Something is borked. Here's what I'm doing:
[shawn@rhel6 RHEL6]$ git pull
Already up-to-date.
[shawn@rhel6 RHEL6]$ vim /tmp/jeff1.patch
[shawn@rhel6 RHEL6]$ git branch jeffverify
[shawn@rhel6 RHEL6]$ git checkout jeffverify
Switched to branch 'jeffverify'
[shawn@rhel6 RHEL6]$ git apply /tmp/jeff1.patch
/tmp/jeff1.patch:76: trailing whitespace.
prunedrules.remove(rule)
warning: 1 line adds whitespace errors.
[shawn@rhel6 RHEL6]$ make clean; make all
[shawn@rhel6 RHEL6]$ cd utils/
Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
RHEL6/utils/verify-references.py | 63 ++++++++++++++++++++++++++++++++++---
1 files changed, 57 insertions(+), 6 deletions(-)
diff --git a/RHEL6/utils/verify-references.py b/RHEL6/utils/verify-references.py
index d642ed6..e4ef43c 100755
--- a/RHEL6/utils/verify-references.py
+++ b/RHEL6/utils/verify-references.py
@@ -12,13 +12,16 @@ import lxml.etree as ET
xccdf_ns = "http://checklists.nist.gov/xccdf/1.1"
oval_ns = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
-# we use this string to look for NIST references within the XCCDF rules
+# we use these strings to look for references within the XCCDF rules
nist_ref_href =
"http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"
+disa_ref_href = "http://iase.disa.mil/cci/index.html"
def parse_options():
usage = "usage: %prog [options] xccdf_file"
parser = optparse.OptionParser(usage=usage, version="%prog ")
# only some options are on by default
+ parser.add_option("-p", "--profile", default=False,
action="store", dest="profile_name",
+ help="act on Rules from this XCCDF Profile only")
parser.add_option("--rules-with-invalid-checks", default=False,
action="store_true", dest="rules_with_invalid_checks",
help="print XCCDF Rules that reference an invalid/nonexistent check")
parser.add_option("--rules-without-checks", default=False,
action="store_true", dest="rules_without_checks",
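Review bot: The new `-p/--profile` option in parse_options is a `store` action that carries a profile name string, yet its default is `False`, so `options.profile_name` is a bool when the flag is omitted and a str otherwise, and whatever consumes it (outside this hunk) has to special-case that mismatch. Use `default=None` and have the consumer test `if options.profile_name is not None:`. The new `disa_ref_href` constant follows the existing `nist_ref_href` pattern, but the updated comment could name both, e.g. `# NIST 800-53 and DISA CCI reference hrefs looked for within the XCCDF rules`. parse_options continues into the next hunk and ends outside it.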
@@ -27,6 +30,12 @@ def parse_options():
help="print XCCDF Rules that do not include a severity")
parser.add_option("--rules-without-nistrefs", default=False,
action="store_true", dest="rules_without_nistrefs",
help="print XCCDF Rules which do not include any NIST 800-53
references")
+ parser.add_option("--rules-without-disarefs", default=False,
action="store_true", dest="rules_without_disarefs",
+ help="print XCCDF Rules which do not include any DISA CCI references")
+ parser.add_option("--rules-with-nistrefs-outside-profile", default=False,
action="store_true", dest="nistrefs_not_in_profile",
+ help="print XCCDF Rules which have a NIST reference, but are not part of the
Profile specified")
+ parser.add_option("--rules-with-disarefs-outside-profile", default=False,
action="store_true", dest="disarefs_not_in_profile",
+ help="print XCCDF Rules which have a DISA CCI reference, but are not part of
the Profile specified")
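Review bot: The two `--rules-with-*refs-outside-profile` options only have meaning when `-p/--profile` is also given, but nothing in the hunk records or enforces that dependency; say so in the help text, e.g. `help="... not part of the Profile specified with -p (requires -p)"`, and, unless parse_options already does this after parsing (its tail is outside the hunk), reject the combination with `parser.error("--rules-with-nistrefs-outside-profile requires -p/--profile")`. The `dest` names `nistrefs_not_in_profile` and `disarefs_not_in_profile` break the convention every other option here follows, where `dest` mirrors the long option name (`rules_without_disarefs` for `--rules-without-disarefs`), which makes finding the consumer by grep harder; `rules_with_nistrefs_outside_profile` and `rules_with_disarefs_outside_profile` would match. parse_options ends outside this hunk.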
These all throw errors.
[shawn@rhel6 utils]$ ./verify-references.py -p common
../output/rhel6-xccdf.xml
Traceback (most recent call last):
File "./verify-references.py", line 174, in <module>
main()
File "./verify-references.py", line 101, in main
ovaltree = ET.parse(ovalfile)
File "lxml.etree.pyx", line 2692, in lxml.etree.parse
(src/lxml/lxml.etree.c:49594)
File "parser.pxi", line 1500, in lxml.etree._parseDocument
(src/lxml/lxml.etree.c:71364)
File "parser.pxi", line 1529, in lxml.etree._parseDocumentFromURL
(src/lxml/lxml.etree.c:71647)
File "parser.pxi", line 1429, in lxml.etree._parseDocFromFile
(src/lxml/lxml.etree.c:70742)
File "parser.pxi", line 975, in
lxml.etree._BaseParser._parseDocFromFile (src/lxml/lxml.etree.c:67740)
File "parser.pxi", line 539, in
lxml.etree._ParserContext._handleParseResultDoc
(src/lxml/lxml.etree.c:63824)
File "parser.pxi", line 625, in lxml.etree._handleParseResult
(src/lxml/lxml.etree.c:64745)
File "parser.pxi", line 563, in lxml.etree._raiseParseError
(src/lxml/lxml.etree.c:64060)
IOError: Error reading file 'rhel6-oval.xml': failed to load external
entity "rhel6-oval.xml"
[shawn@rhel6 utils]$ ./verify-references.py --rules-without-disarefs
../output/rhel6-xccdf.xml
Traceback (most recent call last):
File "./verify-references.py", line 174, in <module>
main()
File "./verify-references.py", line 101, in main
ovaltree = ET.parse(ovalfile)
File "lxml.etree.pyx", line 2692, in lxml.etree.parse
(src/lxml/lxml.etree.c:49594)
File "parser.pxi", line 1500, in lxml.etree._parseDocument
(src/lxml/lxml.etree.c:71364)
File "parser.pxi", line 1529, in lxml.etree._parseDocumentFromURL
(src/lxml/lxml.etree.c:71647)
File "parser.pxi", line 1429, in lxml.etree._parseDocFromFile
(src/lxml/lxml.etree.c:70742)
File "parser.pxi", line 975, in
lxml.etree._BaseParser._parseDocFromFile (src/lxml/lxml.etree.c:67740)
File "parser.pxi", line 539, in
lxml.etree._ParserContext._handleParseResultDoc
(src/lxml/lxml.etree.c:63824)
File "parser.pxi", line 625, in lxml.etree._handleParseResult
(src/lxml/lxml.etree.c:64745)
File "parser.pxi", line 563, in lxml.etree._raiseParseError
(src/lxml/lxml.etree.c:64060)
IOError: Error reading file 'rhel6-oval.xml': failed to load external
entity "rhel6-oval.xml"
Line 100-101 of main:
ovalfile = ovalfiles.pop()
ovaltree = ET.parse(ovalfile)
On line 54 the get_ovalfiles() function just pulls out the
check-content-ref:
checkcontentref = check.find("./{%s}check-content-ref" %
xccdf_ns)
Which, from our XCCDF, will return something like this from the
rhel6-xccdf.xml:
<check-content-ref href="rhel6-oval.xml"
name="mount_tmp_own_partition"/>
Which then causes verify-references.py to fail, as the value of
$ovalfile is set to "rhel6-oval.xml", and we're executing
verify-references from another directory.
Could this be reworked to either:
- Patch verify-references to fail nicely
- Allow parsing of OVAL file location as argument
- Update usage guide to tell idiots like me that XCCDF and OVAL have to
be in the same file