Add a script for finding unused rules #12110
Conversation
|
Start a new ephemeral environment with changes proposed in this pull request: Fedora Environment Oracle Linux 8 Environment |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
Mab879
force-pushed
the
add_script_for_unused_rules
branch
from
19ec07d to
5d14c90
Compare
There was a problem hiding this comment.
The script prints for example rule ensure_amazon_gpgkey_installed which isn't used in a data stream but it is linked as a related rule in a control in the cis_al2023 control file. This means we need to be careful when removing rules, we can't remove all of the rules produced by this script.
Mab879
force-pushed
the
add_script_for_unused_rules
branch
from
2fbb3fd to
d8274c9
Compare
|
/packit retest-failed |
| Example useage: | ||
|
|
||
| ```bash | ||
| $ ./build_products --derivatives |
There was a problem hiding this comment.
It's better than build_project, but the correct name is build_product.
| @@ -743,3 +743,24 @@ An example of how to execute the script to generate roles locally: | |||
| $ ./build_product rhel9 | |||
| $ ./utils/ansible_playbook_to_role.py --dry-run output | |||
| ``` | |||
|
|
|||
| ### `utils/find_unused_rules.py` – List Rules That Are Not Used In Any Datastream | |||
| ### `utils/find_unused_rules.py` – List Rules That Are Not Used In Any Datastream | ||
|
|
||
| This script will output rules are not in any data streams. | ||
| To prevent false positives the script will not run if the number of build datas treams less than the total number of products in the project. |
utils/find_unused_rules.py
Outdated
| It requires that all products (and derivatives) are built. | ||
| To do this run ./build_product --derivatives | ||
| The script has the following return codes: | ||
| 0 - All rules are used in the datastreams, |
utils/find_unused_rules.py
Outdated
| To do this run ./build_product --derivatives | ||
| The script has the following return codes: | ||
| 0 - All rules are used in the datastreams, | ||
| 1 - Some rules are not used in the datastreams, |
| The script works by adding off the rule ids from the data streams to a `set`. | ||
| Then the script converts the keys of `rule_dirs.json` to a set. | ||
| The set of rules in the data stream is subtracted to from the set of rules in `rule_dirs.json`. | ||
| The differnce is then output to the user. |
| The set of rules in the data stream is subtracted to from the set of rules in `rule_dirs.json`. | ||
| The differnce is then output to the user. | ||
|
|
||
| Example useage: |
utils/find_unused_rules.py
Outdated
| BUILD_DIR = SSG_ROOT.joinpath("build") | ||
| RULE_DIR_JSON = BUILD_DIR.joinpath("rule_dirs.json") | ||
| EPILOG = """ | ||
| This script lists rules that are not used in any datastreams. |
utils/find_unused_rules.py
Outdated
| ds_products.add(ds.name.split("-")[1]) | ||
| if products_count > len(datastream_files): | ||
| print("Not all products are built, cowardly refusing to continue.", file=sys.stderr) | ||
| print(f"Products: {products_count}, Datastreams: {len(datastream_files)}", file=sys.stderr) |
|
|
||
| This script will output rules are not in any data streams. | ||
| To prevent false positives the script will not run if the number of build datas treams less than the total number of products in the project. | ||
| The script assumes that `./build_project --derivatives` will be ran before the script is used. |
Mab879
force-pushed
the
add_script_for_unused_rules
branch
from
d8274c9 to
329047c
Compare
|
Code Climate has analyzed commit 329047c and detected 1 issue on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate. |
|
The CI fail on OL 7 isn't caused by the contents of this PR. I am fine with the line exceeding its length in this case. |
Description:
Add a script for finding unused rules
Rationale:
To help find outdated rules when removing a product.
Review Hints:
Remove or adjusting profiles is out of scope of this PR. This needs to be addressed on a case-by-case basis.