|
|
76240a |
From 7901659fa169db8ac5ffd7c610a798c785a3556b Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
76240a |
Date: Fri, 9 Jul 2021 14:41:03 +0200
|
|
|
76240a |
Subject: [PATCH 01/12] ensure that higher policy levels can override variables
|
|
|
76240a |
of lower levels
|
|
|
76240a |
|
|
|
76240a |
---
|
|
|
76240a |
ssg/controls.py | 13 ++++++++++---
|
|
|
76240a |
1 file changed, 10 insertions(+), 3 deletions(-)
|
|
|
76240a |
|
|
|
76240a |
diff --git a/ssg/controls.py b/ssg/controls.py
|
|
|
76240a |
index 297d80e46c5..165cdf0511a 100644
|
|
|
76240a |
--- a/ssg/controls.py
|
|
|
76240a |
+++ b/ssg/controls.py
|
|
|
76240a |
@@ -202,9 +202,16 @@ def get_all_controls_of_level(self, policy_id, level_id):
|
|
|
76240a |
|
|
|
76240a |
all_policy_controls = self.get_all_controls(policy_id)
|
|
|
76240a |
eligible_controls = []
|
|
|
76240a |
- for c in all_policy_controls:
|
|
|
76240a |
- if len(level_ids.intersection(c.levels)) > 0:
|
|
|
76240a |
- eligible_controls.append(c)
|
|
|
76240a |
+ defined_variables = []
|
|
|
76240a |
+ # we will go level by level, from top to bottom
|
|
|
76240a |
+ # this is done to enable overriding of variables by higher levels
|
|
|
76240a |
+ for lv in level_ids:
|
|
|
76240a |
+ for c in all_policy_controls:
|
|
|
76240a |
+ if lv in c.levels:
|
|
|
76240a |
+ # if the control has a variable, check if it is not already defined
|
|
|
76240a |
+ if c.variables.keys().isdisjoint(defined_variables):
|
|
|
76240a |
+ eligible_controls.append(c)
|
|
|
76240a |
+ defined_variables += [*c.variables.keys()]
|
|
|
76240a |
return eligible_controls
|
|
|
76240a |
|
|
|
76240a |
def get_all_controls(self, policy_id):
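Review bot: A lower-level control whose variable is already in `defined_variables` is dropped wholesale at the new `isdisjoint` check, so every rule that control carries disappears from the returned list along with the overridden variable, which the original `intersection` test never did. Only the variable should be suppressed, not the control, e.g. by appending a copy with that key removed rather than skipping `c`. The iteration `for lv in level_ids` also runs over a plain `set` (built with `set([...])` just above the hunk), so the "top to bottom" order the comment relies on is not guaranteed. `[*c.variables.keys()]` and `dict.keys().isdisjoint` are Python 3 only, whereas the surrounding code keeps Python 2 compatibility; `list(c.variables.keys())` and `set(c.variables).isdisjoint(...)` work on both.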
|
|
|
76240a |
|
|
|
76240a |
From 66e612a9668009cc553fcf1abbf2c9477155c0c2 Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
76240a |
Date: Thu, 5 Aug 2021 14:02:25 +0200
|
|
|
76240a |
Subject: [PATCH 02/12] use ordered sets emulated by ordereddict
|
|
|
76240a |
|
|
|
76240a |
because of compatibility with python2
|
|
|
76240a |
---
|
|
|
76240a |
ssg/controls.py | 21 ++++++++++++++-------
|
|
|
76240a |
1 file changed, 14 insertions(+), 7 deletions(-)
|
|
|
76240a |
|
|
|
76240a |
diff --git a/ssg/controls.py b/ssg/controls.py
|
|
|
76240a |
index 165cdf0511a..611a647e125 100644
|
|
|
76240a |
--- a/ssg/controls.py
|
|
|
76240a |
+++ b/ssg/controls.py
|
|
|
76240a |
@@ -2,6 +2,7 @@
|
|
|
76240a |
import logging
|
|
|
76240a |
import os
|
|
|
76240a |
from glob import glob
|
|
|
76240a |
+from collections import OrderedDict
|
|
|
76240a |
|
|
|
76240a |
import ssg.build_yaml
|
|
|
76240a |
import ssg.yaml
|
|
|
76240a |
@@ -152,16 +153,18 @@ def get_level(self, level_id):
|
|
|
76240a |
raise ValueError(msg)
|
|
|
76240a |
|
|
|
76240a |
def get_level_with_ancestors(self, level_id):
|
|
|
76240a |
- levels = set()
|
|
|
76240a |
+ # use OrderedDict for Python2 compatibility instead of ordered set
|
|
|
76240a |
+ levels = OrderedDict()
|
|
|
76240a |
level = self.get_level(level_id)
|
|
|
76240a |
- levels.add(level)
|
|
|
76240a |
+ levels[level] = ""
|
|
|
76240a |
if level.inherits_from:
|
|
|
76240a |
for lv in level.inherits_from:
|
|
|
76240a |
- levels.update(self.get_level_with_ancestors(lv))
|
|
|
76240a |
+ eligible_levels = [l for l in self.get_level_with_ancestors(lv).keys() if l not in levels.keys()]
|
|
|
76240a |
+ for l in eligible_levels:
|
|
|
76240a |
+ levels[l] = ""
|
|
|
76240a |
return levels
|
|
|
76240a |
|
|
|
76240a |
|
|
|
76240a |
-
|
|
|
76240a |
class ControlsManager():
|
|
|
76240a |
def __init__(self, controls_dir, env_yaml=None):
|
|
|
76240a |
self.controls_dir = os.path.abspath(controls_dir)
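Review bot: `get_level_with_ancestors` recurses through `inherits_from` with no guard, so a policy whose levels inherit from each other in a loop (A inherits B, B inherits A) recurses until `RecursionError`; the `if l not in levels.keys()` filter only deduplicates diamonds, it cannot stop a cycle because every frame starts a fresh dict. Unless the YAML loader already rejects such policies (not visible here), a path argument that raises a clear `ValueError` is cheap and keeps a bad controls file from taking down the build with a stack trace. The single-letter `l` also reads as `1` in most fonts; `ancestor` is clearer.
```python
    def get_level_with_ancestors(self, level_id, _path=()):
        if level_id in _path:
            msg = "Level inheritance cycle: {0}".format(
                " -> ".join(_path + (level_id,)))
            raise ValueError(msg)
        levels = OrderedDict()
        level = self.get_level(level_id)
        levels[level] = ""
        if level.inherits_from:
            for lv in level.inherits_from:
                ancestors = self.get_level_with_ancestors(lv, _path + (level_id,))
                # … unchanged: merge ancestors not already present in levels …
        return levels
```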
|
|
|
76240a |
@@ -198,20 +201,24 @@ def _get_policy(self, policy_id):
|
|
|
76240a |
def get_all_controls_of_level(self, policy_id, level_id):
|
|
|
76240a |
policy = self._get_policy(policy_id)
|
|
|
76240a |
levels = policy.get_level_with_ancestors(level_id)
|
|
|
76240a |
- level_ids = set([lv.id for lv in levels])
|
|
|
76240a |
+ # we use OrderedDict here with empty values instead of ordered set
|
|
|
76240a |
+ # cause we want to be compatible with python 2
|
|
|
76240a |
+ level_ids = OrderedDict()
|
|
|
76240a |
+ for lv in levels.keys():
|
|
|
76240a |
+ level_ids[lv.id] = ""
|
|
|
76240a |
|
|
|
76240a |
all_policy_controls = self.get_all_controls(policy_id)
|
|
|
76240a |
eligible_controls = []
|
|
|
76240a |
defined_variables = []
|
|
|
76240a |
# we will go level by level, from top to bottom
|
|
|
76240a |
# this is done to enable overriding of variables by higher levels
|
|
|
76240a |
- for lv in level_ids:
|
|
|
76240a |
+ for lv in level_ids.keys():
|
|
|
76240a |
for c in all_policy_controls:
|
|
|
76240a |
if lv in c.levels:
|
|
|
76240a |
# if the control has a variable, check if it is not already defined
|
|
|
76240a |
if c.variables.keys().isdisjoint(defined_variables):
|
|
|
76240a |
eligible_controls.append(c)
|
|
|
76240a |
- defined_variables += [*c.variables.keys()]
|
|
|
76240a |
+ defined_variables += list(c.variables.keys())
|
|
|
76240a |
return eligible_controls
|
|
|
76240a |
|
|
|
76240a |
def get_all_controls(self, policy_id):
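Review bot: The commit's goal is Python 2 compatibility, but `c.variables.keys().isdisjoint(defined_variables)` is still Python 3 only: on Python 2 `dict.keys()` returns a list, which has no `isdisjoint`, so this line raises `AttributeError` for every control that reaches it. `if set(c.variables.keys()).isdisjoint(defined_variables):` works on both interpreters. While here, `defined_variables` is a list probed with `in` per variable; making it a `set` keeps the lookup O(1) as the number of controls grows.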
|
|
|
76240a |
|
|
|
76240a |
From 95a23a31293a0a63361ddf1831866cd5ae1ab61e Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
76240a |
Date: Thu, 5 Aug 2021 16:30:10 +0200
|
|
|
76240a |
Subject: [PATCH 03/12] rework handling of variables when returning all
|
|
|
76240a |
controls of a level
|
|
|
76240a |
|
|
|
76240a |
currently only the top most level variables are kept in the controls
|
|
|
76240a |
if there is a control with lower level which has the same variable defined, it is deep copied and the variable definition is removed only from the resulting control
|
|
|
76240a |
the original control stays intact
|
|
|
76240a |
---
|
|
|
76240a |
ssg/controls.py | 27 +++++++++++++++++++++------
|
|
|
76240a |
1 file changed, 21 insertions(+), 6 deletions(-)
|
|
|
76240a |
|
|
|
76240a |
diff --git a/ssg/controls.py b/ssg/controls.py
|
|
|
76240a |
index 611a647e125..4ebb8bda3d7 100644
|
|
|
76240a |
--- a/ssg/controls.py
|
|
|
76240a |
+++ b/ssg/controls.py
|
|
|
76240a |
@@ -1,8 +1,8 @@
|
|
|
76240a |
import collections
|
|
|
76240a |
import logging
|
|
|
76240a |
import os
|
|
|
76240a |
+import copy
|
|
|
76240a |
from glob import glob
|
|
|
76240a |
-from collections import OrderedDict
|
|
|
76240a |
|
|
|
76240a |
import ssg.build_yaml
|
|
|
76240a |
import ssg.yaml
|
|
|
76240a |
@@ -154,7 +154,7 @@ def get_level(self, level_id):
|
|
|
76240a |
|
|
|
76240a |
def get_level_with_ancestors(self, level_id):
|
|
|
76240a |
# use OrderedDict for Python2 compatibility instead of ordered set
|
|
|
76240a |
- levels = OrderedDict()
|
|
|
76240a |
+ levels = collections.OrderedDict()
|
|
|
76240a |
level = self.get_level(level_id)
|
|
|
76240a |
levels[level] = ""
|
|
|
76240a |
if level.inherits_from:
|
|
|
76240a |
@@ -201,24 +201,39 @@ def _get_policy(self, policy_id):
|
|
|
76240a |
def get_all_controls_of_level(self, policy_id, level_id):
|
|
|
76240a |
policy = self._get_policy(policy_id)
|
|
|
76240a |
levels = policy.get_level_with_ancestors(level_id)
|
|
|
76240a |
+ print ("getting levels of " + level_id)
|
|
|
76240a |
+ print ([ l.id for l in levels.keys()])
|
|
|
76240a |
# we use OrderedDict here with empty values instead of ordered set
|
|
|
76240a |
# cause we want to be compatible with python 2
|
|
|
76240a |
- level_ids = OrderedDict()
|
|
|
76240a |
+ level_ids = collections.OrderedDict()
|
|
|
76240a |
for lv in levels.keys():
|
|
|
76240a |
level_ids[lv.id] = ""
|
|
|
76240a |
-
|
|
|
76240a |
+ print (level_ids.keys())
|
|
|
76240a |
all_policy_controls = self.get_all_controls(policy_id)
|
|
|
76240a |
eligible_controls = []
|
|
|
76240a |
defined_variables = []
|
|
|
76240a |
# we will go level by level, from top to bottom
|
|
|
76240a |
# this is done to enable overriding of variables by higher levels
|
|
|
76240a |
for lv in level_ids.keys():
|
|
|
76240a |
+ print ("going through level " +lv)
|
|
|
76240a |
for c in all_policy_controls:
|
|
|
76240a |
+ print (c.levels)
|
|
|
76240a |
if lv in c.levels:
|
|
|
76240a |
# if the control has a variable, check if it is not already defined
|
|
|
76240a |
- if c.variables.keys().isdisjoint(defined_variables):
|
|
|
76240a |
+ variables = list(c.variables.keys())
|
|
|
76240a |
+ if len(variables) == 0:
|
|
|
76240a |
eligible_controls.append(c)
|
|
|
76240a |
- defined_variables += list(c.variables.keys())
|
|
|
76240a |
+ for var in variables:
|
|
|
76240a |
+ if var in defined_variables:
|
|
|
76240a |
+ # if it is, create new instance of the control and remove the variable
|
|
|
76240a |
+ # we are going from the top level to the bottom
|
|
|
76240a |
+ # so we don't want to overwrite variables
|
|
|
76240a |
+ new_c = copy.deepcopy(c)
|
|
|
76240a |
+ del new_c.variables[var]
|
|
|
76240a |
+ eligible_controls.append(new_c)
|
|
|
76240a |
+ else:
|
|
|
76240a |
+ defined_variables.append(var)
|
|
|
76240a |
+ eligible_controls.append(c)
|
|
|
76240a |
return eligible_controls
|
|
|
76240a |
|
|
|
76240a |
def get_all_controls(self, policy_id):
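Review bot: The five `print (...)` calls added to `get_all_controls_of_level` write to the build's stdout for every level and every control of every profile, which will flood the build log and cannot be switched off; this module already has `import logging`, so they should be `logging.debug` calls, e.g. `logging.debug("levels of %s: %s", level_id, [l.id for l in levels.keys()])`. The `for var in variables` loop also appends something in both branches, so a control with two variables that are both already defined is appended twice as two different deep copies, each missing a different variable; the per-variable append needs to collapse into one copy per control.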
|
|
|
76240a |
|
|
|
76240a |
From a2dd7e9386c757a523b57646bdc5a9ffa99f68c5 Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
76240a |
Date: Thu, 5 Aug 2021 16:31:25 +0200
|
|
|
76240a |
Subject: [PATCH 04/12] add tests for defining of variables
|
|
|
76240a |
|
|
|
76240a |
---
|
|
|
76240a |
tests/unit/ssg-module/data/controls_dir/abcd-levels.yml | 6 ++++++
|
|
|
76240a |
tests/unit/ssg-module/test_controls.py | 5 +++++
|
|
|
76240a |
2 files changed, 11 insertions(+)
|
|
|
76240a |
|
|
|
76240a |
diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
|
|
76240a |
index aded77c12a6..b98a7cd4e19 100644
|
|
|
76240a |
--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
|
|
76240a |
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
|
|
76240a |
@@ -19,10 +19,14 @@ controls:
|
|
|
76240a |
- id: S2
|
|
|
76240a |
levels:
|
|
|
76240a |
- low
|
|
|
76240a |
+ rules:
|
|
|
76240a |
+ - var_password_pam_minlen=1
|
|
|
76240a |
|
|
|
76240a |
- id: S3
|
|
|
76240a |
levels:
|
|
|
76240a |
- medium
|
|
|
76240a |
+ rules:
|
|
|
76240a |
+ - var_password_pam_minlen=2
|
|
|
76240a |
|
|
|
76240a |
- id: S4
|
|
|
76240a |
title: Configure authentication
|
|
|
76240a |
@@ -36,3 +40,5 @@ controls:
|
|
|
76240a |
title: Enforce password quality standards
|
|
|
76240a |
levels:
|
|
|
76240a |
- high
|
|
|
76240a |
+ rules:
|
|
|
76240a |
+ - var_password_pam_minlen=3
|
|
|
76240a |
diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
|
|
|
76240a |
index ff9b04f26c9..06fcb0c375d 100644
|
|
|
76240a |
--- a/tests/unit/ssg-module/test_controls.py
|
|
|
76240a |
+++ b/tests/unit/ssg-module/test_controls.py
|
|
|
76240a |
@@ -87,6 +87,11 @@ def test_controls_levels():
|
|
|
76240a |
assert len(low_controls) == 4
|
|
|
76240a |
assert len(medium_controls) == 5
|
|
|
76240a |
|
|
|
76240a |
+ # test overriding of variables in levels
|
|
|
76240a |
+ assert c_2.variables["var_password_pam_minlen"] == "1"
|
|
|
76240a |
+ assert c_3.variables["var_password_pam_minlen"] == "2"
|
|
|
76240a |
+ assert c_4b.variables["var_password_pam_minlen"] == "3"
|
|
|
76240a |
+
|
|
|
76240a |
|
|
|
76240a |
def test_controls_load_product():
|
|
|
76240a |
ssg_root = \
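Review bot: The three new asserts read `c_2`, `c_3` and `c_4b`, which are bound earlier in `test_controls_levels` outside this hunk, and they check the raw variable values parsed from the YAML on the original control objects. Because the override logic deep-copies a control before stripping a variable and leaves the original untouched, these asserts pass whether or not overriding works at all. The assertion should go through `get_all_controls_of_level`, e.g. `assert [c for c in high_controls if c.id == "S2"][0].variables.get("var_password_pam_minlen") is None` alongside the `S4.b` check on `high_controls`.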
|
|
|
76240a |
|
|
|
76240a |
From 82b90a9720dadab7d6060f0ccbcd902b1c097904 Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
76240a |
Date: Fri, 6 Aug 2021 09:30:47 +0200
|
|
|
76240a |
Subject: [PATCH 05/12] make overriding of variables optional
|
|
|
76240a |
|
|
|
76240a |
---
|
|
|
76240a |
ssg/controls.py | 38 +++++++++++++++++++-------------------
|
|
|
76240a |
1 file changed, 19 insertions(+), 19 deletions(-)
|
|
|
76240a |
|
|
|
76240a |
diff --git a/ssg/controls.py b/ssg/controls.py
|
|
|
76240a |
index 4ebb8bda3d7..90639fbe4c7 100644
|
|
|
76240a |
--- a/ssg/controls.py
|
|
|
76240a |
+++ b/ssg/controls.py
|
|
|
76240a |
@@ -198,42 +198,42 @@ def _get_policy(self, policy_id):
|
|
|
76240a |
raise ValueError(msg)
|
|
|
76240a |
return policy
|
|
|
76240a |
|
|
|
76240a |
- def get_all_controls_of_level(self, policy_id, level_id):
|
|
|
76240a |
+ def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
|
|
|
76240a |
+ # if override_vars is enabled, then variables from higher levels will
|
|
|
76240a |
+ # override variables efined in controls of lower levels
|
|
|
76240a |
policy = self._get_policy(policy_id)
|
|
|
76240a |
levels = policy.get_level_with_ancestors(level_id)
|
|
|
76240a |
- print ("getting levels of " + level_id)
|
|
|
76240a |
- print ([ l.id for l in levels.keys()])
|
|
|
76240a |
# we use OrderedDict here with empty values instead of ordered set
|
|
|
76240a |
# cause we want to be compatible with python 2
|
|
|
76240a |
level_ids = collections.OrderedDict()
|
|
|
76240a |
for lv in levels.keys():
|
|
|
76240a |
level_ids[lv.id] = ""
|
|
|
76240a |
- print (level_ids.keys())
|
|
|
76240a |
all_policy_controls = self.get_all_controls(policy_id)
|
|
|
76240a |
eligible_controls = []
|
|
|
76240a |
defined_variables = []
|
|
|
76240a |
# we will go level by level, from top to bottom
|
|
|
76240a |
# this is done to enable overriding of variables by higher levels
|
|
|
76240a |
for lv in level_ids.keys():
|
|
|
76240a |
- print ("going through level " +lv)
|
|
|
76240a |
for c in all_policy_controls:
|
|
|
76240a |
- print (c.levels)
|
|
|
76240a |
if lv in c.levels:
|
|
|
76240a |
- # if the control has a variable, check if it is not already defined
|
|
|
76240a |
- variables = list(c.variables.keys())
|
|
|
76240a |
- if len(variables) == 0:
|
|
|
76240a |
+ if override_vars == False:
|
|
|
76240a |
eligible_controls.append(c)
|
|
|
76240a |
- for var in variables:
|
|
|
76240a |
- if var in defined_variables:
|
|
|
76240a |
- # if it is, create new instance of the control and remove the variable
|
|
|
76240a |
- # we are going from the top level to the bottom
|
|
|
76240a |
- # so we don't want to overwrite variables
|
|
|
76240a |
- new_c = copy.deepcopy(c)
|
|
|
76240a |
- del new_c.variables[var]
|
|
|
76240a |
- eligible_controls.append(new_c)
|
|
|
76240a |
- else:
|
|
|
76240a |
- defined_variables.append(var)
|
|
|
76240a |
+ else:
|
|
|
76240a |
+ # if the control has a variable, check if it is not already defined
|
|
|
76240a |
+ variables = list(c.variables.keys())
|
|
|
76240a |
+ if len(variables) == 0:
|
|
|
76240a |
eligible_controls.append(c)
|
|
|
76240a |
+ for var in variables:
|
|
|
76240a |
+ if var in defined_variables:
|
|
|
76240a |
+ # if it is, create new instance of the control and remove the variable
|
|
|
76240a |
+ # we are going from the top level to the bottom
|
|
|
76240a |
+ # so we don't want to overwrite variables
|
|
|
76240a |
+ new_c = copy.deepcopy(c)
|
|
|
76240a |
+ del new_c.variables[var]
|
|
|
76240a |
+ eligible_controls.append(new_c)
|
|
|
76240a |
+ else:
|
|
|
76240a |
+ defined_variables.append(var)
|
|
|
76240a |
+ eligible_controls.append(c)
|
|
|
76240a |
return eligible_controls
|
|
|
76240a |
|
|
|
76240a |
def get_all_controls(self, policy_id):
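Review bot: `if override_vars == False:` compares against a boolean literal; the idiomatic and PEP 8 form is `if not override_vars:`, which also behaves the same for any falsy value a caller might pass. The explanatory comment under the new signature describes the method's contract, so it belongs in a docstring: """Return the controls of `level_id` and its ancestor levels; with `override_vars` set, a variable defined by a higher level is removed from copies of lower-level controls.""" The function body continues past the end of this hunk.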
|
|
|
76240a |
|
|
|
76240a |
From 47df80d086e96deb4eab88d5f813bffb380006a8 Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
76240a |
Date: Wed, 11 Aug 2021 12:38:42 +0200
|
|
|
76240a |
Subject: [PATCH 06/12] fix a typo
|
|
|
76240a |
|
|
|
76240a |
---
|
|
|
76240a |
ssg/controls.py | 2 +-
|
|
|
76240a |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
76240a |
|
|
|
76240a |
diff --git a/ssg/controls.py b/ssg/controls.py
|
|
|
76240a |
index 90639fbe4c7..10a304bf8c2 100644
|
|
|
76240a |
--- a/ssg/controls.py
|
|
|
76240a |
+++ b/ssg/controls.py
|
|
|
76240a |
@@ -200,7 +200,7 @@ def _get_policy(self, policy_id):
|
|
|
76240a |
|
|
|
76240a |
def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
|
|
|
76240a |
# if override_vars is enabled, then variables from higher levels will
|
|
|
76240a |
- # override variables efined in controls of lower levels
|
|
|
76240a |
+ # override variables defined in controls of lower levels
|
|
|
76240a |
policy = self._get_policy(policy_id)
|
|
|
76240a |
levels = policy.get_level_with_ancestors(level_id)
|
|
|
76240a |
# we use OrderedDict here with empty values instead of ordered set
|
|
|
76240a |
|
|
|
76240a |
From 8e59037ed07aad33a55e8297ee5bce0f51c0dee6 Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
76240a |
Date: Wed, 11 Aug 2021 17:02:11 +0200
|
|
|
76240a |
Subject: [PATCH 07/12] update tests to check that overriding of variables
|
|
|
76240a |
works
|
|
|
76240a |
|
|
|
76240a |
---
|
|
|
76240a |
.../ssg-module/data/controls_dir/abcd-levels.yml | 4 +---
|
|
|
76240a |
tests/unit/ssg-module/test_controls.py | 16 ++++++++++++++--
|
|
|
76240a |
2 files changed, 15 insertions(+), 5 deletions(-)
|
|
|
76240a |
|
|
|
76240a |
diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
|
|
76240a |
index b98a7cd4e19..99efafd832e 100644
|
|
|
76240a |
--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
|
|
76240a |
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
|
|
76240a |
@@ -25,8 +25,6 @@ controls:
|
|
|
76240a |
- id: S3
|
|
|
76240a |
levels:
|
|
|
76240a |
- medium
|
|
|
76240a |
- rules:
|
|
|
76240a |
- - var_password_pam_minlen=2
|
|
|
76240a |
|
|
|
76240a |
- id: S4
|
|
|
76240a |
title: Configure authentication
|
|
|
76240a |
@@ -41,4 +39,4 @@ controls:
|
|
|
76240a |
levels:
|
|
|
76240a |
- high
|
|
|
76240a |
rules:
|
|
|
76240a |
- - var_password_pam_minlen=3
|
|
|
76240a |
+ - var_password_pam_minlen=2
|
|
|
76240a |
diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
|
|
|
76240a |
index 06fcb0c375d..124b344d141 100644
|
|
|
76240a |
--- a/tests/unit/ssg-module/test_controls.py
|
|
|
76240a |
+++ b/tests/unit/ssg-module/test_controls.py
|
|
|
76240a |
@@ -89,8 +89,20 @@ def test_controls_levels():
|
|
|
76240a |
|
|
|
76240a |
# test overriding of variables in levels
|
|
|
76240a |
assert c_2.variables["var_password_pam_minlen"] == "1"
|
|
|
76240a |
- assert c_3.variables["var_password_pam_minlen"] == "2"
|
|
|
76240a |
- assert c_4b.variables["var_password_pam_minlen"] == "3"
|
|
|
76240a |
+ assert "var_password_pam_minlen" not in c_3.variables.keys()
|
|
|
76240a |
+ assert c_4b.variables["var_password_pam_minlen"] == "2"
|
|
|
76240a |
+
|
|
|
76240a |
+ for c in low_controls:
|
|
|
76240a |
+ if "var_password_pam_minlen" in c.variables.keys():
|
|
|
76240a |
+ assert c.variables["var_password_pam_minlen"] == "1"
|
|
|
76240a |
+
|
|
|
76240a |
+ for c in medium_controls:
|
|
|
76240a |
+ if "var_password_pam_minlen" in c.variables.keys():
|
|
|
76240a |
+ assert c.variables["var_password_pam_minlen"] == "1"
|
|
|
76240a |
+
|
|
|
76240a |
+ for c in high_controls:
|
|
|
76240a |
+ if "var_password_pam_minlen" in c.variables.keys():
|
|
|
76240a |
+ assert c.variables["var_password_pam_minlen"] == "2"
|
|
|
76240a |
|
|
|
76240a |
|
|
|
76240a |
def test_controls_load_product():
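Review bot: The three `for c in ... if "var_password_pam_minlen" in c.variables.keys()` loops are vacuous: if the override code stripped the variable from every control, or the fixture stopped defining it, no assert would run and the test would still pass. Each loop needs a companion that pins that the variable is present somewhere, e.g. `assert any("var_password_pam_minlen" in c.variables for c in high_controls)`. `c.variables.keys()` in a membership test can also be just `c.variables`.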
|
|
|
76240a |
|
|
|
76240a |
From dae4fc52a627eac6595bb73e3ffb1a0c50e78fdd Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
76240a |
Date: Wed, 11 Aug 2021 17:02:32 +0200
|
|
|
76240a |
Subject: [PATCH 08/12] make overriding of variables hardcoded when requesting
|
|
|
76240a |
controls of a certain level
|
|
|
76240a |
|
|
|
76240a |
---
|
|
|
76240a |
ssg/controls.py | 34 +++++++++++++++-------------------
|
|
|
76240a |
1 file changed, 15 insertions(+), 19 deletions(-)
|
|
|
76240a |
|
|
|
76240a |
diff --git a/ssg/controls.py b/ssg/controls.py
|
|
|
76240a |
index 10a304bf8c2..7923f0cb379 100644
|
|
|
76240a |
--- a/ssg/controls.py
|
|
|
76240a |
+++ b/ssg/controls.py
|
|
|
76240a |
@@ -198,9 +198,7 @@ def _get_policy(self, policy_id):
|
|
|
76240a |
raise ValueError(msg)
|
|
|
76240a |
return policy
|
|
|
76240a |
|
|
|
76240a |
- def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
|
|
|
76240a |
- # if override_vars is enabled, then variables from higher levels will
|
|
|
76240a |
- # override variables defined in controls of lower levels
|
|
|
76240a |
+ def get_all_controls_of_level(self, policy_id, level_id):
|
|
|
76240a |
policy = self._get_policy(policy_id)
|
|
|
76240a |
levels = policy.get_level_with_ancestors(level_id)
|
|
|
76240a |
# we use OrderedDict here with empty values instead of ordered set
|
|
|
76240a |
@@ -216,24 +214,22 @@ def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
|
|
|
76240a |
for lv in level_ids.keys():
|
|
|
76240a |
for c in all_policy_controls:
|
|
|
76240a |
if lv in c.levels:
|
|
|
76240a |
- if override_vars == False:
|
|
|
76240a |
+ # if the control has a variable, check if it is not already defined
|
|
|
76240a |
+ variables = list(c.variables.keys())
|
|
|
76240a |
+ if len(variables) == 0:
|
|
|
76240a |
eligible_controls.append(c)
|
|
|
76240a |
- else:
|
|
|
76240a |
- # if the control has a variable, check if it is not already defined
|
|
|
76240a |
- variables = list(c.variables.keys())
|
|
|
76240a |
- if len(variables) == 0:
|
|
|
76240a |
+ continue
|
|
|
76240a |
+ for var in variables:
|
|
|
76240a |
+ if var in defined_variables:
|
|
|
76240a |
+ # if it is, create new instance of the control and remove the variable
|
|
|
76240a |
+ # we are going from the top level to the bottom
|
|
|
76240a |
+ # so we don't want to overwrite variables
|
|
|
76240a |
+ new_c = copy.deepcopy(c)
|
|
|
76240a |
+ del new_c.variables[var]
|
|
|
76240a |
+ eligible_controls.append(new_c)
|
|
|
76240a |
+ else:
|
|
|
76240a |
+ defined_variables.append(var)
|
|
|
76240a |
eligible_controls.append(c)
|
|
|
76240a |
- for var in variables:
|
|
|
76240a |
- if var in defined_variables:
|
|
|
76240a |
- # if it is, create new instance of the control and remove the variable
|
|
|
76240a |
- # we are going from the top level to the bottom
|
|
|
76240a |
- # so we don't want to overwrite variables
|
|
|
76240a |
- new_c = copy.deepcopy(c)
|
|
|
76240a |
- del new_c.variables[var]
|
|
|
76240a |
- eligible_controls.append(new_c)
|
|
|
76240a |
- else:
|
|
|
76240a |
- defined_variables.append(var)
|
|
|
76240a |
- eligible_controls.append(c)
|
|
|
76240a |
return eligible_controls
|
|
|
76240a |
|
|
|
76240a |
def get_all_controls(self, policy_id):
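Review bot: Overriding is now unconditional and silent, yet `get_all_controls_of_level` still has no docstring; the behaviour that a control's variable can vanish from the returned copy is surprising to a caller and should be documented at the signature (which is in the previous hunk). Suggested docstring: """Return the controls belonging to `level_id` or any level it inherits from. When several controls set the same variable, the definition from the most derived level wins; lower-level controls are returned as deep copies with the overridden variable removed, and the originals in the policy are left unchanged.""" The `for var in variables` loop still appends a fresh copy per already-defined variable, so a control with two overridden variables is returned twice.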
|
|
|
76240a |
|
|
|
76240a |
From c051e11c70b7e23ce3d4a8e0670da4fae72833c6 Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
76240a |
Date: Thu, 12 Aug 2021 15:30:39 +0200
|
|
|
76240a |
Subject: [PATCH 09/12] get rid of one ordereddict
|
|
|
76240a |
|
|
|
76240a |
---
|
|
|
76240a |
ssg/controls.py | 9 ++-------
|
|
|
76240a |
1 file changed, 2 insertions(+), 7 deletions(-)
|
|
|
76240a |
|
|
|
76240a |
diff --git a/ssg/controls.py b/ssg/controls.py
|
|
|
76240a |
index 7923f0cb379..891b13c891c 100644
|
|
|
76240a |
--- a/ssg/controls.py
|
|
|
76240a |
+++ b/ssg/controls.py
|
|
|
76240a |
@@ -201,19 +201,14 @@ def _get_policy(self, policy_id):
|
|
|
76240a |
def get_all_controls_of_level(self, policy_id, level_id):
|
|
|
76240a |
policy = self._get_policy(policy_id)
|
|
|
76240a |
levels = policy.get_level_with_ancestors(level_id)
|
|
|
76240a |
- # we use OrderedDict here with empty values instead of ordered set
|
|
|
76240a |
- # cause we want to be compatible with python 2
|
|
|
76240a |
- level_ids = collections.OrderedDict()
|
|
|
76240a |
- for lv in levels.keys():
|
|
|
76240a |
- level_ids[lv.id] = ""
|
|
|
76240a |
all_policy_controls = self.get_all_controls(policy_id)
|
|
|
76240a |
eligible_controls = []
|
|
|
76240a |
defined_variables = []
|
|
|
76240a |
# we will go level by level, from top to bottom
|
|
|
76240a |
# this is done to enable overriding of variables by higher levels
|
|
|
76240a |
- for lv in level_ids.keys():
|
|
|
76240a |
+ for lv in levels.keys():
|
|
|
76240a |
for c in all_policy_controls:
|
|
|
76240a |
- if lv in c.levels:
|
|
|
76240a |
+ if lv.id in c.levels:
|
|
|
76240a |
# if the control has a variable, check if it is not already defined
|
|
|
76240a |
variables = list(c.variables.keys())
|
|
|
76240a |
if len(variables) == 0:
|
|
|
76240a |
|
|
|
76240a |
From 4dd5cb1326932cf020785a8c2472998eb2e7775e Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
76240a |
Date: Thu, 12 Aug 2021 16:44:57 +0200
|
|
|
76240a |
Subject: [PATCH 10/12] fix overriding of variables
|
|
|
76240a |
|
|
|
76240a |
when there were multiple variables overridden, it caused problems by creating multiple copies of controls
|
|
|
76240a |
---
|
|
|
76240a |
ssg/controls.py | 16 +++++++++-------
|
|
|
76240a |
1 file changed, 9 insertions(+), 7 deletions(-)
|
|
|
76240a |
|
|
|
76240a |
diff --git a/ssg/controls.py b/ssg/controls.py
|
|
|
76240a |
index 891b13c891c..8b69676313c 100644
|
|
|
76240a |
--- a/ssg/controls.py
|
|
|
76240a |
+++ b/ssg/controls.py
|
|
|
76240a |
@@ -214,17 +214,19 @@ def get_all_controls_of_level(self, policy_id, level_id):
|
|
|
76240a |
if len(variables) == 0:
|
|
|
76240a |
eligible_controls.append(c)
|
|
|
76240a |
continue
|
|
|
76240a |
+ variables_to_remove = [] # contains list of variables which are already defined and should be removed from the control
|
|
|
76240a |
for var in variables:
|
|
|
76240a |
if var in defined_variables:
|
|
|
76240a |
- # if it is, create new instance of the control and remove the variable
|
|
|
76240a |
- # we are going from the top level to the bottom
|
|
|
76240a |
- # so we don't want to overwrite variables
|
|
|
76240a |
- new_c = copy.deepcopy(c)
|
|
|
76240a |
- del new_c.variables[var]
|
|
|
76240a |
- eligible_controls.append(new_c)
|
|
|
76240a |
+ variables_to_remove.append(var)
|
|
|
76240a |
else:
|
|
|
76240a |
defined_variables.append(var)
|
|
|
76240a |
- eligible_controls.append(c)
|
|
|
76240a |
+ if len(variables_to_remove) == 0:
|
|
|
76240a |
+ eligible_controls.append(c)
|
|
|
76240a |
+ else:
|
|
|
76240a |
+ new_c = copy.deepcopy(c)
|
|
|
76240a |
+ for var in variables_to_remove:
|
|
|
76240a |
+ del new_c.variables[var]
|
|
|
76240a |
+ eligible_controls.append(new_c)
|
|
|
76240a |
return eligible_controls
|
|
|
76240a |
|
|
|
76240a |
def get_all_controls(self, policy_id):
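Review bot: When two controls of the same level set the same variable, the second one silently loses it in the `if var in defined_variables` branch, and which control is "first" depends on the iteration order of `all_policy_controls`, which comes from a dict's `.values()` and is not ordered on Python 2; so a conflicting hardening value can be dropped nondeterministically with no trace in the build log. Recording the level that defined each variable lets the code at least warn when the conflict is within one level, where no precedence rule applies. `defined_variables` is initialised outside this hunk and would need to become a dict; the enclosing function starts above the hunk as well.
```python
                    for var in variables:
                        if var in defined_variables:
                            if defined_variables[var] == lv.id:
                                logging.warning(
                                    "Variable %s is set by more than one control of level %s; "
                                    "keeping the first definition", var, lv.id)
                            variables_to_remove.append(var)
                        else:
                            defined_variables[var] = lv.id
                    # … unchanged: copy the control without variables_to_remove …
```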
|
|
|
76240a |
|
|
|
76240a |
From fbebba524cab090bc4c2f92b75257a7cc881ef5e Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
76240a |
Date: Thu, 12 Aug 2021 16:45:38 +0200
|
|
|
76240a |
Subject: [PATCH 11/12] extended tests to test for multiple overridden
|
|
|
76240a |
variables
|
|
|
76240a |
|
|
|
76240a |
---
|
|
|
76240a |
.../data/controls_dir/abcd-levels.yml | 2 ++
|
|
|
76240a |
tests/unit/ssg-module/test_controls.py | 19 +++++++++++++++++++
|
|
|
76240a |
2 files changed, 21 insertions(+)
|
|
|
76240a |
|
|
|
76240a |
diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
|
|
76240a |
index 99efafd832e..2e60ec43532 100644
|
|
|
76240a |
--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
|
|
76240a |
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
|
|
|
76240a |
@@ -21,6 +21,7 @@ controls:
|
|
|
76240a |
- low
|
|
|
76240a |
rules:
|
|
|
76240a |
- var_password_pam_minlen=1
|
|
|
76240a |
+ - var_some_variable=1
|
|
|
76240a |
|
|
|
76240a |
- id: S3
|
|
|
76240a |
levels:
|
|
|
76240a |
@@ -40,3 +41,4 @@ controls:
|
|
|
76240a |
- high
|
|
|
76240a |
rules:
|
|
|
76240a |
- var_password_pam_minlen=2
|
|
|
76240a |
+ - var_some_variable=3
|
|
|
76240a |
diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
|
|
|
76240a |
index 124b344d141..1465661b04a 100644
|
|
|
76240a |
--- a/tests/unit/ssg-module/test_controls.py
|
|
|
76240a |
+++ b/tests/unit/ssg-module/test_controls.py
|
|
|
76240a |
@@ -104,6 +104,25 @@ def test_controls_levels():
|
|
|
76240a |
if "var_password_pam_minlen" in c.variables.keys():
|
|
|
76240a |
assert c.variables["var_password_pam_minlen"] == "2"
|
|
|
76240a |
|
|
|
76240a |
+ # now test if controls of lower level has the variable definition correctly removed
|
|
|
76240a |
+ # because it is overriden by higher level controls
|
|
|
76240a |
+ s2_high = [c for c in high_controls if c.id == "S2"]
|
|
|
76240a |
+ assert len(s2_high) == 1
|
|
|
76240a |
+ assert "var_some_variable" not in s2_high[0].variables.keys()
|
|
|
76240a |
+ assert "var_password_pam_minlen" not in s2_high[0].variables.keys()
|
|
|
76240a |
+ s4b_high = [c for c in high_controls if c.id == "S4.b"]
|
|
|
76240a |
+ assert len(s4b_high) == 1
|
|
|
76240a |
+ assert s4b_high[0].variables["var_some_variable"] == "3"
|
|
|
76240a |
+ assert s4b_high[0].variables["var_password_pam_minlen"] == "2"
|
|
|
76240a |
+
|
|
|
76240a |
+ # check that in low level the variable is correctly placed there in S2
|
|
|
76240a |
+ s2_low = [c for c in low_controls if c.id == "S2"]
|
|
|
76240a |
+ assert len(s2_low) == 1
|
|
|
76240a |
+ assert s2_low[0].variables["var_some_variable"] == "1"
|
|
|
76240a |
+ assert s2_low[0].variables["var_password_pam_minlen"] == "1"
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
|
|
|
76240a |
def test_controls_load_product():
|
|
|
76240a |
ssg_root = \
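Review bot: The new block checks S2 at the `high` and `low` levels but not at `medium`, which is the interesting intermediate case: S2's `low` variables must survive unchanged in `medium_controls` because S4.b (the only overriding control) is `high`. Adding `s2_medium = [c for c in medium_controls if c.id == "S2"]` with `assert s2_medium[0].variables["var_some_variable"] == "1"` and the same for `var_password_pam_minlen` would catch a regression where ancestors are walked in the wrong direction. The three trailing blank lines before `test_controls_load_product` should also go (PEP 8 allows two).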
|
|
|
76240a |
|
|
|
76240a |
From 369de6b8374084d9d607979b712285912dbb65aa Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Matej Tyc <matyc@redhat.com>
|
|
|
76240a |
Date: Mon, 16 Aug 2021 10:39:22 +0200
|
|
|
76240a |
Subject: [PATCH 12/12] Style improvements
|
|
|
76240a |
|
|
|
76240a |
- Renamed get_level_with_ancestors to get_level_with_ancestors_sequence,
|
|
|
76240a |
and made it return a list - a dictionary result is quite confusing.
|
|
|
76240a |
- Removed some optimization in the variable deletion loops.
|
|
|
76240a |
- Extracted functionality to a _get_control_without_variables static
|
|
|
76240a |
method.
|
|
|
76240a |
- Defined variable removal steps using set operations.
|
|
|
76240a |
---
|
|
|
76240a |
ssg/controls.py | 54 +++++++++++++++++++++++++------------------------
|
|
|
76240a |
1 file changed, 28 insertions(+), 26 deletions(-)
|
|
|
76240a |
|
|
|
76240a |
diff --git a/ssg/controls.py b/ssg/controls.py
|
|
|
76240a |
index 8b69676313c..ca3187d5b16 100644
|
|
|
76240a |
--- a/ssg/controls.py
|
|
|
76240a |
+++ b/ssg/controls.py
|
|
|
76240a |
@@ -152,17 +152,17 @@ def get_level(self, level_id):
|
|
|
76240a |
)
|
|
|
76240a |
raise ValueError(msg)
|
|
|
76240a |
|
|
|
76240a |
- def get_level_with_ancestors(self, level_id):
|
|
|
76240a |
+ def get_level_with_ancestors_sequence(self, level_id):
|
|
|
76240a |
# use OrderedDict for Python2 compatibility instead of ordered set
|
|
|
76240a |
levels = collections.OrderedDict()
|
|
|
76240a |
level = self.get_level(level_id)
|
|
|
76240a |
levels[level] = ""
|
|
|
76240a |
if level.inherits_from:
|
|
|
76240a |
for lv in level.inherits_from:
|
|
|
76240a |
- eligible_levels = [l for l in self.get_level_with_ancestors(lv).keys() if l not in levels.keys()]
|
|
|
76240a |
+ eligible_levels = [l for l in self.get_level_with_ancestors_sequence(lv) if l not in levels.keys()]
|
|
|
76240a |
for l in eligible_levels:
|
|
|
76240a |
levels[l] = ""
|
|
|
76240a |
- return levels
|
|
|
76240a |
+ return list(levels.keys())
|
|
|
76240a |
|
|
|
76240a |
|
|
|
76240a |
class ControlsManager():
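Review bot: `get_level_with_ancestors_sequence` now returns a list whose order is a contract: `get_all_controls_of_level` decides which variable definition wins from it, yet nothing in the function says so and the surviving comment only explains why an `OrderedDict` is used. A docstring should state the ordering explicitly: """Return `level_id`'s Level followed by all levels it inherits from, nearest first (depth-first, in `inherits_from` declaration order), without duplicates.""" The comprehension variable `l` is also easily confused with `1` (PEP 8 E741); `ancestor` reads better.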
|
|
|
76240a |
@@ -200,35 +200,37 @@ def _get_policy(self, policy_id):
|
|
|
76240a |
|
|
|
76240a |
def get_all_controls_of_level(self, policy_id, level_id):
|
|
|
76240a |
policy = self._get_policy(policy_id)
|
|
|
76240a |
- levels = policy.get_level_with_ancestors(level_id)
|
|
|
76240a |
+ levels = policy.get_level_with_ancestors_sequence(level_id)
|
|
|
76240a |
all_policy_controls = self.get_all_controls(policy_id)
|
|
|
76240a |
eligible_controls = []
|
|
|
76240a |
- defined_variables = []
|
|
|
76240a |
+ already_defined_variables = set()
|
|
|
76240a |
# we will go level by level, from top to bottom
|
|
|
76240a |
# this is done to enable overriding of variables by higher levels
|
|
|
76240a |
- for lv in levels.keys():
|
|
|
76240a |
- for c in all_policy_controls:
|
|
|
76240a |
- if lv.id in c.levels:
|
|
|
76240a |
- # if the control has a variable, check if it is not already defined
|
|
|
76240a |
- variables = list(c.variables.keys())
|
|
|
76240a |
- if len(variables) == 0:
|
|
|
76240a |
- eligible_controls.append(c)
|
|
|
76240a |
- continue
|
|
|
76240a |
- variables_to_remove = [] # contains list of variables which are already defined and should be removed from the control
|
|
|
76240a |
- for var in variables:
|
|
|
76240a |
- if var in defined_variables:
|
|
|
76240a |
- variables_to_remove.append(var)
|
|
|
76240a |
- else:
|
|
|
76240a |
- defined_variables.append(var)
|
|
|
76240a |
- if len(variables_to_remove) == 0:
|
|
|
76240a |
- eligible_controls.append(c)
|
|
|
76240a |
- else:
|
|
|
76240a |
- new_c = copy.deepcopy(c)
|
|
|
76240a |
- for var in variables_to_remove:
|
|
|
76240a |
- del new_c.variables[var]
|
|
|
76240a |
- eligible_controls.append(new_c)
|
|
|
76240a |
+ for lv in levels:
|
|
|
76240a |
+ for control in all_policy_controls:
|
|
|
76240a |
+ if lv.id not in control.levels:
|
|
|
76240a |
+ continue
|
|
|
76240a |
+
|
|
|
76240a |
+ variables = set(control.variables.keys())
|
|
|
76240a |
+
|
|
|
76240a |
+ variables_to_remove = variables.intersection(already_defined_variables)
|
|
|
76240a |
+ already_defined_variables.update(variables)
|
|
|
76240a |
+
|
|
|
76240a |
+ new_c = self._get_control_without_variables(variables_to_remove, control)
|
|
|
76240a |
+ eligible_controls.append(new_c)
|
|
|
76240a |
+
|
|
|
76240a |
return eligible_controls
|
|
|
76240a |
|
|
|
76240a |
+ @staticmethod
|
|
|
76240a |
+ def _get_control_without_variables(variables_to_remove, control):
|
|
|
76240a |
+ if not variables_to_remove:
|
|
|
76240a |
+ return control
|
|
|
76240a |
+
|
|
|
76240a |
+ new_c = copy.deepcopy(control)
|
|
|
76240a |
+ for var in variables_to_remove:
|
|
|
76240a |
+ del new_c.variables[var]
|
|
|
76240a |
+ return new_c
|
|
|
76240a |
+
|
|
|
76240a |
def get_all_controls(self, policy_id):
|
|
|
76240a |
policy = self._get_policy(policy_id)
|
|
|
76240a |
return policy.controls_by_id.values()
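Review bot: A control listed under more than one level of the same chain (say `levels: [low, high]`, which the list-typed `levels` key appears to allow) is appended to `eligible_controls` once per matching level in the `for lv in levels` / `for control in all_policy_controls` nesting; on the second pass its own variables are already in `already_defined_variables`, so the duplicate is a stripped copy. The pre-series `intersection` check returned such a control exactly once. Tracking seen ids restores that: `seen_ids = set()` before the loop, `if lv.id not in control.levels or control.id in seen_ids: continue`, and `seen_ids.add(control.id)` before the variable bookkeeping.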
|