utils: Introduce oscap-remediate-offline utility and corresponding

systemd service

The service wrapper and activator utility are installed by CMake
and then the service is enabled by the package manager during the
installation phase.

Author: evgenyz

.packit.yaml

@@ -1,9 +1,9 @@
-downstream_package_name: openscap
 jobs:
 - job: copr_build
   metadata:
     targets:
     - fedora-all-x86_64
+    - epel-8-x86_64
   trigger: pull_request
 - job: tests
   metadata:
@@ -14,7 +14,11 @@ jobs:
   metadata:
     dist-git-branch: fedora-all
   trigger: release
-specfile_path: openscap.spec
+actions:
+  get-current-version:
+  - bash -c "source release_tools/versions.sh && echo ${version}"
 synced_files:
 - .packit.yaml
+downstream_package_name: openscap
 upstream_package_name: openscap
+specfile_path: openscap.spec

CMakeLists.txt

@@ -109,6 +109,7 @@ find_package(OpenDbx)
 find_package(PCRE REQUIRED)
 find_package(PerlLibs)
 find_package(Popt)
+find_package(Systemd)
 
 find_package(Procps)
 if(PROCPS_FOUND)
@@ -607,6 +608,14 @@ if(NOT WIN32)
 		${CMAKE_CURRENT_BINARY_DIR}/libopenscap.pc
 		DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig
 	)
+	if(WITH_SYSTEMD)
+		# systemd service for offline (boot-time) remediation
+		configure_file("oscap-remediate.service.in" "oscap-remediate.service" @ONLY)
+		install(FILES
+			${CMAKE_CURRENT_BINARY_DIR}/oscap-remediate.service
+			DESTINATION ${SYSTEMD_UNITDIR}
+		)
+	endif()
 endif()
 
 # changelog

cmake/FindSystemd.cmake

@@ -0,0 +1,25 @@
+# https://raw.githubusercontent.com/ximion/limba/master/data/cmake/systemdservice.cmake
+#
+# Find systemd service dir
+
+include(LibFindMacros)
+
+# Use pkg-config to get hints about paths
+libfind_pkg_check_modules(SYSTEMD systemd)
+
+if(SYSTEMD_FOUND AND "${SYSTEMD_UNITDIR}" STREQUAL "")
+  execute_process(
+    COMMAND ${PKG_CONFIG_EXECUTABLE} --variable=systemdsystemunitdir systemd
+    OUTPUT_VARIABLE SYSTEMD_UNITDIR
+  )
+  string(REGEX REPLACE "[ \t\n]+" "" SYSTEMD_UNITDIR "${SYSTEMD_UNITDIR}")
+elseif(NOT SYSTEMD_FOUND AND SYSTEMD_UNITDIR)
+  message(FATAL_ERROR "Variable SYSTEMD_UNITDIR is defined, but we can't find systemd using pkg-config")
+endif()
+
+if(SYSTEMD_FOUND)
+  set(WITH_SYSTEMD "ON")
+  message(STATUS "Found systemd, services install dir: ${SYSTEMD_UNITDIR}")
+else()
+  set(WITH_SYSTEMD "OFF")
+endif(SYSTEMD_FOUND)

docs/manual/manual.adoc

@@ -2158,7 +2158,49 @@ by `oscap-docker` or `oscap-vm`, like containers in other
 formats than Docker.
 Again, usage of the tool mimics usage and options of `oscap` tool.
 
