smart_proxy_openscap 0.7.2

data/Gemfile

@@ -0,0 +1,14 @@
+source 'https://rubygems.org'
+gemspec
+
+group :development do
+  gem 'test-unit'
+  gem 'pry'
+  gem 'rubocop'
+  gem 'rack', '~> 1.6.8' if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.2')
+  gem 'smart_proxy', :github => "theforeman/smart-proxy", :branch => 'develop'
+end
+
+# load local gemfile
+local_gemfile = File.join(File.dirname(__FILE__), 'Gemfile.local.rb')
+self.instance_eval(Bundler.read_file(local_gemfile)) if File.exist?(local_gemfile)

data/README.md

@@ -0,0 +1,107 @@
+# OpenSCAP plug-in for Foreman Proxy
+
+A plug-in to the Foreman Proxy which receives bzip2ed ARF files
+and forwards them as JSON to the Foreman.
+smart_proxy_openscap plugin is required for the normal operation of OpenSCAP in the Foreman.
+
+## How it works
+
+Incoming ARF files are authenticated using either puppet certificate or Katello certificate of
+the client machine. The ARF files are parsed on the proxy and posted to the Foreman as JSON reports 
+and the ARF files are saved in a reports directory, where they can be accessed for full HTML report or 
+downloaded as bzip2ed xml report.
+If posting is failed, the ARF files are saved in queue for later retry.
+
+Learn more about [Foreman-OpenSCAP](https://github.com/theforeman/foreman_openscap) workflow.
+
+## Installation from RPMs
+
+- Install smart_proxy_openscap
+
+  ```
+  # yum install rubygem-smart_proxy_openscap
+  ```
+
+## Installation from upstream git
+- Add smart_proxy_openscap to your smart proxy `bundler.d/openscap.rb` gemfile:
+ 
+  ```
+  ~$ gem 'smart_proxy_openscap', :git => 'https://github.com/theforeman/smart_proxy_openscap.git'
+  ```
+
+If you don't install through RPM and you are using bundler, you may need to create 
+/var/spool/foreman-proxy & /usr/share/foreman-proxy/openscap directories manually and 
+set it's owner to the user under which foreman-proxy runs.
+
+## Configuration
+
+  ```
+  cp /etc/foreman-proxy/settings.d/openscap.yml{.example,}
+  ```
+Configure the following parameters so it would look like:
+  
+  ```
+  ---
+  :enabled: true
+  
+  # Log file for the forwarding script.
+  :openscap_send_log_file: /var/log/foreman-proxy/openscap-send.log
+  
+  # Directory where OpenSCAP audits are stored
+  # before they are forwarded to Foreman
+  :spooldir: /var/spool/foreman-proxy/openscap
+  
+  # Directory where OpenSCAP content XML are stored
+  # So we will not request the XML from Foreman each time
+  :contentdir: /var/lib/openscap/content
+  # Directory where OpenSCAP report XML are stored
+  # So Foreman can request arf xml reports
+  :reportsdir: /usr/share/foreman-proxy/openscap/content
+  ```
+
+- Deploy
+
+  ```
+  ~# service foreman-proxy restart
+  ```
+
+## Usage
+
+![Openscap design](http://shlomizadok.github.io/foreman_openscap/static/images/reports_design.png)
+
+### Exposed APIs
+
+* POST "/compliance/arf/:policy" - API to recieve ARF files, parse them and post to the Foreman. `:policy` is the policy ID from Foreman. expects ARF bzip2 file as POST body
+
+* GET "/compliance/arf/:id/:cname/:date/:digest/xml" - API to download bizped2 ARF file. `:id` - ArfReport id, `:cname` - Host name, `:date` - Report date, `:digest` - Digest of the Arf file
+
+* GET "/compliance/arf/:id/:cname/:date/:digest/html" - API to fetch full HTML report. `:id` - ArfReport id, `:cname` - Host name, `:date` - Report date, `:digest` - Digest of the Arf file
+
+* GET "/compliance/policies/:policy_id/content" - API to download and serve SCAP content file for policy. `:policy_id` - Policy id from Foreman
+
+* POST "/compliance/scap_content/policies" - API to extract policies from SCAP content. expects SCAP content posted as the POST body
+
+* POST "/compliance/scap_content/validator" - API to validate SCAP content. expects SCAP content posted as the POST body
+
+* POST "/compliance/scap_content/guide/:policy" - API to return Policy's HTML guide. `:policy` - policy name. expects SCAP content posted as the POST body
+
+### Binaries
+
+* `smart_proxy_openscap_send` - Sends failed ARF files to Foreman (in case first try failed). When installed with RPM, a cron jobs is configured to run every 30 minutes.
+
+## Copyright
+
+Copyright (c) 2014--2015 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.

