|
Packit |
517ee8 |
# This file is a wrapper for python API for openscap
|
|
Packit |
517ee8 |
# library
|
|
Packit |
517ee8 |
#
|
|
Packit |
517ee8 |
# Copyright 2010 Red Hat Inc., Durham, North Carolina.
|
|
Packit |
517ee8 |
# All Rights Reserved.
|
|
Packit |
517ee8 |
#
|
|
Packit |
517ee8 |
# This library is free software; you can redistribute it and/or
|
|
Packit |
517ee8 |
# modify it under the terms of the GNU Lesser General Public
|
|
Packit |
517ee8 |
# License as published by the Free Software Foundation; either
|
|
Packit |
517ee8 |
# version 2.1 of the License, or (at your option) any later version.
|
|
Packit |
517ee8 |
#
|
|
Packit |
517ee8 |
# This library is distributed in the hope that it will be useful,
|
|
Packit |
517ee8 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit |
517ee8 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Packit |
517ee8 |
# Lesser General Public License for more details.
|
|
Packit |
517ee8 |
#
|
|
Packit |
517ee8 |
# You should have received a copy of the GNU Lesser General Public
|
|
Packit |
517ee8 |
# License along with this library; if not, write to the Free Software
|
|
Packit |
517ee8 |
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
Packit |
517ee8 |
#
|
|
Packit |
517ee8 |
# Authors:
|
|
Packit |
517ee8 |
# Maros Barabas <mbarabas@redhat.com>
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
"""Python module for openscap implementing openscap API
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
__author__ = 'Maros Barabas'
|
|
Packit |
517ee8 |
__version__ = '1.0'
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
import logging # Logger for debug/info/error messages
|
|
Packit |
517ee8 |
import re
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
logger = logging.getLogger("openscap")
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
from sys import version_info
|
|
Packit |
517ee8 |
if version_info >= (2, 6, 0):
|
|
Packit |
517ee8 |
def _import_helper():
|
|
Packit |
517ee8 |
from os.path import dirname
|
|
Packit |
517ee8 |
import imp
|
|
Packit |
517ee8 |
fp = None
|
|
Packit |
517ee8 |
try:
|
|
Packit |
517ee8 |
fp, pathname, description = imp.find_module(
|
|
Packit |
517ee8 |
'_openscap_py', [dirname(__file__)])
|
|
Packit |
517ee8 |
except ImportError:
|
|
Packit |
517ee8 |
import _openscap_py as OSCAP
|
|
Packit |
517ee8 |
return OSCAP
|
|
Packit |
517ee8 |
if fp is not None:
|
|
Packit |
517ee8 |
try:
|
|
Packit |
517ee8 |
_mod = imp.load_module(
|
|
Packit |
517ee8 |
'_openscap_py', fp, pathname, description)
|
|
Packit |
517ee8 |
finally:
|
|
Packit |
517ee8 |
fp.close()
|
|
Packit |
517ee8 |
return _mod
|
|
Packit |
517ee8 |
OSCAP = _import_helper()
|
|
Packit |
517ee8 |
del _import_helper
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
import _openscap_py as OSCAP
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
del version_info
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
import os
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def extract_type_from_obj(obj):
|
|
Packit |
517ee8 |
# Extract the name of structure from the representation of the object
|
|
Packit |
517ee8 |
# "<Swig Object of type 'struct xccdf_result_iterator *' at 0x7f8f65fc1390>"
|
|
Packit |
517ee8 |
# or "<Swig Object of type 'oval_agent_session_t *' at 0x7f9aa2cdf360>"
|
|
Packit |
517ee8 |
return re.findall(r"type '(struct )?(\b\S*\b)", obj.__repr__())[0][1]
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
class OSCAP_List(list):
|
|
Packit |
517ee8 |
"""OSCAP List class is designed to store lists generated from openscap iterators.
|
|
Packit |
517ee8 |
All functions that return iterators are preprocessed by creation of OSCAP List instance
|
|
Packit |
517ee8 |
and move all objects given by oscap list iteration loop to list.
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
OSCAP List class implement standard Python list."""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def remove(self, item):
|
|
Packit |
517ee8 |
"""Function to remove item from list. This removed item should be also
|
|
Packit |
517ee8 |
removed from parent oscap list. This function is supported only if there exists
|
|
Packit |
517ee8 |
reset function on iterators. Exception is throwed otherwise."""
|
|
Packit |
517ee8 |
try:
|
|
Packit |
517ee8 |
self.iterator.reset()
|
|
Packit |
517ee8 |
while self.iterator.has_more():
|
|
Packit |
517ee8 |
litem = self.iterator.next()
|
|
Packit |
517ee8 |
if (type(item) == str and type(litem) == str and litem == item) or \
|
|
Packit |
517ee8 |
("instance" in item.__dict__ and litem.instance == item.instance):
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
self.iterator.remove()
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
'''
|
|
Packit |
517ee8 |
Warning, list.remove(self, item) will fail because python yield
|
|
Packit |
517ee8 |
a new reference at each loop. So wee need to loop again into the python list,
|
|
Packit |
517ee8 |
get the new reference and remove it. Demo:
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
print(item.instance)
|
|
Packit |
517ee8 |
print(litem.instance)
|
|
Packit |
517ee8 |
print(litem.instance == item.instance)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
RETURNS:
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
<Swig Object of type 'struct xccdf_refine_value *' at 0x7ff85ed73bd0>
|
|
Packit |
517ee8 |
<Swig Object of type 'struct xccdf_refine_value *' at 0x7ff85ed73c90>
|
|
Packit |
517ee8 |
True
|
|
Packit |
517ee8 |
'''
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
for i in self[:]:
|
|
Packit |
517ee8 |
if "instance" in item.__dict__ and i.instance == item.instance:
|
|
Packit |
517ee8 |
list.remove(self, i)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
except NameError:
|
|
Packit |
517ee8 |
raise Exception("Removing %s items throught oscap list is not allowed. "
|
|
Packit |
517ee8 |
"Please use appropriate function."
|
|
Packit |
517ee8 |
% (self.iterator.object[:self.iterator.object.find("_iterator")],))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __del__(self):
|
|
Packit |
517ee8 |
"""Free the list structure"""
|
|
Packit |
517ee8 |
self.iterator.free()
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def generate(self, iterator):
|
|
Packit |
517ee8 |
"""Generate all object from oscap list throught iterators and store them in list object.
|
|
Packit |
517ee8 |
Do not call this function on your own !"""
|
|
Packit |
517ee8 |
self.iterator = iterator
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
while iterator.has_more():
|
|
Packit |
517ee8 |
list.append(self, iterator.next())
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def append(self, item, n=1):
|
|
Packit |
517ee8 |
"""This function is not allowed. Please use appropriate function from library."""
|
|
Packit |
517ee8 |
raise Exception("Append %s item throught oscap list is not allowed. "
|
|
Packit |
517ee8 |
"Please use appropriate function."
