generate fix from XCCDF results & profile from tailoring file

[ybznek]

Expected workflow:

1. create tailoring file
2. scan system using additional tailoring file
3. generate fix

---

• Problem occurs during generating fix

  oscap xccdf generate fix --template urn:xccdf:fix:script:ansible  /tmp/ssg-rhel7-ds-xccdf.results.xml
  

• Doesn't generate any output.

---

Let's try to use --result-id

oscap xccdf generate fix --template urn:xccdf:fix:script:ansible --result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_pci-dss  /tmp/ssg-rhel7-ds-xccdf.results.xml 

#Warning: OpenSCAP will now use fallback mode (XSLT) to generate fixes. Some of the functionality might be missing (Text substitution, CPE processing, DataStream support, and tailoring). Please ommit --result-id option to trigger advanced processing.
legacy-fix.xsl has been deprecated!
I/O warning : failed to load external entity "legacy-fixtpl-urn:xccdf:fix:script:ansible.xml"
Fix template 'urn:xccdf:fix:script:ansible' failed to load. Aborting.

---

Let's try to use --profile-id Oh, used profile id was from tailoring file and is not available from result file.

---

[ybznek]

$ oscap xccdf generate fix /tmp/ssg-rhel7-ds-arf.xml
OpenSCAP Error: Session input file was determined but it isn't an XCCDF file, a source datastream or an XCCDF tailoring file. [xccdf_session.c:135]

[ybznek]

@rsprudencio Isn't this issue already fixed?

[jan-cerny]

@ybznek I don't think it was fixed completely.

We now support ARFs in xccdf genarate fix command. That was merged upstream in https://github.com/OpenSCAP/openscap/pull/659

However we can't handle tailoring in ARF files there. Tailoring support remains to be implemented.

[jan-cerny]

@ybznek just to be more precise, now we have a different error message than you wrote in the issue description

[jcerny@thinkpad ~]$ myoscap xccdf generate fix --result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_common_customized arf.xml
E: oscap: (xccdf_session.c:1608:xccdf_session_build_policy_from_testresult()) Could not find Profile/@id="xccdf_org.ssgproject.content_profile_common_customized" to build policy from TestResult/@id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_common_customized"
OpenSCAP Error: Could not find Profile/@id="xccdf_org.ssgproject.content_profile_common_customized" to build policy from TestResult/@id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_common_customized" [xccdf_session.c:1608]

I think that is caused by merging #659, but it's still an error message, only different 😄

[rsprudencio]

@ybznek partially yes, as mentioned by @jan-cerny.

We still need to support Tailoring.

[chuckatkins]

Not quite sure when this was added but the issue seems to be resolved now as you can pass the --tailoring-file option to oscap generate fix. It seems to work with both a results file and arf file.

[peedy2495]

Not using --new-profile-id/--p on creating a tailorfile does the trick! By doing this method, the tailorfile refers from and to the tailored profile:

<xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_cis_level2_workstation" extends="xccdf_org.ssgproject.content_profile_cis_level2_workstation">

Now, u're able to generate the desired output via oscap xccdf generate --profile xccdf_org.ssgproject.content_profile_cis_level2_workstation fix --tailoring-file mytailorfile.xml --fix-type ansible --output fixit.yml result.xml

A recommended way to close this issue should be to modify the documentation in the tailoring section, or to aggregate and add a new profile named by the tailor new-profile-id into the result xml file.