Fix import_disa_stig.py script#14835

Open
jan-cerny wants to merge 3 commits into
ComplianceAsCode:masterfrom
jan-cerny:import_disa_stig_fixes

Conversation

@jan-cerny

Collaborator

Description:

Multiple fixes in import_disa_stig.py script.

For more details read commit messages of all commits.

Rationale:

This change will allow us to use the script to import data from the manual XCCDF file of the DISA STIG for RHEL 10.

Review Hints:

python utils/import_disa_stig.py -c stig_rhel10 -p rhel10 -n "RHEL 10" -o rhel10.yml shared/references/disa-stig-rhel10-v1r1-xccdf-manual.xml

This change will make the script import_disa_stig.py work
with product-specific control files (files in products/PRODUCT/controls
directories). This will allow us to use this script to import RHEL 10
DISA STIG data.

The script import_disa_stig.py always wrote the output data
to a file named "shared.yml". But we need to write the data
to product-specific files, like "rhel10.yml", because we want
to import the RHEL 10 DISA STIG but we don't want to overwrite
the existing data in our rules that belong to RHEL 9.
This commit introduces a new "-o / --output-file-name" CLI option
that allows the user to specify a different output name
(defaults to "shared.yml").

The "rules" key in control files can contain both rule and variable
selections. If a control in a control file contained a rule and a
variable selection, the script import_disa_stig.py skipped this control
with a misleading error message: "Unable to update stig_id since it
doesn't have exactly one rule." Consequently, STIG data weren't imported
for that control. This commit fixes the script to not process variables
as rules and correctly identify the count of selected rules in
a control.
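The third commit above describes the bug: a control whose "rules" list mixes a rule ID with a variable selection (var_name=value) was counted as having two rules and skipped. The following is an added example, not code from this PR or from the ComplianceAsCode repository, showing the split between rule IDs and variable selections, the naive count beside the corrected one, and a lookup that tries products/PRODUCT/controls before the shared controls directory. The control IDs and rule names in SAMPLE_CONTROLS are constructed, and the product-first lookup order is an assumption for this example (the commit only says the script must work with the product-specific directory).

```python
import os

# Constructed sample control file, in the shape of a ComplianceAsCode
# controls YAML already loaded into a dict. The control IDs and rule names
# are made up for this example. A control's "rules" list can mix rule IDs
# with variable selections written as var_name=value.
SAMPLE_CONTROLS = {
    "controls": [
        {"id": "EXAMPLE-000010",
         "rules": ["accounts_tmout", "var_accounts_tmout=600"]},
        {"id": "EXAMPLE-000020",
         "rules": ["sshd_set_idle_timeout", "sshd_set_keepalive"]},
        {"id": "EXAMPLE-000030",
         "rules": ["var_password_pam_minlen=15"]},
        {"id": "EXAMPLE-000040",
         "rules": ["package_telnet_removed"]},
        {"id": "EXAMPLE-000050", "rules": []},
    ]
}


def split_selections(selections):
    """Split a control's "rules" list into rule IDs and variable selections.

    An entry containing "=" is a variable selection (var_name=value);
    anything else is treated as a rule ID.
    """
    rules = []
    variables = {}
    for selection in selections:
        if "=" in selection:
            name, _, value = selection.partition("=")
            variables[name] = value
        else:
            rules.append(selection)
    return rules, variables


def count_rules_naive(selections):
    """The behaviour the commit message describes: every entry counts as a rule."""
    return len(selections)


def classify_controls(controls_doc):
    """Return (importable, skipped).

    importable maps control ID -> the single rule whose STIG data can be
    updated; skipped maps control ID -> a reason that names the real rule
    count instead of a generic "doesn't have exactly one rule" message.
    """
    importable = {}
    skipped = {}
    for control in controls_doc.get("controls", []):
        rules, variables = split_selections(control.get("rules", []))
        if len(rules) == 1:
            importable[control["id"]] = rules[0]
        else:
            skipped[control["id"]] = (
                "%d rules selected (%s), %d variable selection(s) ignored"
                % (len(rules), ", ".join(rules) or "none", len(variables)))
    return importable, skipped


def candidate_controls_files(root, product, controls_id):
    """Paths to try for a controls file, product-specific location first.

    Assumption for this example: products/PRODUCT/controls/ID.yml takes
    precedence over the shared controls/ID.yml.
    """
    return [
        os.path.join(root, "products", product, "controls", controls_id + ".yml"),
        os.path.join(root, "controls", controls_id + ".yml"),
    ]


def find_controls_file(root, product, controls_id):
    """Return the first existing candidate path, or raise FileNotFoundError."""
    for path in candidate_controls_files(root, product, controls_id):
        if os.path.isfile(path):
            return path
    raise FileNotFoundError(
        "no controls file for %s (product %s)" % (controls_id, product))


if __name__ == "__main__":
    importable, skipped = classify_controls(SAMPLE_CONTROLS)
    for control_id, rule in importable.items():
        print("import:", control_id, "->", rule)
    for control_id, reason in skipped.items():
        print("skip:  ", control_id, "-", reason)
    # The naive count also skips EXAMPLE-000010 (2 entries) even though it
    # selects exactly one rule; the corrected classification imports it.
    print("naive count for EXAMPLE-000010:",
          count_rules_naive(SAMPLE_CONTROLS["controls"][0]["rules"]))
    print(candidate_controls_files("/path/to/content", "rhel10", "stig_rhel10"))
```

Running the block shows EXAMPLE-000010 imported with its single rule while the naive count reports 2 for the same control; the variable-only and two-rule controls are skipped with a reason that states the actual counts.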
@jan-cerny jan-cerny added this to the 0.1.82 milestone Jun 29, 2026
@openshift-ci

openshift-ci Bot commented Jun 29, 2026


@jan-cerny: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-openshift-platform-compliance c89601d link true /test e2e-aws-openshift-platform-compliance
ci/prow/e2e-aws-openshift-node-compliance c89601d link true /test e2e-aws-openshift-node-compliance


@ggbecker ggbecker self-assigned this Jun 29, 2026
@ggbecker

Member

This might be unrelated to the pull request, but when I run the utils/rule_dir_json.py to generate the rule_dirs.json required by the import_disa_stig.py script, I get the following:

Traceback (most recent call last):
  File "/home/ggasparb/workspace/github/content-jan-cerny/utils/rule_dir_json.py", line 253, in <module>
    main()
    ~~~~^^
  File "/home/ggasparb/workspace/github/content-jan-cerny/utils/rule_dir_json.py", line 213, in main
    rule_obj['remediations'], r_products = handle_remediations(given_products, product_yamls,
                                           ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                                               rule_obj)
                                                               ^^^^^^^^^
  File "/home/ggasparb/workspace/github/content-jan-cerny/utils/rule_dir_json.py", line 170, in handle_remediations
    _, config = ssg.build_remediations.parse_from_file_with_jinja(
                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        r_path, env_yaml
        ^^^^^^^^^^^^^^^^
    )
    ^
  File "/home/ggasparb/workspace/github/content/ssg/build_remediations.py", line 94, in parse_from_file_with_jinja
    fix_file = ssg.jinja.process_file(file_path, env_yaml)
  File "/home/ggasparb/workspace/github/content/ssg/jinja.py", line 213, in process_file
    return template.render(substitutions_dict)
           ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.14/site-packages/jinja2/environment.py", line 1295, in render
    self.environment.handle_exception()
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3.14/site-packages/jinja2/environment.py", line 942, in handle_exception
    raise rewrite_traceback_stack(source=source)
  File "/home/ggasparb/workspace/github/content-jan-cerny/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml", line 10, in top-level template code
    {{{ ansible_sssd_ensure_default_config(sssd_conf, sssd_conf_dir, rule_title) }}}
    ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.14/site-packages/jinja2/utils.py", line 92, in from_obj
    if hasattr(obj, "jinja_pass_arg"):
       ~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
jinja2.exceptions.UndefinedError: 'ansible_sssd_ensure_default_config' is undefined
(.pyenv) ~/w/g/content-jan-cerny (import_disa_stig_fixes) 1 $ python utils/import_disa_stig.py -c stig_rhel10 -p rhel10 -n "RHEL 10" -o rhel10.yml shared/references/disa-stig-rhel10-v1r1-xccdf-manual.xml
Traceback (most recent call last):
  File "/home/ggasparb/workspace/github/content-jan-cerny/utils/import_disa_stig.py", line 144, in <module>
    raise SystemExit(main())
                     ~~~~^^
  File "/home/ggasparb/workspace/github/content-jan-cerny/utils/import_disa_stig.py", line 95, in main
    rule_dir_json = get_rule_dir_json(args.json)
  File "/home/ggasparb/workspace/github/content/utils/srg_utils/__init__.py", line 33, in get_rule_dir_json
    with open(path, 'r') as f:
         ~~~~^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/home/ggasparb/workspace/github/content-jan-cerny/build/rule_dirs.json'

I don't understand why it isn't able to generate the rule_dirs.json file even with the ansible_sssd_ensure_default_config defined at:

{{% macro ansible_sssd_ensure_default_config(sssd_conf, sssd_conf_dir, rule_title) -%}}

2 participants