Always check the current lists before inserting on blueprints

Fixes #2282

Author: Mab879

src/XCCDF_POLICY/xccdf_policy_remediate.c

@@ -724,7 +724,7 @@ static inline int _parse_blueprint_fix(const char *fix_text, struct blueprint_cu
 			memcpy(val, &fix_text[ovector[2]], ovector[3] - ovector[2]);
 			val[ovector[3] - ovector[2]] = '\0';
 
-			if (!oscap_list_contains(customizations->kernel_append, val, (oscap_cmp_func) oscap_streq)) {
+			if (!oscap_list_contains(tab[i].list, val, (oscap_cmp_func) oscap_streq)) {
 				oscap_list_prepend(tab[i].list, val);
 			} else {
 				free(val);

tests/API/XCCDF/unittests/CMakeLists.txt

@@ -112,3 +112,4 @@ add_oscap_test("test_no_newline_between_select_elements.sh")
 add_oscap_test("test_single_line_tailoring.sh")
 add_oscap_test("test_reference.sh")
 add_oscap_test("test_remediation_bootc.sh")
+add_oscap_test("test_duplicate_blueprint_service.sh")

tests/API/XCCDF/unittests/test_duplicate_blueprint_service.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+. $builddir/tests/test_common.sh
+
+set -e
+set -o pipefail
+
+name=$(basename $0 .sh)
+result=$(make_temp_file /tmp ${name}.out)
+stderr=$(make_temp_file /tmp ${name}.out)
+
+ret=0
+
+input_xml="$srcdir/${name}.xccdf.xml"
+valid_toml="$srcdir/${name}.toml"
+
+expected_result=$(mktemp)
+sed "s;TEST_XCCDF_FILE_NAME;$input_xml;" "$valid_toml" > "$expected_result"
+
+echo "Stderr file = $stderr"
+echo "Result file = $result"
+[ -f $stderr ]; [ ! -s $stderr ]; :> $stderr
+
+# The expected file was generated without ' # This file was generated by OpenSCAP 1.3.14 using:' line
+# to make the test independent from the scanner version. We have to filter this line from the output as well.
+
+$OSCAP xccdf generate fix --fix-type blueprint --profile 'common' "$input_xml" | grep -v "OpenSCAP" > "$result"
+
+diff "$expected_result" "$result"
+
+rm "$result"
+rm "$expected_result"

tests/API/XCCDF/unittests/test_duplicate_blueprint_service.toml

@@ -0,0 +1,52 @@
+###############################################################################
+#
+# Blueprint for Profile title on one line
+#
+# Profile Description:
+# Profile description
+#
+# Profile ID:  xccdf_moc.elpmaxe.www_profile_common
+# Benchmark ID:  xccdf_moc.elpmaxe.www_benchmark_test
+# Benchmark Version:  1.0
+# XCCDF Version:  1.2
+#
+#
+# It attempts to fix every selected rule, even if the system is already compliant.
+#
+# How to apply this Blueprint:
+# composer-cli blueprints push blueprint.toml
+#
+###############################################################################
+
+name = "hardened_xccdf_moc.elpmaxe.www_profile_common"
+description = "Profile title on one line"
+version = "1.0"
+
+[customizations.openscap]
+profile_id = "xccdf_moc.elpmaxe.www_profile_common"
+# If your hardening data stream is not part of the 'scap-security-guide' package
+# provide the absolute path to it (from the root of the image filesystem).
+# datastream = "/usr/share/xml/scap/ssg/content/ssg-xxxxx-ds.xml"
+
+distro = rhel-80
+
+[[packages]]
+name = "aide"
+version = "*"
+
+[[customizations.filesystem]]
+mountpoint = "/home"
+size = 1
+
+[[customizations.filesystem]]
+mountpoint = "/tmp"
+size = 2
+
+[customizations.kernel]
+append = "foo=bar audit=1"
+
+[customizations.services]
+enabled = ["sshd","usbguard"]
+disabled = ["kdump"]
+masked = []
+

tests/API/XCCDF/unittests/test_duplicate_blueprint_service.xccdf.xml

@@ -0,0 +1,112 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_moc.elpmaxe.www_benchmark_test">
+  <status>accepted</status>
+  <version>1.0</version>
+  <Profile id="xccdf_moc.elpmaxe.www_profile_common">
+      <title>Profile title on one line</title>
+      <description>Profile description</description>
+      <select idref="xccdf_moc.elpmaxe.www_rule_1" selected="true"/>
+  </Profile>
+  <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_1">
+    <title>Install aide</title>
+    <fix system="urn:redhat:osbuild:blueprint">
+[[packages]]
+name = "aide"
+version = "*"
+</fix>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+    </check>
+  </Rule>
+  <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_2">
+    <title>Define /home</title>
+    <fix system="urn:redhat:osbuild:blueprint">
+[[customizations.filesystem]]
+mountpoint = "/home"
+size = 1
+</fix>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+    </check>
+  </Rule>
+  <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_3">
+    <title>Add audit=1 kernel option</title>
+    <fix system="urn:redhat:osbuild:blueprint">
+[customizations.kernel]
+append = "audit=1"
+</fix>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+    </check>
+  </Rule>
+  <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_4">
+    <title>Add foo=bar kernel option</title>
+    <fix system="urn:redhat:osbuild:blueprint">
+[customizations.kernel]
+append = "foo=bar"
+</fix>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+    </check>
+  </Rule>
+  <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_5">
+    <title>Define /tmp</title>
+    <fix system="urn:redhat:osbuild:blueprint">
+[[customizations.filesystem]]
+mountpoint = "/tmp"
+size = 2
+</fix>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+    </check>
+  </Rule>
+  <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_6">
+    <title>Enable usbguard</title>
+    <fix system="urn:redhat:osbuild:blueprint">
+[customizations.services]
+enabled = ["usbguard"]
+</fix>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+    </check>
+  </Rule>
+  <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_7">
+    <title>Disable kdump</title>
+    <fix system="urn:redhat:osbuild:blueprint">
+[customizations.services]
+disabled = ["kdump"]
+</fix>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+    </check>
+  </Rule>
+  <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_8">
+    <title>Set distro (RHEL 8.0)</title>
+    <fix system="urn:redhat:osbuild:blueprint">
+distro = rhel-80
+</fix>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+    </check>
+  </Rule>
+  <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_9">
+    <title>Enable sshd</title>
+    <fix system="urn:redhat:osbuild:blueprint">
+[customizations.services]
+enabled = ["sshd"]
+</fix>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+    </check>
+  </Rule>
+  <Rule selected="true" id="xccdf_moc.elpmaxe.www_rule_10">
+    <title>Enable sshd</title>
+    <fix system="urn:redhat:osbuild:blueprint">
+[customizations.services]
+enabled = ["sshd"]
+</fix>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <check-content-ref href="test_remediation_simple.oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+    </check>
+  </Rule>
+</Benchmark>