Skip to content

Commit

Permalink
feat: allow use of OpenSCAP result files in task xccdf_result_to_osca…
Browse files Browse the repository at this point in the history 
…l_ar (#1411)

* feat: Allow use of OpenSCAP result files in task xccdf_result_to_oscal_ar

Before this commit if you wanted to use result files from OpenSCAP
in the task xccdf_result_to_oscal_ar you had to extract the
`TestResult` element and place it as the root of the XML
document, otherwise the resulting OSCAL document would be
blank. Thus making it impossible to directly use output from
OpenSCAP with the task.

With this commit the task will detect that the root element
is not `TestResult` and then it will find the `TestResult`
element in the XML document. This allows the use of files
created by OpenSCAP using the `--results` and `--results-arf`
switches.

Signed-off-by: Matthew Burket <mburket@redhat.com>

* Add tests for OpenSCAP results files for task xccdf_result_to_oscal_ar_test

Signed-off-by: Matthew Burket <mburket@redhat.com>

---------

Signed-off-by: Matthew Burket <mburket@redhat.com>
  • Loading branch information
@Mab879
Mab879 committed Dec 11, 2023
1 parent 72b0f6f commit eeb715c
Show file tree
Hide file tree
Showing 8 changed files with 478 additions and 1 deletion.
49 changes: 49 additions & 0 deletions tests/data/tasks/xccdf/input-oscap-arf-results/results_arf.xml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
xmlns:core="http://scap.nist.gov/schema/reporting-core/1.1"
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1">
<arf:reports>
<arf:report id="xccdf1">
<arf:content>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis" start-time="2021-06-08T02:35:55+00:00" end-time="2021-06-08T02:54:51+00:00" version="0.1.57" test-system="cpe:/a:redhat:openscap:1.3.3">
<benchmark href="/content/ssg-rhel7-ds.xml" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"/>
<title>OSCAP Scan Result</title>
<profile idref="xccdf_org.ssgproject.content_profile_cis"/>
<target>kube-c18ler8d06m877hrn7jg-roks8-default-00000319.iks.mycorp</target>
<target-facts>
<fact name="urn:xccdf:fact:identifier" type="string">chroot:///host</fact>
<fact name="urn:xccdf:fact:scanner:name" type="string">OpenSCAP</fact>
<fact name="urn:xccdf:fact:scanner:version" type="string">1.3.3</fact>
</target-facts>
<target-id-ref system="http://scap.nist.gov/schema/asset-identification/1.1" name="asset0" href=""/>
<platform idref="cpe:/a:pam"/>
<platform idref="cpe:/o:redhat:enterprise_linux:7::workstation"/>
<platform idref="cpe:/o:redhat:enterprise_linux:7::client"/>
<platform idref="cpe:/o:redhat:enterprise_linux:7::server"/>
<platform idref="cpe:/a:grub2"/>
<platform idref="cpe:/o:redhat:enterprise_linux:7::computenode"/>
<platform idref="cpe:/o:redhat:enterprise_linux:7"/>
<platform idref="cpe:/a:login_defs"/>
<platform idref="cpe:/a:non-uefi"/>
<platform idref="cpe:/a:machine"/>
<platform idref="cpe:/a:yum"/>

<rule-result idref="xccdf_org.ssgproject.content_rule_prefer_64bit_os" role="full" time="2021-06-08T02:35:55+00:00" severity="medium" weight="1.000000">
<result>notselected</result>
<ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83691-6</ident>
</rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_disable_prelink" role="full" time="2021-06-08T02:35:55+00:00" severity="medium" weight="1.000000">
<result>pass</result>
<ident system="https://nvd.nist.gov/cce/index.cfm">CCE-27078-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg-disable_prelink:def:1" href="#oval0"/>
</check>
</rule-result>

<score system="urn:xccdf:scoring:default" maximum="100.000000">74.713684</score>
</TestResult>

