ssg package
ssg.ansible module
Common functions for processing Ansible in SSG
- ssg.ansible.add_minimum_version(ansible_src)
Adds the minimum Ansible version to an Ansible script.
ssg.build_cpe module
Common functions for building CPEs
- class ssg.build_cpe.CPEALCheckFactRef(obj)
Bases: Symbol
- static get_base_name_of_parametrized_cpe_id(cpe_id)
If given a parametrized platform name such as package[test], it returns the package part only.
- ns = 'http://cpe.mitre.org/language/2.0'
- prefix = 'cpe-lang'
- class ssg.build_cpe.CPEALLogicalTest(*args)
Bases: Function
- ns = 'http://cpe.mitre.org/language/2.0'
- prefix = 'cpe-lang'
- class ssg.build_cpe.CPEItem(id_)
Bases: XCCDFEntity, Templatable
Represents the cpe-item element from the CPE standard.
- KEYS = {'ansible_conditional': <function CPEItem.<lambda>>, 'args': <function CPEItem.<lambda>>, 'bash_conditional': <function CPEItem.<lambda>>, 'check_id': <function CPEItem.<lambda>>, 'content_id': <function CPEItem.<lambda>>, 'definition_location': <function XCCDFEntity.<lambda>>, 'id_': <function XCCDFEntity.<lambda>>, 'is_product_cpe': <function CPEItem.<lambda>>, 'name': <function CPEItem.<lambda>>, 'template': <function Templatable.<lambda>>, 'title': <function XCCDFEntity.<lambda>>, 'versioned': <function CPEItem.<lambda>>}
- MANDATORY_KEYS = ['name']
- property cpe_oval_def_id
- property cpe_oval_short_def_id
- ns = 'http://cpe.mitre.org/dictionary/2.0'
- prefix = 'cpe-dict'
- class ssg.build_cpe.CPEList
Bases: object
Represents the cpe-list element from the CPE standard.
- ns = 'http://cpe.mitre.org/dictionary/2.0'
- prefix = 'cpe-dict'
- class ssg.build_cpe.ProductCPEs
Bases: object
Reads all the YAML CPEs related to a product from disk and provides them in a structured way.
- ssg.build_cpe.extract_env_obj(objects, local_var)
From a collection of objects, return the object whose id matches the object_ref of the local variable.
NOTE: This assumes that a local variable can only reference one object, which is not true: variables can reference multiple objects. The assumption should nevertheless hold for the OVAL checks used for CPEs, as they are not that complicated.
- ssg.build_cpe.extract_referred_nodes(tree_with_refs, tree_with_ids, attrname)
Return the elements in tree_with_ids which are referenced from tree_with_refs via the element attribute ‘attrname’.
- ssg.build_cpe.extract_subelement(objects, sub_elem_type)
From a collection of element objects, return the value of the first attribute named sub_elem_type that is found.
This is useful when the object is a single element and we wish to query some external reference identifier in the subtree of that element.
ssg.build_derivatives module
Common functions for enabling derivative products
- ssg.build_derivatives.add_cpe_item_to_dictionary(tree_root, product_yaml_path, cpe_ref, id_name, cpe_items_dir)
- ssg.build_derivatives.add_cpes(elem, namespace, mapping)
Adds derivative CPEs next to the RHEL ones; checks XCCDF elements of the given namespace.
- ssg.build_derivatives.add_notice(benchmark, namespace, notice, warning)
Adds the derivative notice as the first notice of the given benchmark.
- ssg.build_derivatives.add_oval_definition_to_cpe_oval(root, unlinked_oval_file_path, oval_def_id)
- ssg.build_derivatives.remove_cce_reference(tree_root, namespace)
Remove CCE identifiers from OVAL checks in the XML tree.
ssg.build_guides module
- ssg.build_guides.build_index(benchmarks, input_basename, index_links, index_options, index_initial_src)
- ssg.build_guides.builder(queue)
Fetch from a queue of tasks and process tasks until the queue is empty. Each task is processed with generate_for_input_content, and the guide is written as output.
Raises: when an error occurs while processing a task.
- ssg.build_guides.fill_queue(benchmarks, benchmark_profile_pairs, input_path, path_base, output_dir)
For each benchmark and each profile in the benchmark, create a queue of tasks for later processing. A task is a named tuple (benchmark_id, profile_id, input_path, guide_path).
Returns: queue of tasks.
- ssg.build_guides.generate_for_input_content(input_content, benchmark_id, profile_id)
Returns the HTML guide for the given input_content and profile_id combination. This function assumes only one Benchmark exists in the given input_content!
ssg.build_ovals module
ssg.build_profile module
- class ssg.build_profile.RuleStats(rule, cis_ns)
Bases: object
Class representing the content of a rule for statistics generation purposes.