data/Rakefile

@@ -0,0 +1,16 @@
+require 'rake'
+require 'rake/testtask'
+
+Bundler::GemHelper.install_tasks
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the Smart Proxy OpenSCAP.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << '.'
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.test_files = FileList['test/**/*_test.rb']
+  t.verbose = true
+end

data/bin/smart-proxy-arf-html

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+path = File.join(File.dirname(File.expand_path(__FILE__)), '..', 'lib')
+$:.unshift(path) if File.exist? path
+
+require 'smart_proxy_openscap/arf_html'
+
+Proxy::OpenSCAP::ArfHtml.new.generate_html ARGV[0], ARGV[1]

data/bin/smart-proxy-arf-json

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+path = File.join(File.dirname(File.expand_path(__FILE__)), '..', 'lib')
+$:.unshift(path) if File.exist? path
+
+require 'smart_proxy_openscap/arf_json'
+
+Proxy::OpenSCAP::ArfJson.new.as_json ARGV[0], ARGV[1], ARGV[2], ARGV[3]

data/bin/smart-proxy-openscap-send

@@ -0,0 +1,61 @@
+#!/usr/bin/env ruby
+#
+# Copyright (c) 2014--2015 Red Hat Inc.
+#
+# This software is licensed to you under the GNU General Public License,
+# version 3 (GPLv3). There is NO WARRANTY for this software, express or
+# implied, including the implied warranties of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv3
+# along with this software; if not, see http://www.gnu.org/licenses/gpl.txt
+#
+
+$LOAD_PATH.unshift '/usr/share/foreman-proxy/lib'
+$LOAD_PATH.unshift '/usr/share/foreman-proxy/modules'
+
+require 'smart_proxy'
+require 'smart_proxy_main'
+require 'smart_proxy_openscap'
+require 'smart_proxy_openscap/openscap_lib'
+
+loaded_settings = Proxy::OpenSCAP.plugin_settings
+
+# Don't run if OpenSCAP plugin is disabled or settings are missing.
+if !loaded_settings.enabled || loaded_settings.nil? || loaded_settings.empty?
+  exit 436
+end
+
+module Proxy
+  module Log
+    @@logger = ::Logger.new(Proxy::OpenSCAP.fullpath(Proxy::OpenSCAP.plugin_settings.openscap_send_log_file), 6, 1024*1024*10)
+    @@logger.level = ::Logger.const_get(Proxy::SETTINGS.log_level.upcase)
+  end
+end
+include Proxy::Log
+
+if !Proxy::SETTINGS.foreman_url
+  logger.error "Foreman URL not configured"
+  exit 437
+end
+
+lockfile = File.join(loaded_settings.spooldir, "spool.lock")
+
+Signal.trap("TERM") {
+  FileUtils.rm(lockfile) if File.exist?(lockfile)
+  exit
+}
+
+if File.exist? lockfile
+  logger.debug "Lock file #{lockfile} for openscap spool exists, not sending spool to server"
+  exit
+end
+
+begin
+  FileUtils.touch lockfile
+  Proxy::OpenSCAP::send_spool_to_foreman(loaded_settings)
+rescue StandardError => e
+  logger.error e
+  puts "#{e} See #{Proxy::OpenSCAP.fullpath(loaded_settings.openscap_send_log_file)}"
+  exit 438
+ensure
+  FileUtils.rm lockfile
+end

