abide_dev_utils 0.9.7 → 0.11.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/.rubocop.yml +7 -1
- data/Gemfile.lock +82 -64
- data/Rakefile +28 -0
- data/abide_dev_utils.gemspec +3 -1
- data/lib/abide_dev_utils/cem/benchmark.rb +291 -0
- data/lib/abide_dev_utils/cem/coverage_report.rb +348 -0
- data/lib/abide_dev_utils/cem/generate/reference.rb +116 -0
- data/lib/abide_dev_utils/cem/generate.rb +10 -0
- data/lib/abide_dev_utils/cem/mapping/mapper.rb +155 -0
- data/lib/abide_dev_utils/cem.rb +74 -0
- data/lib/abide_dev_utils/cli/cem.rb +153 -0
- data/lib/abide_dev_utils/cli/jira.rb +1 -1
- data/lib/abide_dev_utils/cli/xccdf.rb +15 -1
- data/lib/abide_dev_utils/cli.rb +2 -0
- data/lib/abide_dev_utils/errors/cem.rb +22 -0
- data/lib/abide_dev_utils/errors/general.rb +8 -2
- data/lib/abide_dev_utils/errors/ppt.rb +4 -0
- data/lib/abide_dev_utils/errors.rb +6 -0
- data/lib/abide_dev_utils/files.rb +34 -0
- data/lib/abide_dev_utils/markdown.rb +104 -0
- data/lib/abide_dev_utils/ppt/facter_utils.rb +140 -0
- data/lib/abide_dev_utils/ppt/hiera.rb +297 -0
- data/lib/abide_dev_utils/ppt/puppet_module.rb +74 -0
- data/lib/abide_dev_utils/ppt.rb +3 -5
- data/lib/abide_dev_utils/validate.rb +14 -0
- data/lib/abide_dev_utils/version.rb +1 -1
- data/lib/abide_dev_utils/xccdf/diff/benchmark/number_title.rb +270 -0
- data/lib/abide_dev_utils/xccdf/diff/benchmark/profile.rb +104 -0
- data/lib/abide_dev_utils/xccdf/diff/benchmark/property.rb +127 -0
- data/lib/abide_dev_utils/xccdf/diff/benchmark/property_existence.rb +47 -0
- data/lib/abide_dev_utils/xccdf/diff/benchmark.rb +267 -0
- data/lib/abide_dev_utils/xccdf/diff/utils.rb +30 -0
- data/lib/abide_dev_utils/xccdf/diff.rb +233 -0
- data/lib/abide_dev_utils/xccdf/parser/objects/digest_object.rb +118 -0
- data/lib/abide_dev_utils/xccdf/parser/objects/numbered_object.rb +104 -0
- data/lib/abide_dev_utils/xccdf/parser/objects.rb +741 -0
- data/lib/abide_dev_utils/xccdf/parser.rb +52 -0
- data/lib/abide_dev_utils/xccdf.rb +14 -124
- data/new_diff.rb +48 -0
- metadata +60 -9
- data/lib/abide_dev_utils/ppt/coverage.rb +0 -86
|
@@ -0,0 +1,291 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'abide_dev_utils/errors'
|
|
4
|
+
require 'abide_dev_utils/ppt/facter_utils'
|
|
5
|
+
require 'abide_dev_utils/cem/mapping/mapper'
|
|
6
|
+
|
|
7
|
+
module AbideDevUtils
|
|
8
|
+
module CEM
|
|
9
|
+
# Repesents a benchmark for purposes of organizing data for markdown representation
|
|
10
|
+
class Benchmark
|
|
11
|
+
attr_reader :osname, :major_version, :os_facts, :osfamily, :hiera_conf, :module_name, :framework, :rules
|
|
12
|
+
|
|
13
|
+
def initialize(osname, major_version, hiera_conf, module_name, framework: 'cis')
|
|
14
|
+
@osname = osname
|
|
15
|
+
@major_version = major_version
|
|
16
|
+
@os_facts = AbideDevUtils::Ppt::FacterUtils.recursive_facts_for_os(@osname, @major_version)
|
|
17
|
+
@osfamily = @os_facts['os']['family']