- class ssg.build_profile.XCCDFBenchmark(filepath, product='')
Bases: object
Class for processing an XCCDF benchmark to generate statistics about the profiles contained within it.
ssg.build_remediations module
- class ssg.build_remediations.AnacondaRemediation(file_path)
Bases: Remediation
- class ssg.build_remediations.AnsibleRemediation(file_path)
Bases: Remediation
- class ssg.build_remediations.BashRemediation(file_path)
Bases: Remediation
- class ssg.build_remediations.BlueprintRemediation(file_path)
Bases: Remediation
Class for OSBuild Blueprint remediations.
- class ssg.build_remediations.BootcRemediation(file_path)
Bases: Remediation
Class for Bootc remediations.
- class ssg.build_remediations.IgnitionRemediation(file_path)
Bases: Remediation
- class ssg.build_remediations.KickstartRemediation(file_path)
Bases: Remediation
Class for Kickstart remediations.
- class ssg.build_remediations.KubernetesRemediation(file_path)
Bases: Remediation
- class ssg.build_remediations.PuppetRemediation(file_path)
Bases: Remediation
- class ssg.build_remediations.Remediation(file_path, remediation_type)
Bases: object
- ssg.build_remediations.RemediationObject
alias of remediation
- ssg.build_remediations.expand_xccdf_subs(fix, remediation_type)
Expand the respective populate keywords of each remediation type into an <xccdf:sub> element.
This routine translates any instance of the ‘type-populate’ keyword in the form of:
(type-populate variable_name)
where type can be either ansible, puppet, anaconda or bash, into
<sub idref="variable_name"/>
- ssg.build_remediations.get_rule_dir_remediations(dir_path, remediation_type, product=None)
Gets a list of remediations of type remediation_type contained in a rule directory. If product is None, returns all such remediations. If product is not None, returns the applicable remediations in order of priority:
{{{ product }}}.ext -> shared.ext
Only returns remediations which exist.
- ssg.build_remediations.is_supported_filename(remediation_type, filename)
Checks if filename has a supported extension for remediation_type.
Exits when remediation_type is of an unknown type.
- ssg.build_remediations.parse_from_file_with_jinja(file_path, env_yaml)
Parses a remediation from a file. As remediations contain Jinja macros, an env_yaml context is needed to process them. In practice, no remediations use Jinja in the configuration, so for extracting only the configuration, env_yaml can be an arbitrary product.yml dictionary.
If the logic of configuration parsing changes significantly, please also update ssg.fixes.parse_platform(…).
- ssg.build_remediations.parse_from_file_without_jinja(file_path)
Parses a remediation from a file. Doesn’t process the Jinja macros. This function is useful in build phases in which all the Jinja macros are already resolved.
ssg.build_renumber module
- class ssg.build_renumber.FileLinker(translator, xccdftree, checks, output_file_name)
Bases: object
Base class which represents the linking of checks to their identifiers.
- CHECK_NAMESPACE = None
- CHECK_SYSTEM = None
Returns a list of checks which have the same check system as this class.
- class ssg.build_renumber.OCILFileLinker(translator, xccdftree, checks, output_file_name)
Bases: FileLinker
- CHECK_NAMESPACE = 'http://scap.nist.gov/schema/ocil/2.0'
- CHECK_SYSTEM = 'http://scap.nist.gov/schema/ocil/2'
- class ssg.build_renumber.OVALFileLinker(translator, xccdftree, checks, output_file_name)
Bases: FileLinker
- CHECK_NAMESPACE = 'http://oval.mitre.org/XMLSchema/oval-definitions-5'
- CHECK_SYSTEM = 'http://oval.mitre.org/XMLSchema/oval-definitions-5'
- build_ovals_dir = None
- ssg.build_renumber.check_and_correct_xccdf_to_oval_data_export_matching_constraints(xccdftree, oval_document)
Verify that the <xccdf:Value> ‘type’ to corresponding OVAL variable ‘datatype’ export matching constraint:
http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf#page=30&zoom=auto,69,313
is met. Also correct the ‘type’ attribute of those <xccdf:Value> elements where necessary in order for the produced content to meet this constraint.
To correct the constraint we use the simpler approach: prefer to fix the ‘type’ attribute of the <xccdf:Value> rather than the ‘datatype’ attribute of the corresponding OVAL variable, since there might be additional OVAL variables derived from the affected OVAL variable, and in that case we would need to fix the ‘datatype’ attribute in each of them.
Define the <xccdf:Value> ‘type’ to OVAL variable ‘datatype’ export matching constraints mapping as specified in Table 16 of the XCCDF v1.2 standard:
http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf#page=30&zoom=auto,69,313
- ssg.build_renumber.verify_correct_form_of_referenced_cce_identifiers(xccdftree)
In SSG benchmarks, the CCEs still unassigned have the form of e.g. “RHEL7-CCE-TBD” (or any other format possibly not matching the above two requirements).