data/bin/smart-proxy-policy-guide

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+path = File.join(File.dirname(File.expand_path(__FILE__)), '..', 'lib')
+$:.unshift(path) if File.exist? path
+
+require 'smart_proxy_openscap/policy_guide'
+
+Proxy::OpenSCAP::PolicyGuide.new.generate_guide *ARGV

data/bin/smart-proxy-scap-profiles

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+path = File.join(File.dirname(File.expand_path(__FILE__)), '..', 'lib')
+$:.unshift(path) if File.exist? path
+
+require 'smart_proxy_openscap/scap_profiles'
+
+Proxy::OpenSCAP::ScapProfiles.new.profiles ARGV[0], ARGV[1], ARGV[2]

data/bin/smart-proxy-scap-validation

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+path = File.join(File.dirname(File.expand_path(__FILE__)), '..', 'lib')
+$:.unshift(path) if File.exist? path
+
+require 'smart_proxy_openscap/scap_validation'
+
+Proxy::OpenSCAP::ScapValidation.new.validate ARGV[0], ARGV[1], ARGV[2]

data/bundler.d/openscap.rb

@@ -0,0 +1,6 @@
+# Drop this file into bundler.d/ in foreman-proxy root
+gem 'smart_proxy_openscap'
+
+group :openscap do
+  # plugin dependencies go here
+end

data/extra/rubygem-smart_proxy_openscap.spec

@@ -0,0 +1,101 @@
+%global gem_name smart_proxy_openscap
+
+%global foreman_proxy_bundlerd_dir /usr/share/foreman-proxy/bundler.d
+%global foreman_proxy_pluginconf_dir /etc/foreman-proxy/settings.d
+%global spool_dir /var/spool/foreman-proxy/openscap
+%global proxy_user foreman-proxy
+
+Name: rubygem-%{gem_name}
+Version: 0.3.0
+Release: 1%{?dist}
+Summary: OpenSCAP plug-in for Foreman's smart-proxy.
+Group: Applications/Internet
+License: GPLv2+
+URL: http://github.com/openscap/smart_proxy_openscap
+Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
+#Requires: ruby(release)
+Requires: ruby(rubygems)
+Requires: foreman-proxy >= 1.7.0-0.develop.201410221520
+Requires: crontabs
+#BuildRequires: ruby(release)
+BuildRequires: rubygems-devel
+BuildRequires: ruby
+BuildArch: noarch
+Provides: rubygem(%{gem_name}) = %{version}
+Obsoletes: rubygem-foreman-proxy_openscap
+
+%description
+A plug-in to the Foreman's smart-proxy which receives bzip2ed ARF files
+and forwards them to the Foreman.
+
+%prep
+gem unpack %{SOURCE0}
+%setup -q -D -T -n  %{gem_name}-%{version}
+gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
+
+%build
+# Create the gem as gem install only works on a gem file
+gem build %{gem_name}.gemspec
+
+# %%gem_install compiles any C extensions and installs the gem into ./%gem_dir
+# by default, so that we can move it into the buildroot in %%install
+%gem_install
+
+%install
+mkdir -p %{buildroot}%{gem_dir}
+cp -a .%{gem_dir}/* \
+       %{buildroot}%{gem_dir}/
+mv %{buildroot}%{gem_instdir}/%{gem_name}.gemspec %{buildroot}/%{gem_spec}
+rm %{buildroot}%{gem_instdir}/extra/*.spec # this specfile
+
+# executables
+mkdir -p %{buildroot}%{_bindir}
+mv  %{buildroot}%{gem_instdir}/bin/* \
+	%{buildroot}%{_bindir}
+
+# bundler file
+mkdir -p %{buildroot}%{foreman_proxy_bundlerd_dir}
+mv %{buildroot}%{gem_instdir}/bundler.d/openscap.rb \
+   %{buildroot}%{foreman_proxy_bundlerd_dir}
+
+# sample config
+mkdir -p %{buildroot}%{foreman_proxy_pluginconf_dir}
+mv %{buildroot}%{gem_instdir}/settings.d/openscap.yml.example \
+   %{buildroot}%{foreman_proxy_pluginconf_dir}/
+
+# crontab
+mkdir -p %{buildroot}%{_sysconfdir}/cron.d/
+mv %{buildroot}%{gem_instdir}/extra/smart-proxy-openscap-send.cron \
+   %{buildroot}%{_sysconfdir}/cron.d/%{name}
+
+# create spool directory
+mkdir -p %{buildroot}%{spool_dir}
+
+%files
+%dir %{gem_instdir}
+%{gem_libdir}
+%exclude %{gem_cache}
+%{gem_spec}
+
+%attr(-,%{proxy_user},%{proxy_user}) %{spool_dir}
+%{foreman_proxy_bundlerd_dir}/openscap.rb
+%{_bindir}/smart-proxy-openscap-send
+%doc %{foreman_proxy_pluginconf_dir}/openscap.yml.example
+%config(noreplace) %attr(0644, root, root) %{_sysconfdir}/cron.d/%{name}
+
+%{gem_docdir}
+%{gem_instdir}/README.md
+%{gem_instdir}/COPYING
+
+%changelog
+* Tue Jan 20 2015 Šimon Lukašík <slukasik@redhat.com> - 0.3.0-1
+- new upstream release
+
+* Tue Jan 20 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.0-2
+- renamed to smart_proxy_openscap
+
+* Fri Oct 24 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.0-1
+- rebuilt
+
+* Fri Jul 18 2014 Šimon Lukašík <slukasik@redhat.com> - 0.0.1-1
+- Initial package

