[RFE] Scan rules based on their reference attribute
ggbecker opened this issue
Description
Add an option to OpenSCAP that allows evaluating rules based on their references. For example, the RHEL STIG id of a rule is recorded as a reference such as:
`<xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020290</xccdf-1.2:reference>`
This new option would allow something like this to be executed:
`oscap xccdf eval --profile stig --reference RHEL-08-020290 ssg-rhel8-ds.xml`
And the scanner would evaluate all rules selected in the profile that contain this reference.
Rationale
Even though rules from ComplianceAsCode/content try to be generic, it is sometimes difficult to find the rule that is associated with a particular policy reference.
Possible problems
- If the same reference value appears in different policies, what should it do? One option is a new parameter that specifies the target policy, for example `--policy stig`, which would only try to match references whose `href` is `https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux`. This would require OpenSCAP itself to store the policy->href mapping.
- The `--profile` option can't be used to determine which policy is targeted: some references are not tied to any profile, and users can create tailored/new profiles in their environments.
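To show what the requested matching would have to do (both the `--reference` lookup from the description and the `href` disambiguation from the problems above), here is an added example that is not part of OpenSCAP or this issue. It resolves a reference value to the rule ids a profile actually selects, honouring profile `<select>` overrides; the benchmark XML, profile and rule ids are constructed for the demo, and `https://example.invalid/other-policy` is a hypothetical second policy href.

```python
"""Resolve an XCCDF <reference> value (e.g. a STIG id) to the rule ids a profile selects."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
STIG_HREF = "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux"

# Constructed minimal benchmark (not ssg-rhel8-ds.xml): rule_a and rule_b carry the STIG id,
# rule_c carries the same value under a hypothetical other policy href. The profile selects
# rule_a, deselects rule_b and says nothing about rule_c (so rule_c keeps its own default).
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_demo">
  <Profile id="xccdf_example_profile_stig">
    <select idref="xccdf_example_rule_a" selected="true"/>
    <select idref="xccdf_example_rule_b" selected="false"/>
  </Profile>
  <Rule id="xccdf_example_rule_a" selected="false">
    <reference href="{STIG_HREF}">RHEL-08-020290</reference>
  </Rule>
  <Rule id="xccdf_example_rule_b" selected="true">
    <reference href="{STIG_HREF}">RHEL-08-020290</reference>
  </Rule>
  <Rule id="xccdf_example_rule_c" selected="true">
    <reference href="https://example.invalid/other-policy">RHEL-08-020290</reference>
  </Rule>
</Benchmark>
"""


def has_reference(rule, value, href=None):
    """True if the rule carries a <reference> with this text (and this href, when given)."""
    for ref in rule.findall(f"{{{XCCDF_NS}}}reference"):
        if (ref.text or "").strip() == value and (href is None or ref.get("href") == href):
            return True
    return False


def profile_selections(root, profile_id):
    """Map rule id -> selected flag from the profile's <select> elements."""
    for prof in root.iter(f"{{{XCCDF_NS}}}Profile"):
        if prof.get("id") == profile_id:
            return {s.get("idref"): s.get("selected") == "true"
                    for s in prof.findall(f"{{{XCCDF_NS}}}select")}
    raise ValueError(f"profile {profile_id!r} not found")


def selected_rules_for_reference(xml_text, profile_id, value, href=None):
    """Rule ids selected by the profile that carry the reference; href narrows to one policy."""
    root = ET.fromstring(xml_text)
    overrides = profile_selections(root, profile_id)
    matches = []
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        rid = rule.get("id")
        # A profile <select> overrides the rule's own 'selected' attribute (XCCDF default: true).
        selected = overrides.get(rid, rule.get("selected", "true") == "true")
        if selected and has_reference(rule, value, href):
            matches.append(rid)
    return matches
```

Without the `href` filter the ambiguous value also matches the other policy's rule, which is the collision the `--policy` idea above is meant to resolve.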