If this is the case for a specific SSG product, drop such CCE identifiers from the XCCDF since they are in an invalid format!
ssg.build_stig module
ssg.build_yaml module
- class ssg.build_yaml.Benchmark(id_)
Bases: XCCDFEntity
Represents an XCCDF Benchmark.
- GENERIC_FILENAME = 'benchmark.yml'
- KEYS = {'cpes': <function Benchmark.<lambda>>, 'definition_location': <function XCCDFEntity.<lambda>>, 'description': <function Benchmark.<lambda>>, 'front_matter': <function Benchmark.<lambda>>, 'groups': <function Benchmark.<lambda>>, 'id_': <function XCCDFEntity.<lambda>>, 'notice_description': <function Benchmark.<lambda>>, 'notice_id': <function Benchmark.<lambda>>, 'platforms': <function Benchmark.<lambda>>, 'product_cpe_names': <function Benchmark.<lambda>>, 'profiles': <function Benchmark.<lambda>>, 'rear_matter': <function Benchmark.<lambda>>, 'rules': <function Benchmark.<lambda>>, 'status': <function Benchmark.<lambda>>, 'title': <function XCCDFEntity.<lambda>>, 'values': <function Benchmark.<lambda>>, 'version': <function Benchmark.<lambda>>}
- MANDATORY_KEYS = {'description', 'front_matter', 'rear_matter', 'status', 'title'}
- classmethod process_input_dict(input_contents, env_yaml, product_cpes)
Take the contents of the definition as a dictionary, and add defaults or raise errors if a required member is not present.
Extend this if you want to add, remove or alter the result that will constitute the new instance.
- represent_as_dict()
Produce a dict representation of the class.
Extend this method if you need the representation to be different from the object.
- class ssg.build_yaml.BuildLoader(profiles_dir, env_yaml, product_cpes, sce_metadata_path=None)
Bases: DirectoryLoader
- class ssg.build_yaml.DirectoryLoader(profiles_dir, env_yaml, product_cpes)
Bases: object
- class ssg.build_yaml.Group(id_)
Bases: XCCDFEntity
Represents an XCCDF Group.
- GENERIC_FILENAME = 'group.yml'
- KEYS = {'conflicts': <function Group.<lambda>>, 'cpe_platform_names': <function Group.<lambda>>, 'definition_location': <function XCCDFEntity.<lambda>>, 'description': <function Group.<lambda>>, 'groups': <function Group.<lambda>>, 'id_': <function XCCDFEntity.<lambda>>, 'inherited_platforms': <function Group.<lambda>>, 'platform': <function Group.<lambda>>, 'platforms': <function Group.<lambda>>, 'requires': <function Group.<lambda>>, 'rules': <function Group.<lambda>>, 'title': <function XCCDFEntity.<lambda>>, 'values': <function Group.<lambda>>, 'warnings': <function Group.<lambda>>}
- MANDATORY_KEYS = {'description', 'front_matter', 'rear_matter', 'status', 'title'}
- classmethod process_input_dict(input_contents, env_yaml, product_cpes=None)
Take the contents of the definition as a dictionary, and add defaults or raise errors if a required member is not present.
Extend this if you want to add, remove or alter the result that will constitute the new instance.
- class ssg.build_yaml.Platform(id_)
Bases: XCCDFEntity
- KEYS = {'ansible_conditional': <function Platform.<lambda>>, 'bash_conditional': <function Platform.<lambda>>, 'definition_location': <function XCCDFEntity.<lambda>>, 'id_': <function XCCDFEntity.<lambda>>, 'name': <function Platform.<lambda>>, 'original_expression': <function Platform.<lambda>>, 'title': <function XCCDFEntity.<lambda>>, 'xml_content': <function Platform.<lambda>>}
- MANDATORY_KEYS = ['name', 'xml_content', 'original_expression', 'bash_conditional', 'ansible_conditional']
- ns = 'http://cpe.mitre.org/language/2.0'
- prefix = 'cpe-lang'
- class ssg.build_yaml.Rule(id_)
Bases: XCCDFEntity, Templatable
Represents an XCCDF Rule.
