ssg package

ssg.ansible module

Common functions for processing Ansible in SSG

ssg.ansible.add_minimum_version(ansible_src)[source]

Adds minimum ansible version to an Ansible script

ssg.ansible.remove_too_many_blank_lines(ansible_src)[source]

Condenses three or more empty lines as two.

ssg.ansible.remove_trailing_whitespace(ansible_src)[source]

Removes trailing whitespace in an Ansible script

ssg.build_cpe module

Common functions for building CPEs

class ssg.build_cpe.CPEALCheckFactRef(obj)[source]

Bases: Symbol

static cpe_id_is_parametrized(cpe_id)[source]
enrich_with_cpe_info(cpe_products)[source]
static get_base_name_of_parametrized_cpe_id(cpe_id)[source]

If given a parametrized platform name such as package[test], it returns the package part only.

ns = 'http://cpe.mitre.org/language/2.0'
prefix = 'cpe-lang'
to_ansible_conditional()[source]
to_bash_conditional()[source]
to_xml_element()[source]
class ssg.build_cpe.CPEALLogicalTest(*args)[source]

Bases: Function

enrich_with_cpe_info(cpe_products)[source]
ns = 'http://cpe.mitre.org/language/2.0'
prefix = 'cpe-lang'
to_ansible_conditional()[source]
to_bash_conditional()[source]
to_xml_element()[source]
exception ssg.build_cpe.CPEDoesNotExist[source]

Bases: Exception

class ssg.build_cpe.CPEItem(id_)[source]

Bases: XCCDFEntity, Templatable

Represents the cpe-item element from the CPE standard.

KEYS = {'ansible_conditional': <function CPEItem.<lambda>>, 'args': <function CPEItem.<lambda>>, 'bash_conditional': <function CPEItem.<lambda>>, 'check_id': <function CPEItem.<lambda>>, 'content_id': <function CPEItem.<lambda>>, 'definition_location': <function XCCDFEntity.<lambda>>, 'id_': <function XCCDFEntity.<lambda>>, 'is_product_cpe': <function CPEItem.<lambda>>, 'name': <function CPEItem.<lambda>>, 'template': <function Templatable.<lambda>>, 'title': <function XCCDFEntity.<lambda>>, 'versioned': <function CPEItem.<lambda>>}
MANDATORY_KEYS = ['name']
property cpe_oval_def_id
property cpe_oval_short_def_id
create_resolved_cpe_item_for_fact_ref(fact_ref)[source]
classmethod from_yaml(yaml_file, env_yaml=None, product_cpes=None)[source]
static is_cpe_name(cpe_id_or_name)[source]
ns = 'http://cpe.mitre.org/dictionary/2.0'
prefix = 'cpe-dict'
set_conditional(language, content)[source]
set_cpe_oval_def_id()[source]
set_template_variables(*sources)[source]
to_xml_element(cpe_oval_filename)[source]
class ssg.build_cpe.CPEList[source]

Bases: object

Represents the cpe-list element from the CPE standard.

add(cpe_item)[source]
ns = 'http://cpe.mitre.org/dictionary/2.0'
prefix = 'cpe-dict'
to_file(file_name, cpe_oval_file, selection_of_cpe_names=None)[source]
to_xml_element(cpe_oval_file, selection_of_cpe_names=None)[source]
translate_cpe_oval_def_ids()[source]
class ssg.build_cpe.ProductCPEs[source]

Bases: object

Reads from the disk all the yaml CPEs related to a product and provides them in a structured way.

add_cpe_item(cpe_item)[source]
add_resolved_cpe_items_from_platform(platform)[source]
get_cpe(cpe_id_or_name)[source]
get_cpe_for_fact_ref(fact_ref)[source]
get_cpe_name(cpe_id)[source]
get_product_cpe_names()[source]
load_content_cpes(env_yaml)[source]
load_cpes_from_directory_tree(root_path, env_yaml)[source]
load_cpes_from_list(cpes_list)[source]
load_product_cpes(env_yaml)[source]
load_product_cpes_from_list(product_cpes_list)[source]
ssg.build_cpe.extract_env_obj(objects, local_var)[source]

From a collection of objects, return the object with id matching the object_ref of the local variable.

NOTE: This assumes that a local variable can only reference one object. Which is not true, variables can reference multiple objects. But this assumption should work for OVAL checks for CPEs, as they are not that complicated.

ssg.build_cpe.extract_referred_nodes(tree_with_refs, tree_with_ids, attrname)[source]

Return the elements in tree_with_ids which are referenced from tree_with_refs via the element attribute ‘attrname’.

ssg.build_cpe.extract_subelement(objects, sub_elem_type)[source]

From a collection of element objects, return the value of the first attribute of name sub_elem_type found.

This is useful when the object is a single element and we wish to query some external reference identifier in the subtree of that element.

ssg.build_cpe.get_linked_cpe_oval_document(unlinked_oval_file_path)[source]

ssg.build_derivatives module

Common functions for enabling derivative products

ssg.build_derivatives.add_cpe_item_to_dictionary(tree_root, product_yaml_path, cpe_ref, id_name, cpe_items_dir)[source]
ssg.build_derivatives.add_cpes(elem, namespace, mapping)[source]

Adds derivative CPEs next to RHEL ones, checks XCCDF elements of given namespace.

ssg.build_derivatives.add_element_to(oval_root, tag_name, component_element)[source]
ssg.build_derivatives.add_notice(benchmark, namespace, notice, warning)[source]

Adds derivative notice as the first notice to given benchmark.

ssg.build_derivatives.add_oval_components_to_oval_xml(oval_root, tag_name, component_dict)[source]
ssg.build_derivatives.add_oval_definition_to_cpe_oval(root, unlinked_oval_file_path, oval_def_id)[source]
ssg.build_derivatives.get_cpe_item(product_yaml, cpe_ref, cpe_items_dir)[source]
ssg.build_derivatives.get_cpe_oval_root(root)[source]
ssg.build_derivatives.profile_handling(tree_root, namespace)[source]
ssg.build_derivatives.remove_cce_reference(tree_root, namespace)[source]

Remove CCE identifiers from OVAL checks in XML tree

ssg.build_derivatives.remove_idents(tree_root, namespace, prod='RHEL')[source]

Remove product identifiers from rules in XML tree

ssg.build_derivatives.replace_platform(tree_root, namespace, product)[source]

ssg.build_guides module

ssg.build_guides.build_index(benchmarks, input_basename, index_links, index_options, index_initial_src)[source]
ssg.build_guides.builder(queue)[source]

Fetch from a queue of tasks, process tasks until the queue is empty. Each task is processed with generate_for_input_content, and the guide is written as output.

Raises: when an error occurred when processing a task.

ssg.build_guides.fill_queue(benchmarks, benchmark_profile_pairs, input_path, path_base, output_dir)[source]

For each benchmark and profile in the benchmark, create a queue of tasks for later processing. A task is a named tuple (benchmark_id, profile_id, input_path, guide_path).

