inspec_tools 2.0.7

data/lib/data/attributes.yml

@@ -0,0 +1,23 @@
+---
+benchmark.title: PostgreSQL 9.x Security Technical Implementation Guide
+benchmark.id: PostgreSQL_9-x_STIG
+benchmark.description: 'This Security Technical Implementation Guide is published
+  as a tool to improve the security of Department of Defense (DoD) information systems.
+  The requirements are derived from the National Institute of Standards and Technology
+  (NIST) 800-53 and related documents. Comments or proposed revisions to this document
+  should be sent via email to the following address: disa.stig_spt@mail.mil.'
+benchmark.version: '1'
+benchmark.status: accepted
+benchmark.status.date: '2017-01-20'
+benchmark.notice.id: terms-of-use
+benchmark.plaintext: 'Release: 1 Benchmark Date: 20 Jan 2017'
+benchmark.plaintext.id: release-info
+reference.href: http://iase.disa.mil
+reference.dc.publisher: DISA
+reference.dc.source: STIG.DOD.MIL
+reference.dc.title: DPMS Target PostgreSQL 9.x
+reference.dc.subject: PostgreSQL 9.x
+reference.dc.type: DPMS Target
+reference.dc.identifier: '3087'
+content_ref.name: M
+content_ref.href: DPMS_XCCDF_Benchmark_PostgreSQL_9-x_STIG.xml