- GENERIC_FILENAME = 'rule.yml'
- ID_LABEL = 'rule_id'
- KEYS = {'bash_conditional': <function Rule.<lambda>>, 'checktext': <function Rule.<lambda>>, 'components': <function Rule.<lambda>>, 'conflicts': <function Rule.<lambda>>, 'control_references': <function Rule.<lambda>>, 'cpe_platform_names': <function Rule.<lambda>>, 'definition_location': <function XCCDFEntity.<lambda>>, 'description': <function Rule.<lambda>>, 'fixes': <function Rule.<lambda>>, 'fixtext': <function Rule.<lambda>>, 'id_': <function XCCDFEntity.<lambda>>, 'identifiers': <function Rule.<lambda>>, 'inherited_cpe_platform_names': <function Rule.<lambda>>, 'inherited_platforms': <function Rule.<lambda>>, 'ocil': <function Rule.<lambda>>, 'ocil_clause': <function Rule.<lambda>>, 'oval_external_content': <function Rule.<lambda>>, 'platform': <function Rule.<lambda>>, 'platforms': <function Rule.<lambda>>, 'policy_specific_content': <function Rule.<lambda>>, 'rationale': <function Rule.<lambda>>, 'references': <function Rule.<lambda>>, 'requires': <function Rule.<lambda>>, 'sce_metadata': <function Rule.<lambda>>, 'severity': <function Rule.<lambda>>, 'srg_requirement': <function Rule.<lambda>>, 'template': <function Templatable.<lambda>>, 'title': <function XCCDFEntity.<lambda>>, 'vuldiscussion': <function Rule.<lambda>>, 'warnings': <function Rule.<lambda>>}
- MANDATORY_KEYS = {'description', 'rationale', 'severity', 'title'}
- PRODUCT_REFERENCES = ('stigid', 'cis')
- class ssg.build_yaml.Value(id_)
Bases: XCCDFEntity
Represents an XCCDF Value.
- KEYS = {'definition_location': <function XCCDFEntity.<lambda>>, 'description': <function Value.<lambda>>, 'id_': <function XCCDFEntity.<lambda>>, 'interactive': <function Value.<lambda>>, 'operator': <function Value.<lambda>>, 'options': <function Value.<lambda>>, 'title': <function XCCDFEntity.<lambda>>, 'type': <function Value.<lambda>>, 'warnings': <function Value.<lambda>>}
- MANDATORY_KEYS = {'description', 'title', 'type'}
- classmethod process_input_dict(input_contents, env_yaml, product_cpes=None)
Take the contents of the definition as a dictionary, and add defaults or raise errors if a required member is not present.
Extend this if you want to add, remove or alter the result that will constitute the new instance.
ssg.checks module
- ssg.checks.get_content_ref_if_exists_and_not_remote(check)
Given an OVAL check element, examine its xccdf_ns:check-content-ref. If it exists and it isn’t remote, return it. Otherwise, return None.
See also: is_content_href_remote
- ssg.checks.get_oval_contents(rule_obj, oval_id)
Returns the tuple (path, contents) of the check described by the given oval_id or product.
- ssg.checks.get_oval_path(rule_obj, oval_id)
For the given oval_id or product, return the full path to the check in the given rule.
ssg.constants module
- class ssg.constants.OvalNamespaces
Bases: object
- definition = 'http://oval.mitre.org/XMLSchema/oval-definitions-5'
- independent = 'http://oval.mitre.org/XMLSchema/oval-definitions-5#independent'
- linux = 'http://oval.mitre.org/XMLSchema/oval-definitions-5#linux'
- oval = 'http://oval.mitre.org/XMLSchema/oval-common-5'
ssg.contributors module
ssg.fixes module
- ssg.fixes.find_platform_line(fix_contents)
Parses the platform configuration item to determine the line number that the platforms configuration option is on. If this key is not found, None is returned instead.
Note that this performs no validation on the contents of the file besides this and does not return the current value of the platform.
If the configuration specification changes in any way, please update the corresponding parsing in ssg.build_remediations.parse_from_file_with_jinja(…).
- ssg.fixes.get_fix_contents(rule_obj, lang, fix_id)
Returns the tuple (path, contents) of the fix described by the given fix_id or product.
ssg.id_translate module
ssg.jinja module
- class ssg.jinja.AbsolutePathFileSystemLoader(encoding='utf-8')
Bases: BaseLoader
Loads templates from the file system. This loader insists on absolute paths and fails if a relative path is provided.
>>> loader = AbsolutePathFileSystemLoader()
By default the template encoding is 'utf-8', which can be changed by setting the encoding parameter to something else.
- get_source(environment, template)
Get the template source, filename and reload helper for a template. It’s passed the environment and template name and has to return a tuple in the form (source, filename, uptodate) or raise a TemplateNotFound error if it can’t locate the template.
The source part of the returned tuple must be the source of the template as a string. The filename should be the name of the file on the filesystem if it was loaded from there, otherwise None. The filename is used by Python for the tracebacks if no loader extension is used.
The last item in the tuple is the uptodate function. If auto reloading is enabled it’s always called to check if the template changed. No arguments are passed so the function must store the old state somewhere (for example in a closure). If it returns False the template will be reloaded.
- ssg.jinja.load_macros(substitutions_dict=None)
Augment the substitutions_dict dict with the project Jinja macros in /shared/.
