XCCDF score re-calculation after remediation. #617
Comments
FYI - Red Hat is on a corporate holiday shutdown through the new year, so @mpreisler and team may have delayed responses. ... but for what it's worth, I encounter this frequently during demos and labs. I'd submit the patch.
@GautamSatish sounds good, we'd appreciate a patch for this.
@shawndwells and @mpreisler, The problem is that after remediation, the assert checks that the score is still zero. Like here for example: https://github.com/OpenSCAP/openscap/blob/maint-1.2/tests/API/XCCDF/unittests/test_remediation_simple.sh#L43 If I change the assert to check for '//score[text()="100.000000"]', the test passes. Is there some reason we are asserting the score must be zero after remediation? Or is it just that the current behavior of code is expected by the test cases as well? PS: I am going on holiday too, I will pick up where we are leaving this off in the new year. Wish you all a happy holiday!
Probably the latter. Happy holidays!
The code has been merged, closing this issue.
Hello,
I had brought this up on the mailing list some time ago. This is a report of my observations with some more experiments.
For calculating the compliance score, oscap calls "xccdf_policy_get_score" in the function "xccdf_session_evaluate".
When running "oscap xccdf evaluate" with the "--remediate" option, the report file mentions all fixed rules as passed but the compliance score is from before running remediation, i.e. based on the initial evaluation. So even if the number of rules that pass increases, compliance score does not change. When an evaluation is run again, the number of rules that pass remains the same as with the previous report but compliance score is now updated.
This behavior is the same when running "oscap xccdf remediate". The report of this operation still mentions the same score from evaluation result passed as input to it.
From what I understand, the problem is that oscap doesn't update the score in "xccdf_session_remediate".
The functions which calculate the score, like xccdf_item_get_default_score(), are capable of reporting the score even for "fixed" rules:
if ((xccdf_rule_result_get_result(rule_result) == XCCDF_RESULT_PASS) || (xccdf_rule_result_get_result(rule_result) == XCCDF_RESULT_FIXED)) {
It's just that it doesn't get invoked after remediation.
I notice that there is a convenient function called "xccdf_result_recalculate_scores" which currently doesn't seem to be used anywhere. By invoking this function after the remediation, I am able to get the correct compliance score in the reports. I have tested this with both "oscap xccdf eval --remediate" and "oscap xccdf remediate".
I am not sure if this was one of the intended uses of "xccdf_result_recalculate_scores" but it appears to be doing the job. If this seems acceptable, I can submit a patch for review.
Thank you!
-Gautam.
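The behaviour reported in this issue, as an added example that is not part of the thread and is not OpenSCAP's code: a score stored at evaluation time stays stale after remediation unless it is recomputed from the updated rule results. The types, function names and the flat weighted score are assumptions made for illustration and do not reproduce the XCCDF scoring models or the library's API.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins, not OpenSCAP's types or API. */
enum result { R_PASS, R_FAIL, R_FIXED, R_NOTAPPLICABLE };
struct rule { double weight; enum result res; };
struct test_result { struct rule *rules; size_t n; double score; };

/* Simplified flat weighted score (assumption): "pass" and "fixed" both earn
 * the rule's weight, "notapplicable" rules are left out of the total. */
double compute_score(const struct test_result *tr) {
    double got = 0.0, max = 0.0;
    for (size_t i = 0; i < tr->n; i++) {
        enum result r = tr->rules[i].res;
        if (r == R_NOTAPPLICABLE)
            continue;
        max += tr->rules[i].weight;
        if (r == R_PASS || r == R_FIXED)
            got += tr->rules[i].weight;
    }
    return max > 0.0 ? 100.0 * got / max : 0.0; /* no countable rules: 0 */
}

/* Remediation turns every failing rule into "fixed". With recalc == 0 the
 * stored score is left untouched (the reported behaviour); with recalc != 0
 * it is recomputed from the updated results (the proposed change). */
size_t remediate(struct test_result *tr, int recalc) {
    size_t fixed = 0;
    for (size_t i = 0; i < tr->n; i++)
        if (tr->rules[i].res == R_FAIL) { tr->rules[i].res = R_FIXED; fixed++; }
    if (recalc)
        tr->score = compute_score(tr);
    return fixed;
}

/* Constructed sample: evaluate, remediate, return the score a report would show. */
double score_after_remediation(int recalc) {
    struct rule rules[] = { {1.0, R_PASS}, {1.0, R_FAIL}, {2.0, R_FAIL}, {1.0, R_NOTAPPLICABLE} };
    struct test_result tr = { rules, sizeof rules / sizeof rules[0], 0.0 };
    tr.score = compute_score(&tr);   /* initial evaluation: 1 of 4 weight passes */
    remediate(&tr, recalc);
    return tr.score;
}

int main(void) {
    printf("stale: %.6f  recalculated: %.6f\n",
           score_after_remediation(0), score_after_remediation(1));
    return 0;
}
```

A compliance report built from the stale value understates the post-remediation state, so any gate or dashboard that consumes the score should read it only after recalculation.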