Returns: queue of tasks.

ssg.build_guides.generate_for_input_content(input_content, benchmark_id, profile_id)[source]

Returns HTML guide for given input_content and profile_id combination. This function assumes only one Benchmark exists in given input_content!

ssg.build_guides.get_benchmark_profile_pairs(input_tree, benchmarks)[source]
ssg.build_guides.get_output_guide_paths(benchmarks, benchmark_profile_pairs, path_base, output_dir)[source]

Return a list of guide paths containing guides for each non-skipped profile_id in a benchmark.

ssg.build_guides.get_path_args(args)[source]

Return a namedtuple of (input_path, input_basename, path_base, output_dir) from an argparse containing args.input and args.output.

ssg.build_ovals module

exception ssg.build_ovals.OVALBuildException[source]

Bases: Exception

class ssg.build_ovals.OVALBuilder(env_yaml, product_yaml_path, shared_directories, build_ovals_dir)[source]

Bases: object

get_oval_document_from_shorthands(include_benchmark)[source]
property product_name
ssg.build_ovals.expand_shorthand(shorthand_path, oval_path, env_yaml)[source]

ssg.build_profile module

class ssg.build_profile.RuleStats(rule, cis_ns)[source]

Bases: object

Class representing the content of a rule for statistics generation purposes.

class ssg.build_profile.XCCDFBenchmark(filepath, product='')[source]

Bases: object

Class for processing an XCCDF benchmark to generate statistics about the profiles contained within it.

console_print(content, width)[source]

Prints the ‘content’ array left aligned, each time 45 characters long, each row ‘width’ characters wide

get_all_profile_stats()[source]
get_profile_stats(profile)[source]

Obtain statistics for the profile

show_all_profile_stats(options)[source]
show_profile_stats(profile, options)[source]

Displays statistics for specific profile

ssg.build_profile.get_cis_uri(product)[source]
ssg.build_profile.make_name_to_profile_mapping(profile_files, env_yaml, product_cpes)[source]

ssg.build_remediations module

class ssg.build_remediations.AnacondaRemediation(file_path)[source]

Bases: Remediation

class ssg.build_remediations.AnsibleRemediation(file_path)[source]

Bases: Remediation

classmethod from_snippet_and_rule(snippet_fname, rule_fname)[source]
get_references()[source]
inject_package_facts_task(parsed_snippet)[source]

Injects a package_facts task only if the snippet has a task with a when clause with ansible_facts.packages, and the snippet doesn’t already have a package_facts task

parse_from_file_with_jinja(env_yaml, cpe_platforms)[source]
update(parsed, config, cpe_platforms)[source]
update_tags_from_config(to_update, config)[source]
update_tags_from_rule(to_update)[source]
update_when_from_rule(to_update, cpe_platforms)[source]
class ssg.build_remediations.BashRemediation(file_path)[source]

Bases: Remediation

parse_from_file_with_jinja(env_yaml, cpe_platforms)[source]
class ssg.build_remediations.BlueprintRemediation(file_path)[source]

Bases: Remediation

This provides class for OSBuild Blueprint remediations

class ssg.build_remediations.BootcRemediation(file_path)[source]

Bases: Remediation

This provides class for Bootc remediations

class ssg.build_remediations.IgnitionRemediation(file_path)[source]

Bases: Remediation

class ssg.build_remediations.KickstartRemediation(file_path)[source]

Bases: Remediation

This provides class for Kickstart remediations

class ssg.build_remediations.KubernetesRemediation(file_path)[source]

Bases: Remediation

class ssg.build_remediations.PuppetRemediation(file_path)[source]

Bases: Remediation

class ssg.build_remediations.Remediation(file_path, remediation_type)[source]

Bases: object

associate_rule(rule_obj)[source]
expand_env_yaml_from_rule()[source]
get_inherited_conditionals(language, cpe_platforms)[source]
get_inherited_cpe_platform_names()[source]
get_rule_specific_conditionals(language, cpe_platforms)[source]
get_rule_specific_cpe_platform_names()[source]
get_stripped_conditionals(language, cpe_platform_names, cpe_platforms)[source]

collect conditionals of platforms defined by cpe_platform_names and strip them of white spaces

parse_from_file_with_jinja(env_yaml, cpe_platforms)[source]
ssg.build_remediations.RemediationObject

alias of remediation

ssg.build_remediations.expand_xccdf_subs(fix, remediation_type)[source]

Expand the respective populate keywords of each remediation type with an <xccdf:sub> element

This routine translates any instance of the ‘type-populate’ keyword in the form of:

(type-populate variable_name)

where type can be either ansible, puppet, anaconda or bash, into

<sub idref=”variable_name”/>

ssg.build_remediations.get_rule_dir_remediations(dir_path, remediation_type, product=None)[source]

Gets a list of remediations of type remediation_type contained in a rule directory. If product is None, returns all such remediations. If product is not None, returns applicable remediations in order of priority:

{{{ product }}}.ext -> shared.ext

Only returns remediations which exist.

ssg.build_remediations.is_supported_filename(remediation_type, filename)[source]

Checks if filename has a supported extension for remediation_type.

Exits when remediation_type is of an unknown type.

ssg.build_remediations.load_compiled_remediations(fixes_dir)[source]
ssg.build_remediations.parse_from_file_with_jinja(file_path, env_yaml)[source]

Parses a remediation from a file. As remediations contain jinja macros, we need a env_yaml context to process these. In practice, no remediations use jinja in the configuration, so for extracting only the configuration, env_yaml can be an abritrary product.yml dictionary.

If the logic of configuration parsing changes significantly, please also update ssg.fixes.parse_platform(…).

ssg.build_remediations.parse_from_file_without_jinja(file_path)[source]

Parses a remediation from a file. Doesn’t process the Jinja macros. This function is useful in build phases in which all the Jinja macros are already resolved.

ssg.build_remediations.process(remediation, env_yaml, cpe_platforms)[source]

Process a fix, and return the processed fix iff the file is of a valid extension for the remediation type and the fix is valid for the current product.

Note that platform is a required field in the contents of the fix.

ssg.build_remediations.split_remediation_content_and_metadata(fix_file)[source]
ssg.build_remediations.write_fix_to_file(fix, file_path)[source]

Writes a single fix to the given file path.

ssg.build_renumber module

class ssg.build_renumber.FileLinker(translator, xccdftree, checks, output_file_name)[source]

Bases: object

Bass class which represents the linking of checks to their identifiers.

CHECK_NAMESPACE = None
CHECK_SYSTEM = None
add_missing_check_exports(check, checkcontentref)[source]

Returns a list of checks which have the same check system as this class.

save_linked_tree()[source]

Write internal tree to the file in self.linked_fname.

class ssg.build_renumber.OCILFileLinker(translator, xccdftree, checks, output_file_name)[source]

Bases: FileLinker

CHECK_NAMESPACE = 'http://scap.nist.gov/schema/ocil/2.0'
CHECK_SYSTEM = 'http://scap.nist.gov/schema/ocil/2'
class ssg.build_renumber.OVALFileLinker(translator, xccdftree, checks, output_file_name)[source]

Bases: FileLinker

CHECK_NAMESPACE = 'http://oval.mitre.org/XMLSchema/oval-definitions-5'
CHECK_SYSTEM = 'http://oval.mitre.org/XMLSchema/oval-definitions-5'
add_missing_check_exports(check, checkcontentref)[source]
build_ovals_dir = None
save_linked_tree()[source]

Write internal tree to the file in self.linked_fname.

save_oval_document_for_each_xccdf_rule(file_name_prefix='')[source]
ssg.build_renumber.check_and_correct_xccdf_to_oval_data_export_matching_constraints(xccdftree, oval_document)[source]

Verify if <xccdf:Value> ‘type’ to corresponding OVAL variable ‘datatype’ export matching constraint:

http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf#page=30&zoom=auto,69,313

is met. Also correct the ‘type’ attribute of those <xccdf:Value> elements where necessary in order the produced content to meet this constraint.

