Support the @-notation for control attributes.
Description of problem:
It would be helpful for control attributes to be settable per-product with the @-notation, especially for check and fixtext it would be nice to do:
check@rhcos4: some loop with oc debug
check@rhel9: ssh ...
Thinking about this more, there might be cases where even the status or rationale might differ between OS-es. For example, SRG-OS-000028-GPOS-00009 is automated for RHEL-9 but not applicable for RHCOS because there's no user management on RHEL and you can't install packages. But those cases might be better served with a Jinja template, and in that case we'd template the whole rule I guess...
SCAP Security Guide Version:
latest
Operating System Version:
RHCOS
We might want this on rules as well.
Yeah, the previous maintainers of CaC were against that for reasons I don't remember anymore, but I agree it would be nice
Previous maintainers had the vision that the source rule yaml won't differ significantly from what you will find in datastreams. Although more complex syntax or macros indeed reduce readability of the content, I believe that this is more than compensated by the reduction of copy-pasting that such syntax prevents.
However, I would be careful with the @ notation. We use it for identifiers that are really related to individual products. But I feel that things such as check texts will be related to classes of products, e.g. to RHEL-like systems or to k8s-based systems. Therefore, I would suggest looking in the direction of macros and more advanced means (Jinja2 blocks?) to decide what goes where.