|
|
18
|
+
@hiera_conf = hiera_conf
|
|
19
|
+
@module_name = module_name
|
|
20
|
+
@framework = framework
|
|
21
|
+
@rules = {}
|
|
22
|
+
@map_cache = {}
|
|
23
|
+
@rules_in_map = {}
|
|
24
|
+
load_rules
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
# Creates Benchmark objects from a Puppet module
|
|
28
|
+
# @param pupmod [AbideDevUtils::Ppt::PuppetModule] A PuppetModule instance
|
|
29
|
+
# @param skip_errors [Boolean] True skips errors and loads non-erroring benchmarks, false raises the error.
|
|
30
|
+
# @return [Array<AbideDevUtils::CEM::Benchmark>] Array of Benchmark instances
|
|
31
|
+
def self.benchmarks_from_puppet_module(pupmod, ignore_all_errors: false, ignore_framework_mismatch: true)
|
|
32
|
+
frameworks = pupmod.hiera_conf.local_hiera_files(hierarchy_name: 'Mapping Data').each_with_object([]) do |hf, ary|
|
|
33
|
+
parts = hf.path.split(pupmod.hiera_conf.default_datadir)[-1].split('/')
|
|
34
|
+
ary << parts[2] unless ary.include?(parts[2])
|
|
35
|
+
end
|
|
36
|
+
pupmod.supported_os.each_with_object([]) do |supp_os, ary|
|
|
37
|
+
osname, majver = supp_os.split('::')
|
|
38
|
+
if majver.is_a?(Array)
|
|
39
|
+
majver.sort.each do |v|
|
|
40
|
+
frameworks.each do |fw|
|
|
41
|
+
benchmark = Benchmark.new(osname, v, pupmod.hiera_conf, pupmod.name(strip_namespace: true), framework: fw)
|
|
42
|
+
ary << benchmark
|
|
43
|
+
rescue StandardError => e
|
|
44
|
+
raise e unless ignore_all_errors || (e.instance_of?(AbideDevUtils::Errors::MappingDataFrameworkMismatchError) && ignore_framework_mismatch)
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
else
|
|
48
|
+
frameworks.each do |fw|
|
|
49
|
+
benchmark = Benchmark.new(osname, majver, pupmod.hiera_conf, pupmod.name(strip_namespace: true), framework: fw)
|
|
50
|
+
ary << benchmark
|
|
51
|
+
rescue StandardError => e
|
|
52
|
+
raise e unless ignore_all_errors || (e.instance_of?(AbideDevUtils::Errors::MappingDataFrameworkMismatchError) && ignore_framework_mismatch)
|
|
53
|
+
end
|
|
54
|
+
end
|
|
55
|
+
end
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
def mapper
|
|
59
|
+
@mapper ||= AbideDevUtils::CEM::Mapping::Mapper.new(module_name, framework, load_mapping_data)
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
def map_data
|
|
63
|
+
mapper.map_data
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
def resource_data
|
|
67
|
+
@resource_data ||= load_resource_data
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
def title
|
|
71
|
+
mapper.title
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
def version
|
|
75
|
+
mapper.version
|
|
76
|
+
end
|
|
77
|
+
|
|
78
|
+
def title_key
|
|
79
|
+
@title_key ||= "#{title} #{version}"
|
|
80
|
+
end
|
|
81
|
+
|
|
82
|
+
def add_rule(rule_hash)
|
|
83
|
+
@rules << rule_hash
|
|
84
|
+
end
|
|
85
|
+
|
|
86
|
+
def rules_in_map(mtype, level: nil, profile: nil)
|
|
87
|
+
real_mtype = map_type(mtype)
|
|
88
|
+
cache_key = [real_mtype, level, profile].compact.join('-')
|
|
89
|
+
return @rules_in_map[cache_key] if @rules_in_map.key?(cache_key)
|
|
90
|
+
|
|
91
|
+
all_rim = mapper.each_with_array_like(real_mtype) do |(lvl, profs), arr|
|
|
92
|
+
next if lvl == 'benchmark' || (!level.nil? && lvl != level)
|
|
93
|
+
|
|
94
|
+
profs.each do |prof, maps|
|
|
95
|
+
next if !profile.nil? && prof != profile
|
|
96
|
+
|
|
97
|
+
# CIS and STIG differ in that STIG does not have profiles
|
|
98
|
+
control_ids = maps.respond_to?(:keys) ? maps.keys : prof
|
|
99
|
+
arr << control_ids
|
|
100
|
+
end
|
|
101
|
+
end
|
|
102
|
+
@rules_in_map[cache_key] = all_rim.flatten.uniq
|
|
103
|
+
@rules_in_map[cache_key]
|
|
104
|
+
end
|
|
105
|
+
|
|
106
|
+
def map(control_id, level: nil, profile: nil)
|
|
107
|
+
mapper.get(control_id, level: level, profile: profile)
|
|
108
|
+
end
|
|
109
|
+
|
|
110
|
+
def map_type(control_id)
|
|
111
|
+
mapper.map_type(control_id)
|
|
112
|
+
end
|
|
113
|
+
|
|
114
|
+
private
|
|
115
|
+
|
|
116
|
+
def load_rules
|
|
117
|
+
resource_data["#{module_name}::resources"].each do |_, rdata|
|
|
118
|
+
unless rdata.key?('controls')
|
|
119
|
+
puts "Controls key not found in #{rdata}"
|
|
120
|
+
next
|
|
121
|
+
end
|
|
122
|
+
rdata['controls'].each do |control, control_data|
|
|
123
|
+
rule_title = map(control)
|
|
124
|
+
next if rule_title.nil? || rule_title.empty?
