SecState-devel July 2010

secstate-devel@lists.fedorahosted.org

5 participants
34 discussions

[PATCH 2/2] Deal with config files and selections better
by Josh Adams 30 Jul '10

30 Jul '10

Config files and a dict of items to their selections status are now attached to benchmark objects on import. Also allow the user to specify active profile on import. --- src/bin/secstate | 6 +- src/secstate/main.py | 253 +++++++++++++++++++++++--------------------------- src/secstate/util.py | 99 +++++++++++--------- 3 files changed, 173 insertions(+), 185 deletions(-) diff --git a/src/bin/secstate b/src/bin/secstate index 9692c0e..2348591 100644 --- a/src/bin/secstate +++ b/src/bin/secstate @@ -114,14 +114,14 @@ def import_content(arguments): help="Imports the specified CPE content") parser.add_option('-p', '--puppet', action='store_true', dest='puppet', default=False, help="Imports the specified puppet content") + parser.add_option('--profile', action='store', type='string', dest='profile', default="__None__", + help="Imports the specified benchmark and sets the active profile") (options, args) = parser.parse_args(arguments) for arg in args: - (benchmark, def_model) = sec_instance.import_content(arg, options.cpe, options.puppet, save=True) + (benchmark, def_model) = sec_instance.import_content(arg, options.cpe, options.puppet, save=True, active_profile=options.profile) if (benchmark == None) and (def_model == None): return -1 - oscap.oval.definition_model_free(def_model) - oscap.xccdf.benchmark_free(benchmark) def export(arguments): parser = OptionParser(usage="secstate export [options] <benchmark> <file>") diff --git a/src/secstate/main.py b/src/secstate/main.py index 8948712..3dd93c8 100644 --- a/src/secstate/main.py +++ b/src/secstate/main.py @@ -31,7 +31,6 @@ import subprocess import time import mimetypes import json -import cProfile import openscap_api as oscap from secstate.util import * @@ -47,8 +46,9 @@ class Secstate: self.log.error("Could not create config directory: %(dir)s" % {'dir':self.conf_dir}) return (None, None) - self.content = self.get_content_dict() - self.content_configs = self.get_content_configs() + self.content = {} + self.content_configs = {} + self.load_content() self.log = self.getLogger() self.benchmark_dir = self.config.get('secstate', 'benchmark_dir') @@ -88,28 +88,14 @@ class Secstate: return log - def get_content_dict(self): - content = {} + def load_content(self): conf_dir = self.config.get('secstate', 'conf_dir') for conf_file in os.listdir(conf_dir): id = os.path.splitext(conf_file)[0] - config = ConfigParser.ConfigParser() - fp = open(os.path.join(conf_dir, conf_file)) - config.readfp(fp) + self.content_configs[id] = os.path.join(conf_dir, conf_file) + config = load_config(os.path.join(conf_dir, conf_file)) content_file = config.get(id, 'file') - content[id] = content_file - fp.close() - - return content - - def get_content_configs(self): - configs = {} - conf_dir = self.config.get('secstate', 'conf_dir') - for conf_file in os.listdir(conf_dir): - id = os.path.splitext(conf_file)[0] - configs[id] = os.path.join(conf_dir, conf_file) - - return configs + self.content[id] = content_file def combine_def_models(self, target, source): """ @@ -174,6 +160,17 @@ class Secstate: self.log.error("Definition model is invalid") return (None, None) + oval_id = os.path.splitext(os.path.basename(oval_file))[0] + + if self.content.has_key(oval_id): + config = ConfigParser.ConfigParser() + config.optionxform = str + if config.read(self.content_configs[oval_id]) == []: + self.log.error("Error loading config file: %(file)s" % {'file':self.content_configs[oval_id]}) + return (None, None) + + def_model.__dict__['config'] = config + if store_path: if not os.path.isdir(store_path): try: @@ -197,7 +194,7 @@ class Secstate: return (None, def_model) - def import_benchmark(self, benchmark_file, oval_path="", store_path=None): + def import_benchmark(self, benchmark_file, oval_path="", store_path=None, changes=False, active_profile='__None__'): """ Function: Imports an XCCDF benchmark Input: Source File, path to associated OVAL content @@ -241,6 +238,32 @@ class Secstate: profile.id = "Custom" benchmark.add_profile(profile) + config = ConfigParser.ConfigParser() + config.optionxform = str + if self.content_configs.has_key(benchmark.id): + if config.read(self.content_configs[benchmark.id]) == []: + self.log.error("Error opening config file: %(file)s" % {'file':self.content_config[benchmark.id]}) + return (None, None) + else: + config.add_section(benchmark.id) + config.set(benchmark.id, 'profile', active_profile) + + benchmark.__dict__['config'] = config + + if changes: + benchmark = apply_changes_profile(benchmark) + + benchmark.__dict__['selections'] = {} + for item in xccdf_get_items(benchmark, oscap.xccdf.XCCDF_ITEM, benchmark.content): + benchmark.selections[item.id] = item.selected + + current_profile = benchmark.config.get(benchmark.id, 'profile') + if current_profile != '__None__': + profile = benchmark.get_item(current_profile).to_profile() + prof_sel = get_profile_selections(benchmark, profile) + for key,val in prof_sel.items(): + benchmark.selections[key] = val + if store_path != None: id = get_benchmark_id(benchmark_file) directory = os.path.join(bench_dir, id) @@ -251,12 +274,10 @@ class Secstate: try: os.mkdir(directory) shutil.copy(benchmark_file, directory) - config = ConfigParser.ConfigParser() - config.add_section(id) - config.set(id, 'file', os.path.join(directory, os.path.basename(benchmark_file))) - config.set(id, 'selected', True) + benchmark.config.set(id, 'file', os.path.join(directory, os.path.basename(benchmark_file))) + benchmark.config.set(id, 'selected', True) conf_file = open(os.path.join(self.config.get('secstate', 'conf_dir'), id + ".cfg"), 'w') - config.write(conf_file) + benchmark.config.write(conf_file) conf_file.close() for oval in list(set(oval_files)): @@ -268,7 +289,7 @@ class Secstate: return (benchmark, def_model) - def import_zipped_content(self, zip, type, store_path, puppet): + def import_zipped_content(self, zip, type, store_path, puppet, changes=False, active_profile='__None__'): """ Function: Validate and copy content from zipped file to repository Input: Zipped file contating content and bool whether it contains puppet content @@ -324,7 +345,7 @@ class Secstate: self.log.error("Could not find XCCDF benchmark in archive %(file)s", {'file':zip}) return (None, None) - (benchmark, def_model) = self.import_benchmark(os.path.join(extract_path, xccdf), extract_path, store_path) + (benchmark, def_model) = self.import_benchmark(os.path.join(extract_path, xccdf), extract_path, store_path, changes, active_profile=active_profile) if benchmark == None: return (None, None) @@ -333,7 +354,7 @@ class Secstate: return (benchmark, def_model) - def import_content(self, content, cpe=False, puppet=False, changes=True, save=False): + def import_content(self, content, cpe=False, puppet=False, changes=True, save=False, active_profile='__None__'): """ Function: Validates XCCDF/OVAL content and optionally saves it to the data store Input: File containing content @@ -353,19 +374,15 @@ class Secstate: return (None, None) if self.content.has_key(content): - (benchmark, oval) = self.import_content(os.path.join(self.benchmark_dir, content, self.content[content]), save=False) - if changes and (benchmark != None): - #benchmark = apply_changes(benchmark, os.path.join(self.benchmark_dir, content, str(content + ".cfg"))) - benchmark = apply_changes_profile(benchmark, self.content_configs[content]) + return self.import_content(self.content[content], cpe, puppet, changes, active_profile=active_profile) - return (benchmark, oval) + if save: + store_path = self.config.get('secstate', 