List rules and variables in a profile by "oscap info" #2313

Open
jan-cerny wants to merge 9 commits into OpenSCAP:main from jan-cerny:list_rules_vars

Description

  • Add --list-rules option to oscap info that prints the IDs of all XCCDF rules selected by a given profile
  • Add --list-vars option to oscap info that prints XCCDF Value IDs and their resolved values for a given profile

Both options support SCAP Source data streams and also XCCDF Tailoring files (both standalone and embedded). These input file types are tested by tests that are part of this PR.

Rationale

Currently, there is no way to list rules and variable values for a specific XCCDF profile. Users and tools need to parse XML manually or by different tools. These options provide machine-readable output directly from the oscap CLI.

Resolves: https://issues.redhat.com/browse/RHEL-143569

Example

$ ./oscap_wrapper info --profile cis --list-rules /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth
xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth
...
$ ./oscap_wrapper info --profile cis --list-vars /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 
xccdf_org.ssgproject.content_value_var_user_initialization_files_regex	^\.[\w\- ]+$
xccdf_org.ssgproject.content_value_var_accounts_user_umask	027
xccdf_org.ssgproject.content_value_var_accounts_tmout	900
...
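
An added example, not part of the PR or of OpenSCAP: a CI gate that consumes the two output formats shown in the description above. It assumes the output is exactly as shown there (one rule ID per line; Value ID, a tab, then the value); the sample data, the function names and the shortened required rule ID are constructed.

```shell
#!/bin/sh
# Added example. In CI the inputs would come from the commands in the PR description:
#   oscap info --profile cis --list-rules DS.xml
#   oscap info --profile cis --list-vars  DS.xml
# Constructed sample output modelled on that description (assumed: ID<TAB>value).
SAMPLE_RULES='xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth
xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth'
SAMPLE_VARS=$(printf '%s\t%s\n' \
    xccdf_org.ssgproject.content_value_var_user_initialization_files_regex '^\.[\w\- ]+$' \
    xccdf_org.ssgproject.content_value_var_accounts_user_umask 027 \
    xccdf_org.ssgproject.content_value_var_accounts_tmout 900)
# Baseline: one rule the profile selects, and one constructed ID (not a real rule)
# that is only a prefix of selected rules, to show why matching must be whole-line.
REQUIRED='xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
xccdf_org.ssgproject.content_rule_account_password_pam_faillock'

# var_value ID < list-vars-output
# Prints the resolved value of exactly that Value ID; exit status 1 if absent.
# Fields are split on TAB only and the ID is compared as a string, because
# values may contain spaces and regex metacharacters.
var_value() {
    awk -F '\t' -v id="$1" '
        $1 == id { print substr($0, length($1) + 2); found = 1 }
        END { exit !found }'
}

# missing_rules REQUIRED_IDS < list-rules-output
# Prints each required rule ID that the profile does not select.
missing_rules() {
    listed=$(cat)
    printf '%s\n' "$1" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        # -F fixed string, -x whole line: a prefix of a longer ID is not a match
        printf '%s\n' "$listed" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

echo "umask: $(printf '%s\n' "$SAMPLE_VARS" | var_value xccdf_org.ssgproject.content_value_var_accounts_user_umask)"
echo "missing: $(printf '%s\n' "$SAMPLE_RULES" | missing_rules "$REQUIRED")"
```

A pipeline would fail the build when `missing_rules` prints anything or when a resolved value differs from the expected baseline value.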

Add a new --list-rules option to the oscap info module that, when
combined with --profile, prints the IDs of all XCCDF rules selected
by the given profile. The output is machine-readable (one rule ID per
line with no decoration), making it suitable for CI/CD automation,
auditing, and tailoring validation workflows.

Resolves: https://issues.redhat.com/browse/RHEL-143569

The new option `--list-vars` lists all XCCDF values used by the given
profile, including their values.

Resolves: https://issues.redhat.com/browse/RHEL-143569

There's no check preventing `--list-rules` and `--list-vars` from being
passed simultaneously. If both are set, `--list_rules` wins silently
because of the `if/else if` chain. We will print an error message in
this situation.

Refactor _print_rules_for_profile and _print_vars_for_profile to accept
a pre-configured xccdf_policy_model instead of a raw benchmark. This
enables callers to set tailoring on the policy model before printing,
so that profile inheritance and overrides are properly resolved.

Add support for two tailoring scenarios:
- Standalone XCCDF Tailoring files: resolve the referenced benchmark
  from the tailoring file's benchmark href, load it, create a policy
  model with tailoring set, then print the resolved profile's rules
  or variables.
- Source data streams with tailoring components: find the XCCDF benchmark
  component in the stream, re-import the tailoring with benchmark
  context, then print via the policy model.

These tests are for oscap info --list-rules and --list-vars options,
not XCCDF unit tests, so they belong in their own test directory.
Data files used only by these tests are moved; test_reference_ds.xml
is copied since it is also used by test_reference.sh in unittests.

jan-cerny added this to the 1.4.4 milestone Feb 16, 2026
Mab879 self-assigned this Feb 16, 2026
Mab879 left a comment

I believe you also need to update the bash_completion file as well.

Use '[[' instead of '[' for conditional tests. The '[[' construct
is safer and more feature-rich.

Make the type of this variable a pointer-to-const. The current type
of "profile" is "struct xccdf_profile *".