data/lib/data/cci2html.xsl

@@ -0,0 +1,136 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cci="http://iase.disa.mil/cci">
+
+	<xsl:decimal-format NaN=""/>
+
+	<xsl:variable name="apos">'</xsl:variable>
+
+	<!-- default search order -->
+	<xsl:param name="sortorder" select="'800-53'"/>
+
+	<xsl:template match="/">
+		<html>
+			<head>
+				<style type="text/css">
+					BODY { font-family: sans-serif; }
+					TD { border: none; font-size: 12pt; vertical-align: top; }
+					TR.header, TD.header { font-weight: bold; }
+				</style>
+				<title>CCI List</title>
+			</head>
+			<body>
+				<xsl:apply-templates select="cci:cci_list"/>
+			</body>
+		</html>
+	</xsl:template>
+
+	<xsl:template match="cci:cci_list">
+		<b>CCI List</b><br />
+		<b>Version <xsl:value-of select="cci:metadata/cci:version"/></b><br />
+		<b>Date <xsl:value-of select="cci:metadata/cci:publishdate"/></b>
+		<hr/>
+		<xsl:choose>
+			<xsl:when test="$sortorder = 'publishdate'">
+				<xsl:apply-templates select="cci:cci_items/cci:cci_item">
+					<xsl:sort data-type="text" select="publishdate"/>
+				</xsl:apply-templates>				
+			</xsl:when>
+			<xsl:when test="$sortorder = '800-53'">
+				<xsl:apply-templates select="cci:cci_items/cci:cci_item">
+					<xsl:sort data-type="text" select="concat(substring(cci:references/cci:reference[@title = 'NIST SP 800-53 Revision 4']/@index, 1, 2), 'Z', format-number(substring-before(substring-after(cci:references/cci:reference[@title = 'NIST SP 800-53 Revision 4']/@index, '-'), ' '), '000'), format-number(substring-after(cci:references/cci:reference[@title = 'NIST SP 800-53 Revision 4']/@index, '-'), '000'), translate(substring(substring-after(cci:references/cci:reference[@title = 'NIST SP 800-53 Revision 4']/@index, ' '), 1, 1), '(abcdefghijklmnopqrstuvwxyz', '-//////////////////////////'),  translate(substring(substring-after(cci:references/cci:reference[@title = 'NIST SP 800-53 Revision 4']/@index, ' '), 1, 1), 'abcdefghijklmnopqrstuvwxyz(', 'abcdefghijklmnopqrstuvwxyz'), format-number(substring-before(substring-after(cci:references/cci:reference[@title = 'NIST SP 800-53 Revision 4']/@index, '('), ')'), '000'), translate(substring(substring-after(substring-after(cci:references/cci:reference[@title = 'NIST SP 800-53 Revision 4']/@index, '('), '('), 1, 1), '0123456789abcdefghijklmnopqrstuvwxyz', '----------//////////////////////////'),  translate(substring(substring-after(substring-after(cci:references/cci:reference[@title = 'NIST SP 800-53 Revision 4']/@index, '('), '('), 1, 1), 'abcdefghijklmnopqrstuvwxyz', 'abcdefghijklmnopqrstuvwxyz'), format-number(substring-before(substring-after(substring-after(cci:references/cci:reference[@title = 'NIST SP 800-53 Revision 4']/@index, '('), '('), ')'), '000'))"/>
+				</xsl:apply-templates>
+			</xsl:when>
+			<xsl:when test="$sortorder = 'type'">
+				<xsl:apply-templates select="cci:cci_items/cci:cci_item">
+					<xsl:sort data-type="text" select="cci:type"/>
+				</xsl:apply-templates>
+			</xsl:when>
+			<xsl:when test="$sortorder = 'status'">
+				<xsl:apply-templates select="cci:cci_items/cci:cci_item">
+					<xsl:sort data-type="text" select="cci:status"/>
+				</xsl:apply-templates>
+			</xsl:when>
+			<xsl:otherwise>
+				<xsl:apply-templates select="cci:cci_items/cci:cci_item">
+					<xsl:sort data-type="text" select="@id"/>
+				</xsl:apply-templates>
+			</xsl:otherwise>
+		</xsl:choose>
+	</xsl:template>	
+
+	<xsl:template match="cci:cci_item">
+		<table width="100%">
+			<tr>
+				<td width="15%" class="header"><xsl:value-of select="'CCI:'"/></td>
+				<td width="35%"><xsl:value-of select="@id"/></td>
+				<td width="15%" class="header"><xsl:value-of select="'Status:'"/></td>
+				<td width="35%"><xsl:value-of select="cci:status"/></td>
+			</tr>
+			<tr>
+				<td class="header"><xsl:value-of select="'Contributor:'"/></td>
+				<td><xsl:value-of select="cci:contributor"/></td>
+				<td class="header"><xsl:value-of select="'Published Date:'"/></td>
+				<td><xsl:value-of select="cci:publishdate"/></td>
+			</tr>
+			<tr>
+				<td class="header"><xsl:value-of select="'Definition:'"/></td>
+				<td colspan="3"><xsl:value-of select="translate(cci:definition,'^',$apos)"/></td>
+			</tr>
+			<xsl:if test="cci:type != ''">
+				<tr>
+					<td class="header"><xsl:value-of select="'Type:'"/></td>
+					<td colspan="3">
+						<xsl:for-each select="cci:type">
+							<xsl:value-of select="."/>
+							<xsl:if test="position() &lt; count(../cci:type)">, </xsl:if>
+						</xsl:for-each>
+					</td>
+				</tr>
+			</xsl:if>
+			<xsl:if test="cci:note != ''">
+				<tr>
+					<td class="header"><xsl:value-of select="'Note:'"/></td>
+					<td colspan="3"><xsl:value-of select="cci:note"/></td>
+				</tr>
+			</xsl:if>
+			<xsl:if test="cci:parameter != ''">
+				<tr>
+					<td class="header"><xsl:value-of select="'Parameter:'"/></td>
+					<td colspan="3"><xsl:value-of select="cci:parameter"/></td>
+				</tr>
+			</xsl:if>
+			<xsl:apply-templates select="cci:references/cci:reference">
+				<xsl:sort select="@creator"/>
+				<xsl:sort select="@title"/>
+				<xsl:sort select="@version"/>
+			</xsl:apply-templates>
+		</table>
+		<hr />
+	</xsl:template>	
+	
+	<xsl:template match="cci:reference">
+		<tr>
+			<td class="header">
+				<xsl:if test="position() = 1">
+					References:
+				</xsl:if>
+			</td>
+			<td colspan="3">
+				<xsl:value-of select="@creator"/>
+				<xsl:value-of select="':  '"/>
+				<a>
+					<xsl:attribute name="href">
+						<xsl:value-of select="@location"/>
+					</xsl:attribute>
+					<xsl:value-of select="@title"/>
+					<xsl:value-of select="' (v'"/>
+					<xsl:value-of select="@version"/>
+					<xsl:value-of select="')'"/>
+				</a>
+				<xsl:value-of select="':  '"/>
+				<xsl:value-of select="@index"/>
+			</td>
+		</tr>
+	</xsl:template>
+	
+</xsl:stylesheet>

