|
|
914530 |
From 3f813a216322041210ebf952fc1d8efc553d488d Mon Sep 17 00:00:00 2001
|
|
|
914530 |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
|
|
914530 |
Date: Tue, 21 Aug 2018 12:22:41 +0200
|
|
|
914530 |
Subject: [PATCH 1/3] Refactored code to enable supply of ssh options via env
|
|
|
914530 |
var.
|
|
|
914530 |
|
|
|
914530 |
---
|
|
|
914530 |
utils/oscap-ssh | 125 +++++++++++++++++++++++++++++-----------------
|
|
|
914530 |
utils/oscap-ssh.8 | 8 ++-
|
|
|
914530 |
2 files changed, 86 insertions(+), 47 deletions(-)
|
|
|
914530 |
|
|
|
914530 |
diff --git a/utils/oscap-ssh b/utils/oscap-ssh
|
|
|
914530 |
index 63c95456e..d6404600c 100755
|
|
|
914530 |
--- a/utils/oscap-ssh
|
|
|
914530 |
+++ b/utils/oscap-ssh
|
|
|
914530 |
@@ -80,11 +80,37 @@ function usage()
|
|
|
914530 |
echo "specific option for oscap-ssh (must be first argument):"
|
|
|
914530 |
echo " --sudo"
|
|
|
914530 |
echo
|
|
|
914530 |
+ echo "To supply additional options to ssh/scp, define the SSH_ADDITIONAL_OPTIONS variable"
|
|
|
914530 |
+ echo "For instance, to ignore known hosts records, define SSH_ADDITIONAL_OPTIONS='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'"
|
|
|
914530 |
+ echo
|
|
|
914530 |
+ echo "specific option for oscap-ssh (must be first argument):"
|
|
|
914530 |
+ echo
|
|
|
914530 |
echo "See \`man oscap\` to learn more about semantics of these options."
|
|
|
914530 |
}
|
|
|
914530 |
|
|
|
914530 |
OSCAP_SUDO=""
|
|
|
914530 |
-SSH_ADDITIONAL_ARGS=""
|
|
|
914530 |
+# SSH_ADDITIONAL_OPTIONS may be defined in the calling shell
|
|
|
914530 |
+SSH_TTY_ALLOCATION_OPTION=""
|
|
|
914530 |
+
|
|
|
914530 |
+# $1: The SSH command.
|
|
|
914530 |
+# $2: More of additional options (optional, space-separated string)
|
|
|
914530 |
+function ssh_execute_with_options {
|
|
|
914530 |
+ ssh -o ControlPath="$MASTER_SOCKET" $SSH_ADDITIONAL_OPTIONS $2 -p "$SSH_PORT" "$SSH_HOST" "$1"
|
|
|
914530 |
+}
|
|
|
914530 |
+
|
|
|
914530 |
+# $1: Local filename to copy
|
|
|
914530 |
+# $2: Remote destination
|
|
|
914530 |
+function scp_copy_to_temp_dir {
|
|
|
914530 |
+ scp -o ControlPath="$MASTER_SOCKET" -P "$SSH_PORT" $SSH_ADDITIONAL_OPTIONS "$1" "$SSH_HOST:$REMOTE_TEMP_DIR/$2"
|
|
|
914530 |
+}
|
|
|
914530 |
+
|
|
|
914530 |
+# $1: Remote filename to get
|
|
|
914530 |
+# $2: Local destination
|
|
|
914530 |
+function scp_retreive_from_temp_dir {
|
|
|
914530 |
+ scp -o ControlPath="$MASTER_SOCKET" -P "$SSH_PORT" $SSH_ADDITIONAL_OPTIONS "$SSH_HOST:$REMOTE_TEMP_DIR/$1" "$2"
|
|
|
914530 |
+}
|
|
|
914530 |
+
|
|
|
914530 |
+function sanity_check_arguments {
|
|
|
914530 |
if [ $# -lt 1 ]; then
|
|
|
914530 |
echo "No arguments provided."
