|
1
|
|
|
from __future__ import absolute_import |
|
2
|
|
|
from __future__ import print_function |
|
3
|
|
|
|
|
4
|
|
|
import sys |
|
5
|
|
|
import os |
|
6
|
|
|
import os.path |
|
7
|
|
|
import re |
|
8
|
|
|
from collections import defaultdict, namedtuple, OrderedDict |
|
9
|
|
|
|
|
10
|
|
|
import ssg.yaml |
|
11
|
|
|
import ssg.build_yaml |
|
12
|
|
|
from . import rules |
|
13
|
|
|
from . import utils |
|
14
|
|
|
|
|
15
|
|
|
from . import constants |
|
16
|
|
|
from .jinja import process_file_with_macros as jinja_process_file |
|
17
|
|
|
|
|
18
|
|
|
from .xml import ElementTree |
|
19
|
|
|
from .constants import XCCDF12_NS |
|
20
|
|
|
|
|
21
|
|
|
# Remediation type identifier -> file extension its scripts must carry.
# The keys are the type identifiers used throughout this module.
REMEDIATION_TO_EXT_MAP = dict(
    anaconda='.anaconda',
    ansible='.yml',
    bash='.sh',
    puppet='.pp',
    ignition='.yml',
    kubernetes='.yml',
    blueprint='.toml',
)

# Marker placed at the top of generated fix files; lines starting with it are
# dropped when a fix file is split into contents and metadata.
FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED'

# Keys recognised in the '# key = value' metadata header of a fix file.
REMEDIATION_CONFIG_KEYS = [
    'complexity',
    'disruption',
    'platform',
    'reboot',
    'strategy',
]
# The config keys minus 'platform'. Not referenced in this module; presumably
# consumed by the XCCDF fix element builder elsewhere -- confirm against callers.
REMEDIATION_ELM_KEYS = ['complexity', 'disruption', 'reboot', 'strategy']

# A parsed fix: 'contents' is the script body, 'config' its header metadata.
RemediationObject = namedtuple('remediation', 'contents config')
|
39
|
|
|
|
|
40
|
|
|
|
|
41
|
|
|
def is_supported_filename(remediation_type, filename):
    """
    Return True iff *filename* ends with the extension registered for
    *remediation_type* in REMEDIATION_TO_EXT_MAP.

    An unknown remediation type is a build configuration error: an error
    message is written to stderr and the process exits with status 1.
    """
    try:
        expected_ext = REMEDIATION_TO_EXT_MAP[remediation_type]
    except KeyError:
        sys.stderr.write("ERROR: Unknown remediation type '%s'!\n"
                         % (remediation_type))
        sys.exit(1)
    return filename.endswith(expected_ext)
|
53
|
|
|
|
|
54
|
|
|
|
|
55
|
|
|
def _parse_config_line(line):
    """
    Return (key, value) when *line* is a ``# key = value`` metadata line whose
    key is listed in REMEDIATION_CONFIG_KEYS, otherwise (None, None).

    Only lines starting with '#' and containing exactly one '=' qualify; the
    key and value are returned stripped of surrounding whitespace.
    """
    if not (line.startswith('#') and line.count('=') == 1):
        return None, None
    raw_key, raw_value = line.strip('#').split('=')
    key = raw_key.strip()
    if key not in REMEDIATION_CONFIG_KEYS:
        return None, None
    return key, raw_value.strip()


def split_remediation_content_and_metadata(fix_file):
    """
    Split the text of a fix file into its script body and its header metadata.

    Lines recognised by _parse_config_line are consumed as metadata, lines
    starting with FILE_GENERATED_HASH_COMMENT are dropped, and everything
    else -- including commented ``key = value`` lines with an unknown key --
    is kept in the body.

    :param fix_file: the full text of the fix file
    :return: RemediationObject whose ``config`` is a defaultdict that yields
             None for keys the header did not set
    """
    body_lines = []
    config = defaultdict(lambda: None)

    for line in fix_file.splitlines():
        if line.startswith(FILE_GENERATED_HASH_COMMENT):
            continue

        key, value = _parse_config_line(line)
        if key is None:
            body_lines.append(line)
        else:
            config[key] = value

    return RemediationObject(contents="\n".join(body_lines), config=config)
|
79
|
|
|
|
|
80
|
|
|
|
|
81
|
|
|
def parse_from_file_with_jinja(file_path, env_yaml):
    """
    Parse a remediation from a file, expanding its Jinja macros first.

    Remediations contain Jinja macros, so an ``env_yaml`` context is required
    to render them. In practice no remediation uses Jinja in its configuration
    header, so when only the configuration is wanted ``env_yaml`` can be an
    arbitrary product.yml dictionary.

    If the logic of configuration parsing changes significantly, please also
    update ssg.fixes.parse_platform(...).
    """
    rendered_text = jinja_process_file(file_path, env_yaml)
    return split_remediation_content_and_metadata(rendered_text)
|
94
|
|
|
|
|
95
|
|
|
|
|
96
|
|
|
def parse_from_file_without_jinja(file_path):
    """
    Parse a remediation from a file without processing its Jinja macros.

    Useful in build phases in which all the Jinja macros have already been
    resolved, such as loading compiled fixes back from the build directory.
    """
    with open(file_path, "r") as fix_handle:
        raw_text = fix_handle.read()
    return split_remediation_content_and_metadata(raw_text)
|
105
|
|
|
|
|
106
|
|
|
|
|
107
|
|
|
class Remediation(object):
    """
    A remediation script of one type (bash, ansible, ...) stored at file_path.

    The object starts without a rule; associate_rule() attaches one and seeds
    local_env_yaml with the rule's title, id and identifiers so the Jinja
    rendering of the script can refer to them.
    """

    def __init__(self, file_path, remediation_type):
        self.file_path = file_path
        self.remediation_type = remediation_type
        # Jinja context derived from the associated rule (see
        # expand_env_yaml_from_rule); subclasses merge the product env_yaml into it.
        self.local_env_yaml = dict()
        # Header metadata of the parsed fix; absent keys read as None.
        self.metadata = defaultdict(lambda: None)
        self.associated_rule = None

    def associate_rule(self, rule_obj):
        """Attach rule_obj to this remediation and refresh the rule-derived context."""
        self.associated_rule = rule_obj
        self.expand_env_yaml_from_rule()

    def expand_env_yaml_from_rule(self):
        """Copy title, id and identifiers of the associated rule into local_env_yaml (no-op without a rule)."""
        rule = self.associated_rule
        if not rule:
            return
        self.local_env_yaml["rule_title"] = rule.title
        self.local_env_yaml["rule_id"] = rule.id_
        self.local_env_yaml["cce_identifiers"] = rule.identifiers

    def parse_from_file_with_jinja(self, env_yaml, cpe_platforms):
        """
        Parse this remediation's file with its Jinja macros expanded using env_yaml.

        cpe_platforms is not used by the base class; subclasses use it to wrap
        the fix in platform conditionals.
        """
        return parse_from_file_with_jinja(self.file_path, env_yaml)

    def get_inherited_cpe_platform_names(self):
        """Set of the associated rule's inherited_cpe_platform_names (empty when no rule is attached)."""
        names = set()
        if self.associated_rule:
            # The rule may list a platform more than once; a set deduplicates.
            names.update(self.associated_rule.inherited_cpe_platform_names)
        return names

    def get_rule_specific_cpe_platform_names(self):
        """Set of the rule's cpe_platform_names minus the inherited ones (empty when no rule or no platforms)."""
        inherited = self.get_inherited_cpe_platform_names()
        rule = self.associated_rule
        if not rule or rule.cpe_platform_names is None:
            return set()
        return set(p for p in rule.cpe_platform_names if p not in inherited)

    def _get_stripped_conditional(self, language, platform):
        """Return platform's conditional for language stripped of whitespace, or None when absent or blank."""
        conditional = platform.get_remediation_conditional(language)
        if conditional is None:
            return None
        stripped = conditional.strip()
        return stripped if stripped else None

    def get_stripped_conditionals(self, language, cpe_platform_names, cpe_platforms):
        """
        Collect the whitespace-stripped conditionals for language of the
        platforms named in cpe_platform_names (looked up in cpe_platforms),
        skipping platforms that have no conditional.
        """
        candidates = (
            self._get_stripped_conditional(language, cpe_platforms[name])
            for name in cpe_platform_names)
        return [c for c in candidates if c is not None]

    def get_rule_specific_conditionals(self, language, cpe_platforms):
        """Stripped conditionals of the rule-specific (non-inherited) platforms."""
        names = self.get_rule_specific_cpe_platform_names()
        return self.get_stripped_conditionals(language, names, cpe_platforms)

    def get_inherited_conditionals(self, language, cpe_platforms):
        """Stripped conditionals of the platforms the rule inherits."""
        names = self.get_inherited_cpe_platform_names()
        return self.get_stripped_conditionals(language, names, cpe_platforms)
|
176
|
|
|
|
|
177
|
|
|
|
|
178
|
|
|
def process(remediation, env_yaml, cpe_platforms):
    """
    Process a fix and return the parsed RemediationObject iff the file carries
    the extension registered for its remediation type and the fix applies to
    the current product (``env_yaml["product"]``); otherwise return None.

    The 'platform' key is mandatory in the fix header: a missing or empty
    value raises RuntimeError, and a comma-separated platform list containing
    whitespace raises ValueError.
    """
    if not is_supported_filename(remediation.remediation_type, remediation.file_path):
        return None

    result = remediation.parse_from_file_with_jinja(env_yaml, cpe_platforms)
    platforms = result.config['platform']
    if not platforms:
        raise RuntimeError(
            "The '%s' remediation script does not contain the "
            "platform identifier!" % (remediation.file_path))

    if any(item.strip() != item for item in platforms.split(",")):
        raise ValueError(
            "Comma-separated '{platform}' platforms "
            "in '{remediation_file}' contains whitespace."
            .format(platform=platforms, remediation_file=remediation.file_path))

    product = env_yaml["product"]
    if not utils.is_applicable_for_product(platforms, product):
        return None
    return result
|
210
|
|
|
|
|
211
|
|
|
|
|
212
|
|
|
class BashRemediation(Remediation):
    """
    Bash remediation: after Jinja rendering, a non-empty fix body is wrapped
    in an ``if <conditionals>; then ... else ... fi`` guard built from the
    rule's inherited and rule-specific platform conditionals.
    """

    def __init__(self, file_path):
        super(BashRemediation, self).__init__(file_path, "bash")

    @staticmethod
    def _join_conditionals(inherited_conditionals, rule_specific_conditionals):
        """
        Build the shell condition: inherited conditionals are AND-ed, the
        rule-specific ones are OR-ed, and when both exist the OR group is
        wrapped in ``{ ...; }`` so it acts as a single operand of the AND.
        """
        inherited_part = " && ".join(inherited_conditionals)
        if not rule_specific_conditionals:
            return inherited_part
        rule_part = " || ".join(rule_specific_conditionals)
        if inherited_part:
            return inherited_part + " && { " + rule_part + "; }"
        return rule_part

    def parse_from_file_with_jinja(self, env_yaml, cpe_platforms):
        """
        Render the fix with env_yaml merged into the rule-derived context and
        wrap the body in platform conditionals when there are any.

        An empty rendering (a Jinja macro or conditional producing no text for
        this product) is returned untouched so that nothing gets wrapped.
        """
        self.local_env_yaml.update(env_yaml)
        result = super(BashRemediation, self).parse_from_file_with_jinja(
            self.local_env_yaml, cpe_platforms)

        fix_body = result.contents.strip()
        if not fix_body:
            return result

        base = super(BashRemediation, self)
        inherited_conditionals = sorted(
            base.get_inherited_conditionals("bash", cpe_platforms))
        rule_specific_conditionals = sorted(
            base.get_rule_specific_conditionals("bash", cpe_platforms))
        if not (inherited_conditionals or rule_specific_conditionals):
            return result

        condition = self._join_conditionals(inherited_conditionals, rule_specific_conditionals)
        # The body is deliberately not re-indented: textwrap.indent() is not
        # available on python2 and re-indenting could break here-doc blocks.
        # NOTE(review): the conditionals are interpolated into the shell test
        # unquoted, so they must only ever come from the trusted platform
        # definitions in the build tree.
        wrapped_lines = [
            "# Remediation is applicable only in certain platforms",
            "if {0}; then".format(condition),
            "",
            fix_body,
            "",
            "else",
            " >&2 echo 'Remediation is not applicable, nothing was done'",
            "fi",
        ]
        return RemediationObject(contents="\n".join(wrapped_lines), config=result.config)
|
258
|
|
|
|
|
259
|
|
|
|
|
260
|
|
|
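class AnsibleRemediation(Remediation):
    """
    Ansible remediation: after Jinja rendering the snippet is parsed as YAML,
    every task gets the rule's platform conditionals prepended to its ``when``
    clause, a ``package_facts`` task is injected if required, and tags derived
    from the fix header and the rule are added. The rewritten YAML becomes the
    fix contents; the parsed task list is kept in ``self.body``.
    """

    def __init__(self, file_path):
        super(AnsibleRemediation, self).__init__(
            file_path, "ansible")
        # Parsed (and updated) task list of the last parse_from_file_with_jinja call.
        self.body = None

    def parse_from_file_with_jinja(self, env_yaml, cpe_platforms):
        """
        Render the snippet with env_yaml merged into the rule-derived context.

        Without an associated rule the rendered text is returned unchanged;
        with one, the YAML is loaded, updated (see update()) and dumped back.
        """
        self.local_env_yaml.update(env_yaml)
        result = super(AnsibleRemediation, self).parse_from_file_with_jinja(
            self.local_env_yaml, cpe_platforms)

        if not self.associated_rule:
            return result

        # NOTE(review): ordered_load is the project's YAML loader; whether it
        # is a non-constructing (safe) loader is not visible here -- confirm
        # in ssg.yaml before feeding it anything but repository content.
        parsed = ssg.yaml.ordered_load(result.contents)
        self.update(parsed, result.config, cpe_platforms)
        updated_yaml_text = ssg.yaml.ordered_dump(
            parsed, None, default_flow_style=False)
        result = result._replace(contents=updated_yaml_text)

        self.body = parsed
        self.metadata = result.config
        return result

    def update_tags_from_config(self, to_update, config):
        """
        Add tags derived from the fix header to task to_update and sort them:
        ``<strategy>_strategy``, ``<complexity>_complexity``,
        ``<disruption>_disruption`` and ``reboot_required`` /
        ``no_reboot_needed`` (the latter whenever reboot is not "true").
        """
        tags = to_update.get("tags", [])
        for key in ("strategy", "complexity", "disruption"):
            if key in config:
                tags.append("{0}_{1}".format(config[key], key))
        if "reboot" in config:
            if config["reboot"] == "true":
                tags.append("reboot_required")
            else:
                tags.append("no_reboot_needed")
        to_update["tags"] = sorted(tags)

    def update_tags_from_rule(self, to_update):
        """
        Prepend the rule id and ``<severity>_severity`` to the task's tags,
        append the CCE identifier (if any) and the prefixed references, sort.

        :raises RuntimeError: when no rule is associated
        """
        if not self.associated_rule:
            raise RuntimeError("The Ansible snippet has no rule loaded.")

        tags = to_update.get("tags", [])
        tags.insert(0, "{0}_severity".format(self.associated_rule.severity))
        tags.insert(0, self.associated_rule.id_)

        cce_num = self._get_cce()
        if cce_num:
            tags.append("{0}".format(cce_num))

        tags.extend(self.get_references())
        to_update["tags"] = sorted(tags)

    def _get_cce(self):
        """CCE identifier of the associated rule, or None when it has none."""
        return self.associated_rule.identifiers.get("cce", None)

    def get_references(self):
        """
        Return ``<prefix>-<value>`` strings for every reference of the rule
        whose reference class is listed in constants.REF_PREFIX_MAP.

        :raises RuntimeError: when no rule is associated
        """
        if not self.associated_rule:
            raise RuntimeError("The Ansible snippet has no rule loaded.")

        result = []
        for ref_class, prefix in constants.REF_PREFIX_MAP.items():
            refs = self._get_rule_reference(ref_class)
            result.extend(["{prefix}-{value}".format(prefix=prefix, value=v) for v in refs])
        return result

    def _get_rule_reference(self, ref_class):
        """Comma-separated references of the rule for ref_class, as a list (empty when unset)."""
        refs = self.associated_rule.references.get(ref_class, "")
        if refs:
            return refs.split(",")
        return []

    def inject_package_facts_task(self, parsed_snippet):
        """
        Insert a ``package_facts`` task at the top of parsed_snippet when some
        task's ``when`` clause mentions ``ansible_facts.packages`` and no task
        already gathers package facts.

        Only dict (OrderedDict) entries are considered tasks; a ``when`` given
        as a single string is treated like a one-element list.
        """
        has_package_facts_task = False
        has_ansible_facts_packages_clause = False

        for p_task in parsed_snippet:
            if not isinstance(p_task, dict):
                continue

            if "package_facts" in p_task:
                has_package_facts_task = True

            task_when = p_task.get("when", "")
            if isinstance(task_when, str):
                task_when = [task_when]
            for when in task_when:
                if "ansible_facts.packages" in when:
                    has_ansible_facts_packages_clause = True

        if has_ansible_facts_packages_clause and not has_package_facts_task:
            facts_task = OrderedDict([
                ('name', 'Gather the package facts'),
                ('package_facts', {'manager': 'auto'})
            ])
            parsed_snippet.insert(0, facts_task)

    def update_when_from_rule(self, to_update, cpe_platforms):
        """
        Prepend the rule's platform conditionals to the ``when`` clause of task
        to_update: inherited conditionals are added one by one, rule-specific
        ones as a single ``a or b`` expression.

        When the task itself collects package facts, conditionals testing
        ``in ansible_facts.packages`` are dropped (presumably because those
        facts are not available before that task runs). The ``when`` key is
        removed when the resulting clause is empty.
        """
        base = super(AnsibleRemediation, self)
        inherited_conditionals = sorted(
            base.get_inherited_conditionals("ansible", cpe_platforms))
        rule_specific_conditionals = sorted(
            base.get_rule_specific_conditionals("ansible", cpe_platforms))

        if "package_facts" in to_update:
            # Materialise the filtered lists: on Python 3 a bare filter()
            # object is always truthy, which made the branch below append an
            # empty "" condition whenever every rule-specific conditional had
            # been dropped.
            inherited_conditionals = [
                c for c in inherited_conditionals if "in ansible_facts.packages" not in c]
            rule_specific_conditionals = [
                c for c in rule_specific_conditionals if "in ansible_facts.packages" not in c]

        additional_when = list(inherited_conditionals)
        if rule_specific_conditionals:
            additional_when.append(" or ".join(rule_specific_conditionals))

        to_update.setdefault("when", "")
        new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when,
                                                       prepend=True)
        if not new_when:
            to_update.pop("when")
        else:
            to_update["when"] = new_when

    def update(self, parsed, config, cpe_platforms):
        """
        Apply the update steps to the parsed task list, in this order:
        1. extend the ``when`` clause of every task with platform conditionals,
        2. inject the ``package_facts`` task if required,
        3. tag every task, including the injected one, from config and rule.
        """
        for task in parsed:
            if isinstance(task, dict):
                self.update_when_from_rule(task, cpe_platforms)

        self.inject_package_facts_task(parsed)

        # Re-iterate rather than reuse a filtered list: step 2 may have
        # inserted a new task at index 0 that must be tagged as well.
        for task in parsed:
            if isinstance(task, dict):
                self.update_tags_from_config(task, config)
                self.update_tags_from_rule(task)

    @classmethod
    def from_snippet_and_rule(cls, snippet_fname, rule_fname):
        """
        Build an AnsibleRemediation from snippet_fname and associate the rule
        loaded from rule_fname.

        :return: the remediation, or None when either file does not exist or
                 the rule is "documentation-incomplete" (DocumentationNotComplete
                 is raised on non-debug builds)
        """
        if not (os.path.isfile(snippet_fname) and os.path.isfile(rule_fname)):
            return None
        result = cls(snippet_fname)
        try:
            rule_obj = ssg.build_yaml.Rule.from_yaml(rule_fname)
            result.associate_rule(rule_obj)
        except ssg.yaml.DocumentationNotComplete:
            # Happens on non-debug build when a rule is "documentation-incomplete"
            return None
        return result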
|
429
|
|
|
|
|
430
|
|
|
|
|
431
|
|
|
class AnacondaRemediation(Remediation):
    """Anaconda remediation: the generic Remediation with type "anaconda"."""

    def __init__(self, file_path):
        super(AnacondaRemediation, self).__init__(file_path, "anaconda")
|
435
|
|
|
|
|
436
|
|
|
|
|
437
|
|
|
class PuppetRemediation(Remediation):
    """Puppet remediation: the generic Remediation with type "puppet"."""

    def __init__(self, file_path):
        super(PuppetRemediation, self).__init__(file_path, "puppet")
|
441
|
|
|
|
|
442
|
|
|
|
|
443
|
|
|
class IgnitionRemediation(Remediation):
    """Ignition remediation: the generic Remediation with type "ignition"."""

    def __init__(self, file_path):
        super(IgnitionRemediation, self).__init__(file_path, "ignition")
|
447
|
|
|
|
|
448
|
|
|
|
|
449
|
|
|
class KubernetesRemediation(Remediation):
    """Kubernetes remediation: the generic Remediation with type "kubernetes"."""

    def __init__(self, file_path):
        super(KubernetesRemediation, self).__init__(file_path, "kubernetes")
|
453
|
|
|
|
|
454
|
|
|
|
|
455
|
|
|
class BlueprintRemediation(Remediation):
    """OSBuild Blueprint remediation: the generic Remediation with type "blueprint"."""

    def __init__(self, file_path):
        super(BlueprintRemediation, self).__init__(file_path, "blueprint")
|
462
|
|
|
|
|
463
|
|
|
|
|
464
|
|
|
# Remediation type identifier -> class that parses and post-processes it.
# Uses the same keys as REMEDIATION_TO_EXT_MAP.
REMEDIATION_TO_CLASS = dict(
    anaconda=AnacondaRemediation,
    ansible=AnsibleRemediation,
    bash=BashRemediation,
    puppet=PuppetRemediation,
    ignition=IgnitionRemediation,
    kubernetes=KubernetesRemediation,
    blueprint=BlueprintRemediation,
)
|
473
|
|
|
|
|
474
|
|
|
|
|
475
|
|
|
def write_fix_to_file(fix, file_path):
    """
    Write a single fix to file_path: one ``# key = value`` header line per
    config entry (in the config's iteration order) followed by the contents.

    :param fix: a (contents, config) pair, e.g. a RemediationObject
    :param file_path: destination path; the file is created or overwritten
    """
    fix_contents, config = fix
    header_lines = ["# %s = %s\n" % item for item in config.items()]
    with open(file_path, "w") as out:
        out.writelines(header_lines)
        out.write(fix_contents)
|
484
|
|
|
|
|
485
|
|
|
|
|
486
|
|
|
def get_rule_dir_remediations(dir_path, remediation_type, product=None):
    """
    List the remediations of type remediation_type found in a rule directory.

    With product None every such remediation is returned; otherwise only the
    applicable ones, ordered by priority:

        {{{ product }}}.ext -> shared.ext

    Only files that exist are returned; a directory that is not a rule
    directory, or has no sub-directory for the type, yields [].
    """
    if not rules.is_rule_dir(dir_path):
        return []

    remediations_dir = os.path.join(dir_path, remediation_type)
    has_remediations_dir = os.path.isdir(remediations_dir)
    ext = REMEDIATION_TO_EXT_MAP[remediation_type]
    if not has_remediations_dir:
        return []

    # rules.applies_to_product leaves three kinds of file names:
    # 'shared', '<product>' and '<product><version>' (the product argument
    # holds the last form). Product-specific files come first; among the
    # common ones, '<product>' is inserted ahead of 'shared'.
    product_specific = []
    common = []
    for remediation_file in sorted(os.listdir(remediations_dir)):
        file_name, file_ext = os.path.splitext(remediation_file)
        remediation_path = os.path.join(remediations_dir, remediation_file)

        if file_ext != ext or not rules.applies_to_product(file_name, product):
            continue

        if file_name == 'shared':
            # Lowest priority: goes after any '<product>' entry.
            common.append(remediation_path)
        elif file_name != product:
            # '<product>' without version, e.g. "ubuntu" when product is
            # "ubuntu2004": highest priority among the common results.
            common.insert(0, remediation_path)
        else:
            product_specific.append(remediation_path)

    return product_specific + common
|
543
|
|
|
|
|
544
|
|
|
|
|
545
|
|
|
def expand_xccdf_subs(fix, remediation_type):
    """
    Expand the populate keywords of a remediation into <xccdf:sub> elements.

    Every occurrence of ``(<type>-populate variable_name)`` in the text of the
    ``fix`` element -- where <type> is ansible, puppet, anaconda, bash or
    blueprint -- becomes a ``<sub idref="variable_name"/>`` child element,
    with the text that followed the keyword stored in that element's tail.

    ignition and kubernetes fixes are left untouched and a None ``fix`` is a
    no-op. An unknown remediation type writes to stderr and exits with 1.

    :raises RuntimeError: for ansible text still using the deprecated
        ``(ansible-populate VAR)`` form; ``(xccdf-var VAR)`` must be used.
    """
    if fix is None:
        return
    fix_text = fix.text

    if remediation_type in ("ignition", "kubernetes"):
        return

    if remediation_type == "ansible":
        if "(ansible-populate " in fix_text:
            raise RuntimeError(
                "(ansible-populate VAR) has been deprecated. Please use "
                "(xccdf-var VAR) instead. Keep in mind that the latter will "
                "make an ansible variable out of XCCDF Value as opposed to "
                "substituting directly."
            )

        # If you change this string make sure it still matches the pattern
        # defined in OpenSCAP. Otherwise you break variable handling in
        # 'oscap xccdf generate fix' and the variables won't be customizable!
        # https://github.com/OpenSCAP/openscap/blob/1.2.17/src/XCCDF_POLICY/xccdf_policy_remediate.c#L588
        # const char *pattern =
        # "- name: XCCDF Value [^ ]+ # promote to variable\n set_fact:\n"
        # " ([^:]+): (.+)\n tags:\n - always\n";
        # We use !!str typecast to prevent treating values as different types
        # eg. yes as a bool or 077 as an octal number
        # NOTE(review): the leading whitespace of the set_fact/tags lines in
        # the replacement is part of that match -- verify it has not been
        # altered by reformatting or copy/paste.
        fix_text = re.sub(
            r"- \(xccdf-var\s+(\S+)\)",
            r"- name: XCCDF Value \1 # promote to variable\n"
            r" set_fact:\n"
            r" \1: !!str (ansible-populate \1)\n"
            r" tags:\n"
            r" - always",
            fix_text
        )

    populate_patterns = {
        "blueprint": r'\(blueprint-populate\s*(\S+)\)',
        "ansible": r'\(ansible-populate\s*(\S+)\)',
        "puppet": r'\(puppet-populate\s*(\S+)\)',
        "anaconda": r'\(anaconda-populate\s*(\S+)\)',
        "bash": r'\(bash-populate\s*(\S+)\)',
    }
    if remediation_type not in populate_patterns:
        sys.stderr.write("Unknown remediation type '%s'\n" % (remediation_type))
        sys.exit(1)

    # A split on a pattern with one capture group yields
    # [text, varname, text, varname, ..., text].
    parts = re.split(populate_patterns[remediation_type], fix_text)

    fix.text = parts[0]
    for index in range(1, len(parts), 2):
        varname = parts[index]
        text_between_vars = parts[index + 1]

        # ElementTree cannot interleave text and child elements directly,
        # so the text that follows each <sub> goes into the element's tail.
        xccdfvarsub = ElementTree.SubElement(
            fix, "{%s}sub" % XCCDF12_NS, idref=constants.OSCAP_VALUE + varname)
        xccdfvarsub.tail = text_between_vars
        xccdfvarsub.set("use", "legacy")
|
629
|
|
|
|
|
630
|
|
|
|
|
631
|
|
|
def load_compiled_remediations(fixes_dir):
    """
    Load every compiled (Jinja-free) fix found below fixes_dir.

    fixes_dir is expected to hold one sub-directory per remediation language,
    each containing ``<rule_id>.<ext>`` files.

    :return: dict mapping rule_id -> dict mapping language -> RemediationObject
    :raises RuntimeError: when fixes_dir, or any entry directly inside it, is
        not a directory
    """
    if not os.path.isdir(fixes_dir):
        raise RuntimeError(
            "Directory with compiled fixes '%s' does not exist" % fixes_dir)

    all_remediations = defaultdict(dict)
    for language in os.listdir(fixes_dir):
        language_dir = os.path.join(fixes_dir, language)
        if not os.path.isdir(language_dir):
            raise RuntimeError(
                "Can't find the '%s' directory with fixes for %s" %
                (language_dir, language))
        for filename in sorted(os.listdir(language_dir)):
            fix_path = os.path.join(language_dir, filename)
            rule_id = os.path.splitext(filename)[0]
            all_remediations[rule_id][language] = parse_from_file_without_jinja(fix_path)
    return all_remediations
|
648
|
|
|
|