data/lib/data/mapping.yml

@@ -0,0 +1,17 @@
+
+    # Setting csv_header to true will skip the csv file header
+    skip_csv_header: true
+    width   : 80
+
+
+    control.id: 0
+    control.title: 15
+    control.desc: 16
+    control.tags:
+            severity: 1
+            rid: 8
+            stig_id: 3
+            cci: 2
+            check: 12
+            fix: 10
+    

data/lib/data/rubocop.yml

@@ -0,0 +1,4 @@
+AllCops:
+  DisabledByDefault: true
+Style/StringLiterals:
+  Enabled: true

data/lib/data/stig.csv

@@ -0,0 +1 @@
+V_ID,Severity,CCI,Version,Title,Description,Service,IA Controls,ruleID,fixid,fixtext,checkid,checktext,,Response,Title,Description
     
 
     
 
     
      
 
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
     xpack.security.http.filter.enabled: true 
     xpack.security.http.filter.allow: ""Managed access control points""
     xpack.security.http.filter.deny: _all          
     
     
     
      
 
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
     
      
 
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0 
          domain_name: ad.example.com
          url: ldaps://ad.example.com:636 
          unmapped_groups_as_roles: true ",,Guidance - System accounts cannot be disabled and elasticsearch does not enforce password complexity rules.,Ensure Elasticsearch passwords and credentials meet organizational requirements.,"Configure the centralized authentication service to enforce organization policies such as password strength, lockout, expiration, notification, and screen obfuscation."
      
 See the official documentation for the complete  guide on establishing SSL configuration: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html",None,"Application must utilize approved cryptography to protect passwords in transmission.
 
       
     
        
       
       
       
       
     
     
      
 
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
      
 See the official documentation for the complete  guide on establishing SSL configuration: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html",None,"Application must utilize approved cryptography to protect the communication path between entities.   
 
     
      
 
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
     
      
 
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
     
      
 
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
     
      
 
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
      
 See the official documentation for the complete  guide on establishing SSL configuration: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html",None,"Application must utilize approved cryptography to protect data transmission.       
 
      
 See the official documentation for the complete  guide on establishing SSL configuration: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html",None,"Application must utilize approved cryptography to protect data transmission.      
 
      
 See the official documentation for the complete  guide on establishing SSL configuration: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html",None,"Application must utilize approved cryptography to establish confidentiality of transmitted data.      
 
     
      
 
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
      
 See the official documentation for the complete  guide on establishing SSL configuration: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html",None,"Application must utilize approved cryptography to establish integrity during preparation of data transmission.      
 
     
      
 
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
      
 See the official documentation for the complete  guide on establishing SSL configuration: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html",None,"Application must utilize bidirectional authentication for cryptographic device communication.      
 