|
|
|
914530 |
usage
|
|
|
914530 |
@@ -95,7 +121,7 @@ elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
|
|
|
914530 |
elif [ "$1" == "sudo" ] || [ "$1" == "--sudo" ]; then
|
|
|
914530 |
OSCAP_SUDO="sudo"
|
|
|
914530 |
# force pseudo-tty allocation so that users can type their password if necessary
|
|
|
914530 |
- SSH_ADDITIONAL_ARGS="-t"
|
|
|
914530 |
+ SSH_TTY_ALLOCATION_OPTION="-t"
|
|
|
914530 |
shift
|
|
|
914530 |
fi
|
|
|
914530 |
if [ $# -lt 2 ]; then
|
|
|
914530 |
@@ -103,38 +129,45 @@ if [ $# -lt 2 ]; then
|
|
|
914530 |
usage
|
|
|
914530 |
die
|
|
|
914530 |
fi
|
|
|
914530 |
+}
|
|
|
914530 |
|
|
|
914530 |
-SSH_HOST="$1"
|
|
|
914530 |
-SSH_PORT="$2"
|
|
|
914530 |
-
|
|
|
914530 |
-if [ "$3" == "--v" ] || [ "$3" == "--version" ]; then
|
|
|
914530 |
+function check_oscap_arguments {
|
|
|
914530 |
+if [ "$1" == "--v" ] || [ "$1" == "--version" ]; then
|
|
|
914530 |
true
|
|
|
914530 |
-elif [ "$3" == "-h" ] || [ "$3" == "--help" ]; then
|
|
|
914530 |
+elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
|
|
|
914530 |
true
|
|
|
914530 |
-elif [ "$3" == "info" ]; then
|
|
|
914530 |
+elif [ "$1" == "info" ]; then
|
|
|
914530 |
true
|
|
|
914530 |
-elif [ "$3 $4" == "xccdf eval" ]; then
|
|
|
914530 |
+elif [ "$1 $2" == "xccdf eval" ]; then
|
|
|
914530 |
true
|
|
|
914530 |
-elif [ "$3 $4" == "oval eval" ]; then
|
|
|
914530 |
+elif [ "$1 $2" == "oval eval" ]; then
|
|
|
914530 |
true
|
|
|
914530 |
-elif [ "$3 $4" == "oval collect" ]; then
|
|
|
914530 |
+elif [ "$1 $2" == "oval collect" ]; then
|
|
|
914530 |
true
|
|
|
914530 |
else
|
|
|
914530 |
die "This script only supports '-h', '--help', '--v', '--version', 'info', 'xccdf eval', 'oval eval' and 'oval collect'."
|
|
|
914530 |
fi
|
|
|
914530 |
+}
|
|
|
914530 |
+
|
|
|
914530 |
+sanity_check_arguments "$@"
|
|
|
914530 |
+
|
|
|
914530 |
+SSH_HOST="$1"
|
|
|
914530 |
+SSH_PORT="$2"
|
|
|
914530 |
|
|
|
914530 |
shift 2
|
|
|
914530 |
|
|
|
914530 |
+check_oscap_arguments "$@"
|
|
|
914530 |
+
|
|
|
914530 |
MASTER_SOCKET_DIR=$(mktemp -d)
|
|
|
914530 |
MASTER_SOCKET="$MASTER_SOCKET_DIR/ssh_socket"
|
|
|
914530 |
|
|
|
914530 |
echo "Connecting to '$SSH_HOST' on port '$SSH_PORT'..."
|
|
|
914530 |
-ssh -M -f -N -o ServerAliveInterval=60 -o ControlPath="$MASTER_SOCKET" -p "$SSH_PORT" "$SSH_HOST" || die "Failed to connect!"
|
|
|
914530 |
+ssh -M -f -N -o ServerAliveInterval=60 -o ControlPath="$MASTER_SOCKET" -p "$SSH_PORT" $SSH_ADDITIONAL_OPTIONS "$SSH_HOST" || die "Failed to connect!"
|
|
|
914530 |
echo "Connected!"
|
|
|
914530 |
|
|
|
914530 |
-REMOTE_TEMP_DIR=$(ssh -o ControlPath="$MASTER_SOCKET" -p "$SSH_PORT" "$SSH_HOST" mktemp -d) || die "Failed to create remote temporary directory!"
|
|
|
914530 |
+REMOTE_TEMP_DIR=$(ssh_execute_with_options "mktemp -d") || die "Failed to create remote temporary directory!"