|
|
Packit |
517ee8 |
% (self.iterator.object[:self.iterator.object.find("_iterator")],))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def extend(self, item, n=1):
|
|
Packit |
517ee8 |
"""This function is not allowed. Please use appropriate function from library."""
|
|
Packit |
517ee8 |
raise Exception("Extending %s items throught oscap list is not allowed. "
|
|
Packit |
517ee8 |
"Please use appropriate function."
|
|
Packit |
517ee8 |
% (self.iterator.object[:self.iterator.object.find("_iterator")],))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def insert(self, item, n=1):
|
|
Packit |
517ee8 |
"""This function is not allowed. Please use appropriate function from library."""
|
|
Packit |
517ee8 |
raise Exception("Inserting %s items to oscap list is not allowed. "
|
|
Packit |
517ee8 |
"Please use appropriate function."
|
|
Packit |
517ee8 |
% (self.iterator.object[:self.iterator.object.find("_iterator")],))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def sort(self, item, n=1):
|
|
Packit |
517ee8 |
"""This function is not allowed. Please use appropriate function from library."""
|
|
Packit |
517ee8 |
raise Exception("Sorting %s items in oscap list is not allowed."
|
|
Packit |
517ee8 |
% (self.iterator.object[:self.iterator.object.find("_iterator")],))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def reverse(self, item, n=1):
|
|
Packit |
517ee8 |
"""This function is not allowed. Please use appropriate function from library."""
|
|
Packit |
517ee8 |
raise Exception("Reversing %s items in oscap list is not allowed."
|
|
Packit |
517ee8 |
% (self.iterator.object[:self.iterator.object.find("_iterator")],))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
class OSCAP_Object(object):
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
Abstract class that represents all structures, functions and averything from
|
|
Packit |
517ee8 |
openscap library. Each structure from library is mapped inside OSCAP Object
|
|
Packit |
517ee8 |
with "object" and "instance" parameters.
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
"object" is variable of this class that keeps string representation of
|
|
Packit |
517ee8 |
type of the structure
|
|
Packit |
517ee8 |
"instance" is a variable of this class that keeps the pointer to the real
|
|
Packit |
517ee8 |
C structure.
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __init__(self, object, instance=None):
|
|
Packit |
517ee8 |
""" Called when the instance is created """
|
|
Packit |
517ee8 |
dict.__setattr__(self, "object", object)
|
|
Packit |
517ee8 |
dict.__setattr__(self, "instance", instance)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
@staticmethod
|
|
Packit |
517ee8 |
def new(retobj):
|
|
Packit |
517ee8 |
if type(retobj).__name__ in ('SwigPyObject', 'PySwigObject'):
|
|
Packit |
517ee8 |
return OSCAP_Object(extract_type_from_obj(retobj), retobj)
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
return retobj
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __eq__(self, other):
|
|
Packit |
517ee8 |
""" Two OSCAP Objects are compared by their string representations
|
|
Packit |
517ee8 |
which reflect type and instance.
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
return str.__eq__(self.__repr__(), other.__repr__())
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __repr__(self):
|
|
Packit |
517ee8 |
return "<Oscap Object of type '%s' with instance '%s'>" % (self.object, self.instance)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __func_wrapper(self, func, value=None):
|
|
Packit |
517ee8 |
""" This is only a wrapper for getter_wrapper - another wrapper for
|
|
Packit |
517ee8 |
openscap library functions.
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __getter_wrapper(*args, **kwargs):
|
|
Packit |
517ee8 |
""" This function is a wrapper for function objects of openscap library.
|
|
Packit |
517ee8 |
Each function is called with variable number of parameters cause we don't
|
|
Packit |
517ee8 |
know how many parameters each function takes. This is based on try-except
|
|
Packit |
517ee8 |
methot that we try to call the function and if it fell down we try another
|
|
Packit |
517ee8 |
number of parameters.
|
|
Packit |
517ee8 |
This is based on knowledge that C language will always
|
|
Packit |
517ee8 |
cause error when the function is called with wrong number of parameters.
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
newargs = ()
|
|
Packit |
517ee8 |
for arg in args:
|
|
Packit |
517ee8 |
if isinstance(arg, OSCAP_Object):
|
|
Packit |
517ee8 |
newargs += (arg.instance,)
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
newargs += (arg,)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
try:
|
|
Packit |
517ee8 |
retobj = func()
|
|
Packit |
517ee8 |
except TypeError as err:
|
|
Packit |
517ee8 |
try:
|
|
Packit |
517ee8 |
retobj = func(*newargs)
|
|
Packit |
517ee8 |
except TypeError as err:
|
|
Packit |
517ee8 |
if self.instance:
|
|
Packit |
517ee8 |
try:
|
|
Packit |
517ee8 |
retobj = func(self.instance)
|
|
Packit |
517ee8 |
except TypeError as err:
|
|
Packit |
517ee8 |
try:
|
|
Packit |
517ee8 |
retobj = func(self.instance, *newargs)
|
|
Packit |
517ee8 |
except TypeError as err:
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"Wrong number of arguments in function %s" % (func.__name__,))
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"%s: No instance or wrong number of parameters" % (func.__name__))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if retobj is None:
|
|
Packit |
517ee8 |
return None
|
|
Packit |
517ee8 |
elif retobj.__str__().find("iterator") != -1:
|
|
Packit |
517ee8 |
# We have an iterator here
|
|
Packit |
517ee8 |
list = OSCAP_List()
|
|
Packit |
517ee8 |
list.generate(OSCAP_Object.new(retobj))
|
|
Packit |
517ee8 |
list.object = self.object
|
|
Packit |
517ee8 |
return list
|
|
Packit |
517ee8 |
return OSCAP_Object.new(retobj)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
return __getter_wrapper
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def introspect_all(self):
|
|
Packit |
517ee8 |
""" Listing all builtin functions accessible through SWIG """
|
|
Packit |
517ee8 |
return OSCAP.__dict__
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def introspect_functions(self):
|
|
Packit |
517ee8 |
''' Returns all builtin function accessible through SWIG
|
|
Packit |
517ee8 |
which is corresponding to the current object
|
|
Packit |
517ee8 |
'''
|
|
Packit |
517ee8 |
funcs = dict()
|
|
Packit |
517ee8 |
for (k, v) in OSCAP.__dict__.items():
|
|
Packit |
517ee8 |
if k.startswith(self.object):
|
|
Packit |
517ee8 |
funcs[k] = v
|
|
Packit |
517ee8 |
return funcs
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def introspect_constants(self, value=None, prefix=None):
|
|
Packit |
517ee8 |
'''
|
|
Packit |
517ee8 |
Returns constants names / values, given a value and/or a name filter (regex)
|
|
Packit |
517ee8 |
Example, introspect_constants(1, "XCCDF_RESULT") returns {XCCDF_RESULT_PASS: 1}
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
!!! constants are here designated by C enums (=> numeric value)
|
|
Packit |
517ee8 |
'''
|
|
Packit |
517ee8 |
return {k: v for k, v in OSCAP.__dict__.items() if (value is None or v == value) and
|
|
Packit |
517ee8 |
(isinstance(v, int)) and (prefix is None or k.startswith(prefix))}
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __getattr__(self, name):
|
|
Packit |
517ee8 |
""" Called when an attribute lookup has not found the attribute in the usual places (i.e.
|
|
Packit |
517ee8 |
it is not an instance attribute nor is it found in the class tree for self). name is
|
|
Packit |
517ee8 |
the attribute name."""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if name == "export" and self.object == "xccdf_policy":
|
|
Packit |
517ee8 |
return self.policy_export
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if name in self.__dict__:
|
|
Packit |
517ee8 |
return self.__dict__[name]
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# cache self.object + "_" + name for perf / clearness purpose
|
|
Packit |
517ee8 |
obj_name = self.object + "_" + name
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
""" Catch potential C function overriden in OSCAP_Object
|
|
Packit |
517ee8 |
like xccdf_session_set_rule or xccdf_session_free for instance. """
|
|
Packit |
517ee8 |
if obj_name in dir(OSCAP_Object):
|
|
Packit |
517ee8 |
func = getattr(OSCAP_Object, obj_name)
|
|
Packit |
517ee8 |
if callable(func):
|
|
Packit |
517ee8 |
return self.__func_wrapper(func)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# If attribute is not in a local dictionary, look for it in a library
|
|
Packit |
517ee8 |
func = OSCAP.__dict__.get(name)
|
|
Packit |
517ee8 |
if func is not None:
|
|
Packit |
517ee8 |
return func
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
""" Looking for function object_subject() """
|
|
Packit |
517ee8 |
obj = OSCAP.__dict__.get(obj_name)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if obj is not None:
|
|
Packit |
517ee8 |
if callable(obj):
|
|
Packit |
517ee8 |
return self.__func_wrapper(obj)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
""" Looking for function object_get_subject() """
|
|
Packit |
517ee8 |
obj = OSCAP.__dict__.get(self.object + "_get_" + name)
|
|
Packit |
517ee8 |
if obj is not None:
|
|
Packit |
517ee8 |
try:
|
|
Packit |
517ee8 |
return self.__func_wrapper(obj)()
|
|
Packit |
517ee8 |
except:
|
|
Packit |
517ee8 |
return self.__func_wrapper(obj)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
""" Looking if it can be a constructor """
|
|
Packit |
517ee8 |
obj = OSCAP.__dict__.get(obj_name + "_new")
|
|
Packit |
517ee8 |
if obj is not None:
|
|
Packit |
517ee8 |
# this will call the __call__ definition of OSCAP_Object
|
|
Packit |
517ee8 |
return OSCAP_Object(obj_name)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
""" There is not function with the name 'name' let return the OSCAP_Object """
|
|
Packit |
517ee8 |
raise AttributeError("Attribute {0} not found for object {1}"
|
|
Packit |
517ee8 |
.format(name, self.object))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __dir__(self):
|
|
Packit |
517ee8 |
"""Lists all attributes inside this object.
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
This is mainly used by auto-completion and for dir(obj) in interactive prompt.
|
|
Packit |
517ee8 |
(only available in Python 2.6 and newer but doesn't hurt anything in older Pythons)
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
ret = list()
|
|
Packit |
517ee8 |
ret.extend(dir(type(self)))
|
|
Packit |
517ee8 |
ret.extend(list(self.__dict__))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# we intentionally don't add all functions from the library, having
|
|
Packit |
517ee8 |
# them in getattr has IMO not been the right call, they would just
|
|
Packit |
517ee8 |
# clutter everything...
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
for key, v in OSCAP.__dict__.items():
|
|
Packit |
517ee8 |
if key.startswith(self.object + "_"):
|
|
Packit |
517ee8 |
# the getattr wrapper only deals with callables
|
|
Packit |
517ee8 |
if callable(OSCAP.__dict__[key]):
|
|
Packit |
517ee8 |
ret.append(key[len(self.object) + 1:])
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# we also don't add the object_get_{name} methods as {name}, it IMO
|
|
Packit |
517ee8 |
# only allows bugs to pass as working code
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
return sorted(ret)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __call__(self, *args, **kwargs):
|
|
Packit |
517ee8 |
newargs = ()
|
|
Packit |
517ee8 |
for arg in args:
|
|
Packit |
517ee8 |
if isinstance(arg, OSCAP_Object):
|
|
Packit |
517ee8 |
newargs += (arg.instance,)
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
newargs += (arg,)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# It's maybe looking for "new" ?
|
|
Packit |
517ee8 |
obj = OSCAP.__dict__.get(self.object + "_new")
|
|
Packit |
517ee8 |
if obj is not None:
|
|
Packit |
517ee8 |
return OSCAP_Object.new(obj(*newargs))
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
raise NameError("name '" + self.object + "' is not defined")
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __setattr__(self, name, value):
|
|
Packit |
517ee8 |
if name in self.__dict__:
|
|
Packit |
517ee8 |
return self.__dict__[name]
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
obj = OSCAP.__dict__.get(self.object + "_set_" + name)
|
|
Packit |
517ee8 |
if obj is None:
|
|
Packit |
517ee8 |
obj = OSCAP.__dict__.get(self.object + "_add_" + name)
|
|
Packit |
517ee8 |
if obj is None:
|
|
Packit |
517ee8 |
return None
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if isinstance(value, OSCAP_Object):
|
|
Packit |
517ee8 |
value = value.instance
|
|
Packit |
517ee8 |
return obj(self.instance, value)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
def __del__(self):
|
|
Packit |
517ee8 |
#print "Free ", self.object
|
|
Packit |
517ee8 |
if "instance" in self.__dict__ and self.__dict__["instance"] != None:
|
|
Packit |
517ee8 |
# In what situations we need to free objects ?
|
|
Packit |
517ee8 |
if self.object.find("iterator") > -1:
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
self.free()
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def free(self):
|
|
Packit |
517ee8 |
if self.object == "oval_agent_session":
|
|
Packit |
517ee8 |
return OSCAP.oval_agent_destroy_session(self.instance)
|
|
Packit |
517ee8 |
# print "Free on demand ", self.object
|
|
Packit |
517ee8 |
if "instance" in self.__dict__ and self.__dict__["instance"] is not None:
|
|
Packit |
517ee8 |
obj = OSCAP.__dict__.get(self.object + "_free")
|
|
Packit |
517ee8 |
if obj is not None:
|
|
Packit |
517ee8 |
if callable(obj):
|
|
Packit |
517ee8 |
obj(self.__dict__["instance"])
|
|
Packit |
517ee8 |
dict.__setattr__(self, "instance", None)
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
raise Exception("Can't free %s" % (self.object,))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
""" ********* Implementation of non-trivial functions ********* """
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def xccdf_session_set_rule(self, rule):
|
|
Packit |
517ee8 |
OSCAP.xccdf_session_set_rule_py(self, rule)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# helper function to find easily the result of a single rule
|
|
Packit |
517ee8 |
# should be called in the context of a xccdf_session_set_rule
|
|
Packit |
517ee8 |
def xccdf_session_get_rule_result(self, rule):
|
|
Packit |
517ee8 |
self = OSCAP_Object("xccdf_session", self)
|
|
Packit |
517ee8 |
rs = self.get_xccdf_policy().get_results()[-1] # get last value
|
|
Packit |
517ee8 |
for rr in rs.get_rule_results():
|
|
Packit |
517ee8 |
if rule == rr.get_idref():
|
|
Packit |
517ee8 |
return rr
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def xccdf_session_free(self):
|
|
Packit |
517ee8 |
OSCAP.xccdf_session_free_py(self)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __start_callback(self, rule, obj):
|
|
Packit |
517ee8 |
return obj[0](OSCAP_Object("xccdf_rule", rule), obj[1])
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __output_callback(self, result, obj):
|
|
Packit |
517ee8 |
# the returned object can be a rule_result or an oval_definition_result,
|
|
Packit |
517ee8 |
# so I extract the right name from the object repr.
|
|
Packit |
517ee8 |
return obj[0](OSCAP_Object(extract_type_from_obj(result), result), obj[1])
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def register_start_callback(self, cb, usr):
|
|
Packit |
517ee8 |
if self.object != "xccdf_policy_model":
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"Wrong call of register_start_callback function on %s" % (self.object,))
|
|
Packit |
517ee8 |
return OSCAP.xccdf_policy_model_register_start_callback_py(
|
|
Packit |
517ee8 |
self.instance, self.__start_callback, (cb, usr))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def register_output_callback(self, cb, usr):
|
|
Packit |
517ee8 |
if self.object != "xccdf_policy_model":
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"Wrong call of register_output_callback function on %s" % (self.object,))
|
|
Packit |
517ee8 |
return OSCAP.xccdf_policy_model_register_output_callback_py(
|
|
Packit |
517ee8 |
self.instance, self.__output_callback, (cb, usr))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def register_engine_oval(self, sess):
|
|
Packit |
517ee8 |
if self.object != "xccdf_policy_model":
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"Wrong call of register_engine_oval function on %s" % (self.object,))
|
|
Packit |
517ee8 |
return OSCAP.xccdf_policy_model_register_engine_oval(self.instance, sess.instance)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def register_engine_sce(self, parameters):
|
|
Packit |
517ee8 |
if self.object != "xccdf_policy_model":
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"Wrong call of register_engine_sce function on %s" % (self.object,))
|
|
Packit |
517ee8 |
return OSCAP.xccdf_policy_model_register_engine_sce(self.instance, parameters.instance)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def agent_eval_system(self, sess, cb, usr):
|
|
Packit |
517ee8 |
if self.object != "oval":
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"Wrong call of oval_agent_eval_system function on %s" % (self.object,))
|
|
Packit |
517ee8 |
return OSCAP.oval_agent_eval_system_py(sess.instance, self.__output_callback, (cb, usr))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def query_sysinfo(self):
|
|
Packit |
517ee8 |
if self.object != "oval_probe_session_t":
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"Wrong call of oval_probe_session_query_sysinfo function on %s" % (self.object,))
|
|
Packit |
517ee8 |
return OSCAP.oval_probe_session_query_sysinfo(self.instance)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def query_objects(self):
|
|
Packit |
517ee8 |
if self.object != "oval_probe_session_t":
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"Wrong call of oval_probe_session_query_objects function on %s" % (self.object,))
|
|
Packit |
517ee8 |
return OSCAP.oval_probe_session_query_objects(self.instance)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
""" ********* Implementation of required high level functions ********* """
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def get_all_values(self):
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# first ensure that we are using an item (or convert to it otherwise)
|
|
Packit |
517ee8 |
if self.object != "xccdf_item":
|
|
Packit |
517ee8 |
item = self.to_item()
|
|
Packit |
517ee8 |
if item is None:
|
|
Packit |
517ee8 |
return None
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
item = self
|
|
Packit |
517ee8 |
values = []
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if item.type == OSCAP.XCCDF_BENCHMARK:
|
|
Packit |
517ee8 |
values.extend(item.to_benchmark().values)
|
|
Packit |
517ee8 |
elif item.type == OSCAP.XCCDF_GROUP:
|
|
Packit |
517ee8 |
values.extend(item.to_group().values)
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
return []
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
for content in item.content:
|
|
Packit |
517ee8 |
values.extend(content.get_all_values())
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
return values
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def get_values_by_rule_id(self, id, check=None):
|
|
Packit |
517ee8 |
"""get_values_by_rule_id -- Get all Value elements that are referenced by rule with specified ID
|
|
Packit |
517ee8 |
If check is not None, then it is (very ugly) recursive call
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if self.object != "xccdf_policy":
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"Wrong call of \"get_values_by_rule_id\" function. "
|
|
Packit |
517ee8 |
"Should be xccdf_policy (have %s)" % (self.object,))
|
|
Packit |
517ee8 |
items = []
|
|
Packit |
517ee8 |
values = []
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# Case 1: check is not None -- we have recursive call
|
|
Packit |
517ee8 |
if check is not None:
|
|
Packit |
517ee8 |
if check.complex:
|
|
Packit |
517ee8 |
# This check is complext so there is more checks within
|
|
Packit |
517ee8 |
for child in check.children:
|
|
Packit |
517ee8 |
values.extend(self.get_values_by_rule_id(id, check=child))
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
for export in check.exports:
|
|
Packit |
517ee8 |
values.append(export.value)
|
|
Packit |
517ee8 |
return values
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# Case 2: check is None -- this is regular call of function
|
|
Packit |
517ee8 |
item = self.model.benchmark.get_item(id)
|
|
Packit |
517ee8 |
if item.type != OSCAP.XCCDF_RULE:
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"Wrong type of item with id \"%s\". Expected XCCDF_RULE, got " % (id, item.type))
|
|
Packit |
517ee8 |
rule = item.to_rule()
|
|
Packit |
517ee8 |
for check in rule.checks:
|
|
Packit |
517ee8 |
if check.complex:
|
|
Packit |
517ee8 |
# This check is complext so there is more checks within
|
|
Packit |
517ee8 |
for child in check.children:
|
|
Packit |
517ee8 |
values.extend(self.get_values_by_rule_id(id, check=child))
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
for export in check.exports:
|
|
Packit |
517ee8 |
values.append(export.value)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
for value in self.model.benchmark.get_all_values():
|
|
Packit |
517ee8 |
if value.id in values:
|
|
Packit |
517ee8 |
items.append(self.__parse_value(value))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
return items
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __parse_value(self, value):
|
|
Packit |
517ee8 |
''' Used by get_tailoring_items() '''
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# update the local lang lists
|
|
Packit |
517ee8 |
def __update_lang(item, lang):
|
|
Packit |
517ee8 |
if lang not in item["langs"]:
|
|
Packit |
517ee8 |
item["langs"].add(lang)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# get value properties
|
|
Packit |
517ee8 |
item = {}
|
|
Packit |
517ee8 |
item["id"] = value.id
|
|
Packit |
517ee8 |
item["langs"] = {self.model.benchmark.lang} # set of available langs
|
|
Packit |
517ee8 |
item["lang"] = self.model.benchmark.lang # legacy support of item["lang"]
|
|
Packit |
517ee8 |
item["titles"] = {}
|
|
Packit |
517ee8 |
item["descs"] = {}
|
|
Packit |
517ee8 |
# Titles / Questions
|
|
Packit |
517ee8 |
if len(value.question):
|
|
Packit |
517ee8 |
for question in value.question:
|
|
Packit |
517ee8 |
item["titles"][question.lang] = question.text
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
for title in value.title:
|
|
Packit |
517ee8 |
__update_lang(item, title.lang)
|
|
Packit |
517ee8 |
item["titles"][title.lang] = title.text
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if item["lang"] not in item["titles"]:
|
|
Packit |
517ee8 |
item["titles"][item["lang"]] = ""
|
|
Packit |
517ee8 |
# Descriptions
|
|
Packit |
517ee8 |
for desc in value.description:
|
|
Packit |
517ee8 |
__update_lang(item, desc.lang)
|
|
Packit |
517ee8 |
item["descs"][desc.lang] = desc.text
|
|
Packit |
517ee8 |
if item["lang"] not in item["descs"]:
|
|
Packit |
517ee8 |
item["descs"][item["lang"]] = ""
|
|
Packit |
517ee8 |
# Type
|
|
Packit |
517ee8 |
item["type"] = value.type
|
|
Packit |
517ee8 |
# Values
|
|
Packit |
517ee8 |
item["options"] = {}
|
|
Packit |
517ee8 |
item["choices"] = {}
|
|
Packit |
517ee8 |
for instance in value.instances:
|
|
Packit |
517ee8 |
item["options"][instance.selector] = instance.value
|
|
Packit |
517ee8 |
if len(instance.choices):
|
|
Packit |
517ee8 |
item["choices"][instance.selector] = instance.choices
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# Get regexp match from match of elements
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# Get regexp match from match elements
|
|
Packit |
517ee8 |
item["match"] = "|".join([i.match for i in value.instances if i.match])
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# Get regexp match from type of value
|
|
Packit |
517ee8 |
if not len(item["match"]):
|
|
Packit |
517ee8 |
item["match"] = ["", "^[\\d]+$", "^.*$", "^[01]$"][value.type]
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if self.profile is not None:
|
|
Packit |
517ee8 |
for r_value in self.profile.refine_values:
|
|
Packit |
517ee8 |
if r_value.item == value.id:
|
|
Packit |
517ee8 |
item["selected"] = ( # will return None if invalid selector TODO: raise err ?
|
|
Packit |
517ee8 |
r_value.selector, item["options"].get(r_value.selector))
|
|
Packit |
517ee8 |
for s_value in self.profile.setvalues:
|
|
Packit |
517ee8 |
if s_value.item == value.id:
|
|
Packit |
517ee8 |
item["selected"] = ('', s_value.value)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if "selected" not in item:
|
|
Packit |
517ee8 |
if "" in item["options"]:
|
|
Packit |
517ee8 |
item["selected"] = ('', item["options"][""])
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
item["selected"] = ('', '')
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
print "ID: \r\t\t", item["id"]
|
|
Packit |
517ee8 |
print "Language: \r\t\t", item["lang"]
|
|
Packit |
517ee8 |
print "Titles: \r\t\t", item["titles"]
|
|
Packit |
517ee8 |
print "Descriptions: \r\t\t", item["descs"]
|
|
Packit |
517ee8 |
print "Type: \r\t\t", ["", "Number", "String", "Boolean"][item["type"]]
|
|
Packit |
517ee8 |
print "Options: \r\t\t", item["options"]
|
|
Packit |
517ee8 |
print "Choices: \r\t\t", item["choices"]
|
|
Packit |
517ee8 |
print "Match: \r\t\t", item["match"]
|
|
Packit |
517ee8 |
print "Selected: \r\t\t", item["selected"]
|
|
Packit |
517ee8 |
print
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
return item
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def get_tailor_items(self):
|
|
Packit |
517ee8 |
"""xccdf_policy.get_tailor_items() -- Get all items that can be tailored by tool.
|
|
Packit |
517ee8 |
Function will return all values that can be tailored by specified XCCDF Policy's Profile
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
Function will return list of items where item is dictionary with key representation:
|
|
Packit |
517ee8 |
"id" - id of value
|
|
Packit |
517ee8 |
"lang" - default language of document
|
|
Packit |
517ee8 |
"titles" - list of tuples (language, title)
|
|
Packit |
517ee8 |
"descs" - list of tuples (language, description)
|
|
Packit |
517ee8 |
"type" - type of value represented by integer: {0:"", 1:"Number",
|
|
Packit |
517ee8 |
2:"String", 3:"Boolean"}
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
"options" - dictionary of options where key is selector
|
|
Packit |
517ee8 |
and value is Value instance value
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
"match" - Regexp that input must match
|
|
Packit |
517ee8 |
"selected" - tuple (selector, value) of default or choosen value instance
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if self.object != "xccdf_policy":
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"Wrong call of \"get_tailor_items\" function. "
|
|
Packit |
517ee8 |
"Should be xccdf_policy (have %s)" % (self.object,))
|
|
Packit |
517ee8 |
items = []
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
for value in self.model.benchmark.get_all_values():
|
|
Packit |
517ee8 |
items.append(self.__parse_value(value))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
return items
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def set_tailor_items(self, items):
|
|
Packit |
517ee8 |
"""xccdf_policy.set_tailor_items(items) -- Set tailored items to selected XCCDF Profile
|
|
Packit |
517ee8 |
Function will set all refine-values, setvalues to the selected XCCDF Policy's profile.
|
|
Packit |
517ee8 |
All refines should be specified in 'items' list.
|
|
Packit |
517ee8 |
All existing refine elements that are not included in 'items' list will be let unchanched.