To correct the constraint we use simpler approach - prefer to fix ‘type’ attribute of <xccdf:Value> rather than ‘datatype’ attribute of the corresponding OVAL variable since there might be additional OVAL variables, derived from the affected OVAL variable, and in that case we would need to fix the ‘datatype’ attribute in each of them.

Define the <xccdf:Value> ‘type’ to OVAL variable ‘datatype’ export matching constraints mapping as specified in Table 16 of XCCDF v1.2 standard:

http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf#page=30&zoom=auto,69,313

ssg.build_renumber.create_xccdf_id_to_cce_id_mapping(xccdftree)[source]
ssg.build_renumber.rules_with_ids_generator(xccdftree)[source]
ssg.build_renumber.verify_correct_form_of_referenced_cce_identifiers(xccdftree)[source]

In SSG benchmarks, the CCEs till unassigned have the form of e.g. “RHEL7-CCE-TBD” (or any other format possibly not matching the above two requirements)

If this is the case for specific SSG product, drop such CCE identifiers from the XCCDF since they are in invalid format!

ssg.build_stig module

ssg.build_stig.get_description_root(srg)[source]
ssg.build_stig.get_severity(input_severity)[source]
ssg.build_stig.map_versions_to_rule_ids(reference_file_name)[source]
ssg.build_stig.parse_srgs(xml_path)[source]

ssg.build_yaml module

class ssg.build_yaml.Benchmark(id_)[source]

Bases: XCCDFEntity

Represents XCCDF Benchmark

GENERIC_FILENAME = 'benchmark.yml'
KEYS = {'cpes': <function Benchmark.<lambda>>, 'definition_location': <function XCCDFEntity.<lambda>>, 'description': <function Benchmark.<lambda>>, 'front_matter': <function Benchmark.<lambda>>, 'groups': <function Benchmark.<lambda>>, 'id_': <function XCCDFEntity.<lambda>>, 'notice_description': <function Benchmark.<lambda>>, 'notice_id': <function Benchmark.<lambda>>, 'platforms': <function Benchmark.<lambda>>, 'product_cpe_names': <function Benchmark.<lambda>>, 'profiles': <function Benchmark.<lambda>>, 'rear_matter': <function Benchmark.<lambda>>, 'rules': <function Benchmark.<lambda>>, 'status': <function Benchmark.<lambda>>, 'title': <function XCCDFEntity.<lambda>>, 'values': <function Benchmark.<lambda>>, 'version': <function Benchmark.<lambda>>}
MANDATORY_KEYS = {'description', 'front_matter', 'rear_matter', 'status', 'title'}
add_group(group, env_yaml=None, product_cpes=None)[source]
add_profiles_from_dir(dir_, env_yaml, product_cpes)[source]
add_rule(rule)[source]
add_value(value)[source]
drop_rules_not_included_in_a_profile()[source]
classmethod from_yaml(yaml_file, env_yaml=None, product_cpes=None)[source]
get_benchmark_xml_for_profiles(env_yaml, profiles, rule_and_variables_dict)[source]
get_components_not_included_in_a_profiles(profiles, rules_and_variables_dict)[source]
get_not_used_cpe_platforms(profiles)[source]
get_rules_selected_in_all_profiles(profiles=None)[source]
get_used_cpe_platforms(profiles)[source]
static get_variables_of_rules(profiles, rule_ids, rules_and_variables_dict)[source]
load_entities(rules_by_id, values_by_id, groups_by_id)[source]
classmethod process_input_dict(input_contents, env_yaml, product_cpes)[source]

Take the contents of the definition as a dictionary, and add defaults or raise errors if a required member is not present.

Extend this if you want to add, remove or alter the result that will constitute the new instance.

represent_as_dict()[source]

Produce a dict representation of the class.

Extend this method if you need the representation to be different from the object.

to_file(file_name, env_yaml=None)[source]
to_xccdf()[source]

We can easily extend this script to generate a valid XCCDF instead of SSG SHORTHAND.

to_xml_element(env_yaml=None, product_cpes=None, components_to_not_include=None)[source]
unselect_empty_groups()[source]
class ssg.build_yaml.BuildLoader(profiles_dir, env_yaml, product_cpes, sce_metadata_path=None)[source]

Bases: DirectoryLoader

export_group_to_file(filename)[source]
load_components()[source]
class ssg.build_yaml.DirectoryLoader(profiles_dir, env_yaml, product_cpes)[source]

Bases: object

load_benchmark_or_group(guide_directory)[source]

Loads a given benchmark or group from the specified benchmark_file or group_file, in the context of guide_directory, profiles_dir and env_yaml.

Returns the loaded group or benchmark.

process_directory_tree(start_dir, extra_group_dirs=None)[source]
process_directory_trees(directories)[source]
save_all_entities(base_dir)[source]
save_entities(entities, destdir)[source]
class ssg.build_yaml.Group(id_)[source]

Bases: XCCDFEntity

Represents XCCDF Group

GENERIC_FILENAME = 'group.yml'
KEYS = {'conflicts': <function Group.<lambda>>, 'cpe_platform_names': <function Group.<lambda>>, 'definition_location': <function XCCDFEntity.<lambda>>, 'description': <function Group.<lambda>>, 'groups': <function Group.<lambda>>, 'id_': <function XCCDFEntity.<lambda>>, 'inherited_platforms': <function Group.<lambda>>, 'platform': <function Group.<lambda>>, 'platforms': <function Group.<lambda>>, 'requires': <function Group.<lambda>>, 'rules': <function Group.<lambda>>, 'title': <function XCCDFEntity.<lambda>>, 'values': <function Group.<lambda>>, 'warnings': <function Group.<lambda>>}
MANDATORY_KEYS = {'description', 'front_matter', 'rear_matter', 'status', 'title'}
add_group(group, env_yaml=None, product_cpes=None)[source]
add_rule(rule, env_yaml=None, product_cpes=None)[source]
add_value(value)[source]
contains_rules(rule_ids)[source]
contains_variables(variable_ids)[source]
get_not_included_components(rule_ids_list, variables_ids_list)[source]
get_used_cpe_platforms(rule_ids_list)[source]
load_entities(rules_by_id, values_by_id, groups_by_id)[source]
classmethod process_input_dict(input_contents, env_yaml, product_cpes=None)[source]

Take the contents of the definition as a dictionary, and add defaults or raise errors if a required member is not present.

Extend this if you want to add, remove or alter the result that will constitute the new instance.

remove_rules_with_ids_not_listed(rule_ids_list)[source]
represent_as_dict()[source]

Produce a dict representation of the class.