|
|
|
914530 |
|
|
|
914530 |
-args=("$@")
|
|
|
914530 |
+oscap_args=("$@")
|
|
|
914530 |
|
|
|
914530 |
LOCAL_CONTENT_PATH=""
|
|
|
914530 |
LOCAL_TAILORING_PATH=""
|
|
|
914530 |
@@ -151,38 +184,38 @@ OVAL_RESULTS=""
|
|
|
914530 |
for i in $(seq 0 `expr $# - 1`); do
|
|
|
914530 |
let j=i+1
|
|
|
914530 |
|
|
|
914530 |
- case "${args[i]}" in
|
|
|
914530 |
+ case "${oscap_args[i]}" in
|
|
|
914530 |
("--tailoring-file")
|
|
|
914530 |
- LOCAL_TAILORING_PATH=${args[j]}
|
|
|
914530 |
- args[j]="$REMOTE_TEMP_DIR/tailoring.xml"
|
|
|
914530 |
+ LOCAL_TAILORING_PATH=${oscap_args[j]}
|
|
|
914530 |
+ oscap_args[j]="$REMOTE_TEMP_DIR/tailoring.xml"
|
|
|
914530 |
;;
|
|
|
914530 |
("--cpe")
|
|
|
914530 |
- LOCAL_CPE_PATH=${args[j]}
|
|
|
914530 |
- args[j]="$REMOTE_TEMP_DIR/cpe.xml"
|
|
|
914530 |
+ LOCAL_CPE_PATH=${oscap_args[j]}
|
|
|
914530 |
+ oscap_args[j]="$REMOTE_TEMP_DIR/cpe.xml"
|
|
|
914530 |
;;
|
|
|
914530 |
("--variables")
|
|
|
914530 |
- LOCAL_VARIABLES_PATH=${args[j]}
|
|
|
914530 |
- args[j]="$REMOTE_TEMP_DIR/variables.xml"
|
|
|
914530 |
+ LOCAL_VARIABLES_PATH=${oscap_args[j]}
|
|
|
914530 |
+ oscap_args[j]="$REMOTE_TEMP_DIR/variables.xml"
|
|
|
914530 |
;;
|
|
|
914530 |
("--directives")
|
|
|
914530 |
- LOCAL_DIRECTIVES_PATH=${args[j]}
|
|
|
914530 |
- args[j]="$REMOTE_TEMP_DIR/directives.xml"
|
|
|
914530 |
+ LOCAL_DIRECTIVES_PATH=${oscap_args[j]}
|
|
|
914530 |
+ oscap_args[j]="$REMOTE_TEMP_DIR/directives.xml"
|
|
|
914530 |
;;
|
|
|
914530 |
("--results")
|
|
|
914530 |
- TARGET_RESULTS=${args[j]}
|
|
|
914530 |
- args[j]="$REMOTE_TEMP_DIR/results.xml"
|
|
|
914530 |
+ TARGET_RESULTS=${oscap_args[j]}
|
|
|
914530 |
+ oscap_args[j]="$REMOTE_TEMP_DIR/results.xml"
|
|
|
914530 |
;;
|
|
|
914530 |
("--results-arf")
|
|
|
914530 |
- TARGET_RESULTS_ARF=${args[j]}
|
|
|
914530 |
- args[j]="$REMOTE_TEMP_DIR/results-arf.xml"
|
|
|
914530 |
+ TARGET_RESULTS_ARF=${oscap_args[j]}
|
|
|
914530 |
+ oscap_args[j]="$REMOTE_TEMP_DIR/results-arf.xml"
|
|
|
914530 |
;;
|
|
|
914530 |
("--report")
|
|
|
914530 |
- TARGET_REPORT=${args[j]}
|
|
|
914530 |
- args[j]="$REMOTE_TEMP_DIR/report.html"
|
|
|
914530 |
+ TARGET_REPORT=${oscap_args[j]}
|
|
|
914530 |
+ oscap_args[j]="$REMOTE_TEMP_DIR/report.html"
|
|
|
914530 |
;;
|
|
|
914530 |
("--syschar")
|
|
|
914530 |
- TARGET_SYSCHAR=${args[j]}
|
|
|
914530 |
- args[j]="$REMOTE_TEMP_DIR/syschar.xml"
|
|
|
914530 |
+ TARGET_SYSCHAR=${oscap_args[j]}
|
|
|
914530 |
+ oscap_args[j]="$REMOTE_TEMP_DIR/syschar.xml"
|
|
|
914530 |
;;
|
|
|
914530 |
("--oval-results")
|
|
|
914530 |
OVAL_RESULTS="yes"
|
|
|
914530 |
@@ -194,8 +227,8 @@ done
|
|
|
914530 |
|
|
|
914530 |
if [ "$1" != "--v" ] && [ "$1" != "--version" ] && [ "$1" != "-h" ] && [ "$1" != "--help" ]; then
|
|
|
914530 |
# Last argument should be the content path
|
|
|
914530 |
- LOCAL_CONTENT_PATH="${args[`expr $# - 1`]}"
|
|
|
914530 |
- args[`expr $# - 1`]="$REMOTE_TEMP_DIR/input.xml"
|
|
|
914530 |
+ LOCAL_CONTENT_PATH="${oscap_args[`expr $# - 1`]}"
|
|
|
914530 |
+ oscap_args[`expr $# - 1`]="$REMOTE_TEMP_DIR/input.xml"
|
|
|
914530 |
fi
|
|
|
914530 |
|
|
|
914530 |
[ "$LOCAL_CONTENT_PATH" == "" ] || [ -f "$LOCAL_CONTENT_PATH" ] || die "Expected the last argument to be an input file, '$LOCAL_CONTENT_PATH' isn't a valid file path or the file doesn't exist!"
