Add new test /scanning/disa-stig-viewer-results

matusmarhefka · matusmarhefka · commit 601e5f97c975 · 2026-02-04T13:22:06.000+01:00
The new test verifies that results generated by OpenSCAP using the
`--stig-viewer` option are compatible with the DISA STIG Viewer.

This commit also extends the `/static-checks/rule-identifiers` test
to verify all rules from the STIG profile contain `stigref` references
which are used when results are imported into the DISA STIG Viewer.
diff --git a/conf/waivers/productization b/conf/waivers/productization
@@ -40,10 +40,20 @@
 
 # RHEL10 - No official RHEL10 STIG benchmark yet
 /static-checks/rule-identifiers/stig/stigid/.*
+/static-checks/rule-identifiers/stig/stigref/.*
+/scanning/disa-stig-viewer-results
     rhel == 10
 # RHEL8 https://github.com/ComplianceAsCode/content/issues/12422
 /static-checks/rule-identifiers/ospp/ospp/.*
     rhel == 8
+# https://github.com/ComplianceAsCode/content/issues/14359
+/static-checks/rule-identifiers/stig/stigref/enable_authselect
+    rhel == 8 or rhel == 9
+/static-checks/rule-identifiers/stig/stigref/configure_kerberos_crypto_policy
+/static-checks/rule-identifiers/stig/stigref/file_permissions_etc_audit_auditd
+/static-checks/rule-identifiers/stig/stigref/file_sshd_50_redhat_exists
+/static-checks/rule-identifiers/stig/stigref/sshd_include_crypto_policy
+    rhel == 9
 
 # bz1825810 or maybe bz1929805
 # can be reproduced mostly reliably (95%) both via anaconda and oscap CLI,
diff --git a/scanning/disa-stig-viewer-results/main.fmf b/scanning/disa-stig-viewer-results/main.fmf
@@ -0,0 +1,15 @@
+summary: Run oscap scan with STIG profile and verify results compatible with DISA STIG Viewer
+description: |-
+    Verify that results generated by OpenSCAP using the `--stig-viewer`
+    option are compatible with the DISA STIG Viewer.
+test: $CONTEST_PYTHON -m lib.runtest ./test.py
+result: custom
+environment+:
+    PYTHONPATH: ../..
+duration: 30m
+require+:
+  - openscap-scanner
+adjust+:
+  - when: arch != x86_64
+    enabled: false
+    because: the test is not architecture-specific, one is enough
diff --git a/scanning/disa-stig-viewer-results/test.py b/scanning/disa-stig-viewer-results/test.py
@@ -0,0 +1,25 @@
+#!/usr/bin/python3
+
+import re
+import subprocess
+
+from lib import util, results
+
+proc = util.subprocess_run(
+    ['oscap', 'xccdf', 'eval', '--profile', 'stig', '--progress',
+     '--stig-viewer', 'stig_results.xml', util.get_datastream()],
+    stderr=subprocess.STDOUT)
+if proc.returncode not in [0,2]:
+    raise RuntimeError("oscap failed unexpectedly")
+results.add_log('stig_results.xml')
+
+# parse stig_results.xml and count STIG results
+with open('stig_results.xml') as f:
+    stig_content = f.read()
+stig_results_count = len(re.findall(r'<rule-result\s+idref="SV-', stig_content))
+
+note = f'number of rules with STIG Viewer reference: {stig_results_count}'
+if stig_results_count > 0:
+    results.report_and_exit('pass', note=note)
+else:
+    results.report_and_exit('fail', note=note)
diff --git a/static-checks/rule-identifiers/test.py b/static-checks/rule-identifiers/test.py
@@ -15,7 +15,7 @@
 # Associations between profiles and reference names
 profile_reference_names = {
     'bsi': ['bsi'],
-    'stig': ['stigid', 'os-srg'],
+    'stig': ['stigid', 'os-srg', 'stigref'],
     'ospp': ['ospp'],
     'cis': ['cis'],
     'anssi_bp28_high': ['anssi'],