Extend this method if you need the representation to be different from the object.

to_xml_element(env_yaml=None, components_to_not_include=None)[source]
class ssg.build_yaml.LinearLoader(env_yaml, resolved_path)[source]

Bases: object

add_fixes_to_rules()[source]
export_benchmark_to_file(filename)[source]
export_benchmark_to_xml(rule_and_variables_dict)[source]
export_ocil_to_file(filename)[source]
export_ocil_to_xml(benchmark=None)[source]
find_first_groups_ids(start_dir)[source]
get_benchmark_xml()[source]
get_benchmark_xml_by_profile(rule_and_variables_dict)[source]
load_benchmark(directory)[source]
load_compiled_content()[source]
load_entities_by_id(filenames, destination, cls)[source]
class ssg.build_yaml.Platform(id_)[source]

Bases: XCCDFEntity

KEYS = {'ansible_conditional': <function Platform.<lambda>>, 'bash_conditional': <function Platform.<lambda>>, 'definition_location': <function XCCDFEntity.<lambda>>, 'id_': <function XCCDFEntity.<lambda>>, 'name': <function Platform.<lambda>>, 'original_expression': <function Platform.<lambda>>, 'title': <function XCCDFEntity.<lambda>>, 'xml_content': <function Platform.<lambda>>}
MANDATORY_KEYS = ['name', 'xml_content', 'original_expression', 'bash_conditional', 'ansible_conditional']
classmethod from_text(expression, product_cpes)[source]
classmethod from_yaml(yaml_file, env_yaml=None, product_cpes=None)[source]
get_fact_refs()[source]
get_remediation_conditional(language)[source]
get_xml()[source]
ns = 'http://cpe.mitre.org/language/2.0'
prefix = 'cpe-lang'
to_xml_element()[source]
update_conditional_from_cpe_items(language, product_cpes)[source]
class ssg.build_yaml.Rule(id_)[source]

Bases: XCCDFEntity, Templatable

Represents XCCDF Rule

GENERIC_FILENAME = 'rule.yml'
ID_LABEL = 'rule_id'
KEYS = {'bash_conditional': <function Rule.<lambda>>, 'checktext': <function Rule.<lambda>>, 'components': <function Rule.<lambda>>, 'conflicts': <function Rule.<lambda>>, 'control_references': <function Rule.<lambda>>, 'cpe_platform_names': <function Rule.<lambda>>, 'definition_location': <function XCCDFEntity.<lambda>>, 'description': <function Rule.<lambda>>, 'fixes': <function Rule.<lambda>>, 'fixtext': <function Rule.<lambda>>, 'id_': <function XCCDFEntity.<lambda>>, 'identifiers': <function Rule.<lambda>>, 'inherited_cpe_platform_names': <function Rule.<lambda>>, 'inherited_platforms': <function Rule.<lambda>>, 'ocil': <function Rule.<lambda>>, 'ocil_clause': <function Rule.<lambda>>, 'oval_external_content': <function Rule.<lambda>>, 'platform': <function Rule.<lambda>>, 'platforms': <function Rule.<lambda>>, 'policy_specific_content': <function Rule.<lambda>>, 'rationale': <function Rule.<lambda>>, 'references': <function Rule.<lambda>>, 'requires': <function Rule.<lambda>>, 'sce_metadata': <function Rule.<lambda>>, 'severity': <function Rule.<lambda>>, 'srg_requirement': <function Rule.<lambda>>, 'template': <function Templatable.<lambda>>, 'title': <function XCCDFEntity.<lambda>>, 'vuldiscussion': <function Rule.<lambda>>, 'warnings': <function Rule.<lambda>>}
MANDATORY_KEYS = {'description', 'rationale', 'severity', 'title'}
PRODUCT_REFERENCES = ('stigid', 'cis')
add_control_reference(ref_type, ref_value)[source]
add_fixes(fixes)[source]
add_stig_references(stig_references)[source]
find_policy_specific_content(rule_root)[source]
classmethod from_yaml(yaml_file, env_yaml=None, product_cpes=None, sce_metadata=None)[source]
get_template_context(env_yaml)[source]
load_policy_specific_content(rule_filename, env_yaml)[source]
make_refs_and_identifiers_product_specific(product)[source]
merge_control_references()[source]
normalize(product)[source]
read_policy_specific_content(env_yaml, files)[source]
read_policy_specific_content_file(env_yaml, filename)[source]
to_ocil()[source]
to_xml_element(env_yaml=None)[source]
triage_policy_specific_content(product_name, filenames)[source]
validate_identifiers(yaml_file)[source]
validate_references(yaml_file)[source]
class ssg.build_yaml.Value(id_)[source]

Bases: XCCDFEntity

Represents XCCDF Value

KEYS = {'definition_location': <function XCCDFEntity.<lambda>>, 'description': <function Value.<lambda>>, 'id_': <function XCCDFEntity.<lambda>>, 'interactive': <function Value.<lambda>>, 'operator': <function Value.<lambda>>, 'options': <function Value.<lambda>>, 'title': <function XCCDFEntity.<lambda>>, 'type': <function Value.<lambda>>, 'warnings': <function Value.<lambda>>}
MANDATORY_KEYS = {'description', 'title', 'type'}
classmethod from_yaml(yaml_file, env_yaml=None, product_cpes=None)[source]
classmethod process_input_dict(input_contents, env_yaml, product_cpes=None)[source]

Take the contents of the definition as a dictionary, and add defaults or raise errors if a required member is not present.

Extend this if you want to add, remove or alter the result that will constitute the new instance.

to_xml_element()[source]
ssg.build_yaml.add_benchmark_metadata(element, contributors_file)[source]
ssg.build_yaml.add_nondata_subelements(element, subelement, attribute, attr_data)[source]

Add multiple iterations of a sublement that contains an attribute but no data For example, <requires id=”my_required_id”/>

ssg.build_yaml.add_platform_if_not_defined(platform, product_cpes)[source]
ssg.build_yaml.add_reference_elements(element, references, ref_uri_dict)[source]
ssg.build_yaml.add_reference_title_elements(benchmark_el, env_yaml)[source]
ssg.build_yaml.add_warning_elements(element, warnings)[source]
ssg.build_yaml.check_warnings(xccdf_structure)[source]
ssg.build_yaml.noop_rule_filterfunc(rule)[source]
ssg.build_yaml.reorder_according_to_ordering(unordered, ordering, regex=None)[source]
ssg.build_yaml.rule_filter_from_def(filterdef)[source]

ssg.checks module

ssg.checks.get_content_ref_if_exists_and_not_remote(check)[source]

Given an OVAL check element, examine the xccdf_ns:check-content-ref

If it exists and it isn’t remote, pass it as the return value. Otherwise, return None.

..see-also:: is_content_href_remote

ssg.checks.get_oval_contents(rule_obj, oval_id)[source]

Returns the tuple (path, contents) of the check described by the given oval_id or product.

ssg.checks.get_oval_path(rule_obj, oval_id)[source]

For the given oval_id or product, return the full path to the check in the given rule.

ssg.checks.is_content_href_remote(check_content_ref)[source]

Given an OVAL check-content-ref element, examine the ‘href’ attribute.