|
|
|
914530 |
@@ -206,54 +239,54 @@ fi
|
|
|
914530 |
|
|
|
914530 |
if [ "$LOCAL_CONTENT_PATH" != "" ]; then
|
|
|
914530 |
echo "Copying input file '$LOCAL_CONTENT_PATH' to remote working directory '$REMOTE_TEMP_DIR'..."
|
|
|
914530 |
- scp -o ControlPath="$MASTER_SOCKET" -P "$SSH_PORT" "$LOCAL_CONTENT_PATH" "$SSH_HOST:$REMOTE_TEMP_DIR/input.xml" || die "Failed to copy input file to remote temporary directory!"
|
|
|
914530 |
+ scp_copy_to_temp_dir "$LOCAL_CONTENT_PATH" input.xml || die "Failed to copy input file to remote temporary directory!"
|
|
|
914530 |
fi
|
|
|
914530 |
if [ "$LOCAL_TAILORING_PATH" != "" ]; then
|
|
|
914530 |
echo "Copying tailoring file '$LOCAL_TAILORING_PATH' to remote working directory '$REMOTE_TEMP_DIR'..."
|
|
|
914530 |
- scp -o ControlPath="$MASTER_SOCKET" -P "$SSH_PORT" "$LOCAL_TAILORING_PATH" "$SSH_HOST:$REMOTE_TEMP_DIR/tailoring.xml" || die "Failed to copy tailoring file to remote temporary directory!"
|
|
|
914530 |
+ scp_copy_to_temp_dir "$LOCAL_TAILORING_PATH" tailoring.xml || die "Failed to copy tailoring file to remote temporary directory!"
|
|
|
914530 |
fi
|
|
|
914530 |
if [ "$LOCAL_CPE_PATH" != "" ]; then
|
|
|
914530 |
echo "Copying CPE file '$LOCAL_CPE_PATH' to remote working directory '$REMOTE_TEMP_DIR'..."
|
|
|
914530 |
- scp -o ControlPath="$MASTER_SOCKET" -P "$SSH_PORT" "$LOCAL_CPE_PATH" "$SSH_HOST:$REMOTE_TEMP_DIR/cpe.xml" || die "Failed to copy CPE file to remote temporary directory!"
|
|
|
914530 |
+ scp_copy_to_temp_dir "$LOCAL_CPE_PATH" cpe.xml || die "Failed to copy CPE file to remote temporary directory!"
|
|
|
914530 |
fi
|
|
|
914530 |
if [ "$LOCAL_VARIABLES_PATH" != "" ]; then
|
|
|
914530 |
echo "Copying OVAL variables file '$LOCAL_VARIABLES_PATH' to remote working directory '$REMOTE_TEMP_DIR'..."
|
|
|
914530 |
- scp -o ControlPath="$MASTER_SOCKET" -P "$SSH_PORT" "$LOCAL_VARIABLES_PATH" "$SSH_HOST:$REMOTE_TEMP_DIR/variables.xml" || die "Failed to copy OVAL variables file to remote temporary directory!"
|
|
|
914530 |
+ scp_copy_to_temp_dir "$LOCAL_VARIABLES_PATH" variables.xml || die "Failed to copy OVAL variables file to remote temporary directory!"
|
|
|
914530 |
fi
|
|
|
914530 |
if [ "$LOCAL_DIRECTIVES_PATH" != "" ]; then
|
|
|
914530 |
echo "Copying OVAL directives file '$LOCAL_DIRECTIVES_PATH' to remote working directory '$REMOTE_TEMP_DIR'..."
|
|
|
914530 |
- scp -o ControlPath="$MASTER_SOCKET" -P "$SSH_PORT" "$LOCAL_DIRECTIVES_PATH" "$SSH_HOST:$REMOTE_TEMP_DIR/directives.xml" || die "Failed to copy OVAL directives file to remote temporary directory!"
|
|
|
914530 |
+ scp_copy_to_temp_dir "$LOCAL_DIRECTIVES_PATH" directives.xml || die "Failed to copy OVAL directives file to remote temporary directory!"
|
|
|
914530 |
fi
|
|
|
914530 |
|
|
|
914530 |
echo "Starting the evaluation..."