+== Scanning and remediating the system at boot time
 
+OpenSCAP can scan and remediate the system at boot time using systemd's `system-update.target`.
+The `oscap-remediate.service` is expecting the `/system-update` symlink (universal trigger for all services in system-update's requires list) which points to a file with base name `oscap-remediate-offline.conf.sh`.
+The file itself could be located anywhere, but it should be accessible at boot time. This configuration file is essentially a Bash script with a set of environment variables, loaded with `source` by the service.
+Upon the start the service will immediately remove the symlink to prevent invocation loop but it won't touch the configuration file itself. A helper tool, `oscap-remediate-offline`, can be used to bootstrap the configuration and prime the `/system-update` symlink, but its flexibility is limited and in general it should only be used for debugging.
+
+WARNING: The `oscap-remediate-offline` tool should not be considered as a stable API for priming the service. The *only* API of the service is the configuration file and the `/system-update` symlink pointing to it.
+
+Configuration variables:
+----
+# Mandatory -----------------------------
+
+# The path to the data stream file
+OSCAP_REMEDIATE_DS=/some/data_stream.xml
+
+# The ID of the profile to use
+OSCAP_REMEDIATE_PROFILE_ID=some_profile
+
+# Optional ------------------------------
+
+# Data stream, XCCDF or Benchmark IDs
+# Benchmark ID and DS + XCCDF IDs pair are mutually
+# exclusive. DS + XCCDF IDs will take precedence
+OSCAP_REMEDIATE_DATASTREAM_ID=some_ds_id
+OSCAP_REMEDIATE_XCCDF_ID=some_xccdf_id
+OSCAP_REMEDIATE_BENCHMARK_ID=some_bench_id
+
+# Tailoring file and tailoring component ID
+OSCAP_REMEDIATE_TAILORING=/some/tailoring.xml
+OSCAP_REMEDIATE_TAILORING_ID=tailoring_id
+
+# Where to write ARF result and HTML report
+# No defaults, they won't be generated if
+# they are not requested explicitly
+OSCAP_REMEDIATE_ARF_RESULT=/some/arf_res.xml
+OSCAP_REMEDIATE_HTML_REPORT=/some/report.html
+
+# Log file name and verbosity
+OSCAP_REMEDIATE_VERBOSE_LOG=/var/some_verbose.log
+# Optional even if OSCAP_REMEDIATE_VERBOSE_LOG is provided (default: INFO)
+OSCAP_REMEDIATE_VERBOSE_LEVEL=INFO
+----
 
 == Frequently Asked Questions (FAQs)
 *Why do I get "notchecked" results when I use e.g. https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V2R3_STIG.zip[STIG checklist]?*

openscap.spec

@@ -1,8 +1,8 @@
 # This spec file is not synchronized to the Fedora downstream.
 # It serves as Fedora CI configuration and as support for downstream updates.
 Name:           openscap
-Version:        1.3.4
 Release:        0%{?dist}
+Version:        1.3.0
 Epoch:          1
 Summary:        Set of open source libraries enabling integration of the SCAP line of standards
 License:        LGPLv2+
@@ -151,6 +151,12 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
 
 %ldconfig_scriptlets
 
+# enable oscap-remediate-offline.service here for now
+# https://github.com/hughsie/PackageKit/issues/401
+# https://bugzilla.redhat.com/show_bug.cgi?id=1833176
+mkdir -p %{buildroot}%{_unitdir}/system-update.target.wants/
+ln -sf ../oscap-remediate.service %{buildroot}%{_unitdir}/system-update.target.wants/oscap-remediate.service
+
 %files
 %doc AUTHORS NEWS README.md
 %license COPYING
@@ -183,6 +189,9 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
 %{_bindir}/oscap
 %{_bindir}/oscap-chroot
 %{_sysconfdir}/bash_completion.d
+%{_libexecdir}/oscap-remediate
+%{_unitdir}/oscap-remediate.service
+%{_unitdir}/system-update.target.wants/
 
 %files utils
 %doc docs/oscap-scan.cron

oscap-remediate.service.in

@@ -0,0 +1,13 @@
+[Unit]
+Description=Scan and remediate the operating system using OpenSCAP scanner in accordance with the selected profile
+
+DefaultDependencies=no
+Requires=sysinit.target dbus.socket
+After=sysinit.target dbus.socket systemd-journald.socket system-update-pre.target
+Before=shutdown.target system-update.target
+
+[Service]
+Type=oneshot
+ExecStart=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_LIBEXECDIR@/oscap-remediate
+
+FailureAction=reboot