     
      
 
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."

data/lib/data/threshold.yaml

@@ -0,0 +1,83 @@
+compliance:
+  min: -1
+  max: -1
+passed:
+  total:
+    min: -1
+    max: -1
+  critical:
+    min: -1
+    max: -1
+  high:
+    min: -1
+    max: -1
+  medium:
+    min: -1
+    max: -1
+  low:
+    min: -1
+    max: -1
+failed:
+  total:
+    min: -1
+    max: -1
+  critical:
+    min: -1
+    max: -1
+  high:
+    min: -1
+    max: -1
+  medium:
+    min: -1
+    max: -1
+  low:
+    min: -1
+    max: -1
+skipped:
+  total:
+    min: -1
+    max: -1
+  critical:
+    min: -1
+    max: -1
+  high:
+    min: -1
+    max: -1
+  medium:
+    min: -1
+    max: -1
+  low:
+    min: -1
+    max: -1
+no_impact:
+  total:
+    min: -1
+    max: -1
+  critical:
+    min: -1
+    max: -1
+  high:
+    min: -1
+    max: -1
+  medium:
+    min: -1
+    max: -1
+  low:
+    min: -1
+    max: -1
+error:
+  total:
+    min: -1
+    max: -1
+  critical:
+    min: -1
+    max: -1
+  high:
+    min: -1
+    max: -1
+  medium:
+    min: -1
+    max: -1
+  low:
+    min: -1
+    max: -1

data/lib/exceptions/impact_input_error.rb

@@ -0,0 +1,6 @@
+module Utils
+  class InspecUtil
+    class ImpactInputError < ::StandardError
+    end
+  end
+end

data/lib/exceptions/severity_input_error.rb

@@ -0,0 +1,6 @@
+module Utils
+  class InspecUtil
+    class SeverityInputError < ::StandardError
+    end
+  end
+end

