List rules and variables in a profile by "oscap info" #2313
jan-cerny wants to merge 11 commits into OpenSCAP:main from
Mab879
left a comment
I believe you also need to update the bash bash_completion file as well.
Mab879
left a comment
So it seems that this new mode has some interactions with tailoring files. See below.
$ autotailor --var-value xccdf_org.ssgproject.content_value_var_screensaver_lock_delay=120 -o tailoring.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml cups
$ ./oscap_wrapper info --list-rules --profile cups tailoring.xml
OpenSCAP Error: Unable to open file: './file:///usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml' [/home/mburket/Developer/github.com/OpenSCAP/openscap/src/source/oscap_source.c:298]
Find element '(null)' while expecting element: 'Benchmark' [/home/mburket/Developer/github.com/OpenSCAP/openscap/src/XCCDF/benchmark.c:131]
Failed to import XCCDF content from './file:///usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml'. [/home/mburket/Developer/github.com/OpenSCAP/openscap/src/XCCDF/benchmark.c:64]
Add a new --list-rules option to the oscap info module that, when combined with --profile, prints the IDs of all XCCDF rules selected by the given profile. The output is machine-readable (one rule ID per line with no decoration), making it suitable for CI/CD automation, auditing, and tailoring validation workflows. Resolves: https://issues.redhat.com/browse/RHEL-143569
The new option `--list-vars` lists all XCCDF values used by the given profile, including their values. Resolves: https://issues.redhat.com/browse/RHEL-143569
There's no check preventing `--list-rules` and `--list-vars` from being passed simultaneously. If both are set, `--list-rules` wins silently because of the `if/else if` chain. We will print an error message in this situation.
Refactor _print_rules_for_profile and _print_vars_for_profile to accept a pre-configured xccdf_policy_model instead of a raw benchmark. This enables callers to set tailoring on the policy model before printing, so that profile inheritance and overrides are properly resolved. Add support for two tailoring scenarios:
- Standalone XCCDF Tailoring files: resolve the referenced benchmark from the tailoring file's benchmark href, load it, create a policy model with tailoring set, then print the resolved profile's rules or variables.
- Source data streams with tailoring components: find the XCCDF benchmark component in the stream, re-import the tailoring with benchmark context, then print via the policy model.
These tests are for oscap info --list-rules and --list-vars options, not XCCDF unit tests, so they belong in their own test directory. Data files used only by these tests are moved; test_reference_ds.xml is copied since it is also used by test_reference.sh in unittests.
Use '[[' instead of '[' for conditional tests. The '[[' construct is safer and more feature-rich.
Make the type of this variable a pointer-to-const. The current type of "profile" is "struct xccdf_profile *".
This commit fixes processing of tailoring files in oscap info module options `--list-rules` and `--list-vars`. It fixes these situations:
1. tailoring points to a file using a URI with `file://` prefix
2. tailoring points to a SCAP source data stream
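The first situation above, as an added example that is not code from this pull request or from OpenSCAP: the error output quoted in the review shows a `file://` href being appended to the tailoring file's directory (`./file:///usr/...`), so the href has to be classified before any path joining. The function name `resolve_benchmark_href` is hypothetical, and the sketch assumes hrefs are not percent-encoded.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not OpenSCAP code): map the benchmark href stored in a
 * tailoring file to a local path. Returns 0 on success, -1 if the href is not
 * a local file reference or the result does not fit in out. */
static int resolve_benchmark_href(const char *tailoring_path, const char *href,
                                  char *out, size_t out_size)
{
    static const char scheme[] = "file://";
    const size_t scheme_len = sizeof(scheme) - 1;
    int n;

    if (!tailoring_path || !href || !out || out_size == 0)
        return -1;
    if (strncmp(href, scheme, scheme_len) == 0) {
        /* Accept only file:///abs/path (empty authority); drop the scheme. */
        const char *path = href + scheme_len;
        if (path[0] != '/')
            return -1;
        n = snprintf(out, out_size, "%s", path);
    } else if (strstr(href, "://") != NULL) {
        return -1; /* any other scheme is not a local file */
    } else if (href[0] == '/') {
        n = snprintf(out, out_size, "%s", href); /* already absolute */
    } else {
        /* Relative href: resolve against the tailoring file's directory. */
        const char *slash = strrchr(tailoring_path, '/');
        if (slash == NULL)
            n = snprintf(out, out_size, "./%s", href);
        else
            n = snprintf(out, out_size, "%.*s/%s",
                         (int)(slash - tailoring_path), tailoring_path, href);
    }
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

int main(void)
{
    /* href as it appears in the error output quoted in the review comment */
    const char *href = "file:///usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml";
    char path[4096];

    if (resolve_benchmark_href("tailoring.xml", href, path, sizeof(path)) != 0)
        return 1;
    printf("%s\n", path);
    return 0;
}
```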
463d7b6 to dff5eeb
What is the expected behavior for tailoring? Currently it seems to return nothing.

Seems I forgot the name of the profile. It should be

@Mab879 Great catch! What currently works is to query the custom profile. But if you query the original profile it really doesn't work. I'll investigate what could be the behavior in this situation.

If someone provides a tailoring file and a profile ID that isn't present in the tailoring file, it will print an error message.

I have changed the code so that it prints an error if someone provides a tailoring file and a profile ID that isn't



Description
- `--list-rules` option to `oscap info` that prints the IDs of all XCCDF rules selected by a given profile
- `--list-vars` option to `oscap info` that prints XCCDF Value IDs and their resolved values for a given profile

Both options support SCAP Source data streams and also XCCDF Tailoring files (both standalone and embedded). These input file types are tested by tests that are part of this PR.
Rationale
Currently, there is no way to list rules and variable values for a specific XCCDF profile. Users and tools need to parse XML manually or by different tools. These options provide machine-readable output directly from the oscap CLI.
Resolves: https://issues.redhat.com/browse/RHEL-143569
Example