NAME
autotailor - CLI tool for tailoring of SCAP data streams.
DESCRIPTION
The autotailor tool produces tailoring files that SCAP-compliant
scanners can use to complement SCAP data streams. A tailoring file adds a
new profile that extends a profile already present in the data stream.
Tailoring can add, remove or refine rules, and it can also
redefine the contents of XCCDF variables.
The tool requires the data stream location and the ID of the base profile
as inputs. Note, however, that the referenced data stream is not opened, and
the validity of the tailoring is not checked against it. The tool doesn't
prevent you from extending non-existent profiles, selecting non-existent
rules, and so on.
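Because the tool does not open the data stream, a mistyped profile, rule or value ID ends up in the tailoring file unchecked. The following added example (not part of autotailor or of this manual page) cross-checks the references in a tailoring file against the IDs defined in the data stream; the function names are hypothetical and the embedded XML is constructed sample input.

```python
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
# Which kinds of data stream element each tailoring element may point at.
TARGETS = {"select": ("Rule", "Group"), "refine-rule": ("Rule", "Group"),
           "set-value": ("Value",), "refine-value": ("Value",)}

def defined_ids(root):
    """Collect the IDs of every XCCDF Profile, Rule, Group and Value under root."""
    return {kind: {el.get("id") for el in root.iter(XCCDF + kind)}
            for kind in ("Profile", "Rule", "Group", "Value")}

def dangling_references(datastream_root, tailoring_root):
    """Return sorted (element, id) pairs that the tailoring uses but the data stream lacks."""
    known = defined_ids(datastream_root)
    # A tailored profile may also extend another profile of the same tailoring file.
    known["Profile"] |= defined_ids(tailoring_root)["Profile"]
    missing = set()
    for profile in tailoring_root.iter(XCCDF + "Profile"):
        base = profile.get("extends")
        if base and base not in known["Profile"]:
            missing.add(("extends", base))
        for child in profile:
            tag, ref = child.tag.replace(XCCDF, ""), child.get("idref")
            if tag in TARGETS and not any(ref in known[k] for k in TARGETS[tag]):
                missing.add((tag, ref))
    return sorted(missing)

# Constructed sample input: a stripped-down data stream and a tailoring file.
P = "xccdf_org.ssgproject.content_"
SAMPLE_DS = f"""<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns="http://checklists.nist.gov/xccdf/1.2"><ds:component><Benchmark id="{P}benchmark_RHEL-8">
  <Profile id="{P}profile_pci_dss"/>
  <Value id="{P}value_var_screensaver_lock_delay"/>
  <Group id="{P}group_gnome"><Rule id="{P}rule_gconf_gnome_screensaver_idle_delay"/></Group>
</Benchmark></ds:component></ds:data-stream-collection>"""
SAMPLE_TAILORING = f"""<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_auto_tailoring_default">
  <Profile id="{P}profile_pci_dss_customized" extends="{P}profile_pci_dss">
    <select idref="{P}rule_gconf_gnome_screensaver_idle_delay" selected="true"/>
    <select idref="{P}rule_no_such_rule" selected="true"/>
    <set-value idref="{P}value_var_screensaver_lock_delay">120</set-value>
    <set-value idref="{P}value_no_such_value">600</set-value>
  </Profile></Tailoring>"""

if __name__ == "__main__":
    roots = ET.fromstring(SAMPLE_DS), ET.fromstring(SAMPLE_TAILORING)
    for element, ref in dangling_references(*roots):
        print(f"{element}: {ref} is not defined in the data stream")
```

For real files, pass `ET.parse(path).getroot()` for the data stream and for the tailoring file instead of the sample strings.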
SYNOPSIS
autotailor [OPTION...] DATASTREAM_FILE [BASE_PROFILE_ID]
OPTIONS
- --title TITLE
  Title of the new profile.
- --id-namespace ID_NAMESPACE
  The reverse-DNS style string that is part of entity IDs
  in the corresponding data stream. If left out, the default value
  'org.ssgproject.content' is used.
- -v VAR=VALUE, --var-value VAR=VALUE
  Specify modification of the XCCDF value in the form
  <varname>=<value>. The name of the variable can be either its full
  name or the suffix, in which case the 'xccdf_<id-namespace>_value_'
  prefix will be prepended internally. Specify the argument multiple times if
  needed.
- -v VAR=SELECTOR, --var-value VAR=SELECTOR
  Specify refinement of the XCCDF value in the form
  <varname>=<selector>. The name of the variable can be either its full
  name or the suffix, in which case the 'xccdf_<id-namespace>_value_'
  prefix will be prepended internally. Specify the argument multiple times if
  needed.
- -r RULE=ROLE, --rule-role RULE=ROLE
  Specify refinement of the XCCDF rule role in the form
  <rule_id>=<role>. The name of the rule can be either its full name or
  the suffix, in which case the 'xccdf_<id-namespace>_rule_' prefix will
  be prepended internally. The value of <role> can be one of full,
  unscored, unchecked. Specify the argument multiple times if needed.
- -e RULE=SEVERITY, --rule-severity RULE=SEVERITY
  Specify refinement of the XCCDF rule severity in the form
  <rule_id>=<severity>. The name of the rule can be either its full
  name or the suffix, in which case the 'xccdf_<id-namespace>_rule_'
  prefix will be prepended internally. The value of <severity> can be one
  of unknown, info, low, medium, high. Specify the argument multiple times if
  needed.
- -s RULE_ID, --select RULE_ID
  Specify the rule to select. The rule ID can be either
  full or just the suffix, in which case the 'xccdf_<id-namespace>_rule_'
  prefix will be prepended internally. Specify the argument multiple times if
  needed.
- -u RULE_ID, --unselect RULE_ID
  Specify the rule to unselect. The argument works the same
  way as the --select argument.
- -p TAILORED_PROFILE_ID, --tailored-profile-id TAILORED_PROFILE_ID
  Specify the ID of the tailored profile. The ID of the new
  profile can be either its full ID or the suffix, in which case the
  'xccdf_<id-namespace>_profile_' prefix will be prepended internally. If
  left out, the new ID will be obtained by appending '_customized' to the
  base profile ID.
- --new-profile-id NEW_PROFILE_ID
  Synonym of --tailored-profile-id.
- --json-tailoring JSON_TAILORING_FILE
  Import tailoring from a JSON file
  (https://github.com/ComplianceAsCode/schemas/tree/main/tailoring). This option
  makes the BASE_PROFILE_ID positional argument optional. However, data passed in
  the command-line options takes precedence over the JSON contents, including the
  BASE_PROFILE_ID argument. JSON tailoring can be accompanied by additional
  command-line options to either override the contents of an existing profile (along
  with the --tailored-profile-id identifier) or to create an extra profile
  (BASE_PROFILE_ID is a mandatory argument in this case and
  --tailored-profile-id is optional) in the resulting XCCDF tailoring
  file.
USAGE
Modify a variable value
$ autotailor --var-value xccdf_org.ssgproject.content_value_var_screensaver_lock_delay=120 \
    -o tailoring.xml ssg-rhel8-ds.xml xccdf_org.ssgproject.content_profile_pci_dss
The utility allows you to specify the ID namespace using the
--id-namespace option, so you don't have to repeat the
xccdf_org.ssgproject.content_... prefix everywhere. The default ID namespace
is org.ssgproject.content, so the following invocations are
equivalent to the first one:
$ autotailor --var-value var_screensaver_lock_delay=120 \
    --id-namespace org.ssgproject.content -o tailoring.xml ssg-rhel8-ds.xml pci_dss
$ autotailor --var-value var_screensaver_lock_delay=120 -o tailoring.xml ssg-rhel8-ds.xml pci_dss
The resulting tailoring file, tailoring.xml, defines a new profile,
xccdf_org.ssgproject.content_profile_pci_dss_customized, which alters the
screensaver lock delay.
$ autotailor --var-value var_screensaver_lock_delay=120 \
    --select gconf_gnome_screensaver_idle_delay \
    --var-value inactivity_timeout_value=600 ssg-rhel8-ds.xml pci_dss
Import JSON tailoring
$ autotailor ssg-rhel8-ds.xml --json-tailoring tailoring.json
AUTHORS
Matěj Týč <matyc@redhat.com>
Jan Černý <jcerny@redhat.com>
Evgenii Kolesnikov <ekolesni@redhat.com>