'benchmark_dir') file_type = mimetypes.guess_type(content) if file_type[0] == "text/xml": if is_benchmark(content): xccdf = True - if save: - store_path = self.config.get('secstate', 'benchmark_dir') else: oval = True if save: @@ -375,10 +392,10 @@ class Secstate: return self.import_oval(content, store_path) if xccdf: - return self.import_benchmark(content, store_path=store_path, oval_path=os.path.dirname(content)) + return self.import_benchmark(content, store_path=store_path, oval_path=os.path.dirname(content), changes=changes, active_profile=active_profile) else: - return self.import_zipped_content(content, file_type, store_path=self.config.get('secstate', 'benchmark_dir'), puppet=puppet) + return self.import_zipped_content(content, file_type, store_path=store_path, puppet=puppet, changes=changes, active_profile=active_profile) def export(self, benchmark_id, new_file, original=False): if not self.content.has_key(benchmark_id): @@ -416,17 +433,13 @@ class Secstate: self.remove_content(key) elif self.content.has_key(benchmark_id): - cfg = ConfigParser.ConfigParser() - conf_file = self.content_configs[benchmark_id] - fp = open(conf_file) - cfg.readfp(fp) - fp.close() + cfg = load_config(self.content_configs[benchmark_id]) try: if os.path.split(cfg.get(benchmark_id, "file"))[0] != self.config.get('secstate', 'oval_dir'): shutil.rmtree(os.path.split(cfg.get(benchmark_id, "file"))[0]) else: os.remove(cfg.get(benchmark_id, "file")) - os.remove(conf_file) + os.remove(self.content_configs[benchmark_id]) except IOError,e: self.log.error("Error removing content: %(error)s" % {'error':e}) return False @@ -444,21 +457,7 @@ class Secstate: Output: Succes or failure """ sel_dict = {'selected':selected, 'message':message} - bench_cfg = ConfigParser.ConfigParser() - bench_cfg.optionxform = str - conf_path = self.content_configs[benchmark_id] - if os.path.isfile(conf_path): - try: - fp = open(conf_path) - bench_cfg.readfp(fp) - except IOError, e: - self.log.error("Could not open config file: %(error)s" % {'error':e}) - return False - fp.close() - - if not bench_cfg.has_section('Custom'): - bench_cfg.add_section('Custom') - + if not self.content.has_key(benchmark_id): self.log.error("No benchmark %(id)s in datastore" % {'id':benchmark_id}) return False @@ -469,13 +468,13 @@ class Secstate: self.log.error("Error opening benchmark: %(file)s" % {'file':benchmark_id}) return False else: - bench_cfg.set(benchmark_id, 'selected', selected) + oval.config.set(benchmark_id, 'selected', selected) self.log.debug("Set Oval file %(file)s to %(sel)s" % {'file':benchmark_id, 'sel':selected}) else: if item_id == benchmark_id: - bench_cfg.set(benchmark_id, 'selected', selected) + benchmark.config.set(benchmark_id, 'selected', selected) self.log.debug("Setting %(id)s to %(val)s" % {'id':benchmark_id, 'val':selected}) item = benchmark.to_item() @@ -488,37 +487,44 @@ class Secstate: return False if item.type == oscap.xccdf.XCCDF_PROFILE: - bench_cfg.set(benchmark_id, 'profile', item_id) + benchmark.config.set(benchmark_id, 'profile', item_id) self.log.debug("Setting active profile to %(id)s" % {'id':item_id}) else: - if bench_cfg.has_option(benchmark_id, 'profile'): - active_profile = bench_cfg.get(benchmark_id, 'profile') + if benchmark.config.has_option(benchmark_id, 'profile'): + active_profile = benchmark.config.get(benchmark_id, 'profile') if active_profile != "Custom": - bench_cfg.set('Custom', 'extends', active_profile) + if not benchmark.config.has_section("Custom"): + benchmark.config.add_section("Custom") + benchmark.config.set('Custom', 'extends', active_profile) if item.type != oscap.xccdf.XCCDF_BENCHMARK: - bench_cfg.set('Custom', item_id, json.dumps(sel_dict)) + benchmark.config.set('Custom', item_id, json.dumps(sel_dict)) self.log.debug("Setting %(id)s to %(val)s" % {'id':item_id, 'val':selected}) if selected: parent = item.parent while parent.id != benchmark_id: - bench_cfg.set('Custom', parent_id, json.dumps(sel_dict)) + benchmark.config.set('Custom', parent_id, json.dumps(sel_dict)) self.log.debug("Setting %(id)s to %(val)s" % {'id':parent_id, 'val':selected}) parent = parent.parent - bench_cfg.set(benchmark_id, 'profile', 'Custom') + benchmark.config.set(benchmark_id, 'profile', 'Custom') if recurse: if (item.type == oscap.xccdf.XCCDF_GROUP) or (item.type == oscap.xccdf.XCCDF_BENCHMARK): for sub in xccdf_get_items(benchmark, oscap.xccdf.XCCDF_ITEM, item.content): - bench_cfg.set('Custom', sub.id, json.dumps(sel_dict)) + benchmark.config.set('Custom', sub.id, json.dumps(sel_dict)) self.log.debug("Setting %(id)s to %(val)s" % {'id':sub.id, 'val':selected}) - fp = open(conf_path, 'w') - bench_cfg.write(fp) - fp.close() + try: + fp = open(self.content_configs[benchmark_id], 'w') + benchmark.config.write(fp) + fp.close() + except IOError, e: + self.log.error("Error saving changes: %(err)s" % {'err':e}) + return False + return True def save_profile(self, benchmark_id, profile_name): @@ -526,12 +532,7 @@ class Secstate: self.log.error("No benchmark named %(id)s has been imported" % {'id':benchmark_id}) return False - bench_cfg = ConfigParser.ConfigParser() - bench_cfg.optionxform = str - fp = open(self.content_configs[benchmark_id]) - bench_cfg.readfp(fp) - fp.close() - + bench_cfg = load_config(self.content_configs[benchmark_id]) if bench_cfg.has_section("Custom"): bench_cfg.add_section(profile_name) for opt,val in bench_cfg.items("Custom"): @@ -542,9 +543,13 @@ class Secstate: self.log.error("No changes have been made to the current profile") return False - fp = open(self.content_configs[benchmark_id], 'w') - bench_cfg.write(fp) - fp.close() + try: + fp = open(self.content_configs[benchmark_id], 'w') + bench_cfg.write(fp) + fp.close() + except IOError, e: + self.log.error("Error saving changes: %(err)s" % {'err':e}) + return False return True @@ -560,7 +565,6 @@ class Secstate: benchmark = None res_model = None res_benchmark = None - config = None if args == []: args = self.content.keys() @@ -573,11 +577,11 @@ class Secstate: else: if self.content.has_key(arg): - config = ConfigParser.ConfigParser() - fp = open(self.content_configs[arg]) - config.readfp(fp) - fp.close() - if not all and (not config.getboolean(arg, 'selected')) and (len(args) > 1): + if benchmark == None: + scanned_content = def_model + else: + scanned_content = benchmark + if not all and (not scanned_content.config.getboolean(arg, 'selected')) and (len(args) > 1): print "Skipping %(id)s" % {'id':arg} ret = True continue @@ -586,10 +590,10 @@ class Secstate: sess = oscap.oval.agent_new_session(def_model) if benchmark != None: - # Set profile to default found in config file - if (profile == None) and (config != None): - if config.has_option(arg, 'profile'): - profile = config.get(arg, 'profile') + # Set profile to default found in benchmark.config.file + if (profile == None) and (benchmark.