utils/CMakeLists.txt

@@ -57,6 +57,18 @@ if(ENABLE_OSCAP_UTIL)
 			COMMENT "Generating chroot-capable oscap buddy"
 			DEPENDS oscap-chrootable-nocap
 		)
+
+		if(WITH_SYSTEMD)
+			install(PROGRAMS "oscap-remediate"
+				DESTINATION ${CMAKE_INSTALL_LIBEXECDIR}
+			)
+			install(PROGRAMS "oscap-remediate-offline"
+				DESTINATION ${CMAKE_INSTALL_BINDIR}
+			)
+			install(FILES "oscap-remediate-offline.8"
+				DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"
+			)
+		endif()
 	endif()
 endif()
 if(ENABLE_OSCAP_UTIL_CHROOT)

utils/oscap-remediate

@@ -0,0 +1,142 @@
+#!/bin/bash
+
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (C) 2021 Red Hat Inc., Durham, North Carolina.
+#
+# Evgenii Kolesnikov <[email protected]>
+#
+# This is OpenSCAP's offline system remediation service wrapper script and
+# it is supposed to be executed by systemd. Not sutable for manual invocation.
+
+
+UCHAR_MAX=255
+SYSTEMD_SYSTEM_UPDATE_LINK="/system-update"
+OSCAP_REMEDIATE_CONF_BASENAME="oscap-remediate-offline.conf.sh"
+
+
+display() {
+	# Plymouth does not like messages longer than UCHAR_MAX
+	plymouth display-message --text="${1:0:${UCHAR_MAX}}"
+}
+
+log() {
+	echo "${@}"
+}
+
+err() {
+	echo "${@}" >&2
+}
+
+die() {
+	err "${@}"
+	display "OpenSCAP has failed to evaluate or remediate the system, please check the journal for the details."$'\n'"The system will now restart..."
+	sleep 5
+	systemctl reboot
+	exit 1
+}
+
+
+config=$(readlink -f "${SYSTEMD_SYSTEM_UPDATE_LINK}")
+
+if [[ "$(basename ${config})" != "${OSCAP_REMEDIATE_CONF_BASENAME}" ]]; then
+	log "The ${SYSTEMD_SYSTEM_UPDATE_LINK} symlink does not point to an oscap offline remediation configuration file, ignoring"
+	exit 0
+fi
+
+rm -f "${SYSTEMD_SYSTEM_UPDATE_LINK}"
+log "Removed ${SYSTEMD_SYSTEM_UPDATE_LINK}"
+log "Found the config file: ${config}"
+
+source "$config"
+
+
+log "OSCAP_REMEDIATE_DS: ${OSCAP_REMEDIATE_DS}"
+
+log "OSCAP_REMEDIATE_PROFILE_ID: ${OSCAP_REMEDIATE_PROFILE_ID}"
+log "OSCAP_REMEDIATE_DATASTREAM_ID: ${OSCAP_REMEDIATE_DATASTREAM_ID}"
+log "OSCAP_REMEDIATE_XCCDF_ID: ${OSCAP_REMEDIATE_XCCDF_ID}"
+log "OSCAP_REMEDIATE_BENCHMARK_ID: ${OSCAP_REMEDIATE_BENCHMARK_ID}"
+
+log "OSCAP_REMEDIATE_TAILORING: ${OSCAP_REMEDIATE_TAILORING}"
+log "OSCAP_REMEDIATE_TAILORING_ID: ${OSCAP_REMEDIATE_TAILORING_ID}"
+
+log "OSCAP_REMEDIATE_ARF_RESULT: ${OSCAP_REMEDIATE_ARF_RESULT}"
+log "OSCAP_REMEDIATE_HTML_REPORT: ${OSCAP_REMEDIATE_HTML_REPORT}"
+
+log "OSCAP_REMEDIATE_VERBOSE_LOG: ${OSCAP_REMEDIATE_VERBOSE_LOG}"
+log "OSCAP_REMEDIATE_VERBOSE_LEVEL: ${OSCAP_REMEDIATE_VERBOSE_LEVEL}"
+
+
+[[ -r "${OSCAP_REMEDIATE_DS}" ]] || {
+	die "The data stream file does not exists: ${OSCAP_REMEDIATE_DS}"
+}
+
+[[ -n "${OSCAP_REMEDIATE_PROFILE_ID}" ]] || {
+	die "The profile identifier is not defined"
+}
+
