def _test_target(self, target): try: remote_dir = common.send_scripts(self.test_env.domain_ip) except RuntimeError as exc: msg = "Unable to upload test scripts: {more_info}".format( more_info=str(exc)) raise RuntimeError(msg) self._matching_rule_found = False with test_env.SavedState.create_from_environment( self.test_env, "tests_uploaded") as state: for rule in data.iterate_over_rules(): if not self._matches_target(rule.directory, target): continue self._matching_rule_found = True if not xml_operations.find_rule_in_benchmark( self.datastream, self.benchmark_id, rule.id): logging.error( "Rule '{0}' isn't present in benchmark '{1}' in '{2}'". format(rule.id, self.benchmark_id, self.datastream)) return self._check_rule(rule, remote_dir, state) if not self._matching_rule_found: logging.error("No matching rule ID found for '{0}'".format(target))
def _test_target(self, target): try: remote_dir = send_scripts(self.test_env.domain_ip) except RuntimeError as exc: msg = "Unable to upload test scripts: {more_info}".format( more_info=str(exc)) raise RuntimeError(msg) self._matching_rule_found = False with test_env.SavedState.create_from_environment( self.test_env, "tests_uploaded") as state: for rule in data.iterate_over_rules(): matched, target_matched = self._matches_target( rule.directory, target) if not matched: continue # In combined mode there is no expectations of matching substrings, # every entry in the target is expected to be unique. # Let's remove matched targets, so we can track rules not tested target.remove(target_matched) self._check_rule(rule, remote_dir, state) if len(target) != 0: target.sort() logging.info("The following rule(s) were not tested:") for rule in target: logging.info("{0}".format(rule))
def _test_target(self, target): remote_dir = _send_scripts(self.test_env.domain_ip) if not remote_dir: msg = "Unable to upload test scripts" raise RuntimeError(msg) self._matching_rule_found = False for rule in data.iterate_over_rules(): self._check_rule(rule, remote_dir, target) if not self._matching_rule_found: logging.error("No matching rule ID found for '{0}'".format(target))
def _test_target(self, target): try: remote_dir = _send_scripts(self.test_env.domain_ip) except RuntimeError as exc: msg = "Unable to upload test scripts: {more_info}".format(more_info=str(exc)) raise RuntimeError(msg) self._matching_rule_found = False with test_env.SavedState.create_from_environment(self.test_env, "tests_uploaded") as state: for rule in data.iterate_over_rules(): if not _matches_target(rule.directory, target): continue self._matching_rule_found = True self._check_rule(rule, remote_dir, state) if not self._matching_rule_found: logging.error("No matching rule ID found for '{0}'".format(target))
def perform_rule_check(options): """Perform rule check. Iterate over rule-testing scenarios and utilize `oscap-ssh` to test every scenario. Expected result is encoded in scenario file name. In case of `fail` or `error` results expected, continue with remediation and reevaluation. Revert system to clean state using snapshots. Return value not defined, textual output and generated reports is the result. """ dom = ssg_test_suite.virt.connect_domain(options.hypervisor, options.domain_name) if dom is None: sys.exit(1) snapshot_stack = SnapshotStack(dom) atexit.register(snapshot_stack.clear) snapshot_stack.create('origin') ssg_test_suite.virt.start_domain(dom) domain_ip = ssg_test_suite.virt.determine_ip(dom) scanned_something = False for rule_dir, rule, scripts in iterate_over_rules(): if 'ALL' in options.target: # we want to have them all pass else: perform = False for target in options.target: if target in rule_dir: perform = True break if not perform: continue logging.info(rule) scanned_something = True logging.debug("Testing rule directory {0}".format(rule_dir)) # get list of helper scripts (non-standard name) # and scenario scripts helpers = [] scenarios = [] for script in scripts: script_context = _get_script_context(script) if script_context is None: logging.debug('Registering helper script {0}'.format(script)) helpers += [script] else: scenarios += [script] for script in scenarios: script_context = _get_script_context(script) logging.debug(('Using test script {0} ' 'with context {1}').format(script, script_context)) snapshot_stack.create('script') # copy all helper scripts, so scenario script can use them script_path = os.path.join(rule_dir, script) helper_paths = map(lambda x: os.path.join(rule_dir, x), helpers) _send_scripts(rule_dir, domain_ip, script_path, *helper_paths) if not _apply_script(rule_dir, domain_ip, script): logging.error("Environment failed to prepare, skipping test") script_params = _parse_parameters(script_path) has_worked = False profiles = get_viable_profiles(script_params['profiles'], options.datastream, options.benchmark_id) if len(profiles) > 1: snapshot_stack.create('profile') for profile in profiles: LogHelper.preload_log(logging.INFO, ("Script {0} " "using profile {1} " "OK").format(script, profile), log_target='pass') LogHelper.preload_log(logging.ERROR, ("Script {0} " "using profile {1} " "found issue:").format(script, profile), log_target='fail') has_worked = True if oscap.run_rule(domain_ip=domain_ip, profile=profile, stage="initial", datastream=options.datastream, benchmark_id=options.benchmark_id, rule_id=rule, context=script_context, script_name=script, remediation=False, dont_clean=options.dont_clean): if script_context in ['fail', 'error']: oscap.run_rule(domain_ip=domain_ip, profile=profile, stage="remediation", datastream=options.datastream, benchmark_id=options.benchmark_id, rule_id=rule, context='fixed', script_name=script, remediation=True, dont_clean=options.dont_clean) snapshot_stack.revert(delete=False) if not has_worked: logging.error("Nothing has been tested!") snapshot_stack.delete() if len(profiles) > 1: snapshot_stack.revert() if not scanned_something: logging.error("Rule {0} has not been found".format(options.target))