__dict__.has_key('config')): + if benchmark.config.has_option(arg, 'profile'): + profile = benchmark.config.get(arg, 'profile') else: profile = 'Custom' @@ -631,14 +635,14 @@ class Secstate: print "In benchmark %(bench)s:" % {'bench':key} - for item in xccdf_get_itesm(benchmark, oscap.xccdf.XCCDF_ITEM, benchmark.content): + for item in xccdf_get_items(benchmark, oscap.xccdf.XCCDF_ITEM, benchmark.content): title = None description = None - if len(item.titles) > 0: - title = item.titles[0].text + if len(item.title) > 0: + title = item.title[0].text - if len(item.descriptions) > 0: + if len(item.description) > 0: description = item.description[0].text if (title != None) and (description != None): @@ -686,20 +690,16 @@ class Secstate: for title in item.title: print "\tTitle: '%(title)s'" % {'title':title.text} - for description in item.descriptions: + for description in item.description: print "\tDescription: %(desc)s" % {'desc':description.text} print "\tSelected: %(sel)s" % {'sel':item.selected} type = item.type if type == oscap.xccdf.XCCDF_BENCHMARK: - bench_cfg = ConfigParser.ConfigParser() - fp = open(self.content_configs[key]) - bench_cfg.readfp(fp) - fp.close() active_profile = None - if bench_cfg.has_option(key, 'profile'): - active_profile = bench_cfg.get(key, 'profile') + if benchmark.config.has_option(key, 'profile'): + active_profile = benchmark.config.get(key, 'profile') if len(benchmark.profiles) > 0: print "\tProfiles:" for profile in benchmark.profiles: @@ -730,14 +730,15 @@ class Secstate: return True - def sublist(self, benchmark, bench_cfg, def_model, arg, recurse, show_all, selects={}, tabs=0): + def sublist(self, benchmark, def_model, arg, recurse, show_all, tabs=0): tabstr = "\t" * tabs selected = "" profile = "" if benchmark == None: if self.content.has_key(arg): - if bench_cfg.getboolean(arg, 'selected'): + print dir(def_model) + if def_model.config.getboolean(arg, 'selected'): if show_all: selected = "[X]" else: @@ -753,22 +754,15 @@ class Secstate: item = None if arg == benchmark.id: item = benchmark.to_item() - is_selected = bench_cfg.getboolean(arg, 'selected') - if bench_cfg.has_option(arg, 'profile'): - profile = ", Profile: '%s'" % bench_cfg.get(arg, 'profile') - else: - profile = ", Profile: None" + is_selected = benchmark.config.getboolean(arg, 'selected') + profile = ", Profile: '%s'" % benchmark.config.get(arg, 'profile') + else: item = benchmark.get_item(arg) if item == None: - return self.sublist(None, bench_cfg, def_model, arg, recurse, show_all, selects, tabs) - - is_selected = item.selected - - try: - is_selected = selects[item.id] - except KeyError, e: - pass + return self.sublist(None, def_model, arg, recurse, show_all, tabs) + else: + is_selected = benchmark.selections[item.id] for title in item.title: if show_all: @@ -790,7 +784,7 @@ class Secstate: type = item.type if (type == oscap.xccdf.XCCDF_GROUP) or (type == oscap.xccdf.XCCDF_BENCHMARK): for sub in item.content: - self.sublist(benchmark, bench_cfg, def_model, sub.id, recurse, show_all, selects, tabs+1) + self.sublist(benchmark, def_model, sub.id, recurse, show_all, tabs+1) def list_content(self, arg=None, recurse=False, show_all=False): @@ -802,29 +796,12 @@ class Secstate: self.log.error("Error loading benchmark: %(id)s" % {'id':key}) return False - config = ConfigParser.ConfigParser() - fp = open(self.content_configs[key]) - config.readfp(fp) - fp.close() - - selects = {} - if benchmark != None: - if config.has_option(benchmark.id, 'profile'): - prof = benchmark.get_item(config.get(benchmark.id, "profile")) - if prof == None: - self.log.error("Error loading profile %(prof)s" % {'prof':config.get(benchmark.id, 'profile')}) - return False - prof = prof.to_profile() - - for select in prof.selects: - selects[select.item] = select.selected - if (arg == None) or (arg == key): - ret = self.sublist(benchmark, config, def_model, key, recurse, show_all, selects) + ret = self.sublist(benchmark, def_model, key, recurse, show_all) else: if not self.content.has_key(arg): - ret = self.sublist(benchmark, config, def_model, arg, recurse, show_all, selects) + ret = self.sublist(benchmark, def_model, arg, recurse, show_all) return ret diff --git a/src/secstate/util.py b/src/secstate/util.py index 783ed9e..c3b52c0 100644 --- a/src/secstate/util.py +++ b/src/secstate/util.py @@ -39,6 +39,19 @@ class SecstateException(Exception): def __str__(self): return str(self.reason) +def load_config(conf_file): + config = ConfigParser.ConfigParser() + config.optionxform = str + try: + fp = open(conf_file) + config.readfp(fp) + fp.close() + except IOError, e: + sys.stderr.write("Error opening config file: %(file)s" % {'file':conf_file}) + return None + + return config + def xccdf_reporter(msg, usr): result = oscap.common.reporter_message_get_user2num(msg) if result == oscap.xccdf.XCCDF_RESULT_PASS: @@ -70,7 +83,7 @@ def evaluate_xccdf(benchmark, url_XCCDF, sess, s_profile=None, all=False, verbos if (s_profile != None): policy = policy_model.get_policy_by_id(s_profile) else: - policies = policy_modea.policiesl + policies = policy_model.policies if len(policies) > 0: policy = policies[0] @@ -99,9 +112,8 @@ def evaluate_xccdf(benchmark, url_XCCDF, sess, s_profile=None, all=False, verbos ritem.add_title(title) ritem.start_time = time.time() if policy != None: - id = policy.profile.id - if id != None: - ritem.set_profile(id) + if policy.profile != None: + ritem.set_profile(policy.profile.id) oscap.oval.agent_export_sysinfo_to_xccdf_result(sess, ritem) for model in benchmark.models: @@ -121,7 +133,6 @@ def evaluate_xccdf(benchmark, url_XCCDF, sess, s_profile=None, all=False, verbos "Informational:\t%(info)s\n" \ "Unknown:\t%(unknown)s\n" % res_dict - print "HERE" results_benchmark = benchmark.clone() results_benchmark.add_result(oscap.xccdf.result_clone(ritem)) res_model = oscap.oval.agent_get_results_model(sess) @@ -315,50 +326,50 @@ def xccdf_rule_get_defs(rule): return defs -def apply_changes_profile(benchmark, conf): - config = ConfigParser.ConfigParser() - config.optionxform = str - if os.path.isfile(conf): - try: - fp = open(conf) - config.readfp(fp) - except IOError,e: - sys.stderr.write("Error opening config file: %(err)s\n" % {'err':e}) - return None - fp.close() - - for section in config.sections(): - if section != benchmark.id: - prof = oscap.xccdf.profile_new() - if config.has_option(section, 'extends'): - original_prof = benchmark.get_item(config.get(section, 'extends')).to_profile() - if len(original_prof.title) > 0: - new_title = oscap.common.text_new() - new_title.text = "-- Customized --" + original_prof.title[0].text - prof.add_title(new_title) - prof.extends = config.get(section, 'extends') - else: +def apply_changes_profile(benchmark): + for section in benchmark.config.sections(): + if section != benchmark.id: + prof = oscap.xccdf.profile_new() + if benchmark.config.has_option(section, 'extends'): + original_prof = benchmark.get_item(benchmark.config.get(section, 'extends')).to_profile() + if len(original_prof.title) > 0: new_title = oscap.common.text_new() - new_title.text = "Customized profile from secstate" + new_title.text = "-- Customized --" + original_prof.title[0].text prof.add_title(new_title) - prof.id = section - - for id,val in config.items(section): - if id != 'extends': - sel_dict = json.loads(val) - select = oscap.xccdf.select_new() - select.item = id - select.selected = sel_dict['selected'] - if sel_dict['message']: - text = oscap.common.text_new() - text.text = str(sel_dict['message']) - select.add_remark(text) - prof.add_select(select) - - benchmark.add_profile(prof) + prof.extends = benchmark.config.get(section, 'extends') + else: + new_title = oscap.common.text_new() + new_title.text = "Customized profile from secstate" + prof.add_title(new_title) + prof.id = section + + for id,val in benchmark.config.items(section): + if id != 'extends': + sel_dict = json.loads(val) + select = oscap.xccdf.select_new() + select.item = id + select.selected = sel_dict['selected'] + if sel_dict['message']: + text = oscap.common.text_new() + text.text = str(sel_dict['message']) + select.add_remark(text) + prof.add_select(select) + + benchmark.add_profile(prof) return benchmark +def get_profile_selections(benchmark, profile): + selections = {} + if profile.extends != None: + selections.update(get_profile_selections(benchmark, benchmark.get_item(profile.extends).to_profile())) + + for sel in profile.selects: + selections[sel.item] = sel.selected + + return selections + + def xccdf_get_fixes(benchmark, ignore_ids=[]): """ Function: Get all fixes for rules in the XCCDF document -- 1.7.2

