├── .gitignore ├── lib ├── openscap │ ├── version.rb │ ├── exceptions.rb │ ├── xccdf.rb │ ├── xccdf │ │ ├── value.rb │ │ ├── group.rb │ │ ├── ident.rb │ │ ├── policy.rb │ │ ├── profile.rb │ │ ├── reference.rb │ │ ├── fix.rb │ │ ├── tailoring.rb │ │ ├── policy_model.rb │ │ ├── ruleresult.rb │ │ ├── rule.rb │ │ ├── benchmark.rb │ │ ├── testresult.rb │ │ ├── item.rb │ │ └── session.rb │ ├── libc.rb │ ├── openscap.rb │ ├── text.rb │ ├── ds │ │ ├── sds.rb │ │ └── arf.rb │ └── source.rb └── openscap.rb ├── runtest.sh ├── Rakefile ├── test ├── text_test.rb ├── openscap_test.rb ├── xccdf │ ├── policy_test.rb │ ├── profile_test.rb │ ├── tailoring_test.rb │ ├── session_test.rb │ ├── arf_test.rb │ ├── testresult_test.rb │ ├── session_ds_test.rb │ └── benchmark_test.rb ├── data │ ├── invalid.xml │ ├── tailoring.xml │ ├── sds-complex.xml │ └── testresult.xml ├── common │ └── testcase.rb ├── ds │ ├── sds_test.rb │ └── arf_test.rb ├── source_test.rb └── integration │ └── arf_waiver_test.rb ├── .rubocop.yml ├── .rubocop_todo.yml ├── openscap.gemspec ├── README.md └── COPYING /.gitignore: -------------------------------------------------------------------------------- 1 | .buildpath 2 | .project 3 | .settings 4 | test/output 5 | .idea 6 | openscap-*.gem 7 | -------------------------------------------------------------------------------- /lib/openscap/version.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | module OpenSCAP 4 | VERSION = '0.4.9' 5 | end 6 | -------------------------------------------------------------------------------- /lib/openscap/exceptions.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | module OpenSCAP 4 | class OpenSCAPError < StandardError 5 | end 6 | end 7 | -------------------------------------------------------------------------------- /runtest.sh: -------------------------------------------------------------------------------- 1 | set -e -o pipefail 2 | set -x 3 | 4 | rm -f openscap-*.gem 5 | gem build openscap.gemspec 6 | gem install openscap-*.gem 7 | rake test 8 | rubocop 9 | -------------------------------------------------------------------------------- /lib/openscap.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap/openscap' 4 | require 'openscap/exceptions' 5 | require 'openscap/xccdf/session' 6 | 7 | module OpenSCAP 8 | end 9 | -------------------------------------------------------------------------------- /lib/openscap/xccdf.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap/openscap' 4 | 5 | module OpenSCAP 6 | module Xccdf 7 | NUMERIC = :float 8 | 9 | class Item 10 | end 11 | end 12 | end 13 | -------------------------------------------------------------------------------- /lib/openscap/xccdf/value.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap/exceptions' 4 | require 'openscap/xccdf/item' 5 | 6 | module OpenSCAP 7 | module Xccdf 8 | class Value < Item 9 | end 10 | end 11 | end 12 | -------------------------------------------------------------------------------- /lib/openscap/libc.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'ffi' 4 | 5 | module OpenSCAP 6 | module LibC 7 | extend FFI::Library 8 | 9 | ffi_lib FFI::Library::LIBC 10 | 11 | attach_function :free, [:pointer], :void 12 | end 13 | end 14 | -------------------------------------------------------------------------------- /lib/openscap/xccdf/group.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap/exceptions' 4 | require 'openscap/xccdf' 5 | require 'openscap/xccdf/item' 6 | 7 | module OpenSCAP 8 | module Xccdf 9 | class Group < Item 10 | end 11 | end 12 | end 13 | -------------------------------------------------------------------------------- /Rakefile: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'bundler' 4 | 5 | Bundler::GemHelper.install_tasks :name => 'openscap' 6 | 7 | task :test do 8 | $LOAD_PATH.unshift('lib') 9 | $LOAD_PATH.unshift('test') 10 | Dir.glob('./test/**/*_test.rb') { |f| require f } 11 | end 12 | -------------------------------------------------------------------------------- /test/text_test.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap' 4 | require 'openscap/text' 5 | require 'common/testcase' 6 | 7 | class TestText < OpenSCAP::TestCase 8 | def test_text_new 9 | t = OpenSCAP::Text.new 10 | t.destroy 11 | end 12 | 13 | def test_text_set_text 14 | t = OpenSCAP::Text.new 15 | t.text = 'blah' 16 | assert t.text == 'blah', "Text was: #{t.text}" 17 | t.destroy 18 | end 19 | end 20 | -------------------------------------------------------------------------------- /.rubocop.yml: -------------------------------------------------------------------------------- 1 | inherit_from: 2 | - .rubocop_todo.yml 3 | 4 | Metrics/AbcSize: 5 | Max: 16 6 | Exclude: 7 | - 'test/**/*' 8 | 9 | Metrics/LineLength: 10 | Max: 110 11 | Exclude: 12 | - 'test/**/*' 13 | 14 | Metrics/MethodLength: 15 | Max: 13 16 | Exclude: 17 | - 'test/**/*' 18 | 19 | Style/HashSyntax: 20 | EnforcedStyle: hash_rockets 21 | 22 | Style/SymbolArray: 23 | EnforcedStyle: brackets 24 | 25 | Naming/UncommunicativeMethodParamName: 26 | Exclude: 27 | - '**/*' 28 | -------------------------------------------------------------------------------- /test/openscap_test.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'common/testcase' 4 | require 'openscap' 5 | 6 | class TestOscapVersion < OpenSCAP::TestCase 7 | def test_oscap_version 8 | OpenSCAP.oscap_init 9 | version = OpenSCAP.oscap_get_version 10 | OpenSCAP.oscap_cleanup 11 | assert version.include?('.') 12 | end 13 | 14 | def test_double_read_error 15 | assert !OpenSCAP.error? 16 | msg = OpenSCAP.full_error 17 | assert msg.nil? 18 | msg = OpenSCAP.full_error 19 | assert msg.nil? 20 | end 21 | end 22 | -------------------------------------------------------------------------------- /lib/openscap/xccdf/ident.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | module OpenSCAP 4 | module Xccdf 5 | class Ident 6 | def initialize(raw) 7 | raise OpenSCAP::OpenSCAPError, "Cannot initialize #{self.class.name} with '#{raw}'" \ 8 | unless raw.is_a?