|
|
|
914530 |
# changing directory because of --oval-results support. oval results files are
|
|
|
914530 |
# dumped into PWD, and we can't be sure by the file names - we need controlled
|
|
|
914530 |
# environment
|
|
|
914530 |
-ssh -o ControlPath="$MASTER_SOCKET" $SSH_ADDITIONAL_ARGS -p "$SSH_PORT" "$SSH_HOST" "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO oscap ${args[*]}"
|
|
|
914530 |
+ssh_execute_with_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO oscap ${oscap_args[*]}" "$SSH_TTY_ALLOCATION_OPTION"
|
|
|
914530 |
OSCAP_EXIT_CODE=$?
|
|
|
914530 |
echo "oscap exit code: $OSCAP_EXIT_CODE"
|
|
|
914530 |
|
|
|
914530 |
echo "Copying back requested files..."
|
|
|
914530 |
if [ "$TARGET_RESULTS" != "" ]; then
|
|
|
914530 |
- scp -o ControlPath="$MASTER_SOCKET" -P "$SSH_PORT" "$SSH_HOST:$REMOTE_TEMP_DIR/results.xml" "$TARGET_RESULTS" || die "Failed to copy the results file back to local machine!"
|
|
|
914530 |
+ scp_retreive_from_temp_dir results.xml "$TARGET_RESULTS" || die "Failed to copy the results file back to local machine!"
|
|
|
914530 |
fi
|
|
|
914530 |
if [ "$TARGET_RESULTS_ARF" != "" ]; then
|
|
|
914530 |
- scp -o ControlPath="$MASTER_SOCKET" -P "$SSH_PORT" "$SSH_HOST:$REMOTE_TEMP_DIR/results-arf.xml" "$TARGET_RESULTS_ARF" || die "Failed to copy the ARF file back to local machine!"
|
|
|
914530 |
+ scp_retreive_from_temp_dir results-arf.xml "$TARGET_RESULTS_ARF" || die "Failed to copy the ARF file back to local machine!"
|
|
|
914530 |
fi
|
|
|
914530 |
if [ "$TARGET_REPORT" != "" ]; then
|
|
|
914530 |
- scp -o ControlPath="$MASTER_SOCKET" -P "$SSH_PORT" "$SSH_HOST:$REMOTE_TEMP_DIR/report.html" "$TARGET_REPORT" || die "Failed to copy the HTML report back to local machine!"
|
|
|
914530 |
+ scp_retreive_from_temp_dir report.html "$TARGET_REPORT" || die "Failed to copy the HTML report back to local machine!"
|
|
|
914530 |
fi
|
|
|
914530 |
if [ "$TARGET_SYSCHAR" != "" ]; then
|
|
|
914530 |
- scp -o ControlPath="$MASTER_SOCKET" -P "$SSH_PORT" "$SSH_HOST:$REMOTE_TEMP_DIR/syschar.xml" "$TARGET_SYSCHAR" || die "Failed to copy the OVAL syschar file back to local machine!"
|
|
|
914530 |
+ scp_retreive_from_temp_dir syschar.xml "$TARGET_SYSCHAR" || die "Failed to copy the OVAL syschar file back to local machine!"
|
|
|
914530 |
fi
|
|
|
914530 |
if [ "$OVAL_RESULTS" == "yes" ]; then
|
|
|
914530 |
- scp -o ControlPath="$MASTER_SOCKET" -P "$SSH_PORT" "$SSH_HOST:$REMOTE_TEMP_DIR/*.result.xml" "./" || die "Failed to copy OVAL result files back to local machine!"
|
|
|
914530 |
+ scp_retreive_from_temp_dir '*.result.xml' "./" || die "Failed to copy OVAL result files back to local machine!"
|
|
|
914530 |
fi
|
|
|
914530 |
|
|
|
914530 |
echo "Removing remote temporary directory..."
|
|
|
914530 |
-ssh -o ControlPath="$MASTER_SOCKET" -p "$SSH_PORT" "$SSH_HOST" "rm -r $REMOTE_TEMP_DIR" || die "Failed to remove remote temporary directory!"
|
|
|
914530 |
+ssh_execute_with_options "rm -r $REMOTE_TEMP_DIR" || die "Failed to remove remote temporary directory!"
|
|
|
914530 |
echo "Disconnecting ssh and removing master ssh socket directory..."
|
|
|
914530 |
-ssh -o ControlPath="$MASTER_SOCKET" -p "$SSH_PORT" "$SSH_HOST" -O exit || die "Failed to disconnect!"
|
|
|
914530 |
+ssh -o ControlPath="$MASTER_SOCKET" $SSH_ADDITIONAL_OPTIONS -p "$SSH_PORT" "$SSH_HOST" -O exit || die "Failed to disconnect!"
|
|
|
914530 |
rm -r "$MASTER_SOCKET_DIR" || die "Failed to remove local master SSH socket directory!"