|
|
125
|
+
|
|
126
|
+
rule_title.find { |id| map_type(id) == 'title' }
|
|
127
|
+
alternate_ids = map(rule_title)
|
|
128
|
+
|
|
129
|
+
next unless rule_title.is_a?(String)
|
|
130
|
+
|
|
131
|
+
@rules[rule_title] = {} unless @rules&.key?(rule_title)
|
|
132
|
+
@rules[rule_title]['number'] = alternate_ids.find { |id| map_type(id) == 'number' }
|
|
133
|
+
@rules[rule_title]['alternate_ids'] = alternate_ids
|
|
134
|
+
@rules[rule_title]['params'] = [] unless @rules[rule_title].key?('params')
|
|
135
|
+
@rules[rule_title]['level'] = [] unless @rules[rule_title].key?('level')
|
|
136
|
+
@rules[rule_title]['profile'] = [] unless @rules[rule_title].key?('profile')
|
|
137
|
+
param_hashes(control_data).each do |param_hash|
|
|
138
|
+
next if @rules[rule_title]['params'].include?(param_hash[:name])
|
|
139
|
+
|
|
140
|
+
@rules[rule_title]['params'] << param_hash
|
|
141
|
+
end
|
|
142
|
+
levels, profiles = find_levels_and_profiles(control)
|
|
143
|
+
unless @rules[rule_title]['level'] == levels
|
|
144
|
+
@rules[rule_title]['level'] = @rules[rule_title]['level'] | levels
|
|
145
|
+
end
|
|
146
|
+
unless @rules[rule_title]['profile'] == profiles
|
|
147
|
+
@rules[rule_title]['profile'] = @rules[rule_title]['profile'] | profiles
|
|
148
|
+
end
|
|
149
|
+
@rules[rule_title]['resource'] = rdata['type']
|
|
150
|
+
end
|
|
151
|
+
end
|
|
152
|
+
@rules = sort_rules
|
|
153
|
+
end
|
|
154
|
+
|
|
155
|
+
def param_hashes(control_data)
|
|
156
|
+
return [] if control_data.nil? || control_data.empty?
|
|
157
|
+
|
|
158
|
+
p_hashes = []
|
|
159
|
+
if !control_data.respond_to?(:each) && control_data == 'no_params'
|
|
160
|
+
p_hashes << no_params
|
|
161
|
+
else
|
|
162
|
+
control_data.each do |param, param_val|
|
|
163
|
+
p_hashes << {
|
|
164
|
+
name: param,
|
|
165
|
+
type: ruby_class_to_puppet_type(param_val.class.to_s),
|
|
166
|
+
default: param_val,
|
|
167
|
+
}
|
|
168
|
+
end
|
|
169
|
+
end
|
|
170
|
+
p_hashes
|
|
171
|
+
end
|
|
172
|
+
|
|
173
|
+
def no_params
|
|
174
|
+
{ name: 'No parameters', type: nil, default: nil }
|
|
175
|
+
end
|
|
176
|
+
|
|
177
|
+
# We sort the rules by their control number so they
|
|
178
|
+
# appear in the REFERENCE in benchmark order
|
|
179
|
+
def sort_rules
|
|
180
|
+
sorted = @rules.dup.sort_by do |_, v|
|
|
181
|
+
control_num_to_int(v['number'])