+[[ -z "${OSCAP_REMEDIATE_TAILORING}" || -r "${OSCAP_REMEDIATE_TAILORING}" ]] || {
+	die "The tailoring file does not exists: ${OSCAP_REMEDIATE_TAILORING}"
+}
+
+oscap xccdf validate --skip-schematron "${OSCAP_REMEDIATE_DS}" || {
+	die "Invalid data stream file: ${OSCAP_REMEDIATE_DS}"
+}
+
+profile=${OSCAP_REMEDIATE_PROFILE_ID}
+profile_id_arg="--profile=${OSCAP_REMEDIATE_PROFILE_ID}"
+profile_title_line=$(oscap info "${profile_id_arg}" "${OSCAP_REMEDIATE_DS}" | grep Title) || {
+	die "Can not find the profile: ${profile}"
+}
+profile_title=${profile_title_line#*Title: }
+log "Profile: ${profile} (${profile_title})"
+
+args+=( ${OSCAP_REMEDIATE_VERBOSE_LOG:+"--verbose-log-file=${OSCAP_REMEDIATE_VERBOSE_LOG}"} )
+# We don't want to create havok in the output, so no verbose messages unless they are redirected
+args+=( ${OSCAP_REMEDIATE_VERBOSE_LOG:+"--verbose=${OSCAP_REMEDIATE_VERBOSE_LEVEL:-INFO}"} )
+args+=( "xccdf" )
+args+=( "eval" )
+args+=( "${profile_id_arg}" )
+args+=( ${OSCAP_REMEDIATE_DATASTREAM_ID:+"--datastream-id=${OSCAP_REMEDIATE_DATASTREAM_ID}"} )
+args+=( ${OSCAP_REMEDIATE_BENCHMARK_ID:+"--datastream-id=${OSCAP_REMEDIATE_BENCHMARK_ID}"} )
+args+=( ${OSCAP_REMEDIATE_XCCDF_ID:+"--xccdf-id=${OSCAP_REMEDIATE_XCCDF_ID}"} )
+args+=( ${OSCAP_REMEDIATE_TAILORING:+"--tailoring-file=${OSCAP_REMEDIATE_TAILORING}"} )
+args+=( ${OSCAP_REMEDIATE_TAILORING_ID:+"--tailoring-id=${OSCAP_REMEDIATE_TAILORING_ID}"} )
+args+=( ${OSCAP_REMEDIATE_ARF_RESULT:+"--results-arf=${OSCAP_REMEDIATE_ARF_RESULT}"} )
+args+=( ${OSCAP_REMEDIATE_HTML_REPORT:+"--report=${OSCAP_REMEDIATE_HTML_REPORT}"} )
+args+=( "--progress-full" )
+args+=( "--remediate" )
+args+=( "${OSCAP_REMEDIATE_DS}" )
+log "Args: ${args[@]}"
+
+# Now we are good to go
+header="OpenSCAP is checking the system for compliance using"$'\n'"${profile_title}"$'\n\n'"Evaluating..."
+display "$header"
+
+while read -r line; do
+	if [[ "${line}" =~ "---evaluation" ]]; then
+		header="OpenSCAP is checking the system for compliance using"$'\n'"${profile_title}"$'\n\n'
+		log "Evaluating..."
+	elif [[ "${line}" =~ "---remediation" ]]; then
+		header="OpenSCAP is remediating the system using"$'\n'"${profile_title}"$'\n\n'
+		log "Remediating..."
+	else
+		# The line is: "rule_id|Rule Title|result"
+		IFS="|" read -ra fields <<< "${line}"
+		mark=$([[ "${fields[2]}" == "pass" ]] && echo "✔ " || echo "✘ ")
+
+		display "${header}${mark}${fields[1]}"
+		log "Rule: ${fields[0]} ${fields[2]}"
+	fi
+done < <(oscap "${args[@]}" || {
+	# Resturn value of 2 and more could mean partial remediation and whatnot,
+	# no reason to frighten the user in those cases.
+	if [[ $? == 1 ]]; then
+		die "Result: 1, processing error"
+	fi
+	err "Result: $?"
+})
+
+display "The system will now restart..."
+log "Done. Rebooting..."
+systemctl reboot