Fixes #16024: Make a plugin from the current openSCAP technique
Showing 11 changed files with 933 additions and 0 deletions.
@@ -0,0 +1,27 @@ | ||
Copyright 2011 Normation SAS | ||
|
||
This program is free software: you can redistribute it and/or modify | ||
it under the terms of the GNU General Public License as published by | ||
the Free Software Foundation, either version 3 of the License, or | ||
(at your option) any later version. | ||
|
||
In accordance with the terms of section 7 (7. Additional Terms.) of | ||
the GNU General Public License version 3, the copyright holders add | ||
the following Additional permissions: | ||
Notwithstanding to the terms of section 5 (5. Conveying Modified Source | ||
Versions) and 6 (6. Conveying Non-Source Forms.) of the GNU General | ||
Public License version 3, when you create a Related Module, this | ||
Related Module is not considered as a part of the work and may be | ||
distributed under the license agreement of your choice. | ||
A "Related Module" means a set of sources files including their | ||
documentation that, without modification of the Source Code, enables | ||
supplementary functions or services in addition to those offered by | ||
the Software. | ||
|
||
This program is distributed in the hope that it will be useful, | ||
but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
GNU General Public License for more details. | ||
|
||
You should have received a copy of the GNU General Public License | ||
along with this program. If not, see <http://www.gnu.org/licenses/>. |
@@ -0,0 +1,24 @@ | ||
FILES = ncf techniques | ||
SCRIPTS = postinst prerm | ||
OTHER_ARCHIVES = target/external-report.txz | ||
|
||
TECHNIQUES=$(shell ls -1 configuration-repository/ncf/50_techniques) | ||
|
||
include ../makefiles/common-plugin.mk | ||
|
||
target/ncf: | ||
cp -a configuration-repository/ncf target | ||
|
||
target/techniques: | ||
cp -a configuration-repository/techniques target | ||
mkdir -p target/techniques/ncf_techniques | ||
for technique in "$(TECHNIQUES)"; \ | ||
do \ | ||
cd target && mkdir -p techniques/plugin_openscap_report/$$technique && cd -; \ | ||
cd target/techniques/ncf_techniques && ln -rs ../plugin_openscap_report/$$technique $$techniques && cd -; \ | ||
done; | ||
|
||
target/external-report.txz: | ||
cp -a src/node-external-reports.properties target/ | ||
tar cJ -C target -f target/external-report.txz node-external-reports.properties | ||
|
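Review bot: the loop in the `target/techniques` rule is broken in two places. `for technique in "$(TECHNIQUES)"` quotes the whole list, so the body runs once with every technique name joined in a single string instead of once per technique; drop the quotes. On the following line `$$techniques` (with a trailing s) is never defined, so `ln -rs ../plugin_openscap_report/$$technique $$techniques` expands to a link command with an empty destination; it should read `$$technique`. Minor: run each step in a subshell or use `cd - >/dev/null` so the build log is not cluttered with the directory echo.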
@@ -0,0 +1,57 @@ | ||
# Rudder plugin: OpenSCAP-report | ||
|
||
This project is part of Rudder - IT infrastructure Automation and Compliance. | ||
See: http://rudder.io for more information. | ||
See repository main README for information about licensing, contribution, and other general information. | ||
|
||
|
||
// Everything after this line goes into Rudder documentation | ||
// ====doc==== | ||
[OpenSCAP-plugin] | ||
= OpenSCAP | ||
|
||
OpenSCAP is an ecosystem that provides several tools to assist admnistrators and auditors with assessment, measurement, and enforcement of security baselines. It allows the use of different profiles aligned with different standards such as PCI-DSS. | ||
|
||
The plugin aims to upload automatically the openSCAP auditing results to the Rudder Server, and, if you have the `external-reports-plugin`, to integrate these reports directly in the Rudder node webpage. | ||
|
||
== Installation | ||
|
||
As most of the Rudder plugins, you must install the plugin with the rudder-pkg tool on your Server Rudder. | ||
|
||
.... | ||
/opt/rudder/bin/rudder-pkg install-file <path to the rpkg> | ||
.... | ||
|
||
This will *add one Rudder technique to your Rudder Server*. | ||
|
||
|
||
=== Usage | ||
|
||
In order to use the technique provided and get reports from your nodes, you will need to decline it in different directives following your requirements. | ||
|
||
The technique comes with two parameters: | ||
|
||
* `profile` which is the profile name you want to audit | ||
* `scap_file` which is the absolute path (on the node) of the SCAP content from which you will base the audit on | ||
|
||
SCAP content refers to document in the XCCDF, OVAL and Source DataStream formats. These documents can be presented in different forms and by different organizations to meet their security automation and technical implementation needs. You can find more informations on the https://github.com/ComplianceAsCode/content[ComplianceAsCode] GitHub project. | ||
|
||
By default, available `scap_files` are located on `/usr/share/xml/scap/ssg/content/` after install of the openSCAP agent on the nodes. Given profiles for specific scap_files can be obtain with the command: | ||
|
||
---- | ||
oscap info <scap_file> | ||
---- | ||
|
||
The technique will take care of the openSCAP agent installation and will by default, trigger an audit every hour on your nodes. The reporting file will then be uploaded on your Rudder Server under the folder: | ||
|
||
---- | ||
/var/rudder/shared-files/root/files/<node-id>/openscap_report.html | ||
---- | ||
|
||
|
||
== Rudder Webapp integration | ||
|
||
With the Rudder plugin `Node external reports` which allows to add external, static documents and reports in a new tab in the `node details` webpage, this plugin will display the reports directly in the web interface. | ||
A compatible configuration file is distributed with the `OpenSCAP-report` plugin, you can find it in `/var/rudder/packages/rudder-plugin-openscap-report/node-external-reports.properties` | ||
|
||
The complete documentation of the `Node-external-reports` plugin is available https://docs.rudder.io/reference/5.0/plugins/node-external-reports.html#_documents_naming_convention[here]. |
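Review bot: several wording issues in the documentation block: `admnistrators` should be `administrators`, `more informations` should be `more information`, `can be obtain` should be `can be obtained`, and `decline it in different directives` reads as a calque; `instantiate it in one or more directives` is clearer. The README also states that the report is uploaded as `/var/rudder/shared-files/root/files/<node-id>/openscap_report.html`, so the shared-file name used by the technique must be `openscap_report.html` for this sentence and the node-external-reports configuration to hold.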
@@ -0,0 +1,30 @@ | ||
# | ||
# This file defines the release information about the plugin like | ||
# its version and its ABI compability. | ||
# | ||
# So version are not managed in pom.xml (safe for parent-pom version, | ||
# which can't be a parameter, and must be equals to rudder-branch here) | ||
# | ||
|
||
# Unique identifier of the plugin | ||
plugin-name=openscap-report | ||
# the full name is derived from rudder-plugin-name | ||
plugin-fullname=rudder-plugin-${plugin-name} | ||
|
||
# Human readable short/title descrption (used for one line text) | ||
plugin-title-description="""OpenSCAP audits managed by Rudder""" | ||
""" | ||
|
||
# WEB, HTML description. | ||
plugin-web-description=<p>OpenSCAP audits managed by Rudder</p> | ||
|
||
# Plugin version. It is build as follow: A.B-x.y(.z) with: | ||
# - A.B: Rudder major.minor | ||
# - x.y(.z): plugin major.minor.micro. Micro should be omitted. When omitted, z is assumed to be 0. | ||
# For the build, we split the information between two properties, rudder branch and plugin version, | ||
# which must be concaneted with "-" to build the plugin version. | ||
plugin-branch=0.1 | ||
|
||
# rudder branch comes from parent | ||
plugin-version=${rudder-branch}-${plugin-branch} | ||
|
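Review bot: the `plugin-title-description` value is followed by a stray `"""` on its own line, which leaves an unterminated triple-quoted string and will break parsing of build.conf; remove that line. Minor spelling in the comments: `compability` should be `compatibility`, `descrption` should be `description`, `concaneted` should be `concatenated`.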
...nfiguration-repository/ncf/50_techniques/plugin_openscap_report/plugin_openscap_report.cf
25 changes: 25 additions & 0 deletions
@@ -0,0 +1,25 @@ | ||
# @name plugin_openscap_report | ||
# @description This technique will trigger an openscap audit every hour on the agent. | ||
# @version 1.0 | ||
# @parameter {"id": "0bad6c1e-59c9-44ca-a935-210af4188643", "name": "profile", "constraints": {"allow_whitespace_string": false, "allow_empty_string": false, "max_length": 16384}} | ||
# @parameter {"id": "182dffe7-4310-4e01-bdd0-3f7db8272e2f", "name": "scap_file", "constraints": {"allow_whitespace_string": false, "allow_empty_string": false, "max_length": 16384}} | ||
|
||
bundle agent plugin_openscap_report(profile, scap_file) | ||
{ | ||
methods: | ||
"Schedule Simple_context_${report_data.directive_id}_0" usebundle => _method_reporting_context("Schedule Simple", "openscap"); | ||
"Schedule Simple" usebundle => schedule_simple("openscap", "5", "5", "0", "10", "15", "1", "0", "1", "0", "nodups"), | ||
ifvarclass => concat("any"); | ||
"Package present_context_${report_data.directive_id}_1" usebundle => _method_reporting_context("Package present", "openscap-scanner"); | ||
"Package present" usebundle => package_present("openscap-scanner", "", "", ""), | ||
ifvarclass => concat("any"); | ||
"Package present_context_${report_data.directive_id}_2" usebundle => _method_reporting_context("Package present", "scap-security-guide"); | ||
"Package present" usebundle => package_present("scap-security-guide", "", "", ""), | ||
ifvarclass => concat("any"); | ||
"run scan Openscap_context_${report_data.directive_id}_3" usebundle => _method_reporting_context("run scan Openscap", "oscap xccdf eval --profile ${profile} --report /var/rudder/tmp/openscap_report.html ${scap_file}"); | ||
"run scan Openscap" usebundle => command_execution_result("oscap xccdf eval --profile ${profile} --report /var/rudder/tmp/openscap_report.html ${scap_file}", "0,2", "254"), | ||
ifvarclass => concat("any.(schedule_simple_openscap_repaired)"); | ||
"send report to server_context_${report_data.directive_id}_4" usebundle => _method_reporting_context("send report to server", "report.html"); | ||
"send report to server" usebundle => sharedfile_to_node("root", "report.html", "/var/rudder/tmp/openscap_report.html", "1d"), | ||
ifvarclass => concat("any"); | ||
} |
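Review bot: the shared-file name in `sharedfile_to_node("root", "report.html", "/var/rudder/tmp/openscap_report.html", "1d")` does not match the `openscap_report.html` name documented in the README and configured in node-external-reports.properties, so the web tab will never find the report; use `openscap_report.html` both in the `_method_reporting_context` call and in the method call. Separately, `${profile}` and `${scap_file}` are substituted unquoted into the `oscap xccdf eval` command line, and the parameter constraints only reject empty and whitespace-only values, so a path containing a space (or any shell metacharacter) is not handled; quote the two values in the command and consider a regular-expression constraint that limits the parameters to the characters a profile id and a file path actually need.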
openscap-report/configuration-repository/techniques/plugin_openscap_report/category.xml
22 changes: 22 additions & 0 deletions
@@ -0,0 +1,22 @@ | ||
<!-- | ||
Copyright 2019 Normation SAS | ||
This program is free software: you can redistribute it and/or modify | ||
it under the terms of the GNU General Public License as published by | ||
the Free Software Foundation, Version 3. | ||
This program is distributed in the hope that it will be useful, | ||
but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
GNU General Public License for more details. | ||
You should have received a copy of the GNU General Public License | ||
along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
--> | ||
|
||
<xml> | ||
<name>OpenSCAP-report</name> | ||
<description> | ||
Contains techniques from the OpenSCAP-report plugin. | ||
</description> | ||
</xml> |
@@ -0,0 +1,11 @@ | ||
{ | ||
"type": "plugin", | ||
"name": "${plugin-id}", | ||
"version": "${plugin-version}", | ||
"build-date": "${maven.build.timestamp}", | ||
"build-commit": "${commit-id}", | ||
"content": { | ||
"files.txz": "/var/rudder/configuration-repository", | ||
"external-report.txz": "/var/rudder/packages/rudder-plugin-openscap-report" | ||
} | ||
} |
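Review bot: `"name": "${plugin-id}"` references a property that the build.conf in this commit does not define (it declares `plugin-name` and `plugin-fullname`); unless `plugin-id` is supplied by the shared parent build, the package metadata will carry the literal placeholder. Confirm which property is intended, or switch to `${plugin-fullname}` if that is what other plugins use.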
@@ -0,0 +1,16 @@ | ||
#!/bin/bash | ||
set -x | ||
|
||
# Import Ansible Technique | ||
FOLDERS="ncf/50_techniques/plugin_openscap_report techniques/plugin_openscap_report techniques/ncf_techniques" | ||
cd /var/rudder/configuration-repository/ | ||
git reset | ||
for folder in $FOLDERS | ||
do | ||
chown -R ncf-api-venv:rudder $folder | ||
chmod 664 -R $folder | ||
chmod -R +X $folder | ||
git add $folder | ||
done | ||
git commit -m "OpenSCAP-report plugin installation" | ||
rudder server reload-techniques |
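Review bot: `cd /var/rudder/configuration-repository/` is unchecked and the script has no `set -e`, so if the directory is missing the `git reset`, `chown`, `chmod` and `git commit` all run in whatever the current directory happens to be; add `set -e` (or `cd ... || exit 1`). The comment `# Import Ansible Technique` is left over from another plugin and should say OpenSCAP. `chmod 664 -R $folder` followed by `chmod -R +X $folder` gives directories 775 and files 664 as intended, but `chmod -R u=rwX,g=rwX,o=rX $folder` does the same in one step and reads more clearly.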
@@ -0,0 +1,18 @@ | ||
#!/bin/bash | ||
set -x | ||
|
||
# Import Ansible Technique | ||
NAME=plugin_openscap_report | ||
FOLDERS="ncf/50_techniques techniques dsc/ncf/50_techniques techniques/ncf_techniques" | ||
cd /var/rudder/configuration-repository/ | ||
git reset | ||
for folder in $FOLDERS | ||
do | ||
git rm -r $folder/$NAME | ||
done | ||
git commit -m "OpenSCAP-report plugin uninstallation" | ||
# need to be run 2 times to be updated, first one will fail | ||
# TODO #16053 | ||
rudder server reload-techniques || /bin/true | ||
rudder server reload-techniques | ||
|
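Review bot: `FOLDERS` includes `dsc/ncf/50_techniques`, which postinst never adds to the repository, so `git rm -r dsc/ncf/50_techniques/plugin_openscap_report` will error out on every uninstall; drop it or guard it with a test on the path. As in postinst, the `cd` is unchecked and the `# Import Ansible Technique` comment is stale (this is also the uninstall script, not an import). The double `reload-techniques` call is at least documented with its tracking issue (#16053), which is the right way to leave a workaround.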
@@ -0,0 +1,29 @@ | ||
# | ||
# | ||
# | ||
|
||
#The name of the tab in node details for report. | ||
#Must be non empty | ||
plugin.node-external-reports.tab-name=External Reports | ||
|
||
|
||
# | ||
# Configure several reports. | ||
# Value must be enclosed with "" only | ||
# if the string contains "@" | ||
# | ||
# The reports will appear sorted alpha-numerically | ||
# by key, so you can force order by prefixing with | ||
# a number. | ||
# | ||
plugin.node-external-reports.reports { | ||
|
||
04_openscap= { | ||
title=Openscap report | ||
description=This report display OS information | ||
dirname="/var/rudder/shared-files/root/files/@@node@@" | ||
filename="openscap_report.html" | ||
content-type=text/html | ||
} | ||
|
||
} |
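Review bot: the description `This report display OS information` is both ungrammatical and inaccurate for what is displayed; something like `OpenSCAP compliance audit report for this node` describes the tab content. `title=Openscap report` should use the project's spelling, `OpenSCAP report`, and the three empty `#` lines at the top of the file carry no information and can be removed. The `dirname`/`filename` pair here matches the README's `/var/rudder/shared-files/root/files/<node-id>/openscap_report.html`, so this is the name the technique's `sharedfile_to_node` call must also use.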