|
|
182
|
+
end
|
|
183
|
+
sorted.to_h
|
|
184
|
+
end
|
|
185
|
+
|
|
186
|
+
# In order to sort the rules by their control number,
|
|
187
|
+
# we need to convert the control number to an integer.
|
|
188
|
+
# This is a rough conversion, but should be sufficient
|
|
189
|
+
# for the purposes of sorting. The multipliers are
|
|
190
|
+
# the 20th, 15th, 10th, and 5th numbers in the Fibonacci
|
|
191
|
+
# sequence, then 1 after that. The reason for this is to
|
|
192
|
+
# ensure a "spiraled" wieghting of the sections in the control
|
|
193
|
+
# number, with 1st section having the most sorting weight, 2nd
|
|
194
|
+
# having second most, etc. However, the differences in the multipliers
|
|
195
|
+
# are such that it would be difficult for the product of a lesser-weighted
|
|
196
|
+
# section to be greater than a greater-weighted section.
|
|
197
|
+
def control_num_to_int(control_num)
|
|
198
|
+
multipliers = [6765, 610, 55, 5, 1]
|
|
199
|
+
nsum = 0
|
|
200
|
+
midx = 0
|
|
201
|
+
control_num.split('.').each do |num|
|
|
202
|
+
multiplier = midx >= multipliers.length ? 1 : multipliers[midx]
|
|
203
|
+
nsum += num.to_i * multiplier
|
|
204
|
+
midx += 1
|
|
205
|
+
end
|
|
206
|
+
nsum
|
|
207
|
+
end
|
|
208
|
+
|
|
209
|
+
def find_levels_and_profiles(control_id)
|
|
210
|
+
levels = []
|
|
211
|
+
profiles = []
|
|
212
|
+
mapper.each_like(control_id) do |lvl, profile_hash|
|
|
213
|
+
next if lvl == 'benchmark'
|
|
214
|
+
|
|
215
|
+
profile_hash.each do |prof, _|
|
|
216
|
+
unless map(control_id, level: lvl, profile: prof).nil?
|
|
217
|
+
levels << lvl
|
|
218
|
+
profiles << prof
|
|
219
|
+
end
|
|
220
|
+
end
|
|
221
|
+
end
|
|
222
|
+
[levels, profiles]
|
|
223
|
+
end
|
|
224
|
+
|
|
225
|
+
def ruby_class_to_puppet_type(class_name)
|
|
226
|
+
pup_type = class_name.split('::').last.capitalize
|
|
227
|
+
case pup_type
|
|
228
|
+
when %r{(Trueclass|Falseclass)}
|
|
229
|
+
'Boolean'
|
|
230
|
+
when %r{(String|Pathname)}
|
|
231
|
+
'String'
|
|
232
|
+
when %r{(Integer|Fixnum)}
|
|
233
|
+
'Integer'
|
|
234
|
+
when %r{(Float|Double)}
|
|
235
|
+
'Float'
|
|
236
|
+
else
|
|
237
|
+
pup_type
|
|
238
|
+
end
|
|
239
|
+
end
|
|
240
|
+
|
|
241
|
+
def load_mapping_data
|
|
242
|
+
files = case module_name
|
|
243
|
+
when /_windows$/
|
|
244
|
+
cem_windows_mapping_files
|
|
245
|
+
when /_linux$/
|
|
246
|
+
cem_linux_mapping_files
|
|
247
|
+
else
|
|
248
|
+
raise "Module name '#{module_name}' is not a CEM module"
|
|
249
|
+
end
|
|
250
|
+
validate_mapping_files_framework(files).each_with_object({}) do |f, h|
|
|
251
|
+
next unless f.path.include?(framework)
|
|
252
|
+
|
|
253
|
+
h[File.basename(f.path, '.yaml')] = YAML.load_file(f.path)
|
|
254
|
+
end
|
|
255
|
+
end
|
|
256
|
+
|
|
257
|
+
def cem_linux_mapping_files
|
|
258
|
+
facts = [['os.name', osname], ['os.release.major', major_version]]
|
|
259
|
+
mapping_files = hiera_conf.local_hiera_files_with_facts(*facts, hierarchy_name: 'Mapping Data')
|
|
260
|
+
raise AbideDevUtils::Errors::MappingFilesNotFoundError, facts if mapping_files.nil? || mapping_files.empty?
|
|
261
|
+
|
|
262
|
+
mapping_files
|
|
263
|
+
end
|
|
264
|
+
|
|
265
|
+
def cem_windows_mapping_files
|
|
266
|
+
facts = ['os.release.major', major_version]
|
|
267
|
+
mapping_files = hiera_conf.local_hiera_files_with_fact(facts[0], facts[1], hierarchy_name: 'Mapping Data')
|
|
268
|
+
raise AbideDevUtils::Errors::MappingFilesNotFoundError, facts if mapping_files.nil? || mapping_files.empty?
|
|
269
|
+
|
|
270
|
+
mapping_files
|
|
271
|
+
end
|
|
272
|
+
|
|
273
|
+
def validate_mapping_files_framework(files)
|
|
274
|
+
validated_files = files.select { |f| f.path_parts.include?(framework) }
|
|
275
|
+
if validated_files.nil? || validated_files.empty?
