From fa5da8aa5fd59a05beff19de1bca1fa99a48ce85 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Tue, 10 Sep 2024 15:43:13 -0500
Subject: [PATCH] Revert "Add tools used for upadting CCIs"

This reverts commit 5293e972af2e9de8595efbc7fac96de16525abef.
This commit is to keep the scripts used in the git history.
---
 utils/clean_up_dupkeys.py | 91 ---------------------------------------
 utils/update_cci.py       | 90 --------------------------------------
 2 files changed, 181 deletions(-)
 delete mode 100644 utils/clean_up_dupkeys.py
 delete mode 100755 utils/update_cci.py

diff --git a/utils/clean_up_dupkeys.py b/utils/clean_up_dupkeys.py
deleted file mode 100644
index bfa5f5300af4..000000000000
--- a/utils/clean_up_dupkeys.py
+++ /dev/null
@@ -1,91 +0,0 @@
-import re
-from pprint import pprint
-
-
-
-if __name__ == "__main__":
- paths = [
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml",
-"/home/mburket/Developer/ComplianceAsCode/content/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml",
-]
- for path in paths:
- offending_lines = list()
- with open(path, 'r') as fp:
- lines = fp.readlines()
- for idx, line in enumerate(lines):
- if re.match(r'\s+disa:', line):
- offending_lines.append(idx)
- if len(offending_lines) == 2:
- del lines[offending_lines[0]]
- pprint(offending_lines)
- with open(path, 'w') as fp:
- fp.writelines(lines)
diff --git a/utils/update_cci.py b/utils/update_cci.py
deleted file mode 100755
index d19f2e3bd1d0..000000000000
--- a/utils/update_cci.py
+++ /dev/null
@@ -1,90 +0,0 @@
-#!/usr/bin/env python3
-
-import json
-import os.path
-import re
-import sys
-
-from collections import defaultdict
-from typing import List
-
-import ssg.environment
-import ssg.yaml
-from utils.find_unused_rules import SSG_ROOT
-from ssg.xml import open_xml, PREFIX_TO_NS
-from ssg.controls import ControlsManager
-
-PRODUCT = "rhel9"
-RHEL9_XML = os.path.join(SSG_ROOT, "shared", "references", "disa-stig-rhel9-v2r1-xccdf-manual.xml")
-PRODUCT_YAML = os.path.join(SSG_ROOT, "products", PRODUCT, "product.yml")
-BUILD_YAML = os.path.join(SSG_ROOT, "build", "build_config.yml")
-REALLY_BAD_SECTION_REGEX = r'^\s+disa:.+$'
-
-def main() -> int:
- rule_dirs_path = os.path.join(SSG_ROOT, "build", "rule_dirs.json")
- env_yaml = ssg.environment.open_environment(BUILD_YAML, PRODUCT_YAML)
-
-
- with open(rule_dirs_path, 'r') as json_fp:
- rules = json.load(json_fp)
- root = open_xml(RHEL9_XML).getroot()
- stigid_to_cci = defaultdict(set)
- for rule in root.findall('.//xccdf-1.1:Rule', PREFIX_TO_NS):
- stig_id = rule.find('xccdf-1.1:version', PREFIX_TO_NS).text
- ccis_elems = rule.findall(
-"xccdf-1.1:ident[@system='http://cyber.mil/cci']", PREFIX_TO_NS)
- for cci in ccis_elems:
- stigid_to_cci[stig_id].add(cci.text)
- controls_root = os.path.join(SSG_ROOT, "controls")
- ctrl_manager = ControlsManager(controls_root, env_yaml)
- ctrl_manager.load()
- for stig_id, ccis in stigid_to_cci.items():
- control = ctrl_manager.get_control('stig_rhel9', stig_id)
- if len(control.rules) < 1:
- # print(f"{stig_id} has no rules.", file=sys.stderr)
- continue
- for rule in control.rules:
- if '=' in rule:
- continue
- rule_obj = rules[rule]
- rule_yaml_path = os.path.join(rule_obj['dir'], 'rule.yml')
- with open(rule_yaml_path, 'r') as fp:
- old_content = fp.readlines()
- new_content = list()
- ref_start_line = 0
- for index, line in enumerate(old_content):
- if 'references:' in line:
- ref_start_line = index
- new_content.append(line)
- continue
- if not re.match(REALLY_BAD_SECTION_REGEX, line):
- new_content.append(line)
- else:
- new_content.append(f"{' ' * 4}disa: {','.join(ccis)}\n")
- if new_content != old_content:
- validate_file(new_content, rule_yaml_path)
- with open(rule_yaml_path, 'w') as fp:
- fp.writelines(new_content)
- continue
-
- new_line = f'{" " * 4}disa: {','.join(ccis)}\n'
- if ref_start_line == 0:
- raise ValueError
- new_content.insert(ref_start_line+2, new_line)
- if new_content != old_content:
- with open(rule_yaml_path, 'w') as fp:
- fp.writelines(new_content)
- continue
- return 0
-
-
-def validate_file(lines: List[str], filename: str):
- offenders = list()
- for idx, line in enumerate(lines):
- if re.match(REALLY_BAD_SECTION_REGEX, line):
- offenders.append(str(idx))
- if len(offenders) > 1:
- print(f"Failure on lines {','.join(offenders)} in (unknown)", file=sys.stderr)
-
-if __name__ == "__main__":
- raise SystemExit(main())