data/extra/smart-proxy-openscap-send.cron

@@ -0,0 +1,2 @@
+# Send all collected OpenSCAP reports once every 30 minutes
+*/30 * * * * foreman-proxy smart-proxy-openscap-send >> /var/log/foreman-proxy/cron.log

data/lib/smart_proxy_openscap.rb

@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2014 Red Hat Inc.
+#
+# This software is licensed to you under the GNU General Public License,
+# version 3 (GPLv3). There is NO WARRANTY for this software, express or
+# implied, including the implied warranties of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv3
+# along with this software; if not, see http://www.gnu.org/licenses/gpl.txt
+#
+
+require 'smart_proxy_openscap/openscap_plugin'
+
+module Proxy::OpenSCAP
+end

data/lib/smart_proxy_openscap/arf_html.rb

@@ -0,0 +1,22 @@
+require 'openscap'
+require 'openscap/ds/arf'
+
+module Proxy
+  module OpenSCAP
+    class ArfHtml
+      def generate_html(file_in, file_out)
+        ::OpenSCAP.oscap_init
+        File.write file_out, get_arf_html(file_in)
+      ensure
+        ::OpenSCAP.oscap_cleanup
+      end
+
+      def get_arf_html(file_in)
+        arf_object = ::OpenSCAP::DS::Arf.new(file_in)
+        # @TODO: Drop this when support for 1.8.7 ends
+        return arf_object.html if RUBY_VERSION.start_with? '1.8'
+        arf_object.html.force_encoding('UTF-8')
+      end
+    end
+  end
+end