1 0

[PATCH 1/2] Added the ability to save profiles
by Josh Adams 30 Jul '10

30 Jul '10

The user can now save customizations to a named profile, which can be loaded later. Fixes bug #7328 --- src/bin/secstate | 10 +++++++ src/secstate/main.py | 42 ++++++++++++++++++++++++----- src/secstate/util.py | 72 ++++++++++++++++++++----------------------------- 3 files changed, 74 insertions(+), 50 deletions(-) diff --git a/src/bin/secstate b/src/bin/secstate index e4bc7f0..9692c0e 100644 --- a/src/bin/secstate +++ b/src/bin/secstate @@ -41,6 +41,7 @@ Sub-commands: export -- Exports imported content along with any changes that have been made select -- Sets a portion of the benchmark (group/rule) to be selected deselect -- Sets a portion of the benchmark (group/rule) to be deselected + save -- Saves changes made to the current benchmark to a named profile list -- List the imported benchmarks show -- Shows the information associated with a group, rule, or definition id search -- Search through imported content @@ -98,6 +99,9 @@ def main(): elif subcommand == 'remediate': remediate(sys.argv[arg_num:]) + + elif subcommand == 'save': + save_profile(sys.argv[arg_num:]) else: sys.stderr.write("Uknown subcommand: %(command)s" % {'command':subcommand}) @@ -250,6 +254,12 @@ def show(arguments): return -1 return 0 +def save_profile(arguments): + parser = OptionParser(usage="secstate save [options] <benchmark> <profile name>") + (options, args) = parser.parse_args(arguments) + if not sec_instance.save_profile(args[0], args[1]): + return -1 + if __name__ == '__main__': sys.exit(main()) diff --git a/src/secstate/main.py b/src/secstate/main.py index d38e96e..8948712 100644 --- a/src/secstate/main.py +++ b/src/secstate/main.py @@ -456,8 +456,8 @@ class Secstate: return False fp.close() - if not bench_cfg.has_section('selections'): - bench_cfg.add_section('selections') + if not bench_cfg.has_section('Custom'): + bench_cfg.add_section('Custom') if not self.content.has_key(benchmark_id): self.log.error("No benchmark %(id)s in datastore" % {'id':benchmark_id}) @@ -494,16 +494,16 @@ class Secstate: if bench_cfg.has_option(benchmark_id, 'profile'): active_profile = bench_cfg.get(benchmark_id, 'profile') if active_profile != "Custom": - bench_cfg.set(benchmark_id, 'extends', active_profile) + bench_cfg.set('Custom', 'extends', active_profile) if item.type != oscap.xccdf.XCCDF_BENCHMARK: - bench_cfg.set('selections', item_id, json.dumps(sel_dict)) + bench_cfg.set('Custom', item_id, json.dumps(sel_dict)) self.log.debug("Setting %(id)s to %(val)s" % {'id':item_id, 'val':selected}) if selected: parent = item.parent while parent.id != benchmark_id: - bench_cfg.set('selections', parent_id, json.dumps(sel_dict)) + bench_cfg.set('Custom', parent_id, json.dumps(sel_dict)) self.log.debug("Setting %(id)s to %(val)s" % {'id':parent_id, 'val':selected}) parent = parent.parent @@ -512,7 +512,7 @@ class Secstate: if recurse: if (item.type == oscap.xccdf.XCCDF_GROUP) or (item.type == oscap.xccdf.XCCDF_BENCHMARK): for sub in xccdf_get_items(benchmark, oscap.xccdf.XCCDF_ITEM, item.content): - bench_cfg.set('selections', sub.id, json.dumps(sel_dict)) + bench_cfg.set('Custom', sub.id, json.dumps(sel_dict)) self.log.debug("Setting %(id)s to %(val)s" % {'id':sub.id, 'val':selected}) @@ -521,6 +521,34 @@ class Secstate: fp.close() return True + def save_profile(self, benchmark_id, profile_name): + if not self.content.has_key(benchmark_id): + self.log.error("No benchmark named %(id)s has been imported" % {'id':benchmark_id}) + return False + + bench_cfg = ConfigParser.ConfigParser() + bench_cfg.optionxform = str + fp = open(self.content_configs[benchmark_id]) + bench_cfg.readfp(fp) + fp.close() + + if bench_cfg.has_section("Custom"): + bench_cfg.add_section(profile_name) + for opt,val in bench_cfg.items("Custom"): + bench_cfg.set(profile_name, opt, val) + bench_cfg.remove_section("Custom") + bench_cfg.set(benchmark_id, 'profile', profile_name) + else: + self.log.error("No changes have been made to the current profile") + return False + + fp = open(self.content_configs[benchmark_id], 'w') + bench_cfg.write(fp) + fp.close() + + return True + + def audit(self, interpreter, args, profile=None, verbose=False, all=False, xml=None, html=None): """ Function: Run an audit on the system agains the given definition model @@ -784,7 +812,7 @@ class Secstate: if config.has_option(benchmark.id, 'profile'): prof = benchmark.get_item(config.get(benchmark.id, "profile")) if prof == None: - self.log.error("Error loading profile %(prof)s" % {'prof':profile}) + self.log.error("Error loading profile %(prof)s" % {'prof':config.get(benchmark.id, 'profile')}) return False prof = prof.to_profile() diff --git a/src/secstate/util.py b/src/secstate/util.py index 214e782..783ed9e 100644 --- a/src/secstate/util.py +++ b/src/secstate/util.py @@ -315,24 +315,6 @@ def xccdf_rule_get_defs(rule): return defs -def apply_changes(benchmark, conf): - config = ConfigParser.ConfigParser() - config.optionxform = str - if os.path.isfile(conf): - try: - fp = open(conf) - config.readfp(fp) - except IOError,e: - sys.stderr.write("Error opening config file: %(err)s\n" % {'err':e}) - return None - fp.close() - - for id in config.options("selections"): - item = benchmark.get_item(id) - item.selected = config.getboolean('selections', id) - - return benchmark - def apply_changes_profile(benchmark, conf): config = ConfigParser.ConfigParser() config.optionxform = str @@ -345,31 +327,35 @@ def apply_changes_profile(benchmark, conf): return None fp.close() - if config.has_option(benchmark.id, 'extends'): - prof = benchmark.get_item(config.get(benchmark.id, 'extends')).to_profile().clone() - titles = prof.title - if len(titles) > 0: - title = titles[0] - original_text = title.text - title.text = "-- Customized --" + original_text - prof.extends = config.get(benchmark.id, 'extends') - else: - prof = oscap.xccdf.profile_new() - prof.id = "Custom" - - if config.has_section("selections"): - for id in config.options("selections"): - sel_dict = json.loads(config.get('selections', id)) - select = oscap.xccdf.select_new() - select.item = id - select.selected = sel_dict['selected'] - if sel_dict['message']: - text = oscap.common.text_new() - text.text = str(sel_dict['message']) - select.add_remark(text) - prof.add_select(select) - - benchmark.add_profile(prof) + for section in config.sections(): + if section != benchmark.id: + prof = oscap.xccdf.profile_new() + if config.has_option(section, 'extends'): + original_prof = benchmark.get_item(config.get(section, 'extends')).to_profile() + if len(original_prof.title) > 0: + new_title = oscap.common.text_new() + new_title.text = "-- Customized --" + original_prof.title[0].text + prof.add_title(new_title) + prof.extends = config.get(section, 'extends') + else: + new_title = oscap.common.text_new() + new_title.text = "Customized profile from secstate" + prof.add_title(new_title) + prof.id = section + + for id,val in config.items(section): + if id != 'extends': + sel_dict = json.loads(val) + select = oscap.xccdf.select_new() + select.item = id + select.selected = sel_dict['selected'] + if sel_dict['message']: + text = oscap.common.text_new() + text.text = str(sel_dict['message']) + select.add_remark(text) + prof.add_select(select) + + benchmark.add_profile(prof) return benchmark -- 1.7.2

1 0

[PATCH] Update makefile for ifdefiend puppet module
by Francisco Slavin 30 Jul '10

30 Jul '10

--- Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/Makefile b/Makefile index c8e2671..83847a3 100644 --- a/Makefile +++ b/Makefile @@ -29,7 +29,7 @@ CLIP_DIR := $(CWD)../ RPM_PACKAGER := Tresys Technology, LLC QUIET ?= 0 -MODULE_LIST = file_perms pam +MODULE_LIST = file_perms pam ifdefined # Add additional subdirs for Make recursion here. # The all, clean, and bare targets will be called on these directories -- 1.7.2

1 0

[PATCH 1/2] Added puppet ifdefined module, updated spec file and license info accordingly
by Francisco Slavin 30 Jul '10