(FFI::Pointer) 9 | 10 | @raw = raw 11 | end 12 | 13 | def system 14 | OpenSCAP.xccdf_ident_get_system(@raw) 15 | end 16 | 17 | def id 18 | OpenSCAP.xccdf_ident_get_id(@raw) 19 | end 20 | end 21 | end 22 | attach_function :xccdf_ident_get_system, [:pointer], :string 23 | attach_function :xccdf_ident_get_id, [:pointer], :string 24 | end 25 | -------------------------------------------------------------------------------- /test/xccdf/policy_test.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'common/testcase' 4 | require 'openscap' 5 | require 'openscap/source' 6 | require 'openscap/xccdf/benchmark' 7 | require 'openscap/xccdf/policy' 8 | require 'openscap/xccdf/policy_model' 9 | 10 | class TestPolicy < OpenSCAP::TestCase 11 | def test_new_policy_model 12 | @s = OpenSCAP::Source.new '../data/xccdf.xml' 13 | b = OpenSCAP::Xccdf::Benchmark.new @s 14 | pm = OpenSCAP::Xccdf::PolicyModel.new b 15 | assert !b.nil? 16 | assert pm.policies.size == 1, pm.policies.to_s 17 | assert pm.policies['xccdf_org.ssgproject.content_profile_common'] 18 | pm.destroy 19 | end 20 | end 21 | -------------------------------------------------------------------------------- /lib/openscap/xccdf/policy.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap/exceptions' 4 | 5 | module OpenSCAP 6 | module Xccdf 7 | class Policy 8 | attr_reader :raw 9 | 10 | def initialize(p) 11 | case p 12 | when FFI::Pointer 13 | @raw = p 14 | else 15 | raise OpenSCAP::OpenSCAPError, 16 | "Cannot initialize OpenSCAP::Xccdf::Policy with '#{p}'" 17 | end 18 | OpenSCAP.raise! if @raw.null? 19 | end 20 | 21 | def id 22 | OpenSCAP.xccdf_policy_get_id raw 23 | end 24 | end 25 | end 26 | 27 | attach_function :xccdf_policy_get_id, [:pointer], :string 28 | end 29 | -------------------------------------------------------------------------------- /test/xccdf/profile_test.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'common/testcase' 4 | require 'openscap' 5 | require 'openscap/source' 6 | require 'openscap/xccdf/benchmark' 7 | require 'openscap/xccdf/profile' 8 | 9 | class TestProfile < OpenSCAP::TestCase 10 | def test_new_from_file 11 | @s = OpenSCAP::Source.new '../data/xccdf.xml' 12 | b = OpenSCAP::Xccdf::Benchmark.new @s 13 | assert !b.nil? 14 | assert b.profiles.size == 1, b.profiles.to_s 15 | profile1 = b.profiles['xccdf_org.ssgproject.content_profile_common'] 16 | assert profile1 17 | assert profile1.title == 'Common Profile for General-Purpose Fedora Systems' 18 | b.destroy 19 | end 20 | end 21 | -------------------------------------------------------------------------------- /.rubocop_todo.yml: -------------------------------------------------------------------------------- 1 | # This configuration was generated by `rubocop --auto-gen-config` 2 | # on 2014-12-19 20:39:58 +0100 using RuboCop version 0.28.0. 3 | # The point is for the user to remove these configuration records 4 | # one by one as the offenses are removed from the code base. 5 | # Note that changes in the inspected code, or installation of new 6 | # versions of RuboCop, may require this file to be generated again. 7 | 8 | # Offense count: 1 9 | # Cop supports --auto-correct. 10 | # Configuration parameters: EnforcedStyle, SupportedStyles. 11 | Style/AndOr: 12 | Enabled: false 13 | 14 | # Offense count: 36 15 | Style/Documentation: 16 | Enabled: false 17 | 18 | # Offense count: 6 19 | # Configuration parameters: MinBodyLength. 20 | Style/GuardClause: 21 | Enabled: false 22 | -------------------------------------------------------------------------------- /test/xccdf/tailoring_test.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap' 4 | require 'openscap/source' 5 | require 'openscap/xccdf/tailoring' 6 | require 'common/testcase' 7 | 8 | class TailoringTest < OpenSCAP::TestCase 9 | def test_new_from_file 10 | tailoring = tailoring_from_file 11 | tailoring.destroy 12 | refute tailoring.raw 13 | end 14 | 15 | def test_profiles 16 | profiles = tailoring_from_file.profiles 17 | assert_equal 1, profiles.length 18 | assert profiles.values.first.is_a?(OpenSCAP::Xccdf::Profile) 19 | end 20 | 21 | private 22 | 23 | def tailoring_from_file 24 | source = OpenSCAP::Source.new '../data/tailoring.xml' 25 | tailoring = OpenSCAP::Xccdf::Tailoring.new source, nil 26 | source.destroy 27 | assert tailoring 28 | tailoring 29 | end 30 | end 31 | -------------------------------------------------------------------------------- /test/xccdf/session_test.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap' 4 | require 'common/testcase' 5 | 6 | class TestSession < OpenSCAP::TestCase 7 | def test_session_new_bad 8 | msg = nil 9 | begin 10 | OpenSCAP::Xccdf::Session.new('') 11 | assert false 12 | rescue OpenSCAP::OpenSCAPError => e 13 | msg = e.to_s 14 | end 15 | assert msg.start_with?("Unable to open file: ''"), 'Message was: ' + msg 16 | end 17 | 18 | def test_session_new_nil 19 | msg = nil 20 | begin 21 | OpenSCAP::Xccdf::Session.new(nil) 22 | assert false 23 | rescue OpenSCAP::OpenSCAPError => e 24 | msg = e.to_s 25 | end 26 | assert msg.start_with?('No filename specified!'), 'Message was: ' + msg 27 | end 28 | 29 | def test_sds_false 30 | @s = OpenSCAP::Xccdf::Session.new('../data/xccdf.xml') 31 | refute @s.sds? 32 | end 33 | end 34 | -------------------------------------------------------------------------------- /lib/openscap/xccdf/profile.