|
|
|
914530 |
|
|
|
914530 |
exit $OSCAP_EXIT_CODE
|
|
|
914530 |
diff --git a/utils/oscap-ssh.8 b/utils/oscap-ssh.8
|
|
|
914530 |
index 874bf31bf..38d96e76f 100644
|
|
|
914530 |
--- a/utils/oscap-ssh.8
|
|
|
914530 |
+++ b/utils/oscap-ssh.8
|
|
|
914530 |
@@ -60,10 +60,16 @@ Supported options are:
|
|
|
914530 |
Specific option for oscap-ssh (must be first argument):
|
|
|
914530 |
--sudo
|
|
|
914530 |
|
|
|
914530 |
-.SH EXEMPLARY USAGE
|
|
|
914530 |
+.SS Environment variables
|
|
|
914530 |
+oscap-ssh checks out the SSH_ADDITIONAL_OPTIONS environment variable, and pastes its contents into the command-line of ssh to the location where options are expected.
|
|
|
914530 |
+Supply the variable in form of a string that corresponds to a section of the ssh command-line and that consists of options you want to pass.
|
|
|
914530 |
+
|
|
|
914530 |
+.SH EXAMPLE USAGE
|
|
|
914530 |
.SS Simple XCCDF evaluation
|
|
|
914530 |
The following command evaluates a remote Fedora machine as root. HTML report is written out as report.html on the local machine. Can be executed from any machine that has ssh, scp and bash. The local machine does not need to have openscap installed.
|
|
|
914530 |
+It also uses the SSH_ADDITIONAL_OPTIONS variable to configure ssh in such way that contents of the known_hosts file are ignored.
|
|
|
914530 |
|
|
|
914530 |
+$ export SSH_ADDITIONAL_OPTIONS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
|
|
|
914530 |
$ oscap-ssh root@192.168.1.13 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
|
|
|
914530 |
|
|
|
914530 |
.SS XCCDF Evaluation with tailoring file
|
|
|
914530 |
|
|
|
914530 |
From be470f5c51279efafa384ec8f28ca1e0a5c447ed Mon Sep 17 00:00:00 2001
|
|
|
914530 |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
|
|
914530 |
Date: Tue, 21 Aug 2018 12:24:24 +0200
|
|
|
914530 |
Subject: [PATCH 2/3] Fixed indentation inside functions.
|
|
|
914530 |
|
|
|
914530 |
---
|
|
|
914530 |
utils/oscap-ssh | 66 ++++++++++++++++++++++++-------------------------
|
|
|
914530 |
1 file changed, 33 insertions(+), 33 deletions(-)
|
|
|
914530 |
|
|
|
914530 |
diff --git a/utils/oscap-ssh b/utils/oscap-ssh
|
|
|
914530 |
index d6404600c..08bc698d2 100755
|
|
|
914530 |
--- a/utils/oscap-ssh
|
|
|
914530 |
+++ b/utils/oscap-ssh
|
|
|
914530 |
@@ -111,42 +111,42 @@ function scp_retreive_from_temp_dir {
|
|
|
914530 |
}
|
|
|
914530 |
|
|
|
914530 |
function sanity_check_arguments {
|
|
|
914530 |
-if [ $# -lt 1 ]; then
|
|
|
914530 |
- echo "No arguments provided."
|
|
|
914530 |
- usage
|
|
|
914530 |
- die
|
|
|
914530 |
-elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
|
|
|
914530 |
- usage
|
|
|
914530 |
- die
|
|
|
914530 |
-elif [ "$1" == "sudo" ] || [ "$1" == "--sudo" ]; then
|
|
|
914530 |
- OSCAP_SUDO="sudo"
|
|
|
914530 |
- # force pseudo-tty allocation so that users can type their password if necessary
|
|
|
914530 |
- SSH_TTY_ALLOCATION_OPTION="-t"
|
|
|
914530 |
- shift
|
|
|
914530 |
-fi
|
|
|
914530 |
-if [ $# -lt 2 ]; then
|
|
|
914530 |
- echo "Missing ssh host and ssh port."
|
|
|
914530 |
- usage
|
|
|
914530 |
- die
|
|
|
914530 |
-fi
|
|
|
914530 |
+ if [ $# -lt 1 ]; then
|
|
|
914530 |
+ echo "No arguments provided."