</arf:content>
</arf:report>
</arf:reports>
</arf:asset-report-collection>
39 changes: 39 additions & 0 deletions tests/data/tasks/xccdf/input-oscap-results/results.xml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_FEDORA" resolved="1" xml:lang="en-US" style="SCAP_1.2">
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis" start-time="2021-06-08T02:35:55+00:00" end-time="2021-06-08T02:54:51+00:00" version="0.1.57" test-system="cpe:/a:redhat:openscap:1.3.3">
<benchmark href="/content/ssg-rhel7-ds.xml" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"/>
<title>OSCAP Scan Result</title>
<profile idref="xccdf_org.ssgproject.content_profile_cis"/>
<target>kube-c18ler8d06m877hrn7jg-roks8-default-00000319.iks.mycorp</target>
<target-facts>
<fact name="urn:xccdf:fact:identifier" type="string">chroot:///host</fact>
<fact name="urn:xccdf:fact:scanner:name" type="string">OpenSCAP</fact>
<fact name="urn:xccdf:fact:scanner:version" type="string">1.3.3</fact>
</target-facts>
<target-id-ref system="http://scap.nist.gov/schema/asset-identification/1.1" name="asset0" href=""/>
<platform idref="cpe:/a:pam"/>
<platform idref="cpe:/o:redhat:enterprise_linux:7::workstation"/>
<platform idref="cpe:/o:redhat:enterprise_linux:7::client"/>
<platform idref="cpe:/o:redhat:enterprise_linux:7::server"/>
<platform idref="cpe:/a:grub2"/>
<platform idref="cpe:/o:redhat:enterprise_linux:7::computenode"/>
<platform idref="cpe:/o:redhat:enterprise_linux:7"/>
<platform idref="cpe:/a:login_defs"/>
<platform idref="cpe:/a:non-uefi"/>
<platform idref="cpe:/a:machine"/>
<platform idref="cpe:/a:yum"/>

<rule-result idref="xccdf_org.ssgproject.content_rule_prefer_64bit_os" role="full" time="2021-06-08T02:35:55+00:00" severity="medium" weight="1.000000">
<result>notselected</result>
<ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83691-6</ident>
</rule-result>
<rule-result idref="xccdf_org.ssgproject.content_rule_disable_prelink" role="full" time="2021-06-08T02:35:55+00:00" severity="medium" weight="1.000000">
<result>pass</result>
<ident system="https://nvd.nist.gov/cce/index.cfm">CCE-27078-5</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg-disable_prelink:def:1" href="#oval0"/>
</check>
</rule-result>
<score system="urn:xccdf:scoring:default" maximum="100.000000">74.713684</score>
</TestResult>
</Benchmark>
165 changes: 165 additions & 0 deletions tests/data/tasks/xccdf/output-oscap-arf-results/results_arf.oscal.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,165 @@
{
"results": [
{
"uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
"title": "XCCDF",
"description": "XCCDF Scan Results",
"start": "2021-06-08T02:35:55+00:00",
"end": "2021-06-08T02:35:55+00:00",
"local-definitions": {
"components": [
{
"uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
"type": "Service",
"title": "rhel7",
"description": "rhel7",
"status": {
"state": "operational"
}
}
],
"inventory-items": [
{
"uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
"description": "inventory",
"props": [
{
"name": "target",
"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
"value": "kube-c18ler8d06m877hrn7jg-roks8-default-00000319.iks.mycorp"
},
{
"name": "target_type",
"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
"value": "rhel7"
}
],
"implemented-components": [
{
"component-uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821"
}
]
}
],
"assessment-assets": {
"components": [
{
"uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
"type": "Validator",
"title": "OpenSCAP",
"description": "OpenSCAP",
"props": [
{
"name": "scanner_name",
"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
"value": "OpenSCAP"
},
{
"name": "scanner_version",
"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
"value": "1.3.3"
},
{
"name": "version",
"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP"
},
{
"name": "severity",
"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
"value": "medium"
},
{
"name": "weight",
"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
"value": "1.000000"
},
{
"name": "benchmark_id",
"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
"value": "xccdf_org.ssgproject.content_benchmark_RHEL-7"
},
{
"name": "benchmark_href",
"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
"value": "/content/ssg-rhel7-ds.xml"
},
{
"name": "id",
"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
"value": "xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis"
}
],
"status": {
"state": "operational"
}
}
],
"assessment-platforms": [
{
"uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821"
}
]
}
},
"reviewed-controls": {
"control-selections": [
{}
]
},
"observations": [
{
"uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
"description": "xccdf_org.ssgproject.content_rule_prefer_64bit_os",
"props": [
{
"name": "idref",
"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
"value": "xccdf_org.ssgproject.content_rule_prefer_64bit_os"
},
{
"name": "result",
"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
"value": "notselected"
}
],
"methods": [
"TEST-AUTOMATED"
],
"subjects": [
{
"subject-uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
"type": "inventory-item"
}
],
"collected": "2023-11-30T23:00:03+00:00"
},
{
"uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
"description": "xccdf_org.ssgproject.content_rule_disable_prelink",
"props": [
{
"name": "idref",
"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
"value": "xccdf_org.ssgproject.content_rule_disable_prelink"
},
{
"name": "result",
"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/ar/OpenSCAP",
"value": "pass"
}
],
"methods": [
"TEST-AUTOMATED"
],
"subjects": [
{
"subject-uuid": "56666738-0f9a-4e38-9aac-c0fad00a5821",
"type": "inventory-item"
}
],
"collected": "2023-11-30T23:00:03+00:00"
}
]
}
]
}

0 comments on commit eeb715c

Please sign in to comment.