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap/text' 4 | 5 | module OpenSCAP 6 | module Xccdf 7 | class Profile 8 | attr_reader :raw 9 | 10 | def initialize(p) 11 | case p 12 | when FFI::Pointer 13 | @raw = p 14 | else 15 | raise OpenSCAP::OpenSCAPError, "Cannot initialize #{self.class.name} with #{p}" 16 | end 17 | end 18 | 19 | def id 20 | OpenSCAP.xccdf_profile_get_id raw 21 | end 22 | 23 | def title(prefered_lang = nil) 24 | textlist = OpenSCAP::TextList.new(OpenSCAP.xccdf_profile_get_title(@raw)) 25 | title = textlist.plaintext(prefered_lang) 26 | textlist.destroy 27 | title 28 | end 29 | end 30 | end 31 | 32 | attach_function :xccdf_profile_get_id, [:pointer], :string 33 | attach_function :xccdf_profile_get_title, [:pointer], :pointer 34 | end 35 | -------------------------------------------------------------------------------- /openscap.gemspec: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'date' 4 | require File.expand_path('lib/openscap/version', __dir__) 5 | 6 | GEMSPEC = Gem::Specification.new do |gem| 7 | gem.name = 'openscap' 8 | gem.version = OpenSCAP::VERSION 9 | gem.date = Date.today.to_s 10 | gem.platform = Gem::Platform::RUBY 11 | 12 | gem.author = 'Simon Lukasik' 13 | gem.email = 'isimluk@fedoraproject.org' 14 | gem.homepage = 'https://github.com/OpenSCAP/ruby-openscap' 15 | gem.license = 'GPL-2.0' 16 | 17 | gem.summary = 'A FFI wrapper around the OpenSCAP library' 18 | gem.description = "A FFI wrapper around the OpenSCAP library. 19 | Currently it provides only subset of libopenscap functionality." 20 | 21 | gem.add_development_dependency 'bundler', '>=1.0.0' 22 | gem.add_runtime_dependency 'ffi', '>= 1.0.9' 23 | 24 | gem.files = Dir['{lib,test}/**/*'] + ['COPYING', 'README.md', 'Rakefile'] 25 | gem.require_path = 'lib' 26 | end 27 | -------------------------------------------------------------------------------- /lib/openscap/xccdf/reference.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | module OpenSCAP 4 | module Xccdf 5 | class Reference 6 | def initialize(raw) 7 | raise OpenSCAP::OpenSCAPError, "Cannot initialize #{self.class.name} with '#{raw}'" \ 8 | unless raw.is_a?(FFI::Pointer) 9 | 10 | @raw = raw 11 | end 12 | 13 | def title 14 | OpenSCAP.oscap_reference_get_title(@raw) 15 | end 16 | 17 | def href 18 | OpenSCAP.oscap_reference_get_href(@raw) 19 | end 20 | 21 | def html_link 22 | "#{title}" 23 | end 24 | 25 | def to_hash 26 | { 27 | :title => title, 28 | :href => href, 29 | :html_link => html_link 30 | } 31 | end 32 | end 33 | end 34 | attach_function :oscap_reference_get_href, [:pointer], :string 35 | attach_function :oscap_reference_get_title, [:pointer], :string 36 | end 37 | -------------------------------------------------------------------------------- /test/data/invalid.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 1.0 4 | incomplete 5 | 6 | is kinda compulsory 7 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /lib/openscap/openscap.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'ffi' 4 | 5 | module OpenSCAP 6 | extend FFI::Library 7 | ffi_lib ['libopenscap.so.8', 'libopenscap.so.25', 'openscap'] 8 | 9 | def self.error? 10 | oscap_err 11 | end 12 | 13 | def self.full_error 14 | err = oscap_err_get_full_error 15 | err.null? ? nil : err.read_string 16 | end 17 | 18 | def self.raise!(msg = nil) 19 | err = full_error 20 | if err.nil? 21 | err = msg.nil? ? '(unknown error)' : msg 22 | else 23 | err += "\n#{msg}" 24 | end 25 | raise OpenSCAPError, err 26 | end 27 | 28 | attach_function :oscap_init, [], :void 29 | attach_function :oscap_cleanup, [], :void 30 | attach_function :oscap_get_version, [], :string 31 | 32 | attach_function :oscap_document_type_to_string, [:int], :string 33 | 34 | attach_function :oscap_err, [], :bool 35 | attach_function :oscap_err_get_full_error, [], :pointer 36 | private_class_method :oscap_err, :oscap_err_get_full_error 37 | end 38 | -------------------------------------------------------------------------------- /test/common/testcase.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'test/unit' 4 | 5 | module OpenSCAP 6 | class TestCase < Test::Unit::TestCase 7 | def setup 8 | workdir = 'test/output' 9 | if Dir.pwd.end_with? 'test/output' 10 | cleanup # Older TestCase do not run cleanup method. 11 | end 12 | FileUtils.rm_rf workdir 13 | Dir.mkdir workdir 14 | Dir.chdir workdir 15 | @s = nil 16 | OpenSCAP.oscap_init 17 | end 18 | 19 | def cleanup 20 | @s&.destroy 21 | Dir.chdir '../..' 22 | OpenSCAP.raise! if OpenSCAP.error? 23 | OpenSCAP.oscap_cleanup 24 | end 25 | 26 | protected 27 | 28 | def assert_default_score(scores, low, high) 29 | assert scores.size == 1 30 | s = scores['urn:xccdf:scoring:default'] 31 | assert !s.nil? 32 | assert s[:system] == 'urn:xccdf:scoring:default' 33 | assert low < s[:value] 34 | assert s[:value] < high 35 | assert s[:max] == 100 36 | end 37 | end 38 | end 39 | -------------------------------------------------------------------------------- /lib/openscap/xccdf/fix.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | module OpenSCAP 4 | module Xccdf 5 | class Fix 6 | def initialize(raw) 7 | raise OpenSCAP::OpenSCAPError, "Cannot initialize #{self.class.name} with '#{raw}'" \ 8 | unless raw.is_a?(FFI::Pointer) 9 | 10 | @raw = raw 11 | end 12 | 13 | def id 14 | OpenSCAP.xccdf_fix_get_id(@raw) 15 | end 16 | 17 | def platform 18 | OpenSCAP.xccdf_fix_get_platform(@raw) 19 | end 20 | 21 | # system is a reserved word in Rails, so didn't use it 22 | def fix_system 23 | OpenSCAP.xccdf_fix_get_system(@raw) 24 | end 25 | 26 | def content 27 | OpenSCAP.xccdf_fix_get_content(@raw) 28 | end 29 | 30 | def to_hash 31 | { 32 | :id => id, 33 | :platform => platform, 34 | :system => fix_system, 35 | :content => content 36 | } 37 | end 38 | end 39 | end 40 | attach_function :xccdf_fix_get_id, [:pointer], :string 41 | attach_function :xccdf_fix_get_platform, [:pointer], :string 42 | attach_function :xccdf_fix_get_system, [:pointer], :string 43 | attach_function :xccdf_fix_get_content, [:pointer], :string 44 | end 45 | -------------------------------------------------------------------------------- /lib/openscap/text.