If it starts with ‘http://’ or ‘https://’, return True, otherwise return False.

Raises RuntimeError if the href element doesn’t exist.

ssg.checks.set_applicable_platforms(oval_contents, new_platforms)[source]

Returns a modified contents which updates the platforms to the new platforms.

ssg.constants module

class ssg.constants.OvalNamespaces[source]

Bases: object

definition = 'http://oval.mitre.org/XMLSchema/oval-definitions-5'
independent = 'http://oval.mitre.org/XMLSchema/oval-definitions-5#independent'
linux = 'http://oval.mitre.org/XMLSchema/oval-definitions-5#linux'
oval = 'http://oval.mitre.org/XMLSchema/oval-common-5'
class ssg.constants.Reference(id, name, url, regex_with_groups)

Bases: tuple

id

Alias for field number 0

name

Alias for field number 1

regex_with_groups

Alias for field number 3

url

Alias for field number 2

ssg.contributors module

ssg.contributors.generate()[source]

ssg.fixes module

ssg.fixes.applicable_platforms(fix_path)[source]
ssg.fixes.find_platform_line(fix_contents)[source]

Parses the platform configuration item to determine the line number that the platforms configuration option is on. If this key is not found, None is returned instead.

Note that this performs no validation on the contents of the file besides this and does not return the current value of the platform.

If the configuration specification changes any, please update the corresponding parsing in ssg.build_remediations.parse_from_file_with_jinja (…).

ssg.fixes.get_fix_contents(rule_obj, lang, fix_id)[source]

Returns the tuple (path, contents) of the fix described by the given fix_id or product.

ssg.fixes.get_fix_path(rule_obj, lang, fix_id)[source]

For the given fix_id or product, return the full path to the fix of the given language in the rule described by the given rule_obj.

ssg.fixes.set_applicable_platforms(fix_contents, new_platforms)[source]

Returns a modified contents which updates the platforms to the new platforms.

ssg.id_translate module

class ssg.id_translate.IDTranslator(content_id)[source]

Bases: object

This class is designed to handle the mapping of meaningful, human-readable names to IDs in the formats required by the SCAP checking systems, such as OVAL and OCIL.

generate_id(tagname, name)[source]
translate(tree, store_defname=False)[source]
translate_oval_document(oval_document, store_defname=False)[source]

ssg.jinja module

class ssg.jinja.AbsolutePathFileSystemLoader(encoding='utf-8')[source]

Bases: BaseLoader

Loads templates from the file system. This loader insists on absolute paths and fails if a relative path is provided.

>>> loader = AbsolutePathFileSystemLoader()

Per default the template encoding is 'utf-8' which can be changed by setting the encoding parameter to something else.

get_source(environment, template)[source]

Get the template source, filename and reload helper for a template. It’s passed the environment and template name and has to return a tuple in the form (source, filename, uptodate) or raise a TemplateNotFound error if it can’t locate the template.

The source part of the returned tuple must be the source of the template as a string. The filename should be the name of the file on the filesystem if it was loaded from there, otherwise None. The filename is used by Python for the tracebacks if no loader extension is used.

The last item in the tuple is the uptodate function. If auto reloading is enabled it’s always called to check if the template changed. No arguments are passed so the function must store the old state somewhere (for example in a closure). If it returns False the template will be reloaded.

exception ssg.jinja.MacroError[source]

Bases: RuntimeError

ssg.jinja.add_python_functions(substitutions_dict)[source]
ssg.jinja.expand_yaml_path(path, parameter)[source]
ssg.jinja.load_macros(substitutions_dict=None)[source]

Augment the substitutions_dict dict with project Jinja macros in /shared/.

ssg.jinja.process_file(filepath, substitutions_dict)[source]

Process the jinja file at the given path with the specified substitutions. Return the result as a string. Note that this will not load the project macros; use process_file_with_macros(…) for that.

ssg.jinja.process_file_with_macros(filepath, substitutions_dict)[source]

Process the file with jinja macros at the given path with the specified substitutions. Return the result as a string.

See also: process_file

ssg.jinja.raise_exception(message)[source]
ssg.jinja.render_template(data, template_path, output_path, loader)[source]
ssg.jinja.update_substitutions_dict(filename, substitutions_dict)[source]

Treat the given filename as a jinja2 file containing macro definitions, and export definitions that don’t start with _ into the substitutions_dict, a name->macro dictionary. During macro compilation, symbols already existing in substitutions_dict may be used by those definitions.

ssg.jinja.url_encode(source)[source]

ssg.oval module

ssg.oval.applicable_platforms(oval_file, oval_version_string=None)[source]

Returns the applicable platforms for a given oval file

ssg.oval.parse_affected(oval_contents)[source]

Returns the tuple (start_affected, end_affected, platform_indents) for the passed oval file contents. start_affected is the line number of starting tag of the <affected> element, end_affected is the line number of the closing tag of the </affected> element, and platform_indents is a string containing the indenting characters before the contents of the <affected> element.

ssg.parse_oval module

class ssg.parse_oval.ElementFinder(oval_groups)[source]

Bases: object

find_element(start_element, target_element_name, sought_attrib)[source]
ssg.parse_oval.find_extending_defs(oval_groups, defn)[source]
ssg.parse_oval.get_container_groups(fname)[source]
ssg.parse_oval.resolve_definition(oval_groups, defn)[source]

ssg.playbook_builder module

class ssg.playbook_builder.PlaybookBuilder(product_yaml_path, input_dir, output_dir, rules_dir, profiles_dir, build_config_yaml)[source]

Bases: object

build(profile_id=None, rule_id=None)[source]

Creates Playbooks for a specified profile. If profile is not given, creates playbooks for all profiles in the product. If the rule_id is not given, Playbooks are created for every rule.

choose_variable_value(var_id, variables, refinements)[source]

Determine value of variable based on profile refinements.

create_playbook(snippet_path, rule_id, variables, refinements, output_dir)[source]

Creates a Playbook from Ansible snippet for the given rule specified by rule ID, fills in the profile values and saves it into output_dir.

create_playbook_for_single_rule(profile, rule_id, variables)[source]

Creates a Playbook for given rule specified by a rule_id. Created Playbooks are parametrized by variables according to profile selection. Playbooks are written into a new subdirectory in output_dir.

create_playbooks_for_all_rules(variables)[source]
create_playbooks_for_all_rules_in_profile(profile, variables)[source]

Creates a Playbook for each rule selected in a profile from tasks extracted from snippets. Created Playbooks are parametrized by variables according to profile selection. Playbooks are written into a new subdirectory in output_dir.

get_benchmark_variables()[source]

Get all variables, their selectors and values used in a given benchmark. Returns a dictionary where keys are variable IDs and values are dictionaries where keys are selectors and values are variable values.

get_data_from_snippet(snippet_yaml, variables, refinements)[source]

Extracts and resolves tasks and variables from Ansible snippet.

open_profile(profile_path)[source]

Opens and parses profile at the given profile_path.

ssg.products module

class ssg.products.Product(filename)[source]