- ssg.jinja.process_file(filepath, substitutions_dict)
Process the Jinja file at the given path with the specified substitutions. Return the result as a string. Note that this will not load the project macros; use process_file_with_macros(…) for that.
- ssg.jinja.process_file_with_macros(filepath, substitutions_dict)
Process the file with Jinja macros at the given path with the specified substitutions. Return the result as a string.
See also: process_file
- ssg.jinja.update_substitutions_dict(filename, substitutions_dict)
Treat the given filename as a jinja2 file containing macro definitions, and export definitions that don’t start with _ into the substitutions_dict, a name->macro dictionary. During macro compilation, symbols already existing in substitutions_dict may be used by those definitions.
ssg.oval module
- ssg.oval.applicable_platforms(oval_file, oval_version_string=None)
Returns the applicable platforms for a given OVAL file.
- ssg.oval.parse_affected(oval_contents)
Returns the tuple (start_affected, end_affected, platform_indents) for the passed OVAL file contents. start_affected is the line number of the starting tag of the <affected> element, end_affected is the line number of the closing </affected> tag, and platform_indents is a string containing the indenting characters before the contents of the <affected> element.
ssg.parse_oval module
ssg.playbook_builder module
- class ssg.playbook_builder.PlaybookBuilder(product_yaml_path, input_dir, output_dir, rules_dir, profiles_dir, build_config_yaml)
Bases: object
- build(profile_id=None, rule_id=None)
Creates Playbooks for a specified profile. If profile_id is not given, creates Playbooks for all profiles in the product. If rule_id is not given, Playbooks are created for every rule.
- choose_variable_value(var_id, variables, refinements)
Determine the value of a variable based on profile refinements.
- create_playbook(snippet_path, rule_id, variables, refinements, output_dir)
Creates a Playbook from the Ansible snippet for the rule specified by rule ID, fills in the profile values and saves it into output_dir.
- create_playbook_for_single_rule(profile, rule_id, variables)
Creates a Playbook for the rule specified by rule_id. Created Playbooks are parametrized by variables according to the profile selection. Playbooks are written into a new subdirectory in output_dir.
- create_playbooks_for_all_rules_in_profile(profile, variables)
Creates a Playbook for each rule selected in a profile from tasks extracted from snippets. Created Playbooks are parametrized by variables according to the profile selection. Playbooks are written into a new subdirectory in output_dir.
- get_benchmark_variables()
Get all variables, their selectors and values used in a given benchmark. Returns a dictionary where keys are variable IDs and values are dictionaries where keys are selectors and values are variable values.
ssg.products module
- ssg.products.get_all(ssg_root)
Analyzes all products in the SSG root and sorts them into two categories: those which use linux_os and those which use their own directory. Returns a namedtuple of sets, (linux, other).
ssg.rule_dir_stats module
This module contains common code shared by utils/rule_dir_stats.py and utils/rule_dir_diff.py. This code includes functions for walking the output of the utils/rule_dir_json.py script, and filtering functions used in both scripts.
- ssg.rule_dir_stats.filter_rule_ids(all_keys, queries)
From a set of queries (a comma separated list of queries, where a query is either a rule id or a substring thereof), return the set of matching keys from all_keys. When queries is the literal string “all”, return all of the keys.
- ssg.rule_dir_stats.get_affected_products(rule_obj)
From a rule_obj, return the set of affected products from rule.yml.
- ssg.rule_dir_stats.get_all_affected_products(args, rule_obj)
From a rule_obj, return the set of affected products from rule.yml, and from all fixes and checks.
If args.strict is set, this function is equivalent to get_affected_products. Otherwise, it includes OVAL and fix content based on the values of args.fixes_only and args.ovals_only.
- ssg.rule_dir_stats.missing_oval(rule_obj)
For a rule object, check if it is missing an OVAL.
- ssg.rule_dir_stats.missing_remediation(rule_obj, r_type)
For a rule object, check if it is missing a remediation of type r_type.
- ssg.rule_dir_stats.product_names_oval(rule_obj)
For a rule_obj, check the scope of the platforms versus the product name of the OVAL objects.
- ssg.rule_dir_stats.product_names_remediation(rule_obj, r_type)
For a rule_obj, check the scope of the platforms versus the product name of the remediations of type r_type.
- ssg.rule_dir_stats.two_plus_oval(rule_obj)
For a rule object, check if it has two or more OVALs.
- ssg.rule_dir_stats.two_plus_remediation(rule_obj, r_type)
For a rule object, check if it has two or more remediations of type r_type.
- ssg.rule_dir_stats.walk_rule_stats(rule_output)
Walk the output of a rule, generating statistics about affected OVALs and remediations, and generating verbose output in a stable order.
Returns a tuple of (affected_ovals, affected_remediations, all_affected_remediations, affected_remediations_type, all_output).