data/lib/smart_proxy_openscap/arf_json.rb

@@ -0,0 +1,114 @@
+# encoding=utf-8
+require 'openscap'
+require 'openscap/ds/arf'
+require 'openscap/xccdf/testresult'
+require 'openscap/xccdf/ruleresult'
+require 'openscap/xccdf/rule'
+require 'openscap/xccdf/fix'
+require 'openscap/xccdf/benchmark'
+require 'json'
+require 'digest'
+
+module Proxy
+  module OpenSCAP
+    class ArfJson
+      def as_json(file_in, file_out, proxy_name, proxy_url)
+        ::OpenSCAP.oscap_init
+        arf_digest   = Digest::SHA256.hexdigest(File.read(file_in))
+
+        arf          = ::OpenSCAP::DS::Arf.new(file_in)
+        test_result  = arf.test_result
+
+        results      = test_result.rr
+        sds          = arf.report_request
+        bench_source = sds.select_checklist!
+        benchmark    = ::OpenSCAP::Xccdf::Benchmark.new(bench_source)
+        items        = benchmark.items
+
+        report = parse_results(items, results, arf_digest)
+        report[:openscap_proxy_name] = proxy_name
+        report[:openscap_proxy_url] = proxy_url
+
+        File.write file_out, report.to_json
+      ensure
+        cleanup test_result, benchmark, sds, arf
+      end
+
+      private
+
+      def parse_results(items, results, arf_digest)
+        report       = {}
+        report[:logs] = []
+        passed        = 0
+        failed        = 0
+        othered         = 0
+        results.each do |rr_id, result|
+          next if result.result == 'notapplicable' || result.result == 'notselected'
+          # get rules and their results
+          rule_data = items[rr_id]
+          report[:logs] << populate_result_data(rr_id, result.result, rule_data)
+          # create metrics for the results
+          case result.result
+            when 'pass', 'fixed'
+              passed += 1
+            when 'fail'
+              failed += 1
+            else
+              othered += 1
+          end
+        end
+        report[:digest]  = arf_digest
+        report[:metrics] = { :passed => passed, :failed => failed, :othered => othered }
+        report
+      end
+
+      def populate_result_data(result_id, rule_result, rule_data)
+        log               = {}
+        log[:source]      = ascii8bit_to_utf8(result_id)
+        log[:result]      = ascii8bit_to_utf8(rule_result)
+        log[:title]       = ascii8bit_to_utf8(rule_data.title)
+        log[:description] = ascii8bit_to_utf8(rule_data.description)
+        log[:rationale]   = ascii8bit_to_utf8(rule_data.rationale)
+        log[:references]  = hash_a8b(rule_data.references.map(&:to_hash))
+        log[:fixes]       = hash_a8b(rule_data.fixes.map(&:to_hash))
+        log[:severity]    = ascii8bit_to_utf8(rule_data.severity)
+        log
+      end
+
+      def cleanup(*args)
+        args.compact.map(&:destroy)
+        ::OpenSCAP.oscap_cleanup
+      end
+
+      # Unfortunately openscap in ruby 1.9.3 outputs data in Ascii-8bit.
+      # We transform it to UTF-8 for easier json integration.
+
+      # :invalid ::
+      #   If the value is invalid, #encode replaces invalid byte sequences in
+      #   +str+ with the replacement character.  The default is to raise the
+      #   Encoding::InvalidByteSequenceError exception
+      # :undef ::
+      #   If the value is undefined, #encode replaces characters which are
+      #   undefined in the destination encoding with the replacement character.
+      #   The default is to raise the Encoding::UndefinedConversionError.
+      # :replace ::
+      #   Sets the replacement string to the given value. The default replacement
+      #   string is "\uFFFD" for Unicode encoding forms, and "?" otherwise.
+      def ascii8bit_to_utf8(string)
+        return ascii8bit_to_utf8_legacy(string) if RUBY_VERSION.start_with? '1.8'
+        string.to_s.encode('utf-8', :invalid => :replace, :undef => :replace, :replace => '_')
+      end
+
+      # String#encode appeared first in 1.9, so we need a workaround for 1.8
+      def ascii8bit_to_utf8_legacy(string)
+        Iconv.conv('UTF-8//IGNORE', 'UTF-8', string.to_s)
+      end
+
+      def hash_a8b(ary)
+        ary.map do |hash|
+          Hash[hash.map { |key, value| [ascii8bit_to_utf8(key), ascii8bit_to_utf8(value)] }]
+        end
+      end
+    end
+  end
+end