Bases: object

expand_by_acquired_data(property_dict)[source]
get(key, default=None)[source]
read_properties_from_directory(path)[source]
static transform_default_and_overrides_mappings_to_mapping(mappings)[source]
write(filename)[source]
ssg.products.get_all(ssg_root)[source]

Analyzes all products in the SSG root and sorts them into two categories: those which use linux_os and those which use their own directory. Returns a namedtuple of sets, (linux, other).

ssg.products.get_all_product_yamls(ssg_root)[source]
ssg.products.get_all_products_with_same_guide_directory(ssg_root, product_yaml)[source]
ssg.products.get_profile_files_from_root(env_yaml, product_yaml)[source]
ssg.products.get_profiles_directory(env_yaml)[source]
ssg.products.load_product_yaml(product_yaml_path)[source]

Reads a product data from disk and returns it. The returned product dictionary also contains derived useful information.

ssg.products.product_yaml_path(ssg_root, product)[source]

ssg.rule_dir_stats module

This module contains common code shared by utils/rule_dir_stats.py and utils/rule_dir_diff.py. This code includes functions for walking the output of the utils/rule_dir_json.py script, and filtering functions used in both scripts.

ssg.rule_dir_stats.filter_rule_ids(all_keys, queries)[source]

From a set of queries (a comma separated list of queries, where a query is either a rule id or a substring thereof), return the set of matching keys from all_keys. When queries is the literal string “all”, return all of the keys.

ssg.rule_dir_stats.get_affected_products(rule_obj)[source]

From a rule_obj, return the set of affected products from rule.yml

ssg.rule_dir_stats.get_all_affected_products(args, rule_obj)[source]

From a rule_obj, return the set of affected products from rule.yml, and all fixes and checks.

If args.strict is set, this function is equivalent to get_affected_products. Otherwise, it includes ovals and fix content based on the values of args.fixes_only and args.ovals_only.

ssg.rule_dir_stats.missing_oval(rule_obj)[source]

For a rule object, check if it is missing an oval.

ssg.rule_dir_stats.missing_remediation(rule_obj, r_type)[source]

For a rule object, check if it is missing a remediation of type r_type.

ssg.rule_dir_stats.product_names_oval(rule_obj)[source]

For a rule_obj, check the scope of the platforms versus the product name of the OVAL objects.

ssg.rule_dir_stats.product_names_remediation(rule_obj, r_type)[source]

For a rule_obj, check the scope of the platforms versus the product name of the remediations of type r_type.

ssg.rule_dir_stats.two_plus_oval(rule_obj)[source]

For a rule object, check if it has two or more OVALs.

ssg.rule_dir_stats.two_plus_remediation(rule_obj, r_type)[source]

For a rule object, check if it has two or more remediations of type r_type.

ssg.rule_dir_stats.walk_rule_stats(rule_output)[source]

Walk the output of a rule, generating statistics about affected ovals, remediations, and generating verbose output in a stable order.

Returns a tuple of (affected_ovals, affected_remediations, all_affected_remediations, affected_remediations_type, all_output)

ssg.rule_dir_stats.walk_rules(args, known_rules, oval_func, remediation_func)[source]

Walk a dictionary of known_rules, returning the number of visited rules and the output at each visited rule, conditionally calling oval_func and remediation_func based on the values of args.fixes_only and args.ovals_only. If the result of these functions are not Falsy, set the appropriate output content.

The input rule_obj structure is the value of known_rules[rule_id].

The output structure is a dict as follows:

{
    rule_id: {
        "oval": oval_func(args, rule_obj),
        "ansible": remediation_func(args, "ansible", rule_obj),
        "anaconda": remediation_func(args, "anaconda", rule_obj),
        "bash": remediation_func(args, "bash", rule_obj),
        "puppet": remediation_func(args, "puppet", rule_obj)
    },
    ...
}

The arguments supplied to oval_func are args and rule_obj. The arguments supplied to remediation_func are args, the remediation type, and rule_obj.

ssg.rule_dir_stats.walk_rules_diff(args, left_rules, right_rules, oval_func, remediation_func)[source]

Walk a two dictionary of known_rules (left_rules and right_rules) and generate five sets of output: left_only rules output, right_only rules output, shared left output, shared right output, and shared common output, as a five-tuple, where each tuple element is equivalent to walk_rules on the appropriate set of rules.

Does not understand renaming of rule_ids as this would depend on disk content to reflect these differences. Unless significantly more data is added to the rule_obj structure (contents of rule.yml, ovals, remediations, etc.), all information besides ‘title’ is not uniquely identifying or could be easily updated.

ssg.rule_dir_stats.walk_rules_diff_stats(results)[source]

Takes the results of walk_rules_diff (results) and generates five sets of output statistics: left_only rules output, right_only rules output, shared left output, shared right output, and shared common output, as a five-tuple, where each tuple element is equivalent to walk_rules_stats on the appropriate set of rules.

Can assert.

ssg.rule_dir_stats.walk_rules_parallel(args, left_rules, right_rules, oval_func, remediation_func)[source]

Walks two sets of known_rules (left_rules and right_rules) with identical keys and returns left_only, right_only, and common_only output from _walk_rule. If the outputted data for a rule when called on left_rules and right_rules is the same, it is added to common_only. Only rules which output different data will have their data added to left_only and right_only respectively.

Can assert.

ssg.rule_dir_stats.walk_rules_stats(args, known_rules, oval_func, remediation_func)[source]

Walk a dictionary of known_rules and generate simple aggregate statistics for all visited rules. The oval_func and remediation_func arguments behave according to walk_rules().

Returned values are visited_rules, affected_ovals, affected_remediation, a dictionary containing all fix types and the quantity of affected fixes, and the ordered output of all functions.

An effort is made to provide consistently ordered verbose_output by sorting all visited keys and the keys of ssg.build_remediations.REMEDIATION_MAP.

ssg.rule_yaml module

The rule_yaml module provides various utility functions for handling YAML files containing Jinja macros, without having to parse the macros.

ssg.rule_yaml.add_key_value(contents, key, start_line, new_value)[source]

Adds a new key to contents with the given value after line start_line, returning the result. Also adds a blank line afterwards.

Does not modify the value of contents.

ssg.rule_yaml.find_section_lines(file_contents, sec)[source]

Parses the given file_contents as YAML to find the section with the given identifier. Note that this does not call into the yaml library and thus correctly handles jinja macros at the expense of not being a strictly valid yaml parsing.

Returns a list of namedtuples (start, end) of the lines where section exists.

ssg.rule_yaml.get_section_lines(file_path, file_contents, key_name)[source]

From the given file_path and file_contents, find the lines describing the section key_name and returns the line range of the section.

ssg.rule_yaml.get_yaml_contents(rule_obj)[source]

From a rule_obj description, return a namedtuple of (path, contents); where path is the path to the rule YAML and contents is the list of lines in the file.

ssg.rule_yaml.has_duplicated_subkeys(file_path, file_contents, sections)[source]

Checks whether a section has duplicated keys. Note that these are silently eaten by the YAML parser we use.

ssg.rule_yaml.parse_from_yaml(file_contents, lines)[source]

Parse the given line range as a yaml, returning the parsed object.

ssg.rule_yaml.remove_lines(contents, lines)[source]

Remove the lines of the section from the parsed file, returning the new contents.

