Fix Blueprint template to be self-contained

evgenyz · evgenyz · commit d5204de4c75a · 2024-01-31T23:56:39.000+01:00
Now the generated Blueprint file will be ready-to-use right after
generation unless a custom data stream is used for hardening.

There are also instructions on how to adapt the Blueprint for
a custom data stream.
diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -1143,10 +1143,23 @@ static int _write_script_header_to_fd(struct xccdf_policy *policy, struct xccdf_
 	} else if (oscap_streq(sys, "urn:redhat:osbuild:blueprint")) {
 		char *blueprint_fix_header = oscap_sprintf(
 			"%s"
-			"name = \"%s\"\n"
+			"name = \"hardened_%s\"\n"
 			"description = \"%s\"\n"
-			"version = \"%s\"\n",
-			fix_header, profile_id, profile_title, benchmark_version_info);
+			"version = \"%s\"\n\n"
+			"[customizations.openscap]\n"
+			"profile_id = \"%s\"\n"
+			"# If your hardening data stream is not part of the 'scap-security-guide' package\n"
+			"# provide the absolute path to it (from the root of the image filesystem).\n"
+			"# datastream = \"/usr/share/xml/scap/ssg/content/ssg-xxxxx-ds.xml\"\n\n"
+			"# If your hardening data stream is not part of the 'scap-security-guide' package\n"
+			"# you don't need this package to be installed in the image (section can be removed).\n"
+			"[[packages]]\n"
+			"name = \"scap-security-guide\"\n"
+			"version = \"*\"\n\n"
+			"[[packages]]\n"
+			"name = \"openscap-scanner\"\n"
+			"version = \"*\"\n\n",
+			fix_header, profile_id, profile_title, benchmark_version_info, profile_id);
 		free(fix_header);
 		free(profile_title);
 		return _write_text_to_fd_and_free(output_fd, blueprint_fix_header);
diff --git a/tests/API/XCCDF/unittests/test_remediation_blueprint.toml b/tests/API/XCCDF/unittests/test_remediation_blueprint.toml
@@ -19,9 +19,26 @@
 #
 ###############################################################################
 
-name = "xccdf_moc.elpmaxe.www_profile_common"
+name = "hardened_xccdf_moc.elpmaxe.www_profile_common"
 description = "Profile title on one line"
 version = "1.0"
+
+[customizations.openscap]
+profile_id = "xccdf_moc.elpmaxe.www_profile_common"
+# If your hardening data stream is not part of the 'scap-security-guide' package
+# provide the absolute path to it (from the root of the image filesystem).
+# datastream = "/usr/share/xml/scap/ssg/content/ssg-xxxxx-ds.xml"
+
+# If your hardening data stream is not part of the 'scap-security-guide' package
+# you don't need this package to be installed in the image (section can be removed).
+[[packages]]
+name = "scap-security-guide"
+version = "*"
+
+[[packages]]
+name = "openscap-scanner"
+version = "*"
+
 distro = rhel-80
 
 [[packages]]