30 Jul '10

--- LICENSE | 2 +- dist/secstate.spec | 2 + remediation/puppet-modules/ifdefined/LICENSE | 10 +++++++ remediation/puppet-modules/ifdefined/README | 26 ++++++++++++++++++++ .../plugins/puppet/parser/functions/ifdefined.rb | 21 ++++++++++++++++ 5 files changed, 60 insertions(+), 1 deletions(-) create mode 100644 remediation/puppet-modules/ifdefined/LICENSE create mode 100644 remediation/puppet-modules/ifdefined/README create mode 100644 remediation/puppet-modules/ifdefined/plugins/puppet/parser/functions/ifdefined.rb diff --git a/LICENSE b/LICENSE index 1dd738f..16dd111 100644 --- a/LICENSE +++ b/LICENSE @@ -20,4 +20,4 @@ The pam puppet module: BSD: The OVAL to XHTML transform: /etc/secstate/results_to_html.xsl - + /usr/share/puppet/modules/ifdefined/* diff --git a/dist/secstate.spec b/dist/secstate.spec index 0ab9240..bf24209 100644 --- a/dist/secstate.spec +++ b/dist/secstate.spec @@ -68,6 +68,8 @@ rm -rf $RPM_BUILD_ROOT # BSD %config(noreplace) %{_sysconfdir}/secstate/results_to_html.xsl +%dir /usr/share/puppet/modules/ifdefined +/usr/share/puppet/modules/ifdefined/* %changelog * Fri Jul 16 2010 Marshall Miller <mmiller(a)tresys.com> 0.3-8 diff --git a/remediation/puppet-modules/ifdefined/LICENSE b/remediation/puppet-modules/ifdefined/LICENSE new file mode 100644 index 0000000..d170e97 --- /dev/null +++ b/remediation/puppet-modules/ifdefined/LICENSE @@ -0,0 +1,10 @@ +Copyright (c) 2010, Michael DeHaan, Puppet Labs +All rights reserved. + +Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. + * Neither the name of the Organization nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/remediation/puppet-modules/ifdefined/README b/remediation/puppet-modules/ifdefined/README new file mode 100644 index 0000000..6946e32 --- /dev/null +++ b/remediation/puppet-modules/ifdefined/README @@ -0,0 +1,26 @@ +This is a puppet module for using a variable if it is defined, and otherwise not +doing anything with the variable. + +Example: + +file { "/path/to/foo.txt": + mode => ifdefined('mode') +} + +This will do nothing if an external nodes tool does not set $mode, and if it is +set, will use the mode, exactly as specified. + +This is a shortcut around this syntax: + +file { "/path/to/foo.txt": + mode ? { + '' : undef, + default : $mode + } +} + +This will allow the file to stay as set on the system unless explicitly set, +in other words. + +Michael DeHaan <michael(a)puppetlabs.com> + diff --git a/remediation/puppet-modules/ifdefined/plugins/puppet/parser/functions/ifdefined.rb b/remediation/puppet-modules/ifdefined/plugins/puppet/parser/functions/ifdefined.rb new file mode 100644 index 0000000..2facc22 --- /dev/null +++ b/remediation/puppet-modules/ifdefined/plugins/puppet/parser/functions/ifdefined.rb @@ -0,0 +1,21 @@ +# ifdefined -- if a variable is defined, use it, otherwise use undef +# +# which means, for instance, "if this variable is defined, set the mode to it, +# otherwise do nothing" +# +# allows: +# $x = ifdefined('foo') +# +# Michael DeHaan <michael(a)puppetlabs.com> + +module Puppet::Parser::Functions + newfunction(:ifdefined, :type => :rvalue) do |args| + key = args[0] + value = lookupvar(key) + if value == '' + value = :undef # not nil + end + value + end +end + -- 1.7.2

1 1

[PATCH] fixes remediation for the new openscap api
by mkeeler＠tresys.com 29 Jul '10

29 Jul '10

From: Matt Keeler <mkeeler(a)tresys.com> --- src/secstate/util.py | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/secstate/util.py b/src/secstate/util.py index 214e782..05284bf 100644 --- a/src/secstate/util.py +++ b/src/secstate/util.py @@ -384,7 +384,7 @@ def xccdf_get_fixes(benchmark, ignore_ids=[]): fixes = [] for rule in rules: if rule.id not in ignore_ids: - fixes.extend(xccdf_fix_list(rule.fixes)) + fixes.extend(rule.fixes) return fixes def item_get_type_str(item): @@ -466,7 +466,7 @@ def dereference_sub_elements(fix, benchmark): sub_element_re = r'<sub\s+.*idref="(.*?)"\s*/\s*>' replacement_re = r'<sub\s+.*idref="%s"\s*/\s*>' - content = fix._content + content = fix.content ids = [m.group(1) for m in re.finditer(sub_element_re, content)] for id in ids: #lookup the actual value the id points too -- 1.6.5.2

1 0

[PATCH] Added the ability to save profiles
by Josh Adams 28 Jul '10

28 Jul '10

1 0

[PATCH] if the .cmd file doesn't exist in /test_name/command/ then bail out of the test before it runs
by Chris Smith 28 Jul '10

28 Jul '10

--- testing/harness/secstate_harness/testcase.py | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) diff --git a/testing/harness/secstate_harness/testcase.py b/testing/harness/secstate_harness/testcase.py index 4cae8a9..2b77142 100644 --- a/testing/harness/secstate_harness/testcase.py +++ b/testing/harness/secstate_harness/testcase.py @@ -53,7 +53,10 @@ class Command: self.command_path = os.path.join(commands_dir, '%s.cmd' % self.command_name) if not os.path.exists(self.command_path): - raise Exception('Error: Command Not Valid: %s.cmd does not exist in %s' % (self.command_name, self.command_path)) + print 'Error: Command Not Valid: %s.cmd does not exist in %s' % (self.command_name, self.command_path) + sys.exit(0) + #if not os.path.exists(self.command_path): + #raise Exception('Error: Command Not Valid: %s.cmd does not exist in %s' % (self.command_name, self.command_path)) self.rc_path = os.path.join(commands_dir, '%s.rc' % self.command_name) self.stdout_path = os.path.join(commands_dir, '%s.stdout' % self.command_name) @@ -300,4 +303,4 @@ class TestCase: sys.stdout.write(join(tab(['Verification Section Completed Successfully: %s\n' % str(cmds_ok)]))) return cmds_ok - \ No newline at end of file + -- 1.7.0.1