- ssg.rule_dir_stats.walk_rules(args, known_rules, oval_func, remediation_func)
Walk a dictionary of known_rules, returning the number of visited rules and the output at each visited rule, conditionally calling oval_func and remediation_func based on the values of args.fixes_only and args.ovals_only. If the results of these functions are not Falsy, set the appropriate output content.
The input rule_obj structure is the value of known_rules[rule_id].
The output structure is a dict as follows:
    {
        rule_id: {
            "oval": oval_func(args, rule_obj),
            "ansible": remediation_func(args, "ansible", rule_obj),
            "anaconda": remediation_func(args, "anaconda", rule_obj),
            "bash": remediation_func(args, "bash", rule_obj),
            "puppet": remediation_func(args, "puppet", rule_obj)
        },
        ...
    }
The arguments supplied to oval_func are args and rule_obj. The arguments supplied to remediation_func are args, the remediation type, and rule_obj.
- ssg.rule_dir_stats.walk_rules_diff(args, left_rules, right_rules, oval_func, remediation_func)
Walk two dictionaries of known_rules (left_rules and right_rules) and generate five sets of output: left_only rules output, right_only rules output, shared left output, shared right output, and shared common output, as a five-tuple, where each tuple element is equivalent to walk_rules on the appropriate set of rules.
Does not understand renaming of rule_ids, as this would depend on disk content to reflect these differences. Unless significantly more data is added to the rule_obj structure (contents of rule.yml, OVALs, remediations, etc.), all information besides ‘title’ is not uniquely identifying or could be easily updated.
- ssg.rule_dir_stats.walk_rules_diff_stats(results)
Takes the results of walk_rules_diff (results) and generates five sets of output statistics: left_only rules output, right_only rules output, shared left output, shared right output, and shared common output, as a five-tuple, where each tuple element is equivalent to walk_rules_stats on the appropriate set of rules.
Can assert.
- ssg.rule_dir_stats.walk_rules_parallel(args, left_rules, right_rules, oval_func, remediation_func)
Walks two sets of known_rules (left_rules and right_rules) with identical keys and returns left_only, right_only, and common_only output from _walk_rule. If the output data for a rule is the same when called on left_rules and right_rules, it is added to common_only. Only rules which output different data have their data added to left_only and right_only respectively.
Can assert.
- ssg.rule_dir_stats.walk_rules_stats(args, known_rules, oval_func, remediation_func)
Walk a dictionary of known_rules and generate simple aggregate statistics for all visited rules. The oval_func and remediation_func arguments behave according to walk_rules().
Returned values are visited_rules, affected_ovals, affected_remediation, a dictionary containing all fix types and the quantity of affected fixes, and the ordered output of all functions.
An effort is made to provide consistently ordered verbose_output by sorting all visited keys and the keys of ssg.build_remediations.REMEDIATION_MAP.
ssg.rule_yaml module
The rule_yaml module provides various utility functions for handling YAML files containing Jinja macros, without having to parse the macros.
- ssg.rule_yaml.add_key_value(contents, key, start_line, new_value)
Adds a new key to contents with the given value after line start_line, returning the result. Also adds a blank line afterwards.
Does not modify the value of contents.
- ssg.rule_yaml.find_section_lines(file_contents, sec)
Parses the given file_contents as YAML to find the section with the given identifier. Note that this does not call into the yaml library and thus correctly handles Jinja macros, at the expense of not being a strictly valid YAML parser.
Returns a list of namedtuples (start, end) of the lines where the section exists.
- ssg.rule_yaml.get_section_lines(file_path, file_contents, key_name)
From the given file_path and file_contents, find the lines describing the section key_name and return the line range of the section.
- ssg.rule_yaml.get_yaml_contents(rule_obj)
From a rule_obj description, return a namedtuple of (path, contents), where path is the path to the rule YAML and contents is the list of lines in the file.
- ssg.rule_yaml.has_duplicated_subkeys(file_path, file_contents, sections)
Checks whether a section has duplicated keys. Note that these are silently eaten by the YAML parser we use.
- ssg.rule_yaml.parse_from_yaml(file_contents, lines)
Parse the given line range as YAML, returning the parsed object.
- ssg.rule_yaml.remove_lines(contents, lines)
Remove the lines of the section from the parsed file, returning the new contents.
Does not modify the passed in contents.
- ssg.rule_yaml.sort_section_keys(file_path, file_contents, sections, sort_func=None)
Sort subkeys in a YAML file’s section.
- ssg.rule_yaml.update_key_value(contents, key, old_value, new_value)
Find key in the contents of a file and replace its value with the new value, returning the resulting file. This validates that the old value is constant and hasn’t changed since parsing its value.
Raises a ValueError when the key cannot be found in the given contents.
