Fixes #16411: Change the packaging to pass via the Rudder api to install the plugin
Showing
10 changed files
with
282 additions
and
83 deletions.
@@ -1,24 +1,33 @@ | ||
FILES = ncf techniques | ||
# Usage: $(GET) <destination_file> <url> <hash> | ||
PROXY_ENV = $(if $(PROXY), http_proxy=$(PROXY) ftp_proxy=$(PROXY)) | ||
# No accept encoding to prevent the webserver form altering the distributed file | ||
# Pass an empty string to skip hash check | ||
# grep 'GET=' */SOURCES/Makefile to patch everywhere | ||
GET=get() { $(PROXY_ENV) curl -s -L -o "$$1.part" "$$2" && { openssl dgst -sha256 "$$1.part" | grep -q "$$3" || { echo "Wrong checksum, aborting"; exit 1; }; } && mv "$$1.part" "$$1"; }; get | ||
|
||
RUDDER_SYNCHRONIZE_SHA256 = fcfd9ea8c574c120424f16b661f8f75696a410e243ee030a79dc8dd3743e6f42 | ||
FILES = remove-configuration rudder-synchronize openscap-policies.json techniques | ||
SCRIPTS = postinst prerm | ||
OTHER_ARCHIVES = target/external-report.txz | ||
|
||
TECHNIQUES=$(shell ls -1 configuration-repository/ncf/50_techniques) | ||
|
||
include ../makefiles/common-plugin.mk | ||
|
||
target/ncf: | ||
cp -a configuration-repository/ncf target | ||
|
||
target/techniques: | ||
cp -a configuration-repository/techniques target | ||
mkdir -p target/techniques/ncf_techniques | ||
for technique in "$(TECHNIQUES)"; \ | ||
do \ | ||
cd target && mkdir -p techniques/plugin_openscap_report/$$technique && cd -; \ | ||
cd target/techniques/ncf_techniques && ln -rs ../plugin_openscap_report/$$technique $$techniques && cd -; \ | ||
done; | ||
cp -r configuration/techniques target/techniques | ||
|
||
target/remove-configuration: | ||
cp packaging/remove-configuration target/remove-configuration | ||
|
||
target/openscap-policies.json: | ||
tools/openscap-policies | ||
|
||
target/rudder-synchronize: | ||
$(GET) target/rudder-synchronize https://repository.rudder.io/tools/rudder-synchronize $(RUDDER_SYNCHRONIZE_SHA256) | ||
|
||
target/external-report.txz: | ||
cp -a src/node-external-reports.properties target/ | ||
tar cJ -C target -f target/external-report.txz node-external-reports.properties | ||
|
||
clean: | ||
rm -f $(FULL_NAME)-*.rpkg pom.xml | ||
rm -rf target |
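Review bot: In the `GET` macro the download call `curl -s -L -o "$$1.part" "$$2"` runs without `--fail`, so an HTTP error page (404, proxy error) is written to the `.part` file with exit status 0, and because `grep -q ""` matches any output — which is what makes the documented empty-hash skip work — such a file is accepted whenever the third argument is empty, while with `RUDDER_SYNCHRONIZE_SHA256` set the failure is reported as the misleading "Wrong checksum". Adding the flag, `$(PROXY_ENV) curl -sfL -o "$$1.part" "$$2" && { ... }`, makes transport failures fail the recipe on their own and leaves no bogus `.part` file to be mistaken for a real download. The comment above says this line is copied across `*/SOURCES/Makefile`, so the same change applies wherever it is patched. The rendered view has lost the +/- markers, so which of the other lines in this hunk are new cannot be recovered here; this is raised against the visible result.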
25 changes: 0 additions & 25 deletions
25
...nfiguration-repository/ncf/50_techniques/plugin_openscap_report/plugin_openscap_report.cf
This file was deleted.
22 changes: 0 additions & 22 deletions
22
openscap-report/configuration-repository/techniques/plugin_openscap_report/category.xml
This file was deleted.
97 changes: 97 additions & 0 deletions
97
openscap-report/configuration/techniques/plugin_openscap_report.json
@@ -0,0 +1,97 @@ | ||
{ | ||
"type": "ncf_technique", | ||
"version": 1, | ||
"data": { | ||
"bundle_args": [ | ||
"profile", | ||
"scap_file" | ||
], | ||
"bundle_name": "plugin_openscap_report", | ||
"description": "This technique will trigger an openscap audit every hour on the agent.", | ||
"name": "plugin_openscap_report", | ||
"version": "1.0", | ||
"parameter": [ | ||
{ | ||
"constraints": { | ||
"allow_empty_string": false, | ||
"allow_whitespace_string": false, | ||
"max_length": 16384 | ||
}, | ||
"id": "0bad6c1e-59c9-44ca-a935-210af4188643", | ||
"name": "profile" | ||
}, | ||
{ | ||
"constraints": { | ||
"allow_empty_string": false, | ||
"allow_whitespace_string": false, | ||
"max_length": 16384 | ||
}, | ||
"id": "182dffe7-4310-4e01-bdd0-3f7db8272e2f", | ||
"name": "scap_file" | ||
} | ||
], | ||
"method_calls": [ | ||
{ | ||
"args": [ | ||
"openscap", | ||
"5", | ||
"5", | ||
"0", | ||
"10", | ||
"15", | ||
"1", | ||
"0", | ||
"1", | ||
"0", | ||
"nodups" | ||
], | ||
"class_context": "any", | ||
"method_name": "schedule_simple", | ||
"component": "Schedule Simple" | ||
}, | ||
{ | ||
"args": [ | ||
"openscap-scanner", | ||
"", | ||
"", | ||
"" | ||
], | ||
"class_context": "any", | ||
"method_name": "package_present", | ||
"component": "Package present" | ||
}, | ||
{ | ||
"args": [ | ||
"scap-security-guide", | ||
"", | ||
"", | ||
"" | ||
], | ||
"class_context": "any", | ||
"method_name": "package_present", | ||
"component": "Package present" | ||
}, | ||
{ | ||
"args": [ | ||
"oscap xccdf eval --profile ${profile} --report /var/rudder/tmp/openscap_report.html ${scap_file}", | ||
"0,2", | ||
"254" | ||
], | ||
"class_context": "any.(schedule_simple_openscap_repaired)", | ||
"method_name": "command_execution_result", | ||
"component": "run scan Openscap" | ||
}, | ||
{ | ||
"args": [ | ||
"root", | ||
"report.html", | ||
"/var/rudder/tmp/openscap_report.html", | ||
"1d" | ||
], | ||
"class_context": "any", | ||
"method_name": "sharedfile_to_node", | ||
"component": "send report to server" | ||
} | ||
] | ||
} | ||
} |
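Review bot: The `command_execution_result` call interpolates the `profile` and `scap_file` technique parameters unquoted into the shell command `oscap xccdf eval --profile ${profile} --report /var/rudder/tmp/openscap_report.html ${scap_file}`, while the `constraints` objects on both parameters only enforce non-empty, non-whitespace and `max_length`, so any shell metacharacter in a directive value reaches the shell unchanged. Directive authors are already trusted in Rudder, but if the technique editor in use supports the `regex` constraint, restricting `profile` to an identifier pattern and `scap_file` to an absolute-path pattern rejects mistyped or malformed values at policy generation rather than at run time, and quoting the expansions (`--profile "${profile}" ... "${scap_file}"`) is a cheap second layer. Separately, the `sharedfile_to_node` call is conditioned on `any`, so a stale `/var/rudder/tmp/openscap_report.html` is re-sent on every run even when the scan did not execute; conditioning it on the outcome class of the `command_execution_result` call would tie the upload to a fresh report.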
@@ -1,16 +1,50 @@ | ||
#!/bin/bash | ||
set -x | ||
PLUGIN_FULL_NAME="rudder-plugin-openscap-policies" | ||
PLUGIN_NAME="openscap-policies" | ||
PRETTY_NAME="OpenSCAP Policies" | ||
CONFIGURATION_PATH=/var/rudder/packages/$PLUGIN_FULL_NAME | ||
|
||
# Import Ansible Technique | ||
FOLDERS="ncf/50_techniques/plugin_openscap_report techniques/plugin_openscap_report techniques/ncf_techniques" | ||
cd /var/rudder/configuration-repository/ | ||
# Code below should be mostly comon between the plugins | ||
SOURCE_DIR=${CONFIGURATION_PATH}/techniques | ||
CONFIG_REPO=/var/rudder/configuration-repository | ||
|
||
CATEGORY="$PRETTY_NAME plugin" | ||
C_CATEGORY=$(echo $CATEGORY | sed "s/[^a-zA-Z0-9_]/_/g") | ||
FOLDERS="techniques/$C_CATEGORY techniques/ncf_techniques" | ||
|
||
mkdir -p $CONFIG_REPO/techniques/$C_CATEGORY | ||
|
||
cat <<EOT > $CONFIG_REPO/techniques/$C_CATEGORY/category.xml | ||
<xml> | ||
<name>$CATEGORY</name> | ||
<description> | ||
Techniques from the $PRETTY_NAME plugin | ||
</description> | ||
</xml> | ||
EOT | ||
|
||
|
||
for file in $SOURCE_DIR/*; do | ||
BASE=$(echo $file | sed "s/.*\///" | sed "s/\.[^.]*$//") | ||
C_BASE=$(echo $BASE | sed "s/[^a-zA-Z0-9_]/_/g") | ||
mkdir -p $CONFIG_REPO/techniques/$C_CATEGORY/$C_BASE | ||
cd $CONFIG_REPO/techniques/ncf_techniques && ln -nrs $CONFIG_REPO/techniques/$C_CATEGORY/$C_BASE && cd - | ||
done | ||
|
||
cd $CONFIG_REPO | ||
git reset | ||
for folder in $FOLDERS | ||
for file in $FOLDERS | ||
do | ||
chown -R ncf-api-venv:rudder $folder | ||
chmod 664 -R $folder | ||
chmod -R +X $folder | ||
git add $folder | ||
git add $file | ||
done | ||
git commit -m "OpenSCAP-report plugin installation" | ||
/opt/rudder/bin/rudder-fix-repository-permissions | ||
git commit -m "$CATEGORY start installation" | ||
|
||
# Make extra scripts executables | ||
chmod +x $CONFIGURATION_PATH/rudder-synchronize | ||
|
||
# Import Techniques | ||
${CONFIGURATION_PATH}/rudder-synchronize import technique ${CONFIGURATION_PATH}/techniques | ||
git add techniques/$C_CATEGORY && git commit -m "$CATEGORY end installation" | ||
rudder server reload-techniques |
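Review bot: The technique import, `${CONFIGURATION_PATH}/rudder-synchronize import technique ${CONFIGURATION_PATH}/techniques`, is not checked: the script runs without `set -e`, so when the import fails for any reason the following `git add techniques/$C_CATEGORY && git commit ...` and `rudder server reload-techniques` still run and the package install reports success with a half-installed plugin. Guarding that line, `${CONFIGURATION_PATH}/rudder-synchronize import technique ${CONFIGURATION_PATH}/techniques || { echo "technique import failed" >&2; exit 1; }`, surfaces the failure to the package manager. The loop body `cd $CONFIG_REPO/techniques/ncf_techniques && ln -nrs ... && cd -` has the same shape — when `ln` fails the `cd -` is skipped and the shell stays in the wrong directory, harmless here only because `cd $CONFIG_REPO` follows — and `$file`, `$BASE` and `$C_BASE` are expanded unquoted throughout. Which of these lines are new cannot be recovered from the rendered view, so this is raised against the visible result.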
@@ -1,18 +1,29 @@ | ||
#!/bin/bash | ||
set -x | ||
PLUGIN_FULL_NAME="rudder-plugin-openscap-policies" | ||
PLUGIN_NAME="openscap-policies" | ||
PRETTY_NAME="OpenSCAP Policies" | ||
CONFIGURATION_PATH=/var/rudder/packages/$PLUGIN_FULL_NAME | ||
CATEGORY="$PRETTY_NAME plugin" | ||
C_CATEGORY=$(echo $CATEGORY | sed "s/[^a-zA-Z0-9_]/_/g") | ||
|
||
# Import Ansible Technique | ||
NAME=plugin_openscap_report | ||
FOLDERS="ncf/50_techniques techniques dsc/ncf/50_techniques techniques/ncf_techniques" | ||
cd /var/rudder/configuration-repository/ | ||
git reset | ||
for folder in $FOLDERS | ||
do | ||
git rm -r $folder/$NAME | ||
done | ||
# Remove technique | ||
$CONFIGURATION_PATH/remove-configuration | ||
|
||
# Remove techniques symlink and ncf ones | ||
cd /var/rudder/configuration-repository | ||
|
||
TECHNIQUES=$(jq -r '.techniques[]' $CONFIGURATION_PATH/$PLUGIN_NAME.json | sed "s%^%$CONFIGURATION_PATH/techniques/%" | xargs jq -r '.data.bundle_name') | ||
for file in $TECHNIQUES; do | ||
git rm -rf --ignore-unmatch techniques/ncf_techniques/$file | ||
git rm -rf --ignore-unmatch ncf/50_techniques/$file | ||
done; | ||
|
||
# Remove category | ||
cd /var/rudder/configuration-repository/techniques | ||
git rm -rf $C_CATEGORY | ||
git commit -m "OpenSCAP-report plugin uninstallation" | ||
# need to be run 2 times to be updated, first one will fail | ||
# TODO #16053 | ||
rudder server reload-techniques || /bin/true | ||
|
||
rudder server reload-techniques | ||
|
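Review bot: The line `TECHNIQUES=$(jq -r '.techniques[]' $CONFIGURATION_PATH/$PLUGIN_NAME.json | sed ... | xargs jq -r '.data.bundle_name')` yields an empty list when the tracking file is missing or unreadable, after which the `git rm` loop removes nothing and the script proceeds to `git rm -rf $C_CATEGORY`, commits and reloads as if the uninstall had succeeded; `xargs` also splits on whitespace, so a technique file name containing a space is never looked up. A `while read -r` loop with quoted paths, `jq -r '.techniques[]' "$CONFIGURATION_PATH/$PLUGIN_NAME.json" | while read -r t; do jq -r '.data.bundle_name' "$CONFIGURATION_PATH/techniques/$t"; done`, handles odd names, and an explicit `[ -r "$CONFIGURATION_PATH/$PLUGIN_NAME.json" ] || exit 1` before it makes the missing-file case visible. The commit message `OpenSCAP-report plugin uninstallation` still names the old plugin while postinst commits under `$CATEGORY`; `"$CATEGORY uninstallation"` keeps the repository history consistent. The side of each line is not recoverable from the rendered view, so this is raised against the visible result.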
@@ -0,0 +1,53 @@ | ||
#!/usr/bin/python | ||
import sys, json, re | ||
# Hack to import rudder lib, remove, some day ... | ||
sys.path.insert(0, "/usr/share/rudder-api-client/") | ||
from rudder import RudderEndPoint, RudderError | ||
|
||
def canonify(string): | ||
string = string.encode("utf-8").decode("iso-8859-1") | ||
regex = re.compile("[^a-zA-Z0-9_]") | ||
return regex.sub("_", string) | ||
|
||
PLUGIN_NAME="openscap-policies" | ||
PLUGIN_FULLNAME="rudder-plugin-" + PLUGIN_NAME | ||
PLUGIN_PRETTY_NAME="OpenSCAP Policies" | ||
CATEGORY_NAME=canonify(PLUGIN_PRETTY_NAME + " plugin") | ||
|
||
with open('/var/rudder/run/api-token') as ftoken: | ||
TOKEN = ftoken.read() | ||
RUDDER_URL="https://localhost/rudder" | ||
TRACK_FILE_PATH="/var/rudder/packages/" + PLUGIN_FULLNAME + "/" + PLUGIN_NAME + ".json" | ||
|
||
endpoint = RudderEndPoint(RUDDER_URL, TOKEN, verify=False) | ||
RED = '\033[91m' | ||
ENDC = '\033[0m' | ||
GREEN = '\033[92m' | ||
|
||
def removeTechniques(techniques): | ||
techniquesEndpoint = RudderEndPoint("https://localhost/ncf", TOKEN, verify=False) | ||
for iTechnique in techniques: | ||
try: | ||
with open("/var/rudder/packages/" + PLUGIN_FULLNAME + "/techniques/" + iTechnique) as f: | ||
data = json.load(f)["data"] | ||
techniqueName = data["name"] | ||
if canonify(techniqueName) in TECHNIQUES: | ||
delete = techniquesEndpoint.request("DELETE", "/api/techniques/" + canonify(techniqueName) + "?path=/var/rudder/configuration-repository/ncf") | ||
print(GREEN + "Successfully removed technique %s"%techniqueName + ENDC) | ||
else: | ||
print(GREEN + "Could not find technique %s"%techniqueName + ENDC) | ||
except RudderError as e: | ||
print(RED + e.message + ENDC) | ||
|
||
try: | ||
with open(TRACK_FILE_PATH) as f: | ||
data = json.load(f) | ||
except Exception as e: | ||
print("Could not open %s"%TRACK_FILE_PATH) | ||
print(e) | ||
exit(1) | ||
|
||
TECHNIQUES = [iTechnique["name"] for iTechnique in endpoint.list_techniques()["techniques"]] | ||
|
||
removeTechniques(data["techniques"]) | ||
|
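Review bot: `print(RED + e.message + ENDC)` in `removeTechniques` relies on the Python 2 only `message` attribute; where `#!/usr/bin/python` resolves to Python 3 the handler itself raises `AttributeError` on the first `RudderError`, so `print(RED + str(e) + ENDC)` is the portable form. The `try` in that loop catches only `RudderError`, so a missing or malformed technique JSON under the plugin's `techniques/` directory raises an uncaught `IOError`/`ValueError`/`KeyError` and aborts the loop before the remaining techniques are deleted; catching those per technique and continuing keeps the uninstall going, which is what the prerm that calls this script seems to expect. `TOKEN = ftoken.read()` keeps any trailing newline from `/var/rudder/run/api-token`; `TOKEN = ftoken.read().strip()` avoids sending it in the request. The `delete =` result of the DELETE request is unused, and `verify=False` on both `RudderEndPoint` instances disables TLS verification — presumably acceptable for `https://localhost` with a locally issued certificate, but a one-line comment stating that assumption would stop it being copied to a non-local endpoint.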