1 0

[PATCH] Implemented reverse search for OVAL to XCCDF
by Josh Adams 28 Jul '10

28 Jul '10

Search can now trace an OVAL definition to the XCCDF rule that uses it. Fixes bug #7240 --- src/bin/secstate | 4 +++- src/secstate/main.py | 22 ++++++++++++++++++---- src/secstate/util.py | 8 ++++++++ 3 files changed, 29 insertions(+), 5 deletions(-) diff --git a/src/bin/secstate b/src/bin/secstate index e4bc7f0..5e0591a 100644 --- a/src/bin/secstate +++ b/src/bin/secstate @@ -219,8 +219,10 @@ def search(arguments): parser = OptionParser(usage="secstate search [options] <string>") parser.add_option('-v', '--verbose', action='store_true', dest='verbose', default=False, help="Show extra information from the search") + parser.add_option('-r', '--reverse', action='store_true', dest='reverse', default=False, + help="Search for an XCCDF rule based on an OVAL definition id") (options, args) = parser.parse_args(arguments) - if not sec_instance.search(args[0], options.verbose): + if not sec_instance.search(args[0], options.verbose, options.reverse): return -1 def list_content(arguments): diff --git a/src/secstate/main.py b/src/secstate/main.py index d38e96e..0c2870f 100644 --- a/src/secstate/main.py +++ b/src/secstate/main.py @@ -588,7 +588,7 @@ class Secstate: return True - def search(self, search_string, verbose=False): + def search(self, search_string, verbose=False, reverse=False): """ Function: Searches though all imported benchmarks for a string of text Input: A benchmark id and a string to search for @@ -596,13 +596,27 @@ class Secstate: Side Effects: Prints out the results of the search """ for key in self.content: - benchmark = oscap.xccdf.benchmark_import(os.path.join(self.benchmark_dir, key, self.content[key])) + (benchmark, def_model) = self.import_content(key) if benchmark == None: - self.log.error("Error importing benchmark: %(key)s" % {'key':key}) - return False + if def_model == None: + self.log.error("Error importing content: %(key)s" % {'key':key}) + return False + else: + continue print "In benchmark %(bench)s:" % {'bench':key} + if reverse: + defn = def_model.get_definition(search_string) + if defn == None: + continue + else: + rule_defs = rules_to_defs(benchmark) + for k, v in rule_defs.iteritems(): + if search_string in v: + print "OVAL Definition %(id)s is used by %(rule_id)s" % {'id':search_string, 'rule_id':k} + continue + for item in xccdf_get_itesm(benchmark, oscap.xccdf.XCCDF_ITEM, benchmark.content): title = None description = None diff --git a/src/secstate/util.py b/src/secstate/util.py index 214e782..93ce34a 100644 --- a/src/secstate/util.py +++ b/src/secstate/util.py @@ -315,6 +315,14 @@ def xccdf_rule_get_defs(rule): return defs +def rules_to_defs(benchmark): + res_defs = {} + rules = xccdf_get_items(benchmark, oscap.xccdf.XCCDF_RULE) + for rule in rules: + res_defs[rule.id] = xccdf_rule_get_defs(rule) + + return res_defs + def apply_changes(benchmark, conf): config = ConfigParser.ConfigParser() config.optionxform = str -- 1.7.2

1 0

[PATCH] Fixed segfault and removed cProfile
by Josh Adams 28 Jul '10

28 Jul '10

Forgot to remove the import call to cProfile --- src/bin/secstate | 2 -- src/secstate/main.py | 1 - 2 files changed, 0 insertions(+), 3 deletions(-) diff --git a/src/bin/secstate b/src/bin/secstate index e4bc7f0..88dd58a 100644 --- a/src/bin/secstate +++ b/src/bin/secstate @@ -116,8 +116,6 @@ def import_content(arguments): (benchmark, def_model) = sec_instance.import_content(arg, options.cpe, options.puppet, save=True) if (benchmark == None) and (def_model == None): return -1 - oscap.oval.definition_model_free(def_model) - oscap.xccdf.benchmark_free(benchmark) def export(arguments): parser = OptionParser(usage="secstate export [options] <benchmark> <file>") diff --git a/src/secstate/main.py b/src/secstate/main.py index d38e96e..c1abe83 100644 --- a/src/secstate/main.py +++ b/src/secstate/main.py @@ -31,7 +31,6 @@ import subprocess import time import mimetypes import json -import cProfile import openscap_api as oscap from secstate.util import * -- 1.7.2