Does not modify the passed in contents.

ssg.rule_yaml.sort_section_keys(file_path, file_contents, sections, sort_func=None)[source]

Sort subkeys in a YAML file’s section.

ssg.rule_yaml.update_key_value(contents, key, old_value, new_value)[source]

Find key in the contents of a file and replace its value with the new value, returning the resulting file. This validates that the old value is constant and hasn’t changed since parsing its value.

Raises a ValueError when the key cannot be found in the given contents.

Does not modify the value of contents.

ssg.rules module

ssg.rules.applies_to_product(file_name, product)[source]

A OVAL or fix is filtered by product iff product is Falsy, file_name is “shared”, or file_name is product. Note that this does not filter by contents of the fix or check, only by the name of the file.

ssg.rules.find_rule_dirs(base_dir)[source]

Generator which yields all rule directories within a given base_dir, recursively

ssg.rules.find_rule_dirs_in_paths(base_dirs)[source]

Generator which yields all rule directories within a given directories list, recursively

ssg.rules.get_rule_dir_id(path)[source]

Returns the ID of a rule directory; correctly handles being passed either the directory path or the yaml metadata path.

ssg.rules.get_rule_dir_ovals(dir_path, product=None)[source]

Gets a list of OVALs contained in a rule directory. If product is None, returns all OVALs. If product is not None, returns applicable OVALs in order of priority:

{{{ product }}}.xml -> shared.xml

Only returns OVALs which exist.

ssg.rules.get_rule_dir_sces(dir_path, product=None)[source]

Get a list of SCEs contained in a rule directory. If product is None, returns all SCEs. If product is not None, returns applicable SCEs in order of priority:

{{{ product }}}.{{{ ext }}} -> shared.{{{ ext }}}

Only returns SCEs which exist.

ssg.rules.get_rule_dir_yaml(dir_path)[source]

Returns the path to the yaml metadata for a rule directory, regardless of if it exists.

ssg.rules.is_rule_dir(dir_path)[source]

Returns True iff dir_path is a valid rule directory which exists

To be valid, dir_path must exist and be a directory and the file returned by get_rule_dir_yaml(dir_path) must exist.

ssg.shims module

ssg.shims.input_func(prompt=None)[source]

ssg.templates module

class ssg.templates.Builder(env_yaml, resolved_rules_dir, templates_dir, remediations_dir, checks_dir, platforms_dir, cpe_items_dir)[source]

Bases: object

Class for building all templated content for a given product.

To generate content from templates, pass the env_yaml, path to the directory with resolved rule YAMLs, path to the directory that contains templates, path to the output directory for checks and a path to the output directory for remediations into the constructor. Then, call the method build() to perform a build.

build()[source]

Builds all templated content for all languages, writing the output to the correct build directories.

build_all_platforms()[source]
build_all_rules()[source]
build_cpe(cpe)[source]
build_extra_ovals()[source]
build_lang_for_templatable(templatable, lang)[source]

Builds templated content of a given Templatable for a selected language returning the filled template.

build_platform(platform)[source]

Builds templated content of a given Platform (all CPEs/Symbols) for all available languages, writing the output to the correct build directories and updating the platform it self.

build_rule(rule)[source]

Builds templated content of a given Rule for all available languages, writing the output to the correct build directories.

get_lang_contents_for_templatable(templatable, language)[source]

For the specified Templatable, build and return only the specified language content.

get_resolved_langs_to_generate(templatable)[source]

Given a specific Templatable instance, determine which languages are generated by the combination of the template supported_languages AND the Templatable’s template configuration ‘backends’.

process_template_lang_file(template_name, template_vars, lang, local_env_yaml)[source]

Processes template for a given template name and language and returns rendered content.

write_lang_contents_for_templatable(filled_template, lang, templatable)[source]
class ssg.templates.Template(templates_root_directory, name)[source]

Bases: object

classmethod load_template(templates_root_directory, name)[source]
preprocess(parameters, lang)[source]
ssg.templates.TemplatingLang

alias of templating_language_attributes

ssg.templates.load_module(module_name, module_path)[source]

ssg.utils module

exception ssg.utils.SSGError[source]

Bases: RuntimeError

class ssg.utils.VersionSpecifier(op, evr_ver_dict)[source]

Bases: object

property cpe_id
property ev_ver
static evr_dict_to_str(evr, fully_formed_evr_string=False)[source]
property evr_op
property evr_ver
property oval_id
property title
property ver
class ssg.utils.VersionSpecifierSet(s=())[source]

Bases: set

property cpe_id
property oval_id
property title
ssg.utils.apply_formatting_on_dict_values(source_dict, string_dict, ignored_keys=frozenset({}))[source]

Uses Python built-in string replacement. It replaces strings marked by {token} if “token” is a key in the string_dict parameter. It skips keys in source_dict which are listed in ignored_keys parameter. This works only for dictionaries whose values are dicts or strings

ssg.utils.banner_anchor_wrap(banner_text)[source]
ssg.utils.banner_regexify(banner_text)[source]
ssg.utils.check_conflict_regex_directory(data)[source]

Validate that either all path are directories OR file_regex exists.

Throws ValueError.

ssg.utils.comparison_to_oval(op)[source]
ssg.utils.ensure_file_paths_and_file_regexes_are_correctly_defined(data)[source]

This function is common for the file_owner, file_groupowner and file_permissions templates. It ensures that the data structure meets certain rules, e.g. the file_path item is a list and number of list items in file_regex equals to number of items in file_path.

ssg.utils.enum(*args)[source]
ssg.utils.escape_comparison(op)[source]
ssg.utils.escape_id(text)[source]
ssg.utils.escape_regex(text)[source]
ssg.utils.escape_yaml_key(text)[source]
ssg.utils.get_cpu_count()[source]

Returns the most likely estimate of the number of CPUs in the machine for threading purposes, gracefully handling errors and possible exceptions.

ssg.utils.get_fixed_product_version(product, product_version)[source]
ssg.utils.is_applicable(platform, product)[source]

Function to check if a platform is applicable for the product. Handles when a platform is really a list of products.

Returns true iff product is applicable for the platform or list of products

ssg.utils.is_applicable_for_product(platform, product)[source]

Based on the platform dict specifier of the remediation script to determine if this remediation script is applicable for this product. Return ‘True’ if so, ‘False’ otherwise

ssg.utils.map_name(version)[source]

Maps SSG Makefile internal product name to official product name

ssg.utils.merge_dicts(left, right)[source]

Merges two dictionaries, keeing left and right as passed. If there are any common keys between left and right, the value from right is use.