|
|
276
|
+
raise AbideDevUtils::Errors::MappingDataFrameworkMismatchError, framework
|
|
277
|
+
end
|
|
278
|
+
|
|
279
|
+
validated_files
|
|
280
|
+
end
|
|
281
|
+
|
|
282
|
+
def load_resource_data
|
|
283
|
+
facts = [['os.family', osfamily], ['os.name', osname], ['os.release.major', major_version]]
|
|
284
|
+
rdata_files = hiera_conf.local_hiera_files_with_facts(*facts, hierarchy_name: 'Resource Data')
|
|
285
|
+
raise AbideDevUtils::Errors::ResourceDataNotFoundError, facts if rdata_files.nil? || rdata_files.empty?
|
|
286
|
+
|
|
287
|
+
YAML.load_file(rdata_files[0].path)
|
|
288
|
+
end
|
|
289
|
+
end
|
|
290
|
+
end
|
|
291
|
+
end
|
|
@@ -0,0 +1,348 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'date'
|
|
4
|
+
require 'json'
|
|
5
|
+
require 'pathname'
|
|
6
|
+
require 'yaml'
|
|
7
|
+
require 'abide_dev_utils/ppt'
|
|
8
|
+
require 'abide_dev_utils/validate'
|
|
9
|
+
require 'abide_dev_utils/cem/benchmark'
|
|
10
|
+
|
|
11
|
+
module AbideDevUtils
|
|
12
|
+
module CEM
|
|
13
|
+
# Methods and objects used to construct a report of what CEM enforces versus what
|
|
14
|
+
# the various compliance frameworks expect to be enforced.
|
|
15
|
+
module CoverageReport
|
|
16
|
+
# def self.generate(outfile: 'cem_coverage.yaml', **_filters)
|
|
17
|
+
# pupmod = AbideDevUtils::Ppt::PuppetModule.new
|
|
18
|
+
# # filter = Filter.new(pupmod, **filters)
|
|
19
|
+
# benchmarks = AbideDevUtils::CEM::Benchmark.benchmarks_from_puppet_module(pupmod)
|
|
20
|
+
# Report.new(benchmarks).generate(outfile: outfile)
|
|
21
|
+
# end
|
|
22
|
+
|
|
23
|
+
def self.basic_coverage(format_func: :to_yaml, ignore_benchmark_errors: false)
|
|
24
|
+
pupmod = AbideDevUtils::Ppt::PuppetModule.new
|
|
25
|
+
# filter = Filter.new(pupmod, **filters)
|
|
26
|
+
benchmarks = AbideDevUtils::CEM::Benchmark.benchmarks_from_puppet_module(pupmod,
|
|
27
|
+
ignore_all_errors: ignore_benchmark_errors)
|
|
28
|
+
benchmarks.map do |b|
|
|
29
|
+
AbideDevUtils::CEM::CoverageReport::BenchmarkReport.new(b).basic_coverage.send(format_func)
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
class Filter
|
|
34
|
+
KEY_FACT_MAP = {
|
|
35
|
+
os_family: 'os.family',
|
|
36
|
+
os_name: 'os.name',
|
|
37
|
+
os_release_major: 'os.release.major',
|
|
38
|
+
}.freeze
|
|
39
|
+
|
|
40
|
+
attr_reader(*KEY_FACT_MAP.keys)
|
|
41
|
+
|
|
42
|
+
def initialize(pupmod, **filters)
|
|
43
|
+
@pupmod = pupmod
|
|
44
|
+
@benchmark = filters[:benchmark]
|
|
45
|
+
@profile = filters[:profile]
|
|
46
|
+
@level = filters[:level]
|
|
47
|
+
KEY_FACT_MAP.each_key do |k|
|
|
48
|
+
instance_variable_set "@#{k}", filters[k]
|
|
49
|
+
end
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
def resource_data
|
|
53
|
+
@resource_data ||= find_resource_data
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
def mapping_data
|
|
57
|
+
@mapping_data ||= find_mapping_data
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
private
|
|
61
|
+
|
|
62
|
+
def find_resource_data
|
|
63
|
+
fact_array = fact_array_for(:os_family, :os_name, :os_release_major)
|
|
64
|
+