1 0

[PATCH] Fixes to test_harness
by mkeeler＠tresys.com 28 Jul '10

28 Jul '10

From: Matt Keeler <mkeeler(a)tresys.com> Check against output files not just rc,stdout and stderr. Some fixes to test files for what the actual output should be. --- testing/harness/secstate_harness/testcase.py | 82 ++++++++++++++------ .../tests/import_xccdf_tgz/commands/import.stdout | 5 +- .../output/var/lib/secstate/configs/PassComp.cfg | 2 +- testing/tests/import_xccdf_tgz/test.manifest | 1 - 4 files changed, 61 insertions(+), 29 deletions(-) diff --git a/testing/harness/secstate_harness/testcase.py b/testing/harness/secstate_harness/testcase.py index 4cae8a9..f994622 100644 --- a/testing/harness/secstate_harness/testcase.py +++ b/testing/harness/secstate_harness/testcase.py @@ -31,7 +31,7 @@ def join(lst): return ''.join(lst) class Command: - results_template = 'Command %(command_name)s Results:\n%(rc_results)s%(stdout_results)s%(stderr_results)s\n\tCommand Completed Successfully: %(success)s' + results_template = 'Command %(command_name)s Results:\n%(rc_results)s%(stdout_results)s%(stderr_results)sCommand Completed Successfully: %(success)s\n' rc_results = 'Expected RC : %(expected)s, Actual RC : %(actual)s' stdout_results = 'Expected STDOUT :\n%(expected)s\nActual STDOUT :\n%(actual)s\n' stderr_results = 'Expected STDERR :\n%(expected)s\nActual STDERR :\n%(actual)s\n' @@ -72,20 +72,24 @@ class Command: def cache_rc(self): rc_file = open(self.rc_path, 'r') - self.expected_rc = rc_file.readline().strip('\n') + self.expected_rc = int(rc_file.readline().strip('\n')) rc_file.close() def cache_stdout(self): if self.stdout_exists: stdout = open(self.stdout_path) - self.expected_stdout = stdout.readlines() + self.expected_stdout = [line.rstrip('\n') for line in stdout.readlines()] stdout.close() + if not self.expected_stdout: + self.expected_stdout = [''] def cache_stderr(self): if self.stderr_exists: stderr = open(self.stderr_path) - self.expected_stderr = stderr.readlines() + self.expected_stderr = [line.rstrip('\n') for line in stderr.readlines()] stderr.close() + if not self.expected_stderr: + self.expected_stderr = [''] def execute(self, chroot): if not self.cmd_args: @@ -116,12 +120,12 @@ class Command: return False elif not self.expected_stdout: self.cache_stdout() - - return self.stdout == self.expected_stdout + + return self.stdout != self.expected_stdout def stdout_differ_string(self): if self.does_stdout_differ(): - return self.stdout_results % {'expected' : join(tab(self.expected_stdout)), 'actual' : join(tab(self.stdout))} + return self.stdout_results % {'expected' : '\n'.join(tab(self.expected_stdout)), 'actual' : '\n'.join(tab(self.stdout))} else: return '' @@ -132,12 +136,11 @@ class Command: return False elif not self.expected_stderr: self.cache_stderr() - return self.stderr == self.expected_stderr + return self.stderr != self.expected_stderr - def stderr_differ_string(self): if self.does_stderr_differ(): - return self.stderr_results % { 'expected' : tab(self.expected_stderr), 'actual' : tab(self.stderr)} + return self.stderr_results % { 'expected' : '\n'.join(tab(self.expected_stderr)), 'actual' : '\n'.join(tab(self.stderr))} else: return '' @@ -148,7 +151,7 @@ class Command: return False elif not self.expected_rc: self.cache_rc() - return self.rc == self.expected_rc + return self.rc != self.expected_rc def rc_differ_string(self): if self.does_rc_differ(): @@ -158,9 +161,9 @@ class Command: def get_results_string(self): rep = { 'command_name' : self.command_name, - 'rc_results' : self.rc_differ_string() + '\n' if self.rc_differ_string() else '', - 'stdout_results' : join(tab(self.stdout_differ_string().split('\n'))) + '\n' if self.rc_differ_string() else '', - 'stderr_results' : '%s\n' % join(tab(self.stderr_differ_string().split('\n'))) + '\n' if self.rc_differ_string() else '', + 'rc_results' : (join(tab([self.rc_differ_string()])) + '\n') if self.does_rc_differ() else join(tab(['Expected RC matches Actual RC\n'])), + 'stdout_results' : ('\n'.join(tab(self.stdout_differ_string().split('\n'))) + '\n') if self.does_stdout_differ() else join(tab(['Expect STDOUT matches Actual STDOUT\n'])), + 'stderr_results' : ('\n'.join(tab(self.stderr_differ_string().split('\n'))) + '\n') if self.does_stderr_differ() else join(tab(['Expect STDERR matches Actual STDERR\n'])), 'success' : not (self.does_rc_differ() or self.does_stdout_differ() or self.does_stderr_differ())} return self.results_template % rep @@ -233,7 +236,34 @@ class TestCase: shutil.copy2(fpath, os.path.join(chroot_dir, basename)) def check_output_files(self): - pass + rc = True + expected = 'Expected File Contents:\n%s' + actual = 'Actual File Contents:\n%s' + fdiffer = 'Output File %(oname)s differs:\n%(expected)s\n%(actual)s\n' + output_path = os.path.join(self.files_dir, 'output') + for root,dirs,files in os.walk(output_path): + for file in files: + opath = os.path.join(root, file) + dirname = re.sub(r'^%s(.