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | module OpenSCAP 4 | class Text 5 | attr_reader :raw 6 | 7 | def initialize 8 | @raw = OpenSCAP.oscap_text_new 9 | end 10 | 11 | def text=(str) 12 | OpenSCAP.raise! unless OpenSCAP.oscap_text_set_text(raw, str) 13 | end 14 | 15 | def text 16 | OpenSCAP.oscap_text_get_text(raw) 17 | end 18 | 19 | def destroy 20 | OpenSCAP.oscap_text_free(raw) 21 | @raw = nil 22 | end 23 | end 24 | 25 | class TextList 26 | def initialize(oscap_text_iterator) 27 | @raw = oscap_text_iterator 28 | end 29 | 30 | def plaintext(lang = nil) 31 | OpenSCAP.oscap_textlist_get_preferred_plaintext @raw, lang 32 | end 33 | 34 | def destroy 35 | OpenSCAP.oscap_text_iterator_free @raw 36 | end 37 | end 38 | 39 | attach_function :oscap_text_new, [], :pointer 40 | attach_function :oscap_text_set_text, [:pointer, :string], :bool 41 | attach_function :oscap_text_get_text, [:pointer], :string 42 | attach_function :oscap_text_free, [:pointer], :void 43 | 44 | attach_function :oscap_textlist_get_preferred_plaintext, [:pointer, :string], :string 45 | attach_function :oscap_text_iterator_free, [:pointer], :void 46 | end 47 | -------------------------------------------------------------------------------- /test/xccdf/arf_test.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'common/testcase' 4 | require 'openscap' 5 | require 'openscap/ds/sds' 6 | require 'openscap/source' 7 | require 'openscap/xccdf/benchmark' 8 | 9 | class TestArf < OpenSCAP::TestCase 10 | def test_new_from_file 11 | b = benchmark_from_arf_file 12 | b.destroy 13 | end 14 | 15 | def test_idents 16 | b = benchmark_from_arf_file 17 | item = b.items['xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20140675'] 18 | idents = item.idents 19 | assert idents.size == 25 20 | end 21 | 22 | def test_ident_title_url 23 | b = benchmark_from_arf_file 24 | item = b.items['xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20140678'] 25 | idents = item.idents 26 | assert idents.size == 2 27 | ident = idents[0] 28 | expected_id = 'RHSA-2014-0678' 29 | expected_system = 'https://rhn.redhat.com/errata' 30 | assert_equal(expected_id, ident.id) 31 | assert_equal(expected_system, ident.system) 32 | end 33 | 34 | private 35 | 36 | def benchmark_from_arf_file 37 | arf = OpenSCAP::DS::Arf.new('../data/arf.xml') 38 | _test_results = arf.test_result 39 | source_datastream = arf.report_request 40 | bench_source = source_datastream.select_checklist! 41 | benchmark = OpenSCAP::Xccdf::Benchmark.new(bench_source) 42 | benchmark 43 | end 44 | end 45 | -------------------------------------------------------------------------------- /lib/openscap/ds/sds.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap/source' 4 | 5 | module OpenSCAP 6 | module DS 7 | class Sds 8 | attr_reader :raw 9 | 10 | def initialize(param) 11 | @raw = case param 12 | when OpenSCAP::Source 13 | OpenSCAP.ds_sds_session_new_from_source param.raw 14 | when Hash 15 | OpenSCAP.ds_sds_session_new_from_source param[:source].raw 16 | end 17 | OpenSCAP.raise! if @raw.null? 18 | end 19 | 20 | def select_checklist(p = {}) 21 | source_p = OpenSCAP.ds_sds_session_select_checklist(@raw, p[:datastream_id], p[:component_id], nil) 22 | OpenSCAP::Source.new source_p 23 | end 24 | 25 | def select_checklist!(p = {}) 26 | checklist = select_checklist(p) 27 | OpenSCAP.raise! if checklist.nil? or checklist.raw.null? 28 | checklist 29 | end 30 | 31 | def html_guide(profile = nil) 32 | html = OpenSCAP.ds_sds_session_get_html_guide(@raw, profile) 33 | OpenSCAP.raise! if html.nil? 34 | html 35 | end 36 | 37 | def destroy 38 | OpenSCAP.ds_sds_session_free(@raw) 39 | @raw = nil 40 | end 41 | end 42 | end 43 | 44 | attach_function :ds_sds_session_new_from_source, [:pointer], :pointer 45 | attach_function :ds_sds_session_free, [:pointer], :void 46 | attach_function :ds_sds_session_select_checklist, [:pointer, :string, :string, :string], :pointer 47 | attach_function :ds_sds_session_get_html_guide, [:pointer, :string], :string 48 | end 49 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![ruby-openscap icon](http://isimluk.fedorapeople.org/ruby-OpenSCAP-small.png) ruby-OpenSCAP 2 | ============= 3 | 4 | Description 5 | ------------- 6 | A FFI wrapper around the OpenSCAP library. 7 | 8 | Features/problems 9 | ------------- 10 | Current version supports minimal set of functions needed to build own scanner. This module 11 | is self documented by its test suite. 12 | 13 | Sample Scanner Implementation 14 | ------------- 15 | 16 | require 'openscap' 17 | s = OpenSCAP::Xccdf::Session.new("ssg-fedora-ds.xml") 18 | s.load 19 | s.profile = "xccdf_org.ssgproject.content_profile_common" 20 | s.evaluate 21 | s.export_results(:rds_file => "results.rds.xml") 22 | s.destroy 23 | 24 | Development Requirements 25 | ------------- 26 | On Fedora, command is 27 | 28 | dnf install ruby-devel rubygem-rake rubygem-ffi rubygem-bundler openscap 29 | 30 | On RHEL you can install requirements by issuing 31 | 32 | yum install ruby-devel rubygem-rake rubygem-bundler openscap 33 | gem install ffi # or install rubygem-ffi RPM package from EPEL 34 | 35 | 36 | Test Requirements 37 | ------------- 38 | On Fedora, more packages are necessary, but rubocop can be of the latest version 39 | 40 | dnf install rubygem-minitest rubygem-test-unit rubygems-devel bzip2 41 | gem install rubocop 42 | 43 | For tests on RHEL7, you need minitest package and specific older version of rubocop. 44 | Newer versions of rubocop requires Ruby >= 2.1.0 45 | 46 | yum install rubygem-minitest bzip2 47 | gem install rubocop -v 0.50.0 48 | 49 | Tests are then performed using script 50 | 51 | ./runtest.sh 52 | 53 | -------------------------------------------------------------------------------- /lib/openscap/xccdf/tailoring.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap/source' 4 | require 'openscap/xccdf/profile' 5 | 6 | module OpenSCAP 7 | module Xccdf 8 | class Tailoring 9 | attr_reader :raw 10 | 11 | def initialize(source, benchmark) 12 | case source 13 | when OpenSCAP::Source 14 | @raw = OpenSCAP.xccdf_tailoring_import_source source.raw, benchmark 15 | else 16 | raise OpenSCAP::OpenSCAPError, "Cannot initialize #{self.class.name} with '#{source}'" 17 | end 18 | OpenSCAP.raise! if @raw.null? 19 | end 20 | 21 | def profiles 22 | @profiles ||= profiles_init 23 | end 24 | 25 | def destroy 26 | OpenSCAP.xccdf_tailoring_free @raw 27 | @raw = nil 28 | end 29 | 30 | private 31 | 32 | def profiles_init 33 | profiles = {} 34 | profit = OpenSCAP.xccdf_tailoring_get_profiles raw 35 | while OpenSCAP.xccdf_profile_iterator_has_more profit 36 | profile_p = OpenSCAP.xccdf_profile_iterator_next profit 37 | profile = OpenSCAP::Xccdf::Profile.new profile_p 38 | profiles[profile.id] = profile 39 | end 40 | OpenSCAP.xccdf_profile_iterator_free profit 41 | profiles 42 | end 43 | end 44 | end 45 | 46 | attach_function :xccdf_tailoring_import_source, [:pointer, :pointer], :pointer 47 | attach_function :xccdf_tailoring_free, [:pointer], :void 48 | 49 | attach_function :xccdf_tailoring_get_profiles, [:pointer], :pointer 50 | attach_function :xccdf_profile_iterator_has_more, [:pointer], :bool 51 | attach_function :xccdf_profile_iterator_next, [:pointer], :pointer 52 | attach_function :xccdf_profile_iterator_free, [:pointer], :void 53 | end 54 | -------------------------------------------------------------------------------- /test/ds/sds_test.