Does not modify the value of contents.
ssg.rules module
- ssg.rules.applies_to_product(file_name, product)
An OVAL or fix is filtered by product iff product is Falsy, file_name is “shared”, or file_name is product. Note that this does not filter by the contents of the fix or check, only by the name of the file.
- ssg.rules.find_rule_dirs(base_dir)
Generator which yields all rule directories within a given base_dir, recursively.
- ssg.rules.find_rule_dirs_in_paths(base_dirs)
Generator which yields all rule directories within the given list of directories, recursively.
- ssg.rules.get_rule_dir_id(path)
Returns the ID of a rule directory; correctly handles being passed either the directory path or the yaml metadata path.
- ssg.rules.get_rule_dir_ovals(dir_path, product=None)
Gets a list of OVALs contained in a rule directory. If product is None, returns all OVALs. If product is not None, returns the applicable OVALs in order of priority:
{{{ product }}}.xml -> shared.xml
Only returns OVALs which exist.
- ssg.rules.get_rule_dir_sces(dir_path, product=None)
Get a list of SCEs contained in a rule directory. If product is None, returns all SCEs. If product is not None, returns the applicable SCEs in order of priority:
{{{ product }}}.{{{ ext }}} -> shared.{{{ ext }}}
Only returns SCEs which exist.
ssg.shims module
ssg.templates module
- class ssg.templates.Builder(env_yaml, resolved_rules_dir, templates_dir, remediations_dir, checks_dir, platforms_dir, cpe_items_dir)[source]
Bases:
object
Class for building all templated content for a given product.
To generate content from templates, pass the env_yaml, path to the directory with resolved rule YAMLs, path to the directory that contains templates, path to the output directory for checks and a path to the output directory for remediations into the constructor. Then, call the method build() to perform a build.
- build()[source]
Builds all templated content for all languages, writing the output to the correct build directories.
- build_lang_for_templatable(templatable, lang)[source]
Builds templated content of a given Templatable for a selected language returning the filled template.
- build_platform(platform)[source]
Builds templated content of a given Platform (all CPEs/Symbols) for all available languages, writing the output to the correct build directories and updating the platform it self.
- build_rule(rule)[source]
Builds templated content of a given Rule for all available languages, writing the output to the correct build directories.
- get_lang_contents_for_templatable(templatable, language)[source]
For the specified Templatable, build and return only the specified language content.
- get_resolved_langs_to_generate(templatable)[source]
Given a specific Templatable instance, determine which languages are generated by the combination of the template supported_languages AND the Templatable’s template configuration ‘backends’.
- ssg.templates.TemplatingLang
alias of templating_language_attributes
ssg.utils module
- class ssg.utils.VersionSpecifier(op, evr_ver_dict)[source]
Bases:
object
- property cpe_id
- property ev_ver
- property evr_op
- property evr_ver
- property oval_id
- property title
- property ver
- class ssg.utils.VersionSpecifierSet(s=())[source]
Bases:
set
- property cpe_id
- property oval_id
- property title
- ssg.utils.apply_formatting_on_dict_values(source_dict, string_dict, ignored_keys=frozenset({}))[source]
Uses Python built-in string replacement. It replaces strings marked by {token} if “token” is a key in the string_dict parameter. It skips keys in source_dict which are listed in the ignored_keys parameter. This works only for dictionaries whose values are dicts or strings.
- ssg.utils.check_conflict_regex_directory(data)[source]
Validate that either all paths are directories OR file_regex exists.
Throws ValueError.
- ssg.utils.ensure_file_paths_and_file_regexes_are_correctly_defined(data)[source]
This function is common for the file_owner, file_groupowner and file_permissions templates. It ensures that the data structure meets certain rules, e.g. that the file_path item is a list and that the number of list items in file_regex equals the number of items in file_path.
- ssg.utils.get_cpu_count()[source]
Returns the most likely estimate of the number of CPUs in the machine for threading purposes, gracefully handling errors and possible exceptions.
- ssg.utils.is_applicable(platform, product)[source]
Function to check if a platform is applicable for the product. Handles when a platform is really a list of products.
Returns true iff product is applicable for the platform or list of products
- ssg.utils.is_applicable_for_product(platform, product)[source]
Based on the platform dict specifier of the remediation script, determine whether this remediation script is applicable for this product. Returns ‘True’ if so, ‘False’ otherwise.
- ssg.utils.map_name(version)[source]
Maps SSG Makefile internal product name to official product name
- ssg.utils.merge_dicts(left, right)[source]
Merges two dictionaries, keeping left and right as passed. If there are any common keys between left and right, the value from right is used.
Returns the merger of the left and right dictionaries.
- ssg.utils.name_to_platform(names)[source]
Converts one or more full names to a string containing one or more <platform> elements.