data/lib/happy_mapper_tools/benchmark.rb

@@ -0,0 +1,161 @@
+# encoding: utf-8
+
+require 'happymapper'
+require 'nokogiri'
+
+# see: https://github.com/dam5s/happymapper
+# Class Status maps from the 'status' from Benchmark XML file using HappyMapper
+module HappyMapperTools
+  module Benchmark
+    class Status
+      include HappyMapper
+      tag 'status'
+      attribute :date, String, tag: 'date'
+      content :status, String, tag: 'status'
+    end
+
+    # Class Notice maps from the 'notice' from Benchmark XML file using HappyMapper
+    class Notice
+      include HappyMapper
+      tag 'notice'
+      attribute :id, String, tag: 'id'
+      attribute :xml_lang, String, namespace: 'xml', tag: 'lang'
+      content :notice, String, tag: 'notice'
+    end
+
+    # Class ReferenceBenchmark maps from the 'reference' from Benchmark XML file using HappyMapper
+    class ReferenceBenchmark
+      include HappyMapper
+      tag 'reference'
+      attribute :href, String, tag: 'href'
+      element :dc_publisher, String, namespace: 'dc', tag: 'publisher'
+      element :dc_source, String, namespace: 'dc', tag: 'source'
+    end
+
+    # Class ReferenceGroup maps from the 'reference' from Benchmark XML file using HappyMapper
+    class ReferenceGroup
+      include HappyMapper
+      tag 'reference'
+      element :dc_title, String, namespace: 'dc', tag: 'title'
+      element :dc_publisher, String, namespace: 'dc', tag: 'publisher'
+      element :dc_type, String, namespace: 'dc', tag: 'type'
+      element :dc_subject, String, namespace: 'dc', tag: 'subject'
+      element :dc_identifier, String, namespace: 'dc', tag: 'identifier'
+    end
+
+    # Class Plaintext maps from the 'plain-text' from Benchmark XML file using HappyMapper
+    class Plaintext
+      include HappyMapper
+      tag 'plain-text'
+      attribute :id, String, tag: 'id'
+      content :plaintext, String
+    end
+
+    # Class Select maps from the 'Select' from Benchmark XML file using HappyMapper
+    class Select
+      include HappyMapper
+      tag 'Select'
+      attribute :idref, String, tag: 'idref'
+      attribute :selected, String, tag: 'selected'
+    end
+
+    # Class Ident maps from the 'ident' from Benchmark XML file using HappyMapper
+    class Ident
+      include HappyMapper
+      tag 'ident'
+      attribute :system, String, tag: 'system'
+      content :ident, String
+    end
+
+    # Class Fixtext maps from the 'fixtext' from Benchmark XML file using HappyMapper
+    class Fixtext
+      include HappyMapper
+      tag 'fixtext'
+      attribute :fixref, String, tag: 'fixref'
+      content :fixtext, String
+    end
+
+    # Class Fix maps from the 'fixtext' from Benchmark XML file using HappyMapper
+    class Fix
+      include HappyMapper
+      tag 'fixtext'
+      attribute :id, String, tag: 'id'
+    end
+
+    # Class ContentRef maps from the 'check-content-ref' from Benchmark XML file using HappyMapper
+    class ContentRef
+      include HappyMapper
+      tag 'check-content-ref'
+      attribute :name, String, tag: 'name'
+      attribute :href, String, tag: 'href'
+    end
+
+    # Class Check maps from the 'Check' from Benchmark XML file using HappyMapper
+    class Check
+      include HappyMapper
+      tag 'check'
+      attribute :system, String, tag: 'system'
+      element :content_ref, ContentRef, tag: 'check-content-ref'
+      element :content, String, tag: 'check-content'
+    end
+
+    # Class Profile maps from the 'Profile' from Benchmark XML file using HappyMapper
+    class Profile
+      include HappyMapper
+      tag 'Profile'
+      attribute :id, String, tag: 'id'
+      element :title, String, tag: 'title'
+      element :description, String, tag: 'description'
+      has_many :select, Select, tag: 'select'
+    end
+
+    # Class Rule maps from the 'Rule' from Benchmark XML file using HappyMapper
+    class Rule
+      include HappyMapper
+      tag 'Rule'
+      attribute :id, String, tag: 'id'
+      attribute :severity, String, tag: 'severity'
+      attribute :weight, String, tag: 'weight'
+      element :version, String, tag: 'version'
+      element :title, String, tag: 'title'
+      element :description, String, tag: 'description'
+      element :reference, ReferenceGroup, tag: 'reference'
+      has_many :ident, Ident, tag: 'ident'
+      element :fixtext, Fixtext, tag: 'fixtext'
+      element :fix, Fix, tag: 'fix'
+      element :check, Check, tag: 'check'
+    end
+
+    # Class Group maps from the 'Group' from Benchmark XML file using HappyMapper
+    class Group
+      include HappyMapper
+      tag 'Group'
+      attribute :id, String, tag: 'id'
+      element :title, String, tag: 'title'
+      element :description, String, tag: 'description'
+      element :rule, Rule, tag: 'Rule'
+    end
+
+    # Class Benchmark maps from the 'Benchmark' from Benchmark XML file using HappyMapper
+    class Benchmark
+      include HappyMapper
+      tag 'Benchmark'
+      register_namespace 'dsig', 'http://www.w3.org/2000/09/xmldsig#'
+      register_namespace 'xsi', 'http://www.w3.org/2001/XMLSchema-instance'
+      register_namespace 'cpe', 'http://cpe.mitre.org/language/2.0'
+      register_namespace 'xhtml', 'http://www.w3.org/1999/xhtml'
+      register_namespace 'dc', 'http://purl.org/dc/elements/1.1/'
+      attribute :id, String, tag: 'id'
+      attribute :xmlns, String, tag: 'xmlns'
+      element :status, Status, tag: 'status'
+      element :title, String, tag: 'title'
+      element :description, String, tag: 'description'
+      element :notice, Notice, tag: 'notice'
+      element :reference, ReferenceBenchmark, tag: 'reference'
+      element :plaintext, Plaintext, tag: 'plain-text'
+      element :version, String, tag: 'version'
+      has_many :profile, Profile, tag: 'Profile'
+      has_many :group, Group, tag: 'Group'
+    end
+  end
+end