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap' 4 | require 'openscap/source' 5 | require 'openscap/ds/sds' 6 | require 'common/testcase' 7 | 8 | class TestSds < OpenSCAP::TestCase 9 | def test_new 10 | new_sds.destroy 11 | end 12 | 13 | def test_new_non_sds 14 | filename = '../data/xccdf.xml' 15 | @s = OpenSCAP::Source.new filename 16 | assert !@s.nil? 17 | msg = nil 18 | begin 19 | OpenSCAP::DS::Sds.new :source => @s 20 | assert false 21 | rescue OpenSCAP::OpenSCAPError => e 22 | msg = e.to_s 23 | end 24 | assert msg.start_with?('Could not create Source DataStream session: File is not Source DataStream.'), msg 25 | end 26 | 27 | def test_select_checklist 28 | sds = new_sds 29 | benchmark = sds.select_checklist! 30 | assert !benchmark.nil? 31 | sds.destroy 32 | end 33 | 34 | def test_show_guides 35 | sds = new_sds 36 | benchmark_source = sds.select_checklist! 37 | benchmark = OpenSCAP::Xccdf::Benchmark.new benchmark_source 38 | benchmark.profiles.each_key do |id| 39 | guide = sds.html_guide id 40 | assert !guide.nil? 41 | assert guide.include?(id) 42 | end 43 | benchmark.destroy 44 | sds.destroy 45 | end 46 | 47 | def tests_select_checklist_wrong 48 | sds = new_sds 49 | msg = nil 50 | begin 51 | benchmark = sds.select_checklist! :datastream_id => 'wrong' 52 | assert false 53 | rescue OpenSCAP::OpenSCAPError => e 54 | msg = e.to_s 55 | end 56 | assert msg.start_with?('Failed to locate a datastream with ID matching'), msg 57 | assert benchmark.nil? 58 | sds.destroy 59 | end 60 | 61 | private 62 | 63 | def new_sds 64 | filename = '../data/sds-complex.xml' 65 | @s = OpenSCAP::Source.new filename 66 | assert !@s.nil? 67 | sds = OpenSCAP::DS::Sds.new :source => @s 68 | assert !sds.nil? 69 | sds 70 | end 71 | end 72 | -------------------------------------------------------------------------------- /lib/openscap/xccdf/policy_model.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap/exceptions' 4 | require 'openscap/xccdf/benchmark' 5 | require 'openscap/xccdf/policy' 6 | 7 | module OpenSCAP 8 | module Xccdf 9 | class PolicyModel 10 | attr_reader :raw 11 | 12 | def initialize(b) 13 | case b 14 | when OpenSCAP::Xccdf::Benchmark 15 | @raw = OpenSCAP.xccdf_policy_model_new(b.raw) 16 | else 17 | raise OpenSCAP::OpenSCAPError, 18 | "Cannot initialize OpenSCAP::Xccdf::PolicyModel with '#{b}'" 19 | end 20 | OpenSCAP.raise! if @raw.null? 21 | end 22 | 23 | def policies 24 | @policies ||= policies_init 25 | end 26 | 27 | def destroy 28 | OpenSCAP.xccdf_policy_model_free @raw 29 | @raw = nil 30 | end 31 | 32 | private 33 | 34 | def policies_init 35 | policies = {} 36 | OpenSCAP.raise! unless OpenSCAP.xccdf_policy_model_build_all_useful_policies(raw).zero? 37 | polit = OpenSCAP.xccdf_policy_model_get_policies raw 38 | while OpenSCAP.xccdf_policy_iterator_has_more polit 39 | policy_p = OpenSCAP.xccdf_policy_iterator_next polit 40 | policy = OpenSCAP::Xccdf::Policy.new policy_p 41 | policies[policy.id] = policy 42 | end 43 | OpenSCAP.xccdf_policy_iterator_free polit 44 | policies 45 | end 46 | end 47 | end 48 | 49 | attach_function :xccdf_policy_model_new, [:pointer], :pointer 50 | attach_function :xccdf_policy_model_free, [:pointer], :void 51 | attach_function :xccdf_policy_model_build_all_useful_policies, [:pointer], :int 52 | 53 | attach_function :xccdf_policy_model_get_policies, [:pointer], :pointer 54 | attach_function :xccdf_policy_iterator_has_more, [:pointer], :bool 55 | attach_function :xccdf_policy_iterator_next, [:pointer], :pointer 56 | attach_function :xccdf_policy_iterator_free, [:pointer], :void 57 | end 58 | -------------------------------------------------------------------------------- /lib/openscap/ds/arf.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap/ds/sds' 4 | require 'openscap/source' 5 | require 'openscap/xccdf/testresult' 6 | require 'openscap/libc' 7 | 8 | module OpenSCAP 9 | module DS 10 | class Arf 11 | attr_reader :source 12 | 13 | def initialize(param) 14 | case param 15 | when String, Hash 16 | @source = OpenSCAP::Source.new(param) 17 | @session = OpenSCAP.ds_rds_session_new_from_source @source.raw 18 | else 19 | raise OpenSCAP::OpenSCAPError, "Cannot initialize #{self.class.name} with '#{param}'" 20 | end 21 | OpenSCAP.raise! if @session.null? 22 | end 23 | 24 | def destroy 25 | OpenSCAP.ds_rds_session_free(@session) 26 | @session = nil 27 | @source.destroy 28 | end 29 | 30 | def test_result(id = nil) 31 | source = OpenSCAP.ds_rds_session_select_report(@session, id) 32 | OpenSCAP.raise! if source.nil? 33 | OpenSCAP::Xccdf::TestResult.new(source) 34 | end 35 | 36 | def test_result=(tr) 37 | source = tr.source 38 | OpenSCAP.raise! unless OpenSCAP.ds_rds_session_replace_report_with_source(@session, source.raw).zero? 39 | end 40 | 41 | def report_request(id = nil) 42 | source_p = OpenSCAP.ds_rds_session_select_report_request(@session, id) 43 | source = OpenSCAP::Source.new source_p 44 | OpenSCAP::DS::Sds.new(source) 45 | end 46 | 47 | def html 48 | html_p = OpenSCAP.ds_rds_session_get_html_report @session 49 | OpenSCAP.raise! if OpenSCAP.error? 