Returns the merger of the left and right dictionaries

ssg.utils.mkdir_p(path)[source]
ssg.utils.name_to_platform(names)[source]

Converts one or more full names to a string containing one or more <platform> elements.

ssg.utils.parse_name(product)[source]

Returns a namedtuple of (name, version) from parsing a given product; e.g., “rhel7” -> (“rhel”, “7”)

ssg.utils.parse_platform(platform)[source]

From a platform line, returns the set of platforms listed.

ssg.utils.parse_template_boolean_value(data, parameter, default_value)[source]
ssg.utils.product_to_name(prod)[source]

Converts a vaguely-product-id-like thing into one or more full product names.

ssg.utils.product_to_platform(prods)[source]

Converts one or more product ids into a string with one or more <platform> elements.

ssg.utils.read_file_list(path)[source]

Reads the given file path and returns the contents as a list.

ssg.utils.recurse_or_substitute_or_do_nothing(v, string_dict, ignored_keys=frozenset({}))[source]
ssg.utils.required_key(_dict, _key)[source]

Returns the value of _key if it is in _dict; otherwise, raise an exception stating that it was not found but is required.

ssg.utils.sha256(text)[source]
ssg.utils.split_string_content(content)[source]

Split the string content and returns as a list.

ssg.utils.subset_dict(dictionary, keys)[source]

Restricts dictionary to only have keys from keys. Does not modify either dictionary or keys, returning the result instead.

ssg.utils.write_list_file(path, contents)[source]

Writes the given contents to path.

ssg.xccdf module

A couple generic XCCDF utilities used by build_all_guides.py and build_all_remediations.py

Author: Martin Preisler <mpreisle@redhat.com>

ssg.xccdf.get_benchmark_id_title_map(input_tree)[source]
ssg.xccdf.get_profile_choices_for_input(input_tree, benchmark_id, tailoring_tree)[source]

Returns a dictionary that maps profile_ids to their respective titles.

ssg.xccdf.get_profile_short_id(long_id)[source]

If given profile ID is the XCCDF 1.2 long ID this function shortens it

ssg.xccdf.scrape_benchmarks(root, namespace, dest)[source]

Add all benchmark elements in root to dest list

ssg.xml module

class ssg.xml.XMLBenchmark(root)[source]

Bases: XMLElement

Represents an XCCDF Benchmark read from an XML file.

find_all_cpe_platforms(idref)[source]
find_rule(rule_id)[source]
find_rules(rule_id)[source]
class ssg.xml.XMLCPEPlatform(root)[source]

Bases: XMLElement

find_all_check_fact_ref_elements()[source]
class ssg.xml.XMLComponent(root)[source]

Bases: XMLElement

Represents the element of the Data stream component that has relevant content.

This make it easier to access contents pertaining to a SCAP component.

find_boolean_question(ocil_id)[source]
find_ocil_boolean_question(question_id)[source]
find_ocil_questionnaire(def_id)[source]
find_ocil_test_action(test_action_ref)[source]
find_oval_definition(def_id)[source]
class ssg.xml.XMLContent(root)[source]

Bases: XMLElement

Can represent a Data Stream or an XCCDF Benchmark read from an XML file.

check_engines = [('OVAL', 'oval:oval_definitions'), ('OCIL', 'ocil:ocil')]
find_benchmark(id_)[source]
get_benchmarks()[source]
get_component_refs()[source]
get_uris()[source]
is_benchmark()[source]
class ssg.xml.XMLElement(root)[source]

Bases: object

Represents an generic element read from an XML file.

get_attr(attr)[source]
get_namespace()[source]
ns = {'catalog': 'urn:oasis:names:tc:entity:xmlns:xml:catalog', 'cpe-lang': 'http://cpe.mitre.org/language/2.0', 'ds': 'http://scap.nist.gov/schema/scap/source/1.2', 'ocil': 'http://scap.nist.gov/schema/ocil/2.0', 'oval': 'http://oval.mitre.org/XMLSchema/oval-definitions-5', 'xccdf-1.1': 'http://checklists.nist.gov/xccdf/1.1', 'xccdf-1.2': 'http://checklists.nist.gov/xccdf/1.2', 'xlink': 'http://www.w3.org/1999/xlink'}
class ssg.xml.XMLOcilQuestion(root)[source]

Bases: XMLComponent

get_question_test_element()[source]
class ssg.xml.XMLOcilQuestionnaire(root)[source]

Bases: XMLComponent

get_test_action_ref_element()[source]
class ssg.xml.XMLOcilTestAction(root)[source]

Bases: XMLComponent

class ssg.xml.XMLOvalDefinition(root)[source]

Bases: XMLComponent

get_criteria_element()[source]
get_elements()[source]
class ssg.xml.XMLRule(root)[source]

Bases: XMLElement

Represents an XCCDF Rule read from an XML file.

get_all_platform_elements()[source]
get_check_content_ref_element(check_element)[source]
get_check_element(check_system_uri)[source]
get_element_text(el)[source]
get_fix_element(fix_uri)[source]
get_version_element()[source]
join_text_elements()[source]

This function collects the text of almost all subelements. Similar to what itertext() would do, except that this function skips some elements that are not relevant for comparison.

This function also injects a line for each element whose text was collected, to facilitate tracking of where in the rule the text came from.

ssg.xml.add_xhtml_namespace(data)[source]

Given a xml blob, adds the xhtml namespace to all relevant tags.

ssg.xml.determine_xccdf_tree_namespace(tree)[source]
ssg.xml.get_element_namespace(self)[source]
ssg.xml.get_element_tag_without_ns(xml_tag)[source]
ssg.xml.get_namespaces_from(file)[source]

Return dictionary of namespaces in file. Return empty dictionary in case of error.

ssg.xml.map_elements_to_their_ids(tree, xpath_expr)[source]

Given an ElementTree and an XPath expression, iterate through matching elements and create 1:1 id->element mapping.

Raises AssertionError if a matching element doesn’t have the id attribute.

Returns mapping as a dictionary

ssg.xml.open_xml(filename)[source]

Given a filename, register all possible namespaces, and return the XML tree.

ssg.xml.oval_generated_header(product_name, schema_version, ssg_version)[source]
ssg.xml.parse_file(filename)[source]

Given a filename, return the root of the ElementTree

ssg.xml.register_namespaces(ns=None)[source]

Register all possible namespaces

ssg.yaml module

exception ssg.yaml.DocumentationNotComplete[source]

Bases: Exception

ssg.yaml.convert_string_to_bool(string)[source]

Returns True if string is “true” (in any letter case) returns False if “false” raises ValueError

ssg.yaml.open_and_expand(yaml_file, substitutions_dict=None)[source]

Process the file as a template, using substitutions_dict to perform expansion. Then, process the expansion result as a YAML content.

See also: _open_yaml

ssg.yaml.open_and_macro_expand(yaml_file, substitutions_dict=None)[source]

Do the same as open_and_expand, but load definitions of macros so they can be expanded in the template.

ssg.yaml.open_raw(yaml_file)[source]

Open given file-like object and parse it as YAML without performing any kind of template processing

See also: _open_yaml

ssg.yaml.ordered_dump(data, stream=None, Dumper=<class 'yaml.cyaml.CDumper'>, **kwds)[source]

Drop-in replacement for yaml.dump(), but preserves order of dictionaries

ssg.yaml.ordered_load(stream, Loader=<class 'yaml.cyaml.CLoader'>, object_pairs_hook=<class 'collections.OrderedDict'>)[source]

Drop-in replacement for yaml.load(), but preserves order of dictionaries

ssg.yaml.update_yaml_list_or_string(current_contents, new_contents, prepend=False)[source]

Module contents