|
|
|
914530 |
+ usage
|
|
|
914530 |
+ die
|
|
|
914530 |
+ elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
|
|
|
914530 |
+ usage
|
|
|
914530 |
+ die
|
|
|
914530 |
+ elif [ "$1" == "sudo" ] || [ "$1" == "--sudo" ]; then
|
|
|
914530 |
+ OSCAP_SUDO="sudo"
|
|
|
914530 |
+ # force pseudo-tty allocation so that users can type their password if necessary
|
|
|
914530 |
+ SSH_TTY_ALLOCATION_OPTION="-t"
|
|
|
914530 |
+ shift
|
|
|
914530 |
+ fi
|
|
|
914530 |
+ if [ $# -lt 2 ]; then
|
|
|
914530 |
+ echo "Missing ssh host and ssh port."
|
|
|
914530 |
+ usage
|
|
|
914530 |
+ die
|
|
|
914530 |
+ fi
|
|
|
914530 |
}
|
|
|
914530 |
|
|
|
914530 |
function check_oscap_arguments {
|
|
|
914530 |
-if [ "$1" == "--v" ] || [ "$1" == "--version" ]; then
|
|
|
914530 |
- true
|
|
|
914530 |
-elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
|
|
|
914530 |
- true
|
|
|
914530 |
-elif [ "$1" == "info" ]; then
|
|
|
914530 |
- true
|
|
|
914530 |
-elif [ "$1 $2" == "xccdf eval" ]; then
|
|
|
914530 |
- true
|
|
|
914530 |
-elif [ "$1 $2" == "oval eval" ]; then
|
|
|
914530 |
- true
|
|
|
914530 |
-elif [ "$1 $2" == "oval collect" ]; then
|
|
|
914530 |
- true
|
|
|
914530 |
-else
|
|
|
914530 |
- die "This script only supports '-h', '--help', '--v', '--version', 'info', 'xccdf eval', 'oval eval' and 'oval collect'."
|
|
|
914530 |
-fi
|
|
|
914530 |
+ if [ "$1" == "--v" ] || [ "$1" == "--version" ]; then
|
|
|
914530 |
+ true
|
|
|
914530 |
+ elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
|
|
|
914530 |
+ true
|
|
|
914530 |
+ elif [ "$1" == "info" ]; then
|
|
|
914530 |
+ true
|
|
|
914530 |
+ elif [ "$1 $2" == "xccdf eval" ]; then
|
|
|
914530 |
+ true
|
|
|
914530 |
+ elif [ "$1 $2" == "oval eval" ]; then
|
|
|
914530 |
+ true
|
|
|
914530 |
+ elif [ "$1 $2" == "oval collect" ]; then
|
|
|
914530 |
+ true
|
|
|
914530 |
+ else
|
|
|
914530 |
+ die "This script only supports '-h', '--help', '--v', '--version', 'info', 'xccdf eval', 'oval eval' and 'oval collect'."
|
|
|
914530 |
+ fi
|
|
|
914530 |
}
|
|
|
914530 |
|
|
|
914530 |
sanity_check_arguments "$@"
|
|
|
914530 |
|
|
|
914530 |
From 78215f62d30fe3c9851d792a4f6e239f045342c1 Mon Sep 17 00:00:00 2001
|
|
|
914530 |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
|
|
914530 |
Date: Mon, 27 Aug 2018 15:34:18 +0200
|
|
|
914530 |
Subject: [PATCH 3/3] Improved the code style.
|
|
|
914530 |
|
|
|
914530 |
* Rewritten more of ssh calls into functions.
|
|
|
914530 |
* Improved the option check message.
|
|
|
914530 |
---
|
|
|
914530 |
utils/oscap-ssh | 21 +++++++++++++--------
|
|
|
914530 |
1 file changed, 13 insertions(+), 8 deletions(-)
|
|
|
914530 |
|
|
|
914530 |
diff --git a/utils/oscap-ssh b/utils/oscap-ssh
|
|
|
914530 |
index 08bc698d2..ee6eb9c81 100755
|
|
|
914530 |
--- a/utils/oscap-ssh
|
|
|
914530 |
+++ b/utils/oscap-ssh
|
|
|
914530 |
@@ -92,9 +92,14 @@ OSCAP_SUDO=""
|
|
|
914530 |
# SSH_ADDITIONAL_OPTIONS may be defined in the calling shell
|
|
|
914530 |
SSH_TTY_ALLOCATION_OPTION=""
|
|
|
914530 |
|
|
|
914530 |
-# $1: The SSH command.
|
|
|
914530 |
-# $2: More of additional options (optional, space-separated string)
|
|
|
914530 |
+# $1, $2, ... SSH options (pass them as separate arguments)
|
|
|
914530 |
function ssh_execute_with_options {
|
|
|
914530 |
+ ssh -o ControlPath="$MASTER_SOCKET" $SSH_ADDITIONAL_OPTIONS "$@" -p "$SSH_PORT" "$SSH_HOST"
|
|
|
914530 |
+}
|
|
|
914530 |
+
|
|
|
914530 |
+# $1: The SSH command.
