def has_prefix_cce(yaml_file, product_yaml=None):
rule = ssgcommon.open_and_macro_expand_yaml(yaml_file, product_yaml)
if 'identifiers' in rule and rule['identifiers'] is not None:
for i_type, i_value in rule['identifiers'].items():
if i_type[0:3] == 'cce':
has_prefix = i_value[0:3].upper() == 'CCE'
remainder_valid = ssgcommon.cce_is_valid("CCE-" + i_value[3:])
remainder_valid |= ssgcommon.cce_is_valid("CCE-" + i_value[4:])
return has_prefix and remainder_valid
return False
def rewrite_value_remove_prefix(line):
# Rewrites a key's value to remove a "CCE" prefix.
key_end = line.index(':')
key = line[0:key_end]
value = line[key_end + 1:].strip()
new_value = value
if ssgcommon.cce_is_valid("CCE-" + value[3:]):
new_value = value[3:]
elif ssgcommon.cce_is_valid("CCE-" + value[4:]):
new_value = value[4:]
return key + ": " + new_value
def has_invalid_cce(yaml_file, product_yaml=None):
rule = ssgcommon.open_and_macro_expand_yaml(yaml_file, product_yaml)
if 'identifiers' in rule and rule['identifiers'] is not None:
for i_type, i_value in rule['identifiers'].items():
if i_type[0:3] == 'cce':
if not ssgcommon.cce_is_valid("CCE-" + i_value):
return True
return False
def fix_prefix_cce(file_contents, yaml_contents):
section = 'identifiers'
prefixed_identifiers = []
if yaml_contents[section] is not None:
for i_type, i_value in yaml_contents[section].items():
if i_type[0:3] == 'cce':
has_prefix = i_value[0:3].upper() == 'CCE'
remainder_valid = ssgcommon.cce_is_valid("CCE-" + i_value[3:])
remainder_valid |= ssgcommon.cce_is_valid("CCE-" + i_value[4:])
if has_prefix and remainder_valid:
prefixed_identifiers.append(i_type)
return rewrite_section_value(file_contents, yaml_contents, section,
prefixed_identifiers,
rewrite_value_remove_prefix)
def validate_identifiers(self, yaml_file):
# Validate all identifiers are non-empty:
for ident_type, ident_val in self.identifiers.items():
if ident_val.strip() == "":
raise ValueError("Identifiers must not be empty: %s in file %s"
% (ident_type, yaml_file))
# Validate that cce is valid
if 'cce' in self.identifiers:
if not ssgcommon.cce_is_valid("CCE-" + self.identifiers['cce']):
raise ValueError("CCE Identifiers must be valid: %s in file %s"
% (self.identifiers['cce'], yaml_file))
def fix_invalid_cce(file_contents, yaml_contents):
section = 'identifiers'
invalid_identifiers = []
if yaml_contents[section] is not None:
for i_type, i_value in yaml_contents[section].items():
if i_type[0:3] == 'cce':
if not ssgcommon.cce_is_valid("CCE-" + i_value):
invalid_identifiers.append(i_type)
return remove_section_keys(file_contents, yaml_contents, section,
invalid_identifiers)
def validate_identifiers(self, yaml_file):
if self.identifiers is None:
raise ValueError("Empty identifier section in file %s" % yaml_file)
# Validate all identifiers are non-empty:
for ident_type, ident_val in self.identifiers.items():
if not type(ident_type) == str or not type(ident_val) == str:
raise ValueError("Identifiers and values must be strings: %s in file %s"
% (ident_type, yaml_file))
if ident_val.strip() == "":
raise ValueError("Identifiers must not be empty: %s in file %s"
% (ident_type, yaml_file))
if ident_type[0:3] == 'cce':
if not ssgcommon.cce_is_valid("CCE-" + ident_val):
raise ValueError("CCE Identifiers must be valid: value %s for cce %s"
" in file %s" % (ident_val, ident_type, yaml_file))
def verify_correct_form_of_referenced_cce_identifiers(xccdftree):
"""
In SSG benchmarks, the CCEs till unassigned have the form of e.g. "RHEL7-CCE-TBD"
(or any other format possibly not matching the above two requirements)
If this is the case for specific SSG product, drop such CCE identifiers from the XCCDF
since they are in invalid format!
"""
xccdfrules = xccdftree.findall(".//{%s}Rule" % xccdf_ns)
for rule in xccdfrules:
identcce = _find_identcce(rule)
if identcce is None:
continue
cceid = identcce.text
if not ssgcommon.cce_is_valid(cceid):
msg = "The CCE ID {0} is not in valid form.".format(cceid)
raise ssgcommon.SSGError(msg)
def verify_correct_form_of_referenced_cce_identifiers(xccdftree):
"""
In SSG benchmarks, the CCEs till unassigned have the form of e.g. "RHEL7-CCE-TBD"
(or any other format possibly not matching the above two requirements)
If this is the case for specific SSG product, drop such CCE identifiers from the XCCDF
since they are in invalid format!
"""
xccdfrules = xccdftree.findall(".//{%s}Rule" % xccdf_ns)
for rule in xccdfrules:
identcce = _find_identcce(rule)
if identcce is not None:
cceid = identcce.text
if not ssgcommon.cce_is_valid(cceid):
print(
"Warning: CCE '{0}' is invalid for rule '{1}'. Removing CCE..."
.format(cceid, rule.get("id"), file=sys.stderr))
rule.remove(identcce)
def _add_cce_id_refs_to_oval_checks(self, idmappingdict):
"""
For each XCCDF rule ID having <ident> CCE set and
having OVAL check implemented (remote OVAL isn't sufficient!)
add a new <reference> element into the OVAL definition having the
following form:
<reference source="CCE" ref_id="CCE-ID" />
where "CCE-ID" is the CCE identifier for that particular rule
retrieved from the XCCDF file
"""
ovalrules = self.tree.findall(".//{0}".format(
self._get_checkid_string()))
for rule in ovalrules:
ovalid = rule.get("id")
assert ovalid is not None, \
"An OVAL rule doesn't have an ID"
ovaldesc = rule.find(".//{%s}description" % self.CHECK_NAMESPACE)
assert ovaldesc is not None, \
"OVAL rule '{0}' doesn't have a description, which is mandatory".format(ovalid)
if ovalid not in idmappingdict:
print("OVAL ID '{0}' has not XCCDF rule ID <ident> CCE set".
format(ovalid),
file=sys.stderr)
continue
xccdfcceid = idmappingdict[ovalid]
if not ssgcommon.cce_is_valid(xccdfcceid):
msg = "The CCE ID {0} is not in valid form.".format(xccdfcceid)
raise ssgcommon.SSGError(msg)
# Then append the <reference source="CCE" ref_id="CCE-ID" /> element right
# after <description> element of specific OVAL check
ccerefelem = ssgcommon.ElementTree.Element('reference',
ref_id=xccdfcceid,
source="CCE")
ovaldesc.addnext(ccerefelem)
# Sanity check if appending succeeded
if ccerefelem.getprevious() is not ovaldesc:
msg = "Failed to add CCE ID to {0}.".format(ovalid)
raise ssgcommon.SSGError(msg)
def has_invalid_cce(yaml_file, product_yaml=None):
rule = ssgcommon.open_and_macro_expand_yaml(yaml_file, product_yaml)
if 'identifiers' in rule and 'cce' in rule['identifiers']:
if not ssgcommon.cce_is_valid("CCE-" + rule['identifiers']['cce']):
return True
return False