@pupmod.hiera_conf.local_hiera_files_with_facts(*fact_array, hierarchy_name: 'Resource Data').map do |f|
|
|
65
|
+
YAML.load_file(f.path)
|
|
66
|
+
end
|
|
67
|
+
rescue NoMethodError
|
|
68
|
+
@pupmod.hiera_conf.local_hiera_files(hierarchy_name: 'Resource Data').map { |f| YAML.load_file(f.path) }
|
|
69
|
+
end
|
|
70
|
+
|
|
71
|
+
def find_mapping_data
|
|
72
|
+
fact_array = fact_array_for(:os_name, :os_release_major)
|
|
73
|
+
begin
|
|
74
|
+
data_array = @pupmod.hiera_conf.local_hiera_files_with_facts(*fact_array, hierarchy_name: 'Mapping Data').map do |f|
|
|
75
|
+
YAML.load_file(f.path)
|
|
76
|
+
end
|
|
77
|
+
rescue NoMethodError
|
|
78
|
+
data_array = @pupmod.hiera_conf.local_hiera_files(hierarchy_name: 'Mapping Data').map { |f| YAML.load_file(f.path) }
|
|
79
|
+
end
|
|
80
|
+
filter_mapping_data_array_by_benchmark!(data_array)
|
|
81
|
+
filter_mapping_data_array_by_profile!(data_array)
|
|
82
|
+
filter_mapping_data_array_by_level!(data_array)
|
|
83
|
+
data_array
|
|
84
|
+
end
|
|
85
|
+
|
|
86
|
+
def filter_mapping_data_array_by_benchmark!(data_array)
|
|
87
|
+
return unless @benchmark
|
|
88
|
+
|
|
89
|
+
data_array.select! do |d|
|
|
90
|
+
d.keys.all? do |k|
|
|
91
|
+
k == 'benchmark' || k.match?(/::#{@benchmark}::/)
|
|
92
|
+
end
|
|
93
|
+
end
|
|
94
|
+
end
|
|
95
|
+
|
|
96
|
+
def filter_mapping_data_array_by_profile!(data_array)
|
|
97
|
+
return unless @profile
|
|
98
|
+
|
|
99
|
+
data_array.reject! { |d| nested_hash_value(d, @profile).nil? }
|
|
100
|
+
end
|
|
101
|
+
|
|
102
|
+
def filter_mapping_data_array_by_level!(data_array)
|
|
103
|
+
return unless @level
|
|
104
|
+
|
|
105
|
+
data_array.reject! { |d| nested_hash_value(d, @level).nil? }
|
|
106
|
+
end
|
|
107
|
+
|
|
108
|
+
def nested_hash_value(obj, key)
|
|
109
|
+
if obj.respond_to?(:key?) && obj.key?(key)
|
|
110
|
+
obj[key]
|
|
111
|
+
elsif obj.respond_to?(:each)
|
|
112
|
+
r = nil
|
|
113
|
+
obj.find { |*a| r = nested_hash_value(a.last, key) }
|
|
114
|
+
r
|
|
115
|
+
end
|
|
116
|
+
end
|
|
117
|
+
|
|
118
|
+
def filter_stig_mapping_data(data_array); end
|
|
119
|
+
|
|
120
|
+
def fact_array_for(*keys)
|
|
121
|
+
keys.each_with_object([]) { |(k, _), a| a << fact_filter_value(k) }.compact
|
|
122
|
+
end
|
|
123
|
+
|
|
124
|
+
def fact_filter_value(key)
|
|
125
|
+
value = instance_variable_get("@#{key}")
|
|
126
|
+
return if value.nil? || value.empty?
|
|
127
|
+
|
|
128
|
+
[KEY_FACT_MAP[key], value]
|
|
129
|
+
end
|
|
130
|
+
end
|
|
131
|
+
|
|
132
|
+
class OldReport
|
|
133
|
+
def initialize(benchmarks)
|
|
134
|
+
@benchmarks = benchmarks
|
|
135
|
+
end
|
|
136
|
+
|
|
137
|
+
def self.generate
|
|
138
|
+
coverage = {}
|
|
139
|
+
coverage['classes'] = {}
|
|
140
|
+
all_cap = ClassUtils.find_all_classes_and_paths(puppet_class_dir)
|
|
141
|
+
invalid_classes = find_invalid_classes(all_cap)
|
|
142
|
+
valid_classes = find_valid_classes(all_cap, invalid_classes)
|
|
143
|
+
coverage['classes']['invalid'] = invalid_classes
|
|
144
|
+
coverage['classes']['valid'] = valid_classes
|
|
145
|
+
hiera = YAML.safe_load(File.open(hiera_path))
|
|
146
|
+
profile&.gsub!(/^profile_/, '') unless profile.nil?
