def run_oscap_remediate_profile(
        mock_subprocess, monkeypatch,
        anaconda_remediate_args, oscap_remediate_args):
    """Check the command line common.run_oscap_remediate hands to Popen.

    The remediation is run with ``anaconda_remediate_args`` against a mocked
    subprocess module. The single Popen call must then carry the fixed
    ``oscap xccdf eval --remediate`` arguments plus ``oscap_remediate_args``
    and nothing else (order is not checked), pipe both stdout and stderr,
    and supply a ``preexec_fn``.
    """
    mock_run_remediate(mock_subprocess, monkeypatch)
    common.run_oscap_remediate(*anaconda_remediate_args)

    wanted_argv = [
        "oscap", "xccdf", "eval", "--remediate",
        "--results=%s" % common.RESULTS_PATH,
        "--report=%s" % common.REPORT_PATH,
        "--profile=myprofile",
    ]
    wanted_argv += oscap_remediate_args

    wanted_kwargs = {
        "stdout": mock_subprocess.PIPE,
        "stderr": mock_subprocess.PIPE,
    }

    # The recorded argument list is consumed in place: each expected item is
    # struck off, so anything left over at the end is an unexpected option.
    passed_argv = mock_subprocess.Popen.call_args[0][0]
    for item in wanted_argv:
        assert item in passed_argv
        passed_argv.remove(item)

    # an extra, unreviewed oscap option would show up here
    assert not passed_argv

    passed_kwargs = mock_subprocess.Popen.call_args[1]
    for name, wanted in wanted_kwargs.items():
        assert wanted == passed_kwargs.pop(name)

    # preexec_fn is a function local to run_oscap_remediate, so only its
    # presence can be verified from here, not what it does
    assert "preexec_fn" in passed_kwargs
Пример #2
def run_oscap_remediate_profile(
        mock_subprocess, monkeypatch,
        anaconda_remediate_args, oscap_remediate_args):
    """Verify how common.run_oscap_remediate invokes the oscap scanner.

    Runs the remediation with ``anaconda_remediate_args`` under a mocked
    subprocess module and inspects the recorded Popen call: its argument
    list has to consist of the base ``oscap xccdf eval --remediate`` options
    and ``oscap_remediate_args`` only (in any order), stdout and stderr have
    to be pipes, and a ``preexec_fn`` keyword has to be present.
    """
    mock_run_remediate(mock_subprocess, monkeypatch)
    common.run_oscap_remediate(*anaconda_remediate_args)

    base_args = [
        "oscap", "xccdf", "eval", "--remediate",
        "--results=%s" % common.RESULTS_PATH,
        "--report=%s" % common.REPORT_PATH,
        "--profile=myprofile",
    ]
    expected_args = [*base_args, *oscap_remediate_args]

    expected_kwargs = {
        "stdout": mock_subprocess.PIPE,
        "stderr": mock_subprocess.PIPE,
    }

    # Tick the expected arguments off the recorded list one by one; the list
    # is modified in place so that leftovers can be detected afterwards.
    recorded_args = mock_subprocess.Popen.call_args[0][0]
    for expected in expected_args:
        assert expected in recorded_args
        recorded_args.remove(expected)

    # no option beyond the expected ones may reach the scanner
    assert not recorded_args

    recorded_kwargs = mock_subprocess.Popen.call_args[1]
    for key, value in expected_kwargs.items():
        assert value == recorded_kwargs.pop(key)

    # the preexec_fn callable is internal to run_oscap_remediate and cannot
    # be compared; only check that one was passed
    assert "preexec_fn" in recorded_kwargs
Пример #3
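    def run(self):
        """Run the task.

        First check that the 'oscap' scanner works inside the installed
        system (``self._sysroot``), then apply the remediation for the
        policy's profile there. An exception raised by either step is
        caught, turned into a user-facing message and handed to
        terminate(); the method then returns without doing anything else.
        """
        try:
            common.assert_scanner_works(chroot=self._sysroot,
                                        executable="oscap")
        except Exception as exc:
            # Translate the template first and fill in the error afterwards:
            # a message catalog is keyed on the template with its
            # placeholder, so formatting before the lookup can never match.
            msg_lines = [
                _("The 'oscap' scanner doesn't work in the installed system: {error}")
                .format(error=str(exc)),
                _("As a result, the installed system can't be hardened."),
            ]
            # NOTE(review): terminate() is defined elsewhere; presumably it
            # stops the installation so an unhardened system is not
            # delivered silently - confirm.
            terminate("\n".join(msg_lines))
            return

        try:
            common.run_oscap_remediate(self._policy_data.profile_id,
                                       self._target_content_path,
                                       self._policy_data.datastream_id,
                                       self._policy_data.xccdf_id,
                                       self._target_tailoring_path,
                                       chroot=self._sysroot)
        except Exception as exc:
            # Same ordering as above: an f-string inside _() would be
            # interpolated before the translation lookup.
            msg = _(
                "Something went wrong during the final hardening: {error}."
            ).format(error=str(exc))
            terminate(msg)
            return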
Пример #4
    def execute(self, storage, ksdata, instclass, users, payload):
        """
        Place the security content in the installed system and run the
        remediation there. Called only once, in the post-install setup phase.
        Nothing is done in dry-run mode or when no profile is selected.

        :see: setup
        :param users: information about created users
        :type users: pyanaconda.users.Users instance
        :raises common.ExtractionError: if installing the content RPM in the
                                        target system fails

        """

        if self.dry_run or not self.profile_id:
            # dry run, or no profile chosen: the target system stays untouched
            return

        content_dest = utils.join_paths(getSysroot(),
                                        common.TARGET_CONTENT_DIR)
        utils.ensure_dir_exists(content_dest)

        if self.content_type == "datastream":
            shutil.copy2(self.preinst_content_path, content_dest)
        elif self.content_type == "rpm":
            # the package must exist inside the target system before yum,
            # running in the sysroot, can install it
            shutil.copy2(self.raw_preinst_content_path, content_dest)

            # NOTE(review): "--nogpg" switches off yum's signature check, so
            # the authenticity of this RPM rests on whatever verification
            # happened before this point (not visible here) - confirm that
            # the content's origin/fingerprint is checked upstream.
            yum_status = iutil.execInSysroot(
                "yum",
                ["-y", "--nogpg", "install", self.raw_postinst_content_path])
            if yum_status != 0:
                raise common.ExtractionError("Failed to install content "
                                             "RPM to the target system")
        elif self.content_type == "scap-security-guide":
            # no copy step is performed for this content type
            pass
        else:
            # any other content type: copy everything from the installation
            # content directory
            everything = utils.join_paths(common.INSTALLATION_CONTENT_DIR, "*")
            utils.universal_copy(everything, content_dest)

        # a tailoring file is optional; ship it only when it exists
        if os.path.exists(self.preinst_tailoring_path):
            shutil.copy2(self.preinst_tailoring_path, content_dest)

        common.run_oscap_remediate(
            self.profile_id,
            self.postinst_content_path,
            self.datastream_id,
            self.xccdf_id,
            self.postinst_tailoring_path,
            chroot=getSysroot())
Пример #5
    def execute(self, storage, ksdata, users, payload):
        """
        Copy the security content to the installed system and apply the
        selected profile's remediation in it. Called only once, in the
        post-install setup phase. Returns early in dry-run mode or when no
        profile is selected.

        :see: setup
        :param users: information about created users
        :type users: pyanaconda.users.Users instance
        :raises common.ExtractionError: if the content RPM cannot be
                                        installed in the target system

        """

        if self.dry_run or not self.profile_id:
            # neither a dry run nor a missing profile may change the target
            return

        dest_dir = utils.join_paths(getSysroot(), common.TARGET_CONTENT_DIR)
        utils.ensure_dir_exists(dest_dir)

        if self.content_type == "datastream":
            shutil.copy2(self.preinst_content_path, dest_dir)
        elif self.content_type == "rpm":
            # yum runs inside the sysroot, so the RPM is copied there first
            shutil.copy2(self.raw_preinst_content_path, dest_dir)

            # NOTE(review): with "--nogpg" yum does not verify the package
            # signature; the RPM's integrity therefore depends on checks done
            # before this method runs (not visible here) - confirm they exist.
            exit_code = util.execInSysroot(
                "yum",
                ["-y", "--nogpg", "install", self.raw_postinst_content_path])
            if exit_code != 0:
                raise common.ExtractionError("Failed to install content "
                                             "RPM to the target system")
        elif self.content_type == "scap-security-guide":
            # this content type has no copy step here
            pass
        else:
            # remaining content types: take the whole installation content
            # directory
            source_glob = utils.join_paths(common.INSTALLATION_CONTENT_DIR,
                                           "*")
            utils.universal_copy(source_glob, dest_dir)

        # the tailoring file is copied only if one is present
        if os.path.exists(self.preinst_tailoring_path):
            shutil.copy2(self.preinst_tailoring_path, dest_dir)

        common.run_oscap_remediate(
            self.profile_id,
            self.postinst_content_path,
            self.datastream_id,
            self.xccdf_id,
            self.postinst_tailoring_path,
            chroot=getSysroot())
def test_run_oscap_remediate_create_chroot_dir(mock_subprocess, monkeypatch):
    """The results directory must be ensured inside the chroot.

    With ``chroot`` given, run_oscap_remediate is expected to call
    ``ensure_dir_exists`` on the chroot path followed by the directory part
    of ``common.RESULTS_PATH``.
    """
    sysroot = "/mnt/test"

    mock_run_remediate(mock_subprocess, monkeypatch)
    common.run_oscap_remediate("myprofile", "my_ds.xml", chroot=sysroot)

    # plain concatenation, matching how the expected path is spelled out;
    # presumably RESULTS_PATH is absolute - confirm
    results_dir = os.path.dirname(common.RESULTS_PATH)
    common.utils.ensure_dir_exists.assert_called_with(sysroot + results_dir)
Пример #7
def test_run_oscap_remediate_create_chroot_dir(mock_subprocess, monkeypatch):
    """Check that the directory for the results is created under the chroot.

    After running the remediation with ``chroot="/mnt/test"``, the mocked
    ``ensure_dir_exists`` must have been called last with that chroot path
    prefixed to the directory of ``common.RESULTS_PATH``.
    """
    mock_run_remediate(mock_subprocess, monkeypatch)
    common.run_oscap_remediate("myprofile", "my_ds.xml", chroot="/mnt/test")

    # the directory component of the results file, relocated into the chroot
    expected_dir = "/mnt/test" + os.path.dirname(common.RESULTS_PATH)
    ensure_mock = common.utils.ensure_dir_exists
    ensure_mock.assert_called_with(expected_dir)