- ssg.utils.parse_name(product)[source]
Returns a namedtuple of (name, version) from parsing a given product; e.g., “rhel7” -> (“rhel”, “7”)
- ssg.utils.parse_platform(platform)[source]
From a platform line, returns the set of platforms listed.
- ssg.utils.product_to_name(prod)[source]
Converts a vaguely-product-id-like thing into one or more full product names.
- ssg.utils.product_to_platform(prods)[source]
Converts one or more product ids into a string with one or more <platform> elements.
- ssg.utils.read_file_list(path)[source]
Reads the given file path and returns the contents as a list.
- ssg.utils.required_key(_dict, _key)[source]
Returns the value of _key if it is in _dict; otherwise, raise an exception stating that it was not found but is required.
ssg.xccdf module
A couple of generic XCCDF utilities used by build_all_guides.py and build_all_remediations.py
Author: Martin Preisler <mpreisle@redhat.com>
- ssg.xccdf.get_profile_choices_for_input(input_tree, benchmark_id, tailoring_tree)[source]
Returns a dictionary that maps profile_ids to their respective titles.
ssg.xml module
- class ssg.xml.XMLBenchmark(root)[source]
Bases:
XMLElement
Represents an XCCDF Benchmark read from an XML file.
- class ssg.xml.XMLCPEPlatform(root)[source]
Bases:
XMLElement
- class ssg.xml.XMLComponent(root)[source]
Bases:
XMLElement
Represents the element of the Data stream component that has relevant content.
This makes it easier to access contents pertaining to a SCAP component.
- class ssg.xml.XMLContent(root)[source]
Bases:
XMLElement
Can represent a Data Stream or an XCCDF Benchmark read from an XML file.
- check_engines = [('OVAL', 'oval:oval_definitions'), ('OCIL', 'ocil:ocil')]
- class ssg.xml.XMLElement(root)[source]
Bases:
object
Represents a generic element read from an XML file.
- ns = {'catalog': 'urn:oasis:names:tc:entity:xmlns:xml:catalog', 'cpe-lang': 'http://cpe.mitre.org/language/2.0', 'ds': 'http://scap.nist.gov/schema/scap/source/1.2', 'ocil': 'http://scap.nist.gov/schema/ocil/2.0', 'oval': 'http://oval.mitre.org/XMLSchema/oval-definitions-5', 'xccdf-1.1': 'http://checklists.nist.gov/xccdf/1.1', 'xccdf-1.2': 'http://checklists.nist.gov/xccdf/1.2', 'xlink': 'http://www.w3.org/1999/xlink'}
- class ssg.xml.XMLOcilQuestion(root)[source]
Bases:
XMLComponent
- class ssg.xml.XMLOcilQuestionnaire(root)[source]
Bases:
XMLComponent
- class ssg.xml.XMLOcilTestAction(root)[source]
Bases:
XMLComponent
- class ssg.xml.XMLOvalDefinition(root)[source]
Bases:
XMLComponent
- class ssg.xml.XMLRule(root)[source]
Bases:
XMLElement
Represents an XCCDF Rule read from an XML file.
- join_text_elements()[source]
This function collects the text of almost all subelements. Similar to what itertext() would do, except that this function skips some elements that are not relevant for comparison.
This function also injects a line for each element whose text was collected, to facilitate tracking of where in the rule the text came from.
- ssg.xml.add_xhtml_namespace(data)[source]
Given a xml blob, adds the xhtml namespace to all relevant tags.
- ssg.xml.get_namespaces_from(file)[source]
Return dictionary of namespaces in file. Return empty dictionary in case of error.
- ssg.xml.map_elements_to_their_ids(tree, xpath_expr)[source]
Given an ElementTree and an XPath expression, iterate through matching elements and create 1:1 id->element mapping.
Raises AssertionError if a matching element doesn’t have the id attribute. Returns the mapping as a dictionary.
ssg.yaml module
- ssg.yaml.convert_string_to_bool(string)[source]
Returns True if string is “true” (in any letter case), returns False if it is “false”, and raises ValueError otherwise.
- ssg.yaml.open_and_expand(yaml_file, substitutions_dict=None)[source]
Process the file as a template, using substitutions_dict to perform expansion. Then, process the expansion result as a YAML content.
See also: _open_yaml
- ssg.yaml.open_and_macro_expand(yaml_file, substitutions_dict=None)[source]
Do the same as open_and_expand, but load definitions of macros so they can be expanded in the template.
- ssg.yaml.open_raw(yaml_file)[source]
Open the given file-like object and parse it as YAML without performing any kind of template processing.
See also: _open_yaml
- ssg.yaml.ordered_dump(data, stream=None, Dumper=<class 'yaml.cyaml.CDumper'>, **kwds)[source]
Drop-in replacement for yaml.dump(), but preserves order of dictionaries