50 | return nil if html_p.null? 51 | 52 | html = html_p.read_string 53 | OpenSCAP::LibC.free html_p 54 | html 55 | end 56 | end 57 | end 58 | 59 | attach_function :ds_rds_session_new_from_source, [:pointer], :pointer 60 | attach_function :ds_rds_session_free, [:pointer], :void 61 | attach_function :ds_rds_session_select_report, [:pointer, :string], :pointer 62 | attach_function :ds_rds_session_replace_report_with_source, [:pointer, :pointer], :int 63 | attach_function :ds_rds_session_select_report_request, [:pointer, :string], :pointer 64 | attach_function :ds_rds_session_get_html_report, [:pointer], :pointer 65 | end 66 | -------------------------------------------------------------------------------- /lib/openscap/xccdf/ruleresult.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap/exceptions' 4 | require 'openscap/text' 5 | 6 | module OpenSCAP 7 | module Xccdf 8 | class RuleResult 9 | def initialize(t) 10 | case t 11 | when FFI::Pointer 12 | @rr = t 13 | else 14 | raise OpenSCAP::OpenSCAPError, "Cannot initialize #{self.class.name} with #{t}" 15 | end 16 | end 17 | 18 | def id 19 | OpenSCAP.xccdf_rule_result_get_idref @rr 20 | end 21 | 22 | def result 23 | OpenSCAP.xccdf_test_result_type_get_text \ 24 | OpenSCAP.xccdf_rule_result_get_result(@rr) 25 | end 26 | 27 | def override!(param) 28 | validate_xccdf_result! param[:new_result] 29 | t = OpenSCAP::Text.new 30 | t.text = param[:raw_text] 31 | unless OpenSCAP.xccdf_rule_result_override(@rr, 32 | OpenSCAP::XccdfResult[param[:new_result]], 33 | param[:time], param[:authority], t.raw) 34 | OpenSCAP.raise! 35 | end 36 | end 37 | 38 | def destroy 39 | OpenSCAP.xccdf_rule_result_free @rr 40 | end 41 | 42 | private 43 | 44 | def validate_xccdf_result!(result_label) 45 | if OpenSCAP::XccdfResult[result_label] > OpenSCAP::XccdfResult[:fixed] 46 | raise OpenSCAPError, "Could not recognize result type: '#{result_label}'" 47 | end 48 | end 49 | end 50 | end 51 | 52 | attach_function :xccdf_rule_result_get_idref, [:pointer], :string 53 | attach_function :xccdf_rule_result_free, [:pointer], :void 54 | attach_function :xccdf_rule_result_get_result, [:pointer], :int 55 | attach_function :xccdf_test_result_type_get_text, [:int], :string 56 | 57 | XccdfResult = enum(:pass, 1, 58 | :fail, 59 | :error, 60 | :unknown, 61 | :notapplicable, 62 | :notchecked, 63 | :notselected, 64 | :informational, 65 | :fixed) 66 | attach_function :xccdf_rule_result_override, 67 | [:pointer, XccdfResult, :string, :string, :pointer], :bool 68 | end 69 | -------------------------------------------------------------------------------- /lib/openscap/xccdf/rule.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap/exceptions' 4 | require 'openscap/xccdf/item' 5 | require 'openscap/xccdf/fix' 6 | require 'openscap/xccdf/ident' 7 | 8 | module OpenSCAP 9 | module Xccdf 10 | class Rule < Item 11 | def severity 12 | severity = OpenSCAP.xccdf_rule_get_severity(@raw) 13 | severity_mapping = { 14 | :xccdf_level_not_defined => 'Not defined', 15 | :xccdf_unknown => 'Unknown', 16 | :xccdf_info => 'Info', 17 | :xccdf_low => 'Low', 18 | :xccdf_medium => 'Medium', 19 | :xccdf_high => 'High' 20 | } 21 | severity_mapping[severity] || severity_mapping[:xccdf_unknown] 22 | end 23 | 24 | def fixes 25 | fixes = [] 26 | items_it = OpenSCAP.xccdf_rule_get_fixes(@raw) 27 | while OpenSCAP.xccdf_fix_iterator_has_more items_it 28 | fixes << OpenSCAP::Xccdf::Fix.new(OpenSCAP.xccdf_fix_iterator_next(items_it)) 29 | end 30 | OpenSCAP.xccdf_fix_iterator_free items_it 31 | fixes 32 | end 33 | 34 | def idents 35 | idents = [] 36 | idents_it = OpenSCAP.xccdf_rule_get_idents(@raw) 37 | while OpenSCAP.xccdf_ident_iterator_has_more idents_it 38 | idents << OpenSCAP::Xccdf::Ident.new(OpenSCAP.xccdf_ident_iterator_next(idents_it)) 39 | end 40 | OpenSCAP.xccdf_ident_iterator_free idents_it 41 | idents 42 | end 43 | end 44 | end 45 | XccdfSeverity = enum( 46 | :xccdf_level_not_defined, 0, 47 | :xccdf_unknown, 1, 48 | :xccdf_info, 49 | :xccdf_low, 50 | :xccdf_medium, 51 | :xccdf_high 52 | ) 53 | attach_function :xccdf_rule_get_severity, [:pointer], XccdfSeverity 54 | attach_function :xccdf_rule_get_fixes, [:pointer], :pointer 55 | attach_function :xccdf_fix_iterator_has_more, [:pointer], :bool 56 | attach_function :xccdf_fix_iterator_next, [:pointer], :pointer 57 | attach_function :xccdf_fix_iterator_free, [:pointer], :void 58 | 59 | attach_function :xccdf_rule_get_idents, [:pointer], :pointer 60 | attach_function :xccdf_ident_iterator_has_more, [:pointer], :bool 61 | attach_function :xccdf_ident_iterator_next, [:pointer], :pointer 62 | attach_function :xccdf_ident_iterator_free, [:pointer], :void 63 | end 64 | -------------------------------------------------------------------------------- /test/source_test.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap' 4 | require 'openscap/source' 5 | require 'common/testcase' 6 | 7 | class TestSource < OpenSCAP::TestCase 8 | def test_source_new_nil 9 | msg = nil 10 | begin 11 | OpenSCAP::Source.new(nil) 12 | assert false 13 | rescue OpenSCAP::OpenSCAPError => e 14 | msg = e.to_s 15 | end 16 | assert msg.start_with?('No filename specified!'), 'Message was: ' + msg 17 | end 18 | 19 | def test_source_new_ok 20 | s = OpenSCAP::Source.new('../data/xccdf.xml') 21 | s.destroy 22 | end 23 | 24 | def test_source_new_memory 25 | raw_data = File.read('../data/xccdf.xml') 26 | refute raw_data.empty? 27 | s = OpenSCAP::Source.new(:content => raw_data, :path => '/mytestpath') 28 | s.destroy 29 | end 30 | 31 | def test_type_xccdf 32 | s = OpenSCAP::Source.new('../data/xccdf.xml') 33 | assert s.type == 'XCCDF Checklist', "Type was #{s.type}" 34 | s.validate! 35 | s.destroy 36 | end 37 | 38 | def test_type_sds 39 | s = OpenSCAP::Source.new('../data/sds-complex.xml') 40 | assert s.type == 'SCAP Source Datastream', "Type was #{s.type}" 41 | s.validate! 42 | s.destroy 43 | end 44 | 45 | def test_type_test_result 46 | s = OpenSCAP::Source.new('../data/testresult.xml') 47 | assert s.type == 'XCCDF Checklist', "Type was #{s.type}" 48 | s.validate! 49 | s.destroy 50 | end 51 | 52 | def test_validate_invalid 53 | s = OpenSCAP::Source.new('../data/invalid.xml') 54 | msg = nil 55 | begin 56 | s.validate! 