*)' % re.escape(output_path), r'\1', root).lstrip(os.path.sep) + cpath = os.path.join(self.chroot, dirname, file) + + ofile = open(opath) + otext = ofile.readlines() + ofile.close() + + cfile = open(cpath) + ctext = cfile.readlines() + cfile.close() + + if otext != ctext: + rc = False + etext = '\n'.join(tab((expected % join(tab(otext))).split('\n'))) + atext = '\n'.join(tab((actual % join(tab(ctext))).split('\n'))) + dtext = fdiffer % {'oname' : os.path.join(dirname,file), 'expected' : etext, 'actual' : atext} + sys.stdout.write('\n'.join(tab(dtext.rstrip('\n').split('\n'))) + '\n') + if rc: + sys.stdout.write('\n'.join(tab(['All Output Files matched expected output'])) + '\n\n') + return rc def run_test(self): sys.stdout.write('Test %s:\n' % self.test_name) @@ -243,9 +273,11 @@ class TestCase: if rc: rc = self.__run_verification() if rc: - sys.stdout.write('Test %s Completed Successfully: True\n' % self.test_name) - return True - sys.stdout.write('Test %s Completed Successfully: False\n' % self.tests_name) + rc = self.check_output_files() + if rc: + sys.stdout.write('Test %s Completed Successfully: True\n' % self.test_name) + return True + sys.stdout.write('Test %s Completed Successfully: False\n' % self.test_name) return False def __run_requires(self): @@ -259,12 +291,12 @@ class TestCase: if cmd.does_rc_differ() or cmd.does_stdout_differ() or cmd.does_stderr_differ(): cmds_ok = False - sys.stdout.write('%s\n\n' % '\n'.join(tab(cmd.get_results_string().split('\n'), num_tabs=2))) + sys.stdout.write('%s\n' % '\n'.join(tab(cmd.get_results_string().split('\n'), num_tabs=2))) if not cmds_ok: break - sys.stdout.write(join(tab(['Requires Section Completed Successfully: %s\n' % str(cmds_ok)]))) + sys.stdout.write(join(tab(['Requires Section Completed Successfully: %s\n\n' % str(cmds_ok)]))) return cmds_ok def __run_tests(self): @@ -275,12 +307,12 @@ class TestCase: if cmd.does_rc_differ() or cmd.does_stdout_differ() or cmd.does_stderr_differ(): cmds_ok = False - sys.stdout.write('%s\n\n' % '\n'.join(tab(cmd.get_results_string().split('\n'), num_tabs=2))) + sys.stdout.write('%s\n' % '\n'.join(tab(cmd.get_results_string().split('\n'), num_tabs=2))) if not cmds_ok: break - sys.stdout.write(join(tab(['Tests Section Completed Successfully: %s\n' % str(cmds_ok)]))) + sys.stdout.write(join(tab(['Tests Section Completed Successfully: %s\n\n' % str(cmds_ok)]))) return cmds_ok def __run_verification(self): @@ -293,11 +325,11 @@ class TestCase: if cmd.does_rc_differ() or cmd.does_stdout_differ() or cmd.does_stderr_differ(): cmds_ok = False - sys.stdout.write('%s\n\n' % '\n'.join(tab(cmd.get_results_string().split('\n'), num_tabs=2))) + sys.stdout.write('%s\n' % '\n'.join(tab(cmd.get_results_string().split('\n'), num_tabs=2))) if not cmds_ok: break - sys.stdout.write(join(tab(['Verification Section Completed Successfully: %s\n' % str(cmds_ok)]))) + sys.stdout.write(join(tab(['Verification Section Completed Successfully: %s\n\n' % str(cmds_ok)]))) return cmds_ok - \ No newline at end of file + diff --git a/testing/tests/import_xccdf_tgz/commands/import.stdout b/testing/tests/import_xccdf_tgz/commands/import.stdout index 177b335..8151aeb 100644 --- a/testing/tests/import_xccdf_tgz/commands/import.stdout +++ b/testing/tests/import_xccdf_tgz/commands/import.stdout @@ -1,6 +1,7 @@ 2-19PasswordComplexity_Lowercase.xml -2-22PasswordComplexity_Special.xml 2-20PasswordComplexity_MinLen.xml 2-21PasswordComplexity_Numeric.xml -PassComp.xccdf.xml 2-23PasswordComplexity_Uppercase.xml +2-22PasswordComplexity_Special.xml +PassComp.xccdf.xml + diff --git a/testing/tests/import_xccdf_tgz/files/output/var/lib/secstate/configs/PassComp.cfg b/testing/tests/import_xccdf_tgz/files/output/var/lib/secstate/configs/PassComp.cfg index 46852ed..e589a45 100644 --- a/testing/tests/import_xccdf_tgz/files/output/var/lib/secstate/configs/PassComp.cfg +++ b/testing/tests/import_xccdf_tgz/files/output/var/lib/secstate/configs/PassComp.cfg @@ -1,4 +1,4 @@ [PassComp] selected = True -file = PassComp.xccdf.xml +file = /var/lib/secstate/benchmarks/PassComp/PassComp.xccdf.xml diff --git a/testing/tests/import_xccdf_tgz/test.manifest b/testing/tests/import_xccdf_tgz/test.manifest index e6ed303..566cd6f 100644 --- a/testing/tests/import_xccdf_tgz/test.manifest +++ b/testing/tests/import_xccdf_tgz/test.manifest @@ -1,5 +1,4 @@ [requires] -usage [test] import -- 1.6.5.2

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

SecState-devel July 2010