-
Notifications
You must be signed in to change notification settings - Fork 709
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace rule/group prodtype
alignment with explicit inclusion in a product profile/benchmark
#11382
Comments
I like this proposal. The problem description is really spot on! I think the proposed changes will help us simplify and streamline the project. |
It is good to remove what is not necessary and simplify things. Currently, the Ideally the applicability of rules should be done by CPE-AL ( This proposal can mitigate this issue caused by lack or incorrect definition of My only remark is to be careful about how to keep the backward-compatibility simple. |
FYI @ComplianceAsCode/oracle-maintainers @ComplianceAsCode/red-hatters @ComplianceAsCode/suse-maintainers @ComplianceAsCode/ubuntu-maintainers |
Is my understanding correct that the |
No. It might have to stay for a moment. There are 2 options:
|
Share the Context
The
prodtype
property of a rule (or a group of rules) allows the build system to selectively discriminate inclusion of rules in benchmarks for products that sharebenchmark_root
pool of rules.Description of the Problem
Current implementation of this mechanism has multiple flaws, most important being:
Proposed Change
The proposal is to reverse the connection between product and rule by referring to a rule from the product profile instead of referring to a product from the rule: roughly
rule[prodtype] -> product
will be replaced withproduct[profile][rule_id] -> rule
.This change will fix the most painful problems of prodtype and also will open the way for improvements with detailed control over datastream contents:
Obviously, one of the requirements for this change would be to retain backward-compatibility in the behavior of the build system and minimization of the turbulence. Ideally SMEs should not notice the change at all up until the moment they would like to fiddle with benchmark content.
Implementation Details
There are 3 paths the conversion could be applied:
1) For a rule that has product's prodtype (or all, or implicit all) but is not listed in any profile (or a control file):
We add it to a new 'default' profile to keep the rule in the benchmark. In order to not disrupt the product final benchmark we make this profile hidden. It is a novelty to the build system: a hidden profile is not rendered as XCCDF Profile, but takes rules with it into the Benchmark.
This usually is a case of a stray rule (of which we have about 800), the rule that is a part of a product because god knows why. Later on SMEs would be able to remove there rules from the profile, move them to real profiles or even create a set of hidden profiles to structure them.
2.1) For a rule that has product's prodtype (or all, or implicit all) and is listed in a profile (or a control file):
and
2.2) For a rule that doesn't have product's prodtype (or all, or implicit all) and is not listed in a profile (or a control file):
The most straightforward thing: do nothing, all good.
3.1) For a rule that does not have product's prodtype and listed in a profile (or a control file):
We add the rule exclude id to the profile (or a profile that expands a control set):
!rule_id
, which yield the same result, butin a more visible way from SMEs point of view as the exclusion accompanies the control expansion property.
The same goes for a regular profile (instead of plain removal of the entry from profile file) for two reasons:
3.2) There are 2 special cases with control files:
We only exclude rules that match the product-profile pair, which creates a visible and clear difference between same (similar) profile files.
We only exclude rules that match benchmark_root-product-profile triplet. This might be perceived as a disruption, while it, in fact, just highlights the awkwardness of the approach.
Roadmap
The contingency plan is quite simple.
Refactoring: Remove 'prodtype' Mk.2 #11378
References:
The text was updated successfully, but these errors were encountered: