def preprocess(data, lang):
embedded_data = parse_template_boolean_value(data,
parameter="embedded_data",
default_value=False)
data["embedded_data"] = embedded_data
if data.get("xccdf_variable") and embedded_data:
values = data.get("values", [{}])
if len(values) > 1:
raise ValueError(
"Only a single value can be checked when querying "
"for a 'xccdf_value' that returns an embedded value. "
"Rule ID: {}".format(data["_rule_id"]))
elif not values[0].get("value"):
raise ValueError(
"You should specify a capture regex in the 'value' field "
"when querying for a 'xccdf_value' that returns an embedded value. "
"Rule ID: {}".format(data["_rule_id"]))
if data.get("xccdf_variable") and not embedded_data:
if data.get("values"):
raise ValueError(
"You cannot specify the 'value' field when querying "
"for a 'xccdf_value' that doesn't return an embedded value. "
"Rule ID: {}".format(data["_rule_id"]))
data["ocp_data"] = parse_template_boolean_value(data,
parameter="ocp_data",
default_value=False)
return data
def preprocess(data, lang):
_file_owner_groupowner_permissions_regex(data)
data["allow_stricter_permissions"] = parse_template_boolean_value(data, parameter="allow_stricter_permissions", default_value=True)
data["missing_file_pass"] = parse_template_boolean_value(data, parameter="missing_file_pass", default_value=False)
if lang == "oval":
data["fileid"] = data["_rule_id"].replace("file_permissions", "")
# build the state that describes our mode
# mode_str maps to STATEMODE in the template
mode = data["filemode"]
fields = [
'oexec', 'owrite', 'oread', 'gexec', 'gwrite', 'gread',
'uexec', 'uwrite', 'uread', 'sticky', 'sgid', 'suid']
mode_int = int(mode, 8)
mode_str = ""
for field in fields:
if mode_int & 0x01 == 1:
if not data['allow_stricter_permissions']:
mode_str = (
"<unix:" + field + " datatype=\"boolean\">true</unix:"
+ field + ">\n" + mode_str)
else:
value = "false"
if data['allow_stricter_permissions']:
value = "true"
mode_str = (
"<unix:" + field + " datatype=\"boolean\">{}</unix:".format(value)
+ field + ">\n" + mode_str)
mode_int = mode_int >> 1
data["statemode"] = mode_str.rstrip("\n")
return data
def preprocess(data, lang):
data["arg_negate"] = parse_template_boolean_value(data,
parameter="arg_negate",
default_value=False)
data["arg_is_regex"] = parse_template_boolean_value(
data, parameter="arg_is_regex", default_value=False)
return data
def preprocess(data, lang):
data["missing_parameter_pass"] = parse_template_boolean_value(
data, parameter="missing_parameter_pass", default_value=False)
is_default_value = parse_template_boolean_value(
data, parameter="is_default_value", default_value=False)
if is_default_value:
data[
"config_basename"] = "01-complianceascode-reinforce-os-defaults.conf"
else:
data["config_basename"] = "00-complianceascode-hardening.conf"
return data
def preprocess(data, lang):
_file_owner_groupowner_permissions_regex(data)
data["missing_file_pass"] = parse_template_boolean_value(
data, parameter="missing_file_pass", default_value=False)
data["recursive"] = parse_template_boolean_value(data,
parameter="recursive",
default_value=False)
if lang == "oval":
data["fileid"] = data["_rule_id"].replace("file_groupowner", "")
return data
def preprocess(data, lang):
# Default value of default_is_enabled is false;
# When variable_name is set, this option is disabled.
# It is not easy to check if the value of an XCCDF Value is the default in a template.
data["default_is_enabled"] = parse_template_boolean_value(
data, parameter="default_is_enabled", default_value=False)
if data.get("variable_name"):
data["default_is_enabled"] = False
if data.get("default_is_enabled") is True:
data["option_existence"] = "any_exist"
else:
data["option_existence"] = "at_least_one_exists"
if lang == "oval":
if data.get("variable_name"):
if 'option_regex_suffix' not in data:
data['option_regex_suffix'] = r"=(\w+)\b"
data["option_regex"] = data["option"] + data['option_regex_suffix']
else:
data["option_regex"] = data["option"]
elif lang == "bash":
if data.get("variable_name"):
if 'option_regex_suffix' not in data:
data['option_regex_suffix'] = r"=\w+\b"
data["option_regex"] = data["option"] + data['option_regex_suffix']
data["option_value"] = "{opt}=${{{var}}}".format(
opt=data["option"], var=data["variable_name"])
else:
data["option_regex"] = data["option"]
data["option_value"] = data["option"]
return data
def preprocess(data, lang):
value = data["value"]
if value[0] in ("'", '"') and value[0] == value[-1]:
msg = (
"Value >>{value}<< of shell variable '{varname}' "
"has been supplied with quotes, please fix the content - "
"shell quoting is handled by the check/remediation code.".format(
value=value, varname=data["parameter"]))
raise Exception(msg)
data["missing_parameter_pass"] = parse_template_boolean_value(
data, parameter="missing_parameter_pass", default_value=False)
data["no_quotes"] = parse_template_boolean_value(data,
parameter="no_quotes",
default_value=False)
return data
def preprocess(data, lang):
data["check_root_user"] = parse_template_boolean_value(data, parameter="check_root_user", default_value=False)
if lang == "bash":
if "syscall_grouping" in data:
# Make it easier to tranform the syscall_grouping into a Bash array
data["syscall_grouping"] = " ".join(data["syscall_grouping"])
elif lang == "ansible":
if "attr" in data:
# Tranform the syscall into a Ansible list
data["attr"] = [data["attr"]]
if "syscall_grouping" not in data:
# Ensure that syscall_grouping is a list
data["syscall_grouping"] = []
return data
def preprocess(data, lang):
data["exists"] = parse_template_boolean_value(data,
parameter="exists",
default_value=False)
return data
def preprocess(data, lang):
data["missing_parameter_pass"] = parse_template_boolean_value(
data, parameter="missing_parameter_pass", default_value=False)
return data
def preprocess(data, lang):
data["oval_extend_definitions"] = data.get("oval_extend_definitions", [])
data["escape_text"] = parse_template_boolean_value(data,
parameter="escape_text",
default_value=True)
return data
def preprocess(data, lang):
data["check_root_user"] = parse_template_boolean_value(data, parameter="check_root_user", default_value=False)
return data
