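def preprocess(data, lang):
    """Validate and normalise the template parameters held in ``data``.

    The ``embedded_data`` and ``ocp_data`` flags are passed through
    ``parse_template_boolean_value`` (defined elsewhere), both defaulting
    to False. When ``xccdf_variable`` is set, the ``values`` list is checked
    for consistency with ``embedded_data``.

    Args:
        data: Mutable mapping of template parameters; modified in place.
        lang: Target language of the template; not used by this function.

    Returns:
        The same ``data`` mapping, updated.

    Raises:
        ValueError: If ``xccdf_variable`` is combined with ``values`` in a
            way the checks below reject.
    """
    embedded_data = parse_template_boolean_value(
        data, parameter="embedded_data", default_value=False)
    data["embedded_data"] = embedded_data

    if data.get("xccdf_variable"):
        if embedded_data:
            # A present-but-empty (or null) "values" entry is treated like a
            # missing one, so the rule author gets the explanatory ValueError
            # below instead of an IndexError/TypeError from values[0]/len().
            values = data.get("values") or [{}]
            if len(values) > 1:
                raise ValueError(
                    "Only a single value can be checked when querying "
                    "for a 'xccdf_value' that returns an embedded value. "
                    "Rule ID: {}".format(data["_rule_id"]))
            if not values[0].get("value"):
                raise ValueError(
                    "You should specify a capture regex in the 'value' field "
                    "when querying for a 'xccdf_value' that returns an embedded value. "
                    "Rule ID: {}".format(data["_rule_id"]))
        elif data.get("values"):
            # Without embedded data the XCCDF variable supplies the expected
            # value, so an explicit 'values' entry is rejected.
            raise ValueError(
                "You cannot specify the 'value' field when querying "
                "for a 'xccdf_value' that doesn't return an embedded value. "
                "Rule ID: {}".format(data["_rule_id"]))

    data["ocp_data"] = parse_template_boolean_value(
        data, parameter="ocp_data", default_value=False)
    return data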
def preprocess(data, lang):
    """Prepare file-permission template parameters and the OVAL mode state.

    ``allow_stricter_permissions`` (default True) and ``missing_file_pass``
    (default False) are passed through ``parse_template_boolean_value``.
    For ``lang == "oval"`` the octal ``filemode`` string is expanded into
    one ``<unix:...>`` element per permission bit and stored, newline
    separated, in ``data["statemode"]``.

    Args:
        data: Mutable mapping of template parameters; modified in place.
        lang: Target language; only "oval" triggers the mode expansion.

    Returns:
        The same ``data`` mapping, updated.
    """
    _file_owner_groupowner_permissions_regex(data)

    allow_stricter = parse_template_boolean_value(
        data, parameter="allow_stricter_permissions", default_value=True)
    data["allow_stricter_permissions"] = allow_stricter
    data["missing_file_pass"] = parse_template_boolean_value(
        data, parameter="missing_file_pass", default_value=False)

    if lang != "oval":
        return data

    data["fileid"] = data["_rule_id"].replace("file_permissions", "")

    # Bit names ordered from the least significant bit of the mode upwards.
    # Only these twelve bits are inspected; anything above them in the
    # parsed integer is silently ignored.
    bit_names = (
        'oexec', 'owrite', 'oread',
        'gexec', 'gwrite', 'gread',
        'uexec', 'uwrite', 'uread',
        'sticky', 'sgid', 'suid')
    remaining = int(data["filemode"], 8)

    entries = []
    for name in bit_names:
        bit_is_set = remaining & 0x01 == 1
        remaining = remaining >> 1
        if bit_is_set:
            if allow_stricter:
                # Stricter mode emits nothing for bits the mode permits.
                continue
            state = "true"
        else:
            # Exact mode pins an unset bit to "false"; stricter mode emits
            # "true" for it instead.
            # NOTE(review): presumably the OVAL template reads the
            # stricter-mode entries as "forbidden bit is set" conditions -
            # confirm against the template that consumes statemode.
            state = "true" if allow_stricter else "false"
        entries.append(
            "<unix:" + name + " datatype=\"boolean\">" + state
            + "</unix:" + name + ">")

    # Most significant bit first, one element per line, no trailing newline.
    data["statemode"] = "\n".join(reversed(entries))
    return data
def preprocess(data, lang):
    """Normalise the ``arg_negate`` and ``arg_is_regex`` flags in ``data``.

    Both parameters are passed through ``parse_template_boolean_value``
    with a default of False.

    Args:
        data: Mutable mapping of template parameters; modified in place.
        lang: Target language; not used by this function.

    Returns:
        The same ``data`` mapping, updated.
    """
    for flag in ("arg_negate", "arg_is_regex"):
        data[flag] = parse_template_boolean_value(
            data, parameter=flag, default_value=False)
    return data
def preprocess(data, lang):
    """Normalise ``missing_parameter_pass`` and pick the config file name.

    ``is_default_value`` is parsed but not written back to ``data``; it only
    selects which drop-in file name ends up in ``data["config_basename"]``.

    Args:
        data: Mutable mapping of template parameters; modified in place.
        lang: Target language; not used by this function.

    Returns:
        The same ``data`` mapping, updated.
    """
    data["missing_parameter_pass"] = parse_template_boolean_value(
        data, parameter="missing_parameter_pass", default_value=False)

    reinforces_default = parse_template_boolean_value(
        data, parameter="is_default_value", default_value=False)
    data["config_basename"] = (
        "01-complianceascode-reinforce-os-defaults.conf"
        if reinforces_default
        else "00-complianceascode-hardening.conf")
    return data
def preprocess(data, lang):
    """Prepare file group-owner template parameters.

    Runs ``_file_owner_groupowner_permissions_regex`` on ``data``, then
    normalises the ``missing_file_pass`` and ``recursive`` flags (both
    default to False). For OVAL, ``fileid`` is derived from the rule ID.

    Args:
        data: Mutable mapping of template parameters; modified in place.
        lang: Target language; only "oval" sets ``fileid``.

    Returns:
        The same ``data`` mapping, updated.
    """
    _file_owner_groupowner_permissions_regex(data)

    for flag in ("missing_file_pass", "recursive"):
        data[flag] = parse_template_boolean_value(
            data, parameter=flag, default_value=False)

    if lang == "oval":
        # Strip the rule-name prefix so only the file-specific part remains.
        rule_id = data["_rule_id"]
        data["fileid"] = rule_id.replace("file_groupowner", "")
    return data
def preprocess(data, lang):
    """Derive the option regex, value and existence check for a template.

    ``default_is_enabled`` defaults to False and is forced to False when
    ``variable_name`` is set, because checking whether an XCCDF Value holds
    its default is not easy inside a template.

    Args:
        data: Mutable mapping of template parameters; modified in place.
        lang: Target language; "oval" and "bash" get language-specific keys.

    Returns:
        The same ``data`` mapping, updated.
    """
    data["default_is_enabled"] = parse_template_boolean_value(
        data, parameter="default_is_enabled", default_value=False)

    variable_name = data.get("variable_name")
    if variable_name:
        data["default_is_enabled"] = False

    data["option_existence"] = (
        "any_exist" if data.get("default_is_enabled") is True
        else "at_least_one_exists")

    # Default suffix appended to the option when a variable supplies the
    # value; the OVAL form captures the value, the Bash form does not.
    default_suffixes = {"oval": r"=(\w+)\b", "bash": r"=\w+\b"}

    if lang in default_suffixes:
        # NOTE(review): data["option"] goes into option_regex unescaped, so
        # any regex metacharacters in it keep their special meaning if the
        # template uses option_regex as a pattern - confirm this is intended.
        if variable_name:
            data.setdefault("option_regex_suffix", default_suffixes[lang])
            data["option_regex"] = data["option"] + data["option_regex_suffix"]
            if lang == "bash":
                # Renders as OPTION=${VARIABLE_NAME}.
                data["option_value"] = "{opt}=${{{var}}}".format(
                    opt=data["option"], var=variable_name)
        else:
            data["option_regex"] = data["option"]
            if lang == "bash":
                data["option_value"] = data["option"]
    return data
def preprocess(data, lang):
    """Reject pre-quoted shell values and normalise two boolean flags.

    A ``value`` whose first character is a single or double quote and equals
    its last character is refused. ``missing_parameter_pass`` and
    ``no_quotes`` are then passed through ``parse_template_boolean_value``
    (both default to False).

    Args:
        data: Mutable mapping of template parameters; modified in place.
        lang: Target language; not used by this function.

    Returns:
        The same ``data`` mapping, updated.

    Raises:
        Exception: If ``value`` is wrapped in matching quotes.
    """
    value = data["value"]

    # Only a matching leading/trailing quote pair is detected; other shell
    # metacharacters in the value are not inspected here.
    # NOTE(review): an empty value raises IndexError on value[0], and a
    # lone quote character counts as "quoted" - confirm both are acceptable.
    first_char = value[0]
    wrapped_in_quotes = first_char in ("'", '"') and first_char == value[-1]
    if wrapped_in_quotes:
        raise Exception(
            "Value >>{value}<< of shell variable '{varname}' "
            "has been supplied with quotes, please fix the content - "
            "shell quoting is handled by the check/remediation code.".format(
                value=value, varname=data["parameter"]))

    for flag in ("missing_parameter_pass", "no_quotes"):
        data[flag] = parse_template_boolean_value(
            data, parameter=flag, default_value=False)
    return data
def preprocess(data, lang):
    """Normalise ``check_root_user`` and reshape syscall data per language.

    Args:
        data: Mutable mapping of template parameters; modified in place.
        lang: Target language; "bash" and "ansible" get specific reshaping.

    Returns:
        The same ``data`` mapping, updated.
    """
    check_root_user = parse_template_boolean_value(
        data, parameter="check_root_user", default_value=False)
    data["check_root_user"] = check_root_user

    if lang == "bash":
        # A space-separated string is easier to turn into a Bash array.
        if "syscall_grouping" in data:
            data["syscall_grouping"] = " ".join(data["syscall_grouping"])
    elif lang == "ansible":
        # Wrap the single attribute so the template can treat it as a list.
        if "attr" in data:
            data["attr"] = [data["attr"]]
        # Guarantee that syscall_grouping is a list even when not supplied.
        data.setdefault("syscall_grouping", [])
    return data
def preprocess(data, lang):
    """Normalise the ``exists`` flag in ``data`` (default False).

    Args:
        data: Mutable mapping of template parameters; modified in place.
        lang: Target language; not used by this function.

    Returns:
        The same ``data`` mapping, updated.
    """
    exists = parse_template_boolean_value(
        data, parameter="exists", default_value=False)
    data["exists"] = exists
    return data
def preprocess(data, lang):
    """Normalise the ``missing_parameter_pass`` flag in ``data``.

    The flag defaults to False, so a missing parameter is not treated as a
    pass unless the rule asks for it explicitly.

    Args:
        data: Mutable mapping of template parameters; modified in place.
        lang: Target language; not used by this function.

    Returns:
        The same ``data`` mapping, updated.
    """
    flag_name = "missing_parameter_pass"
    data[flag_name] = parse_template_boolean_value(
        data, parameter=flag_name, default_value=False)
    return data
def preprocess(data, lang):
    """Fill in ``oval_extend_definitions`` and normalise ``escape_text``.

    ``oval_extend_definitions`` becomes an empty list when absent.
    ``escape_text`` defaults to True, so escaping stays on unless the rule
    turns it off explicitly.

    Args:
        data: Mutable mapping of template parameters; modified in place.
        lang: Target language; not used by this function.

    Returns:
        The same ``data`` mapping, updated.
    """
    data.setdefault("oval_extend_definitions", [])
    escape_text = parse_template_boolean_value(
        data, parameter="escape_text", default_value=True)
    data["escape_text"] = escape_text
    return data
def preprocess(data, lang):
    """Normalise the ``check_root_user`` flag in ``data`` (default False).

    Args:
        data: Mutable mapping of template parameters; modified in place.
        lang: Target language; not used by this function.

    Returns:
        The same ``data`` mapping, updated.
    """
    check_root_user = parse_template_boolean_value(
        data, parameter="check_root_user", default_value=False)
    data["check_root_user"] = check_root_user
    return data