|
|
|
914530 |
+# $2: More of additional options (optional, pass one space-separated string)
|
|
|
914530 |
+function ssh_execute_with_command_and_options {
|
|
|
914530 |
ssh -o ControlPath="$MASTER_SOCKET" $SSH_ADDITIONAL_OPTIONS $2 -p "$SSH_PORT" "$SSH_HOST" "$1"
|
|
|
914530 |
}
|
|
|
914530 |
|
|
|
914530 |
@@ -145,7 +150,7 @@ function check_oscap_arguments {
|
|
|
914530 |
elif [ "$1 $2" == "oval collect" ]; then
|
|
|
914530 |
true
|
|
|
914530 |
else
|
|
|
914530 |
- die "This script only supports '-h', '--help', '--v', '--version', 'info', 'xccdf eval', 'oval eval' and 'oval collect'."
|
|
|
914530 |
+ die "This script only supports 'sudo' as first argument, '-h', '--help', '--v', '--version', 'info', 'xccdf eval', 'oval eval' and 'oval collect'."
|
|
|
914530 |
fi
|
|
|
914530 |
}
|
|
|
914530 |
|
|
|
914530 |
@@ -162,10 +167,10 @@ MASTER_SOCKET_DIR=$(mktemp -d)
|
|
|
914530 |
MASTER_SOCKET="$MASTER_SOCKET_DIR/ssh_socket"
|
|
|
914530 |
|
|
|
914530 |
echo "Connecting to '$SSH_HOST' on port '$SSH_PORT'..."
|
|
|
914530 |
-ssh -M -f -N -o ServerAliveInterval=60 -o ControlPath="$MASTER_SOCKET" -p "$SSH_PORT" $SSH_ADDITIONAL_OPTIONS "$SSH_HOST" || die "Failed to connect!"
|
|
|
914530 |
+ssh_execute_with_options -M -f -N -o ServerAliveInterval=60 || die "Failed to connect!"
|
|
|
914530 |
echo "Connected!"
|
|
|
914530 |
|
|
|
914530 |
-REMOTE_TEMP_DIR=$(ssh_execute_with_options "mktemp -d") || die "Failed to create remote temporary directory!"
|
|
|
914530 |
+REMOTE_TEMP_DIR=$(ssh_execute_with_command_and_options "mktemp -d") || die "Failed to create remote temporary directory!"
|
|
|
914530 |
|
|
|
914530 |
oscap_args=("$@")
|
|
|
914530 |
|
|
|
914530 |
@@ -262,7 +267,7 @@ echo "Starting the evaluation..."
|
|
|
914530 |
# changing directory because of --oval-results support. oval results files are
|
|
|
914530 |
# dumped into PWD, and we can't be sure by the file names - we need controlled
|
|
|
914530 |
# environment
|
|
|
914530 |
-ssh_execute_with_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO oscap ${oscap_args[*]}" "$SSH_TTY_ALLOCATION_OPTION"
|
|
|
914530 |
+ssh_execute_with_command_and_options "cd $REMOTE_TEMP_DIR; $OSCAP_SUDO oscap ${oscap_args[*]}" "$SSH_TTY_ALLOCATION_OPTION"
|
|
|
914530 |
OSCAP_EXIT_CODE=$?
|
|
|
914530 |
echo "oscap exit code: $OSCAP_EXIT_CODE"
|
|
|
914530 |
|
|
|
914530 |
@@ -284,9 +289,9 @@ if [ "$OVAL_RESULTS" == "yes" ]; then
|
|
|
914530 |
fi
|
|
|
914530 |
|
|
|
914530 |
echo "Removing remote temporary directory..."
|
|
|
914530 |
-ssh_execute_with_options "rm -r $REMOTE_TEMP_DIR" || die "Failed to remove remote temporary directory!"
|
|
|
914530 |
+ssh_execute_with_command_and_options "rm -r $REMOTE_TEMP_DIR" || die "Failed to remove remote temporary directory!"
|
|
|
914530 |
echo "Disconnecting ssh and removing master ssh socket directory..."
|
|
|
914530 |
-ssh -o ControlPath="$MASTER_SOCKET" $SSH_ADDITIONAL_OPTIONS -p "$SSH_PORT" "$SSH_HOST" -O exit || die "Failed to disconnect!"
|
|
|
914530 |
+ssh_execute_with_options -O exit || die "Failed to disconnect!"
|
|
|
914530 |
rm -r "$MASTER_SOCKET_DIR" || die "Failed to remove local master SSH socket directory!"
|
|
|
914530 |
|
|
|
914530 |
exit $OSCAP_EXIT_CODE
|