57 | assert false 58 | rescue OpenSCAP::OpenSCAPError => e 59 | msg = e.to_s 60 | end 61 | assert msg.start_with?('Invalid XCCDF Checklist (1.2) content in ../data/invalid.xml.'), 62 | 'Message was: ' + msg 63 | assert msg.include?("../data/invalid.xml:3: Element '{http"), 64 | 'Message was: ' + msg 65 | assert msg.include?('This element is not expected. Expected is'), 66 | 'Message was: ' + msg 67 | s.destroy 68 | end 69 | 70 | def test_save 71 | s = OpenSCAP::Source.new('../data/testresult.xml') 72 | filename = './newly_created.xml' 73 | assert !File.exist?(filename) 74 | s.save(filename) 75 | assert File.exist?(filename) 76 | FileUtils.rm_rf filename 77 | end 78 | end 79 | -------------------------------------------------------------------------------- /lib/openscap/xccdf/benchmark.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap/source' 4 | require 'openscap/xccdf/profile' 5 | require 'openscap/xccdf/item' 6 | 7 | module OpenSCAP 8 | module Xccdf 9 | class Benchmark 10 | attr_reader :raw 11 | 12 | def initialize(p) 13 | case p 14 | when OpenSCAP::Source 15 | @raw = OpenSCAP.xccdf_benchmark_import_source p.raw 16 | else 17 | raise OpenSCAP::OpenSCAPError, 18 | "Cannot initialize OpenSCAP::Xccdf::Benchmark with '#{p}'" 19 | end 20 | OpenSCAP.raise! if @raw.null? 21 | end 22 | 23 | def profiles 24 | @profiles ||= profiles_init 25 | end 26 | 27 | def items 28 | @items ||= items_init 29 | end 30 | 31 | def destroy 32 | OpenSCAP.xccdf_benchmark_free @raw 33 | @raw = nil 34 | end 35 | 36 | private 37 | 38 | def profiles_init 39 | profiles = {} 40 | profit = OpenSCAP.xccdf_benchmark_get_profiles raw 41 | while OpenSCAP.xccdf_profile_iterator_has_more profit 42 | profile_p = OpenSCAP.xccdf_profile_iterator_next profit 43 | profile = OpenSCAP::Xccdf::Profile.new profile_p 44 | profiles[profile.id] = profile 45 | end 46 | OpenSCAP.xccdf_profile_iterator_free profit 47 | profiles 48 | end 49 | 50 | def items_init 51 | items = {} 52 | items_it = OpenSCAP.xccdf_item_get_content raw 53 | while OpenSCAP.xccdf_item_iterator_has_more items_it 54 | item_p = OpenSCAP.xccdf_item_iterator_next items_it 55 | item = OpenSCAP::Xccdf::Item.build item_p 56 | items.merge! item.sub_items 57 | items[item.id] = item 58 | # TODO: iterate through childs 59 | end 60 | OpenSCAP.xccdf_item_iterator_free items_it 61 | items 62 | end 63 | end 64 | end 65 | 66 | attach_function :xccdf_benchmark_import_source, [:pointer], :pointer 67 | attach_function :xccdf_benchmark_free, [:pointer], :void 68 | 69 | attach_function :xccdf_benchmark_get_profiles, [:pointer], :pointer 70 | attach_function :xccdf_profile_iterator_has_more, [:pointer], :bool 71 | attach_function :xccdf_profile_iterator_next, [:pointer], :pointer 72 | attach_function :xccdf_profile_iterator_free, [:pointer], :void 73 | end 74 | -------------------------------------------------------------------------------- /lib/openscap/source.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap' 4 | 5 | module OpenSCAP 6 | class Source 7 | attr_reader :raw 8 | 9 | def initialize(param) 10 | case param 11 | when nil 12 | raise OpenSCAPError, 'No filename specified!' 13 | when String 14 | @raw = OpenSCAP.oscap_source_new_from_file(param) 15 | when Hash 16 | @raw = create_from_memory param 17 | when FFI::Pointer 18 | @raw = param 19 | else 20 | raise OpenSCAP::OpenSCAPError, "Cannot initialize #{self.class.name} with '#{param}'" 21 | end 22 | OpenSCAP.raise! if @raw.null? 23 | end 24 | 25 | def type 26 | OpenSCAP.oscap_document_type_to_string(OpenSCAP.oscap_source_get_scap_type(@raw)) 27 | end 28 | 29 | def validate! 30 | e = FFI::MemoryPointer.new(:char, 4096) 31 | OpenSCAP.raise!(e.read_string) unless OpenSCAP.oscap_source_validate(@raw, XmlReporterCallback, e).zero? 32 | end 33 | 34 | def save(filepath = nil) 35 | OpenSCAP.raise! unless OpenSCAP.oscap_source_save_as(@raw, filepath).zero? 36 | end 37 | 38 | def destroy 39 | OpenSCAP.oscap_source_free(@raw) 40 | @raw = nil 41 | end 42 | 43 | private 44 | 45 | def create_from_memory(param) 46 | param[:length] = param[:content].length unless param[:length] 47 | buf = FFI::MemoryPointer.new(:char, param[:length]) 48 | buf.put_bytes(0, param[:content]) 49 | OpenSCAP.oscap_source_new_from_memory param[:content], param[:length], param[:path] 50 | end 51 | end 52 | 53 | attach_function :oscap_source_new_from_file, [:string], :pointer 54 | attach_function :oscap_source_new_from_memory, [:pointer, :int, :string], :pointer 55 | attach_function :oscap_source_get_scap_type, [:pointer], :int 56 | attach_function :oscap_source_free, [:pointer], :void 57 | attach_function :oscap_source_save_as, [:pointer, :string], :int 58 | 59 | callback :xml_reporter, [:string, :int, :string, :pointer], :int 60 | attach_function :oscap_source_validate, [:pointer, :xml_reporter, :pointer], :int 61 | XmlReporterCallback = proc do |filename, line_number, error_message, e| 62 | offset = e.get_string(0).length 63 | msg = "#{filename}:#{line_number}: #{error_message}" 64 | if msg.length + offset + 1 < e.size 65 | e.put_string(offset, msg) 66 | 0 67 | else 68 | 1 69 | end 70 | end 71 | end 72 | -------------------------------------------------------------------------------- /test/integration/arf_waiver_test.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap' 4 | require 'openscap/xccdf/benchmark' 5 | require 'openscap/xccdf/ruleresult' 6 | require 'openscap/xccdf/session' 7 | require 'openscap/xccdf/testresult' 8 | require 'openscap/ds/arf' 9 | require 'openscap/ds/sds' 10 | require 'common/testcase' 11 | 12 | class TestArfWaiver < OpenSCAP::TestCase 13 | def test_waiver_and_score 14 | assert_default_score tr.score, -1, 1 15 | assert_default_score tr.score!(benchmark), -1, 1 16 | 17 | rr.override!(:new_result => :pass, 18 | :time => 'yesterday', 19 | :authority => 'John Hacker', 20 | :raw_text => 'This should have passed') 21 | assert rr.result == 'pass' 22 | 23 | assert_default_score tr.score, -1, 1 24 | assert_default_score tr.score!