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
Example:
|
|
Packit |
517ee8 |
value = { "id": value_id
|
|
Packit |
517ee8 |
"value": default_value }
|
|
Packit |
517ee8 |
items = [value]
|
|
Packit |
517ee8 |
xccdf_policy.set_tailor_items(items)"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if self.object != "xccdf_policy":
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"Wrong call of \"set_tailor_items\" function. "
|
|
Packit |
517ee8 |
"Should be xccdf_policy (have %s)" % (self.object,))
|
|
Packit |
517ee8 |
if len(items) == 0:
|
|
Packit |
517ee8 |
return
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# items = [{id, value}]
|
|
Packit |
517ee8 |
for item in items:
|
|
Packit |
517ee8 |
selector = None
|
|
Packit |
517ee8 |
value = self.model.benchmark.item(item["id"]).to_value()
|
|
Packit |
517ee8 |
for instance in value.instances:
|
|
Packit |
517ee8 |
if item["value"] == instance.value:
|
|
Packit |
517ee8 |
selector = instance.selector
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
oper = remarks = setvalue = None
|
|
Packit |
517ee8 |
for r_value in self.profile.refine_values[:]:
|
|
Packit |
517ee8 |
if r_value.item == item["id"]:
|
|
Packit |
517ee8 |
oper = r_value.oper
|
|
Packit |
517ee8 |
remarks = r_value.remarks
|
|
Packit |
517ee8 |
self.profile.refine_values.remove(r_value)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
for s_value in self.profile.setvalues[:]:
|
|
Packit |
517ee8 |
if s_value.item == item["id"]:
|
|
Packit |
517ee8 |
setvalue = s_value.value
|
|
Packit |
517ee8 |
self.profile.setvalues.remove(s_value)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if selector is not None and selector != '':
|
|
Packit |
517ee8 |
r_value = xccdf.refine_value()
|
|
Packit |
517ee8 |
r_value.item = item["id"]
|
|
Packit |
517ee8 |
r_value.selector = selector
|
|
Packit |
517ee8 |
if oper is not None:
|
|
Packit |
517ee8 |
r_value.oper = oper
|
|
Packit |
517ee8 |
if remarks is not None:
|
|
Packit |
517ee8 |
for remark in remarks:
|
|
Packit |
517ee8 |
r_value.add_remark(remark)
|
|
Packit |
517ee8 |
self.profile.add_refine_value(r_value)
|
|
Packit |
517ee8 |
elif selector is None:
|
|
Packit |
517ee8 |
s_value = xccdf.setvalue()
|
|
Packit |
517ee8 |
s_value.item = item["id"]
|
|
Packit |
517ee8 |
s_value.value = item["value"]
|
|
Packit |
517ee8 |
self.profile.add_setvalue(s_value)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def set_refine_rule(self, id, weight=None, severity=None, role=None):
|
|
Packit |
517ee8 |
"""xccdf_policy.set_refine_rules(refines)
|
|
Packit |
517ee8 |
-- Set weight, severity and role of the rule in selected Profile.
|
|
Packit |
517ee8 |
Function will set all refine-rules to the selected XCCDF Policy's profile.
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
Example:
|
|
Packit |
517ee8 |
xccdf_policy.set_refine_rule("rul-2.1", severity=oscap.XCCDF_SEVERITY_HIGH)
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if self.object != "xccdf_policy":
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"Wrong call of \"set_refine_rule\" function. "
|
|
Packit |
517ee8 |
"Should be xccdf_policy (have %s)" % (self.object,))
|
|
Packit |
517ee8 |
if id is None:
|
|
Packit |
517ee8 |
raise AttributeError(
|
|
Packit |
517ee8 |
"Missing ID of rule in xccdf_policy.set_refine_rule function")
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
rule = self.model.benchmark.item(id).to_rule()
|
|
Packit |
517ee8 |
if rule is None:
|
|
Packit |
517ee8 |
raise Exception("Rule \"%s\" not found in benchmark" % (id,))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if not weight and not severity and not role:
|
|
Packit |
517ee8 |
return
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
refine = xccdf.refine_rule()
|
|
Packit |
517ee8 |
refine.item = id
|
|
Packit |
517ee8 |
for r_rule in self.profile.refine_rules[:]:
|
|
Packit |
517ee8 |
if r_rule.item == id:
|
|
Packit |
517ee8 |
refine.weight = r_rule.weight
|
|
Packit |
517ee8 |
refine.severity = r_rule.severity
|
|
Packit |
517ee8 |
refine.role = r_rule.role
|
|
Packit |
517ee8 |
self.profile.refine_rules.remove(r_rule)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# Set new weight of the rule
|
|
Packit |
517ee8 |
if weight is not None:
|
|
Packit |
517ee8 |
refine.weight = weight
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# Set new severity of the rule
|
|
Packit |
517ee8 |
if severity is not None:
|
|
Packit |
517ee8 |
refine.severity = severity
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# Set new role of the rule
|
|
Packit |
517ee8 |
if role is not None:
|
|
Packit |
517ee8 |
refine.role = role
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
self.profile.add_refine_rule(refine)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def get_all_rules(self):
|
|
Packit |
517ee8 |
"""xccdf_policy.get_all_rules() -- Get all rules/selectors and titles from benchmark
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if self.object != "xccdf_policy":
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"Wrong call of \"get_all_rules\" function. "
|
|
Packit |
517ee8 |
"Should be xccdf_policy (have %s)" % (self.object,))
|
|
Packit |
517ee8 |
pass # TODO
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def set_rules(self, rules):
|
|
Packit |
517ee8 |
"""xccdf_policy.set_rules(rules) -- Set which rules are selected by given XCCDF Profile
|
|
Packit |
517ee8 |
Function set selectors for given XCCDF Policy's profile.
|
|
Packit |
517ee8 |
Selectors are represented by ID strings in 'rules' list
|
|
Packit |
517ee8 |
All existing selectors that are not included
|
|
Packit |
517ee8 |
in 'rules' list will be deleted.
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
Example:
|
|
Packit |
517ee8 |
# We want to have selected only first rule and second group
|
|
Packit |
517ee8 |
xccdf_policy.set_rules(["id-rule-1", "id-group-2"])"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if self.object != "xccdf_policy":
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"Wrong call of \"set_rules\" function. "
|
|
Packit |
517ee8 |
"Should be xccdf_policy (have %s)" % (self.object,))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
for select in self.selects:
|
|
Packit |
517ee8 |
if select.item not in rules:
|
|
Packit |
517ee8 |
select.selected = False
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
rules.remove(select.item)
|
|
Packit |
517ee8 |
select.selected = True
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
for id in rules:
|
|
Packit |
517ee8 |
select = xccdf.select()
|
|
Packit |
517ee8 |
select.selected = True
|
|
Packit |
517ee8 |
select.item = id
|
|
Packit |
517ee8 |
self.add_select(select)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def init(self, path, paths={}):
|
|
Packit |
517ee8 |
"""xccdf.init(path) -- Initialize openscap library
|
|
Packit |
517ee8 |
Provides standard initialization of OPENScap library.
|
|
Packit |
517ee8 |
Parameter 'path' is the path to XCCDF File.
|
|
Packit |
517ee8 |
Parameter 'paths' is dictionary where key is file identificator and value path to the file.
