
oscap fails to run remediate in case Remediation after scanning flow is followed #2303

@teacup-on-rockingchair

Description

The issue that we stumbled upon was going through the flow of Remediation after scanning from the openscap user guide.

If one follows the guidelines there, on the remediation step one gets stopped by multiple errors saying that the checks cannot be remediated because the checks/remediations are not applicable, and this seems to fail mostly because of CPE checks like system_with_kernel.

After some analysis it looks like oscap fails to find platform definitions for a Rule, so it cannot find a suitable fix for the failed rule:

oscap --verbose INFO \
xccdf eval \
--profile xccdf_org.ssgproject.content_profile_stig \
--rule xccdf_org.ssgproject.content_rule_banner_etc_issue \
--results /tmp/results.xml \
/root/src/content/build/ssg-sle15-ds.xml

oscap --verbose INFO \
xccdf remediate \
/tmp/results.xml

Looking at the oscap code, when --results /tmp/results.xml is given, oscap clones the Benchmark and adds the results to the cloned Benchmark.

But the function that clones the Benchmark does NOT clone the CPE Lang Models, so platform-specifications are not added to the results file.

Currently two approaches come to my mind:

  • Approach#1: I have made a small patch which clones the CPE Lang Models from the Benchmark, so platform-specifications are added to the exported results. But selecting a suitable fix only works if the saved results are in the same DIR as ssg-sle15-cpe-oval.xml, since platform-specifications use HREF to point to ssg-sle15-cpe-oval.xml. Even if ssg-sle15-cpe-oval.xml is in the same DIR as the exported results and the fix is selected and executed, the next check fails: ssg-sle15-oval.xml has to be placed in the same DIR as the results. So ssg-sle15-cpe-oval.xml and ssg-sle15-oval.xml must be in the same DIR as the results AND oscap xccdf remediate has to be called with the option --cpe ssg-sle15-cpe-dictionary.xml.

  • Approach#2: adding full CPE platform specifications in compliance-as-code: including ProductCPEs and PlatformCPEs, like below:

<?xml version="1.0" encoding="UTF-8"?>
<cpe-lang:platform-specification xmlns:cpe-lang="http://cpe.mitre.org/language/2.0">
  <cpe-lang:platform id="system_with_kernel">
    <cpe-lang:logical-test negate="false" operator="AND">
      <cpe-lang:check-fact-ref href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-system_with_kernel:def:1" system="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>
    </cpe-lang:logical-test>
  </cpe-lang:platform>

  <cpe-lang:platform id="cpe:/o:suse:linux_enterprise_server:15">
    <cpe-lang:logical-test operator="AND" negate="false">
      <cpe-lang:check-fact-ref
        system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
        href="ssg-sle15-cpe-oval.xml"
        id-ref="oval:ssg-installed_OS_is_sle15:def:1"/>
    </cpe-lang:logical-test>
  </cpe-lang:platform>

  <cpe-lang:platform id="cpe:/o:suse:linux_enterprise_desktop:15">
    <cpe-lang:logical-test operator="AND" negate="false">
      <cpe-lang:check-fact-ref
        system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
        href="ssg-sle15-cpe-oval.xml"
        id-ref="oval:ssg-installed_OS_is_sle15:def:1"/>
    </cpe-lang:logical-test>
  </cpe-lang:platform>

</cpe-lang:platform-specification>

oscap --verbose INFO \
xccdf eval \
--profile xccdf_org.ssgproject.content_profile_stig \
--rule xccdf_org.ssgproject.content_rule_banner_etc_issue \
--results /tmp/results.xml \
/root/ssg-sle15-ds.xml
oscap \
xccdf remediate \
--cpe ssg-sle15-cpe-platform-specification.xml \
/tmp/results.xml

In this case the fix is selected and executed, but the fix verification fails again (ssg-sle15-oval.xml is missing):

sle15-sp7:~ # oscap \
> xccdf remediate \
> --cpe ssg-sle15-cpe-platform-specification.xml \
> /tmp/results.xml
WARNING: Skipping /tmp/ssg-sle15-oval.xml file which is referenced from XCCDF content
WARNING: Skipping /tmp/pub-projects-security-oval-suse.linux.enterprise.15-patch.xml.bz2 file which is referenced from XCCDF content
WARNING: Skipping /tmp/ssg-sle15-oval.xml file which is referenced from XCCDF content
WARNING: Skipping /tmp/pub-projects-security-oval-suse.linux.enterprise.15-patch.xml.bz2 file which is referenced from XCCDF content
Title   Modify the System Login Banner
Rule    xccdf_org.ssgproject.content_rule_banner_etc_issue
Ident   CCE-83262-6
Result  error

But again, to verify the fix ssg-sle15-oval.xml MUST be in the same dir as the results.

  • Another possible solution would be to add the platform-specification in compliance-as-code and make oscap remediate accept custom OVAL resources. Then it should be fine:

git diff utils/oscap-xccdf.c
diff --git a/utils/oscap-xccdf.c b/utils/oscap-xccdf.c
index 7794ea0e0..3f9c7ec1b 100644
--- a/utils/oscap-xccdf.c
+++ b/utils/oscap-xccdf.c
@@ -1438,7 +1438,7 @@ bool getopt_xccdf(int argc, char **argv, struct oscap_action *action)
                }
        }
 
-       if (action->module == &XCCDF_EVAL) {
+       if ((action->module == &XCCDF_EVAL) || (action->module == &XCCDF_REMEDIATE)) {
                /* We should have XCCDF file here */
                if (optind >= argc) {
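Review bot: the guard now admits XCCDF_REMEDIATE, but the visible context after it (`/* We should have XCCDF file here */` and the `optind >= argc` check) still treats the single positional argument as the XCCDF input, while the remediate invocation shown later passes two positionals (the results file and ssg-sle15-oval.xml). The hunk should show, or the patch should add, where that second path is stored on `action` for the remediate module, and the comment and the remediate usage/help text should be updated to describe the new positional; otherwise an extra argument is silently ignored or wrongly taken as the XCCDF file.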
  • compile oscap
  • eval
/home/vagrant/openscap/build/oscap_wrapper \
xccdf eval \
--verbose INFO \
--profile xccdf_org.ssgproject.content_profile_stig \
--rule xccdf_org.ssgproject.content_rule_banner_etc_issue \
--results /tmp/results.xml \
/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml
  • then remediate should have all definitions and process rules/results ok
/home/vagrant/openscap/build/oscap_wrapper \
xccdf remediate \
--cpe /root/ssg-sle15-cpe-platform-specification.xml \
--verbose INFO \
/tmp/results.xml \
/usr/share/xml/scap/ssg/content/ssg-sle15-oval.xml
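An added pre-remediation check, written for this issue and not part of OpenSCAP or compliance-as-code: it inspects a results file for the two gaps described above, Rule platform idrefs that have no cpe-lang:platform definition in the file, and OVAL hrefs that do not resolve relative to the directory the results file lives in. The sample document is constructed to mirror the shape of /tmp/results.xml after `oscap xccdf eval` cloned the Benchmark without its CPE language model; the `#id` form for same-document platform references is an assumption about the XCCDF 1.2 convention.

```python
# Added example (not OpenSCAP project code): check an XCCDF results document
# for platform references without a definition and for unresolvable hrefs.
import os
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
CPE = "{http://cpe.mitre.org/language/2.0}"


def check_results(xml_text, base_dir):
    """Return (undefined_platforms, missing_hrefs) as sorted lists.

    undefined_platforms: platform ids used by Rules but not defined by any
    cpe-lang:platform element in the same document (the symptom of the
    Benchmark clone dropping the CPE Lang Models).
    missing_hrefs: relative OVAL hrefs (CPE check-fact-ref and XCCDF
    check-content-ref) that do not exist next to the results file.
    """
    root = ET.fromstring(xml_text)
    defined = {p.get("id") for p in root.iter(CPE + "platform")}
    used = set()
    for rule in root.iter(XCCDF + "Rule"):
        for plat in rule.findall(XCCDF + "platform"):
            # Assumption: "#id" refers to a platform defined in this document.
            used.add(plat.get("idref", "").lstrip("#"))
    hrefs = set()
    for tag in (CPE + "check-fact-ref", XCCDF + "check-content-ref"):
        for el in root.iter(tag):
            href = el.get("href")
            if href and "://" not in href:  # only local, relative resources
                hrefs.add(href)
    missing = [h for h in hrefs if not os.path.exists(os.path.join(base_dir, h))]
    return sorted(used - defined), sorted(missing)


# Constructed sample: a results Benchmark whose Rule references a platform
# that the exported file never defines.
SAMPLE_NO_PLATFORMS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_SLE-15">
  <Rule id="xccdf_org.ssgproject.content_rule_banner_etc_issue">
    <platform idref="#system_with_kernel"/>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="ssg-sle15-oval.xml" name="oval:ssg-banner_etc_issue:def:1"/>
    </check>
  </Rule>
</Benchmark>"""

if __name__ == "__main__":
    undefined, missing = check_results(SAMPLE_NO_PLATFORMS, "/tmp")
    print("platforms used without a definition:", undefined)
    print("hrefs not found next to the results file:", missing)
```

Run it against a real results file by reading it into `check_results` with `os.path.dirname(path)` as `base_dir`; an empty pair of lists means remediate has what it needs in place.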