|
|
147
|
+
|
|
148
|
+
matcher = profile.nil? ? /^profile_/ : /^profile_#{profile}/
|
|
149
|
+
hiera.each do |k, v|
|
|
150
|
+
key_base = k.split('::')[-1]
|
|
151
|
+
coverage['benchmark'] = v if key_base == 'title'
|
|
152
|
+
next unless key_base.match?(matcher)
|
|
153
|
+
|
|
154
|
+
coverage[key_base] = generate_uncovered_data(v, valid_classes)
|
|
155
|
+
end
|
|
156
|
+
coverage
|
|
157
|
+
end
|
|
158
|
+
|
|
159
|
+
def self.generate_uncovered_data(ctrl_list, valid_classes)
|
|
160
|
+
out_hash = {}
|
|
161
|
+
out_hash[:num_total] = ctrl_list.length
|
|
162
|
+
out_hash[:uncovered] = []
|
|
163
|
+
out_hash[:covered] = []
|
|
164
|
+
ctrl_list.each do |c|
|
|
165
|
+
if valid_classes.include?(c)
|
|
166
|
+
out_hash[:covered] << c
|
|
167
|
+
else
|
|
168
|
+
out_hash[:uncovered] << c
|
|
169
|
+
end
|
|
170
|
+
end
|
|
171
|
+
out_hash[:num_covered] = out_hash[:covered].length
|
|
172
|
+
out_hash[:num_uncovered] = out_hash[:uncovered].length
|
|
173
|
+
out_hash[:coverage] = Float(
|
|
174
|
+
(Float(out_hash[:num_covered]) / Float(out_hash[:num_total])) * 100.0
|
|
175
|
+
).floor(3)
|
|
176
|
+
out_hash
|
|
177
|
+
end
|
|
178
|
+
|
|
179
|
+
def self.find_valid_classes(all_cap, invalid_classes)
|
|
180
|
+
all_classes = all_cap.dup.transpose[0]
|
|
181
|
+
return [] if all_classes.nil?
|
|
182
|
+
|
|
183
|
+
return all_classes - invalid_classes unless invalid_classes.nil?
|
|
184
|
+
|
|
185
|
+
all_classes
|
|
186
|
+
end
|
|
187
|
+
|
|
188
|
+
def self.find_invalid_classes(all_cap)
|
|
189
|
+
invalid_classes = []
|
|
190
|
+
all_cap.each do |cap|
|
|
191
|
+
invalid_classes << cap[0] unless class_valid?(cap[1])
|
|
192
|
+
end
|
|
193
|
+
invalid_classes
|
|
194
|
+
end
|
|
195
|
+
|
|
196
|
+
def self.class_valid?(manifest_path)
|
|
197
|
+
compiler = Puppet::Pal::Compiler.new(nil)
|
|
198
|
+
ast = compiler.parse_file(manifest_path)
|
|
199
|
+
ast.body.body.statements.each do |s|
|
|
200
|
+
next unless s.respond_to?(:arguments)
|
|
201
|
+
next unless s.arguments.respond_to?(:each)
|
|
202
|
+
|
|
203
|
+
s.arguments.each do |i|
|
|
204
|
+
return false if i.value == 'Not implemented'
|
|
205
|
+
end
|
|
206
|
+
end
|
|
207
|
+
true
|
|
208
|
+
end
|
|
209
|
+
end
|
|
210
|
+
|
|
211
|
+
# Class manages organizing report data into various output formats
|
|
212
|
+
class ReportOutput
|
|
213
|
+
attr_reader :controls_in_resource_data, :rules_in_map, :timestamp,
|
|
214
|
+
:title
|
|
215
|
+
|
|
216
|
+
def initialize(benchmark, controls_in_resource_data, rules_in_map)
|
|
217
|
+
@benchmark = benchmark
|
|
218
|
+
@controls_in_resource_data = controls_in_resource_data
|
|
219
|
+
@rules_in_map = rules_in_map
|
|
220
|
+
@timestamp = DateTime.now.iso8601
|
|
221
|
+
@title = "Coverage Report for #{@benchmark.title_key}"
|
|
222
|
+
end
|
|
223
|
+
|
|
224
|
+
def uncovered
|
|
225
|
+
@uncovered ||= rules_in_map - controls_in_resource_data
|
|
226
|
+
end
|
|
227
|
+
|
|
228
|
+
def uncovered_count
|
|
229
|
+
@uncovered_count ||= uncovered.length
|
|
230
|
+
end
|
|
231
|
+
|
|
232
|
+
def covered
|
|
233
|
+
@covered ||= rules_in_map - uncovered
|
|
234
|
+
end
|
|
235
|
+
|
|
236
|
+
def covered_count
|
|
237
|
+
@covered_count ||= covered.length
|
|
238
|
+
end
|
|
239
|
+
|
|
240
|
+
def total_count
|
|
241
|
+
@total_count ||= rules_in_map.length
|
|
242
|
+
end
|
|
243
|
+
|
|
244