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
Initialization has next steps:
|
|
Packit |
517ee8 |
- Parse oscap configuration file with path to XML files
|
|
Packit |
517ee8 |
- Import default XCCDF document as specified in configuration file
|
|
Packit |
517ee8 |
- Import all definitions files that are required for XCCDF evaluation
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
Function returns dictionary with keys:
|
|
Packit |
517ee8 |
"policy_model" - XCCDF Policy Model loaded from XCCDF file
|
|
Packit |
517ee8 |
"def_models" - list of OVAL Definitions models from OVAL files
|
|
Packit |
517ee8 |
"sessions" -dictionary of OVAL Agent sessions provided by OVAL Definitions models
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
All returned objects have to be freed by user. Use functions:
|
|
Packit |
517ee8 |
retval["policy_model"].free()
|
|
Packit |
517ee8 |
for model in retval["def_models"]:
|
|
Packit |
517ee8 |
model.free()
|
|
Packit |
517ee8 |
for sess in retval["sessions"]:
|
|
Packit |
517ee8 |
sess.free()
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if path is None:
|
|
Packit |
517ee8 |
return None
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
OSCAP.oscap_init()
|
|
Packit |
517ee8 |
dirname = os.path.dirname(path)
|
|
Packit |
517ee8 |
f_XCCDF = path
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
benchmark = self.benchmark_import(f_XCCDF)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if benchmark.instance is None:
|
|
Packit |
517ee8 |
if OSCAP.oscap_err():
|
|
Packit |
517ee8 |
desc = OSCAP.oscap_err_desc()
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
desc = "Unknown error, please report this bug (http://bugzilla.redhat.com/)"
|
|
Packit |
517ee8 |
raise ImportError(
|
|
Packit |
517ee8 |
"Benchmark \"%s\" loading failed: %s" % (f_XCCDF, desc))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
policy_model = self.policy_model_new(benchmark)
|
|
Packit |
517ee8 |
files = policy_model.get_files()
|
|
Packit |
517ee8 |
def_models = []
|
|
Packit |
517ee8 |
sessions = {}
|
|
Packit |
517ee8 |
names = {}
|
|
Packit |
517ee8 |
for file in files.strings:
|
|
Packit |
517ee8 |
if file in paths:
|
|
Packit |
517ee8 |
f_OVAL = paths[file]
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
f_OVAL = os.path.join(dirname, file)
|
|
Packit |
517ee8 |
if os.path.exists(f_OVAL):
|
|
Packit |
517ee8 |
def_model = oval.definition_model_import_source(
|
|
Packit |
517ee8 |
OSCAP.oscap_source_new_from_file(f_OVAL))
|
|
Packit |
517ee8 |
if def_model.instance is None:
|
|
Packit |
517ee8 |
if OSCAP.oscap_err():
|
|
Packit |
517ee8 |
desc = OSCAP.oscap_err_desc()
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
desc = "Unknown error,please report this bug (http://bugzilla.redhat.com/)"
|
|
Packit |
517ee8 |
raise ImportError(
|
|
Packit |
517ee8 |
"Cannot import definition model for \"%s\": %s" % (f_OVAL, desc))
|
|
Packit |
517ee8 |
def_models.append(def_model)
|
|
Packit |
517ee8 |
sess = oval.agent_new_session(def_model, file)
|
|
Packit |
517ee8 |
if sess is None or sess.instance is None:
|
|
Packit |
517ee8 |
if OSCAP.oscap_err():
|
|
Packit |
517ee8 |
desc = OSCAP.oscap_err_desc()
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
desc = "Unknown error,please report this bug (http://bugzilla.redhat.com/)"
|
|
Packit |
517ee8 |
raise ImportError(
|
|
Packit |
517ee8 |
"Cannot create agent session for \"%s\": %s" % (f_OVAL, desc))
|
|
Packit |
517ee8 |
sessions[file] = sess
|
|
Packit |
517ee8 |
names[file] = [sess, def_model]
|
|
Packit |
517ee8 |
policy_model.register_engine_oval(sess)
|
|
Packit |
517ee8 |
else:
|
|
Packit |
517ee8 |
# TODO manage properly warnings/debug
|
|
Packit |
517ee8 |
print(
|
|
Packit |
517ee8 |
"WARNING: Skipping %s file which is referenced from XCCDF content" % (f_OVAL,))
|
|
Packit |
517ee8 |
files.free()
|
|
Packit |
517ee8 |
return {"def_models": def_models, "sessions": sessions,
|
|
Packit |
517ee8 |
"policy_model": policy_model, "xccdf_path": f_XCCDF, "names": names
|
|
Packit |
517ee8 |
}
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def policy_export(self, result=None, title=None, filename=None,
|
|
Packit |
517ee8 |
prefix=None, path=None, sessions=None, variables=True):
|
|
Packit |
517ee8 |
"""Export all files for given policy.
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
if self.object != "xccdf_policy":
|
|
Packit |
517ee8 |
raise TypeError(
|
|
Packit |
517ee8 |
"Wrong call of \"export\" function. "
|
|
Packit |
517ee8 |
"Should be xccdf_policy (have %s)" % (self.object,))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
'''
|
|
Packit |
517ee8 |
FIXME: We clone both benchmark and the result to avoid changing them
|
|
Packit |
517ee8 |
when just export is requested. Although this is the right behavior,
|
|
Packit |
517ee8 |
it is potentially wasteful, result.clone() and benchmark.clone()
|
|
Packit |
517ee8 |
could potentially take a lot of time to complete. A better solution would be
|
|
Packit |
517ee8 |
to add the result, export and then remove the result (with appropriate exception safety
|
|
Packit |
517ee8 |
of course) or even better, allow export with custom result list.
