-policies/DEFAULT/bind.txt",