|
+
def percentage
|
|
245
|
+
@percentage ||= covered_count.to_f / total_count
|
|
246
|
+
end
|
|
247
|
+
|
|
248
|
+
def to_h
|
|
249
|
+
{
|
|
250
|
+
title: title,
|
|
251
|
+
timestamp: timestamp,
|
|
252
|
+
benchmark: benchmark_hash,
|
|
253
|
+
coverage: coverage_hash,
|
|
254
|
+
}
|
|
255
|
+
end
|
|
256
|
+
|
|
257
|
+
def to_json(opts = nil)
|
|
258
|
+
JSON.generate(to_h, opts)
|
|
259
|
+
end
|
|
260
|
+
|
|
261
|
+
def to_yaml
|
|
262
|
+
to_h.to_yaml
|
|
263
|
+
end
|
|
264
|
+
|
|
265
|
+
def benchmark_hash
|
|
266
|
+
{
|
|
267
|
+
title: @benchmark.title,
|
|
268
|
+
version: @benchmark.version,
|
|
269
|
+
framework: @benchmark.framework,
|
|
270
|
+
}
|
|
271
|
+
end
|
|
272
|
+
|
|
273
|
+
def coverage_hash
|
|
274
|
+
{
|
|
275
|
+
total_count: total_count,
|
|
276
|
+
uncovered_count: uncovered_count,
|
|
277
|
+
uncovered: uncovered,
|
|
278
|
+
covered_count: covered_count,
|
|
279
|
+
covered: covered,
|
|
280
|
+
percentage: percentage,
|
|
281
|
+
controls_in_resource_data: controls_in_resource_data,
|
|
282
|
+
rules_in_map: rules_in_map,
|
|
283
|
+
}
|
|
284
|
+
end
|
|
285
|
+
end
|
|
286
|
+
|
|
287
|
+
# Creates ReportOutput objects based on the given Benchmark
|
|
288
|
+
class BenchmarkReport
|
|
289
|
+
def initialize(benchmark)
|
|
290
|
+
@benchmark = benchmark
|
|
291
|
+
end
|
|
292
|
+
|
|
293
|
+
def controls_in_resource_data
|
|
294
|
+
@controls_in_resource_data ||= find_controls_in_resource_data
|
|
295
|
+
end
|
|
296
|
+
|
|
297
|
+
def controls_in_mapping_data
|
|
298
|
+
@controls_in_mapping_data ||= find_controls_in_mapping_data
|
|
299
|
+
end
|
|
300
|
+
|
|
301
|
+
def basic_coverage(level: nil, profile: nil)
|
|
302
|
+
map_type = @benchmark.map_type(controls_in_resource_data[0])
|
|
303
|
+
rules_in_map = @benchmark.rules_in_map(map_type, level: level, profile: profile)
|
|
304
|
+
AbideDevUtils::CEM::CoverageReport::ReportOutput.new(@benchmark, controls_in_resource_data, rules_in_map)
|
|
305
|
+
end
|
|
306
|
+
|
|
307
|
+
private
|
|
308
|
+
|
|
309
|
+
def find_controls_in_resource_data
|
|
310
|
+
controls = @benchmark.resource_data["#{@benchmark.module_name}::resources"].each_with_object([]) do |(rname, rval), arr|
|
|
311
|
+
arr << case rval['controls'].class.to_s
|
|
312
|
+
when 'Hash'
|
|
313
|
+
rval['controls'].keys
|
|
314
|
+
when 'Array'
|
|
315
|
+
rval['controls']
|
|
316
|
+
else
|
|
317
|
+
raise "Invalid controls type: #{rval['controls'].class}"
|
|
318
|
+
end
|
|
319
|
+
end
|
|
320
|
+
controls.flatten.uniq.select do |c|
|
|
321
|
+
case @benchmark.framework
|
|
322
|
+
when 'cis'
|
|
323
|
+
@benchmark.map_type(c) != 'vulnid'
|
|
324
|
+
when 'stig'
|
|
325
|
+
@benchmark.map_type(c) == 'vulnid'
|
|
326
|
+
else
|
|
327
|
+
raise "Cannot find controls for framework #{@benchmark.framework}"
|
|
328
|
+
end
|
|
329
|
+
end
|
|
330
|
+
end
|
|
331
|
+
|
|
332
|
+
def find_controls_in_mapping_data
|
|
333
|
+
controls = @benchmark.map_data[0].each_with_object([]) do |(_, mapping), arr|
|
|
334
|
+
mapping.each do |level, profs|
|
|
335
|
+
next if level == 'benchmark'
|
|
336
|
+
|
|
337
|
+
profs.each do |_, ctrls|
|
|
338
|
+
arr << ctrls.keys
|
|
339
|
+
arr << ctrls.values
|
|
340
|
+
end
|
|
341
|
+
end
|
|
342
|
+
end
|
|
343
|
+
controls.flatten.uniq
|
|
344
|
+
end
|
|
345
|
+
end
|
|
346
|
+
end
|
|
347
|
+
end
|
|
348
|
+
end
|