def perform_rule_check(options): """Perform rule check. Iterate over rule-testing scenarios and utilize `oscap-ssh` to test every scenario. Expected result is encoded in scenario file name. In case of `fail` or `error` results expected, continue with remediation and reevaluation. Revert system to clean state using snapshots. Return value not defined, textual output and generated reports is the result. """ dom = ssg_test_suite.virt.connect_domain(options.hypervisor, options.domain_name) if dom is None: sys.exit(1) snapshot_stack = SnapshotStack(dom) atexit.register(snapshot_stack.clear) snapshot_stack.create('origin') ssg_test_suite.virt.start_domain(dom) domain_ip = ssg_test_suite.virt.determine_ip(dom) scanned_something = False for rule_dir, rule, scripts in iterate_over_rules(): if 'ALL' in options.target: # we want to have them all pass else: perform = False for target in options.target: if target in rule_dir: perform = True break if not perform: continue logging.info(rule) scanned_something = True logging.debug("Testing rule directory {0}".format(rule_dir)) # get list of helper scripts (non-standard name) # and scenario scripts helpers = [] scenarios = [] for script in scripts: script_context = _get_script_context(script) if script_context is None: logging.debug('Registering helper script {0}'.format(script)) helpers += [script] else: scenarios += [script] for script in scenarios: script_context = _get_script_context(script) logging.debug(('Using test script {0} ' 'with context {1}').format(script, script_context)) snapshot_stack.create('script') # copy all helper scripts, so scenario script can use them script_path = os.path.join(rule_dir, script) helper_paths = map(lambda x: os.path.join(rule_dir, x), helpers) _send_scripts(rule_dir, domain_ip, script_path, *helper_paths) if not _apply_script(rule_dir, domain_ip, script): logging.error("Environment failed to prepare, skipping test") snapshot_stack.revert() continue script_params = _parse_parameters(script_path) has_worked = False profiles = get_viable_profiles(script_params['profiles'], options.datastream, options.benchmark_id) if len(profiles) > 1: snapshot_stack.create('profile') for profile in profiles: LogHelper.preload_log(logging.INFO, ("Script {0} " "using profile {1} " "OK").format(script, profile), log_target='pass') LogHelper.preload_log(logging.ERROR, ("Script {0} " "using profile {1} " "found issue:").format(script, profile), log_target='fail') has_worked = True run_rule_checks( domain_ip, profile, options.datastream, options.benchmark_id, rule, script_context, script, script_params, options.remediate_using, options.dont_clean, ) snapshot_stack.revert(delete=False) if not has_worked: logging.error("Nothing has been tested!") snapshot_stack.delete() if len(profiles) > 1: snapshot_stack.revert() if not scanned_something: logging.error("Rule {0} has not been found".format(options.target))
def perform_rule_check(options): """Perform rule check. Iterate over rule-testing scenarios and utilize `oscap-ssh` to test every scenario. Expected result is encoded in scenario file name. In case of `fail` or `error` results expected, continue with remediation and reevaluation. Revert system to clean state using snapshots. Return value not defined, textual output and generated reports is the result. """ dom = ssg_test_suite.virt.connect_domain(options.hypervisor, options.domain_name) if dom is None: sys.exit(1) snapshot_stack = SnapshotStack(dom) atexit.register(snapshot_stack.clear) # create origin snapshot_stack.create('origin') ssg_test_suite.virt.start_domain(dom) domain_ip = ssg_test_suite.virt.determine_ip(dom) scanned_something = False remote_dir = _send_scripts(domain_ip) if not remote_dir: return for rule_dir, rule, scripts in data.iterate_over_rules(): remote_rule_dir = os.path.join(remote_dir, rule_dir) local_rule_dir = os.path.join(data.DATA_DIR, rule_dir) if not _matches_target(rule_dir, options.target): continue logging.info(rule) scanned_something = True logging.debug("Testing rule directory {0}".format(rule_dir)) for script, script_context, script_params in _get_scenarios( local_rule_dir, scripts): logging.debug(('Using test script {0} ' 'with context {1}').format(script, script_context)) # create origin <- script snapshot_stack.create('script') has_worked = False if not _apply_script(remote_rule_dir, domain_ip, script): logging.error("Environment failed to prepare, skipping test") # maybe revert script snapshot_stack.revert() continue profiles = get_viable_profiles(script_params['profiles'], options.datastream, options.benchmark_id) if len(profiles) > 1: # create origin <- script <- profile snapshot_stack.create('profile') for profile in profiles: LogHelper.preload_log(logging.INFO, ("Script {0} " "using profile {1} " "OK").format(script, profile), log_target='pass') LogHelper.preload_log(logging.ERROR, ("Script {0} " "using profile {1} " "found issue:").format(script, profile), log_target='fail') has_worked = True run_rule_checks( domain_ip, profile, options.datastream, options.benchmark_id, rule, script_context, script, script_params, options.remediate_using, options.dont_clean, ) # revert either profile (if created), or script. Don't delete snapshot_stack.revert(delete=False) if not has_worked: logging.error("Nothing has been tested!") # Delete the reverted profile or script. snapshot_stack.delete() if len(profiles) > 1: # revert script (we have reverted profile before). snapshot_stack.revert() if not scanned_something: logging.error("Rule {0} has not been found".format(options.target))