|
|
Packit |
517ee8 |
'''
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
result_clone = result.clone()
|
|
Packit |
517ee8 |
result_clone.benchmark_uri = path or "benchmark.xml"
|
|
Packit |
517ee8 |
o_title = common.text()
|
|
Packit |
517ee8 |
o_title.text = title
|
|
Packit |
517ee8 |
result_clone.title = o_title
|
|
Packit |
517ee8 |
result_clone.fill_sysinfo()
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
files = [filename]
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
benchmark_clone = self.model.benchmark.clone()
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
for model in benchmark_clone.models:
|
|
Packit |
517ee8 |
result_clone.score = self.score(result_clone, model.system)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
benchmark_clone.add_result(result_clone)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
benchmark_clone.export(filename)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
dirname = os.path.dirname(filename)
|
|
Packit |
517ee8 |
for path in sessions.keys():
|
|
Packit |
517ee8 |
sess = sessions[path]
|
|
Packit |
517ee8 |
rmodel = oval.agent_get_results_model(sess)
|
|
Packit |
517ee8 |
pfile = path + ".result.xml"
|
|
Packit |
517ee8 |
OSCAP.oval_results_model_export(
|
|
Packit |
517ee8 |
rmodel.instance, None, os.path.join(dirname, pfile))
|
|
Packit |
517ee8 |
files.append(pfile)
|
|
Packit |
517ee8 |
if variables:
|
|
Packit |
517ee8 |
dmodel = rmodel.definition_model
|
|
Packit |
517ee8 |
for i, vmodel in enumerate(dmodel.variable_models):
|
|
Packit |
517ee8 |
vfile = "%s.variables-%d.xml" % (path, i)
|
|
Packit |
517ee8 |
vmodel.export(os.path.join(dirname, vfile))
|
|
Packit |
517ee8 |
files.append(vfile)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
return files
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def destroy(self, sdir):
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
OSCAP.oscap_cleanup()
|
|
Packit |
517ee8 |
for model in sdir["def_models"] + sdir["sessions"].values() + [sdir["policy_model"]]:
|
|
Packit |
517ee8 |
model.free()
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# ------------------------------------------------------------------------------------------------------------
|
|
Packit |
517ee8 |
# DS
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
class DS_Class(OSCAP_Object):
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __init__(self):
|
|
Packit |
517ee8 |
dict.__setattr__(self, "object", "ds")
|
|
Packit |
517ee8 |
# dict.__setattr__(self, "version", OSCAP.oval_definition_model_supported())
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __repr__(self):
|
|
Packit |
517ee8 |
return "<Oscap Object of type 'DS Class' at %s>" % (hex(id(self)),)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# ------------------------------------------------------------------------------------------------------------
|
|
Packit |
517ee8 |
# XCCDF
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
class _XCCDF_Benchmark_Class(OSCAP_Object):
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __init__(self, path):
|
|
Packit |
517ee8 |
dict.__setattr__(self, "object", "xccdf_benchmark")
|
|
Packit |
517ee8 |
dict.__setattr__(self, "instance", OSCAP.xccdf_benchmark_import_source(
|
|
Packit |
517ee8 |
OSCAP.oscap_source_new_from_file(path)))
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __repr__(self):
|
|
Packit |
517ee8 |
return "<Oscap Object of type 'XCCDF Benchmark' at %s>" % (hex(id(self)),)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
class XCCDF_Class(OSCAP_Object):
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __init__(self):
|
|
Packit |
517ee8 |
dict.__setattr__(self, "object", "xccdf")
|
|
Packit |
517ee8 |
dict.__setattr__(self, "version", OSCAP.xccdf_benchmark_supported())
|
|
Packit |
517ee8 |
pass
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __repr__(self):
|
|
Packit |
517ee8 |
return "<Oscap Object of type 'XCCDF Class' at %s>" % (hex(id(self)),)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
""" Import XCCDF Benchmark
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
def benchmark_import(self, path):
|
|
Packit |
517ee8 |
return _XCCDF_Benchmark_Class(path)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# ------------------------------------------------------------------------------------------------------------
|
|
Packit |
517ee8 |
# OVAL
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
class OVAL_Class(OSCAP_Object):
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __init__(self):
|
|
Packit |
517ee8 |
dict.__setattr__(self, "object", "oval")
|
|
Packit |
517ee8 |
dict.__setattr__(
|
|
Packit |
517ee8 |
self, "version", OSCAP.oval_definition_model_supported())
|
|
Packit |
517ee8 |
pass
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __repr__(self):
|
|
Packit |
517ee8 |
return "<Oscap Object of type 'OVAL Class' at %s>" % (hex(id(self)),)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# ------------------------------------------------------------------------------------------------------------
|
|
Packit |
517ee8 |
# CVE
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
class CVE_Class(OSCAP_Object):
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
CVE Class
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __init__(self):
|
|
Packit |
517ee8 |
dict.__setattr__(self, "object", "cve")
|
|
Packit |
517ee8 |
# dict.__setattr__(self, "version", OSCAP.cve_model_supported())
|
|
Packit |
517ee8 |
pass
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __repr__(self):
|
|
Packit |
517ee8 |
return "<Oscap Object of type 'CVE Class' at %s>" % (hex(id(self)),)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# ------------------------------------------------------------------------------------------------------------
|
|
Packit |
517ee8 |
# CPE
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
class CPE_Class(OSCAP_Object):
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
CPE Class
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __init__(self):
|
|
Packit |
517ee8 |
dict.__setattr__(self, "object", "cpe")
|
|
Packit |
517ee8 |
dict.__setattr__(self, "version", "CPE Lang: %s; CPE Dict: %s; CPE Name: %s"
|
|
Packit |
517ee8 |
% (OSCAP.cpe_lang_model_supported(),
|
|
Packit |
517ee8 |
OSCAP.cpe_dict_model_supported(),
|
|
Packit |
517ee8 |
OSCAP.cpe_name_supported()))
|
|
Packit |
517ee8 |
pass
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __repr__(self):
|
|
Packit |
517ee8 |
return "<Oscap Object of type 'CPE Class' at %s>" % (hex(id(self)),)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# ------------------------------------------------------------------------------------------------------------
|
|
Packit |
517ee8 |
# CVSS
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
class CVSS_Class(OSCAP_Object):
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
CVSS Class
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __init__(self):
|
|
Packit |
517ee8 |
dict.__setattr__(self, "object", "cvss")
|
|
Packit |
517ee8 |
dict.__setattr__(self, "version", OSCAP.cvss_model_supported())
|
|
Packit |
517ee8 |
pass
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __repr__(self):
|
|
Packit |
517ee8 |
return "<Oscap Object of type 'CVSS Class' at %s>" % (hex(id(self)),)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# ------------------------------------------------------------------------------------------------------------
|
|
Packit |
517ee8 |
# SCE
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
class SCE_Class(OSCAP_Object):
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
SCE Class
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __init__(self):
|
|
Packit |
517ee8 |
dict.__setattr__(self, "object", "sce")
|
|
Packit |
517ee8 |
pass
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
def __repr__(self):
|
|
Packit |
517ee8 |
return "<Oscap Object of type 'SCE Class' at %s>" % (hex(id(self)),)
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
# ------------------------------------------------------------------------------------------------------------
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
""" This part is very IMPORTANT! Implement your application functions
|
|
Packit |
517ee8 |
to use openscap library this way:
|
|
Packit |
517ee8 |
policy_titles = openscap.xccdf.policy.titles (this will reflect xccdf_policy_get_titles() func)
|
|
Packit |
517ee8 |
Below are particular objects for parts of openscap library module system.
|
|
Packit |
517ee8 |
The only change is in using oscap module wich is conflicting with oscap namespace.
|
|
Packit |
517ee8 |
This module is renamed to common. All functions using OSCAP functions should look like:
|
|
Packit |
517ee8 |
openscap.common.debug.seterr(err) (this will reflect oscap_debug_seterr() func)
|
|
Packit |
517ee8 |
"""
|
|
Packit |
517ee8 |
|
|
Packit |
517ee8 |
ds = DS_Class()
|
|
Packit |
517ee8 |
xccdf = XCCDF_Class()
|
|
Packit |
517ee8 |
oval = OVAL_Class()
|
|
Packit |
517ee8 |
cve = CVE_Class()
|
|
Packit |
517ee8 |
cpe = CPE_Class()
|
|
Packit |
517ee8 |
cvss = CVSS_Class()
|
|
Packit |
517ee8 |
sce = SCE_Class()
|
|
Packit |
517ee8 |
common = OSCAP_Object("oscap")
|