(benchmark), 99, 101 25 | 26 | # create updated DOM (that includes the override element and new score) 27 | arf.test_result = tr 28 | arf.source.save('modified.rds.xml') 29 | tr.destroy 30 | arf.destroy 31 | 32 | arf2 = OpenSCAP::DS::Arf.new('modified.rds.xml') 33 | tr2 = arf2.test_result('xccdf1') 34 | assert_default_score tr.score, 99, 101 35 | rr2 = tr2.rr['xccdf_moc.elpmaxe.www_rule_first'] 36 | assert rr2.result == 'pass' 37 | tr2.destroy 38 | arf2.destroy 39 | end 40 | 41 | private 42 | 43 | def benchmark 44 | @benchmark ||= benchmark_init 45 | end 46 | 47 | def benchmark_init 48 | sds = arf.report_request 49 | bench_source = sds.select_checklist! 50 | bench = OpenSCAP::Xccdf::Benchmark.new bench_source 51 | sds.destroy 52 | bench 53 | end 54 | 55 | def rr 56 | @rr ||= rr_init 57 | end 58 | 59 | def rr_init 60 | assert tr.rr.size == 1 61 | rr = tr.rr['xccdf_moc.elpmaxe.www_rule_first'] 62 | assert rr.result == 'fail' 63 | rr 64 | end 65 | 66 | def tr 67 | @tr ||= tr_init 68 | end 69 | 70 | def tr_init 71 | tr = arf.test_result 72 | assert tr.score.size == 1 73 | score = tr.score['urn:xccdf:scoring:default'] 74 | assert score[:system] == 'urn:xccdf:scoring:default' 75 | assert score[:max] == 100.0 76 | assert score[:value] == 0.0 77 | tr 78 | end 79 | 80 | def arf 81 | @arf ||= arf_init 82 | end 83 | 84 | def arf_init 85 | @s = OpenSCAP::Xccdf::Session.new('../data/sds-complex.xml') 86 | @s.load 87 | @s.evaluate 88 | @s.export_results(:rds_file => 'report.rds.xml') 89 | OpenSCAP::DS::Arf.new('report.rds.xml') 90 | end 91 | end 92 | -------------------------------------------------------------------------------- /test/ds/arf_test.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap' 4 | require 'openscap/ds/arf' 5 | require 'common/testcase' 6 | 7 | class TestArf < OpenSCAP::TestCase 8 | REPORT = 'report.rds.xml' 9 | 10 | def test_arf_new_nil 11 | msg = nil 12 | begin 13 | OpenSCAP::DS::Arf.new(nil) 14 | assert false 15 | rescue OpenSCAP::OpenSCAPError => e 16 | msg = e.to_s 17 | end 18 | assert msg.start_with?("Cannot initialize OpenSCAP::DS::Arf with ''"), 'Message was: ' + msg 19 | end 20 | 21 | def test_arf_new_wrong_format 22 | msg = nil 23 | begin 24 | OpenSCAP::DS::Arf.new('../data/xccdf.xml') 25 | assert false 26 | rescue OpenSCAP::OpenSCAPError => e 27 | msg = e.to_s 28 | end 29 | assert msg.include?('Could not create Result DataStream session: File is not Result DataStream.'), 30 | 'Message was: ' + msg 31 | end 32 | 33 | def test_create_arf_and_get_html 34 | arf = new_arf 35 | html = arf.html 36 | arf.destroy 37 | assert html.start_with?(' raw_data, :path => REPORT 56 | arf.destroy 57 | end 58 | 59 | def test_new_bz_memory 60 | bziped_file = new_arf_bz 61 | raw_data = File.open(bziped_file, 'rb').read 62 | assert !raw_data.empty? 63 | len = File.size(bziped_file) 64 | FileUtils.rm bziped_file 65 | arf = OpenSCAP::DS::Arf.new :content => raw_data, :path => bziped_file, :length => len 66 | arf.destroy 67 | end 68 | 69 | def test_new_bz_file 70 | bziped_file = new_arf_bz 71 | arf = OpenSCAP::DS::Arf.new(bziped_file) 72 | arf.destroy 73 | FileUtils.rm bziped_file 74 | end 75 | 76 | private 77 | 78 | def new_arf_bz 79 | create_arf 80 | system('/usr/bin/bzip2 ' + REPORT) 81 | REPORT + '.bz2' 82 | end 83 | 84 | def new_arf 85 | create_arf 86 | OpenSCAP::DS::Arf.new(REPORT) 87 | end 88 | 89 | def create_arf 90 | @s = OpenSCAP::Xccdf::Session.new('../data/sds-complex.xml') 91 | @s.load(:component_id => 'scap_org.open-scap_cref_second-xccdf.xml') 92 | @s.profile = 'xccdf_moc.elpmaxe.www_profile_1' 93 | @s.evaluate 94 | @s.export_results(:rds_file => 'report.rds.xml') 95 | end 96 | end 97 | -------------------------------------------------------------------------------- /test/data/tailoring.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 1 5 | 6 | Upstream Firefox STIG [CUSTOMIZED] 7 | This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, 8 | serving as the upstream development environment for the Firefox STIG. 9 | 10 | As a result of the upstream/downstream relationship between the SCAP Security Guide project 11 | and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. 12 | For official DISA FSO STIG content, refer to http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx. 13 | 14 | While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note 15 | that commercial support of this SCAP content is NOT available. This profile is provided as example 16 | SCAP content with no endorsement for suitability or production readiness. Support for this 17 | profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The 18 | upstream project homepage is https://fedorahosted.org/scap-security-guide/. 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /test/xccdf/testresult_test.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap' 4 | require 'openscap/source' 5 | require 'openscap/xccdf/benchmark' 6 | require 'openscap/xccdf/testresult' 7 | require 'common/testcase' 8 | 9 | class TestTestResult < OpenSCAP::TestCase 10 | def test_testresult_new_bad 11 | source = OpenSCAP::Source.new('../data/xccdf.xml') 12 | assert !source.nil? 13 | msg = nil 14 | begin 15 | OpenSCAP::Xccdf::TestResult.new(source) 16 | assert false 17 | rescue OpenSCAP::OpenSCAPError => e 18 | msg = e.to_s 19 | end 20 | assert msg.start_with?("Expected 'TestResult' element while found 'Benchmark'."), 21 | 'Message was: ' + msg 22 | end 23 | 24 | def test_result_create_and_query_properties 25 | tr = new_tr 26 | assert tr.id == 'xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_common', 27 | "TestResult.id was '#{tr.id}" 28 | assert tr.profile == 'xccdf_org.ssgproject.content_profile_common', 29 | "TestResult.profile was '#{tr.profile}'" 30 | tr.destroy 31 | end 32 | 33 | def test_result_create_and_query_rr 34 | tr = new_tr 35 | assert tr.rr.size == 28 36 | assert tr.rr.key?('xccdf_org.ssgproject.content_rule_disable_prelink') 37 | assert tr.rr.key?('xccdf_org.ssgproject.content_rule_no_direct_root_logins') 38 | assert tr.rr['xccdf_org.ssgproject.content_rule_disable_prelink'].result == 'fail' 39 | assert tr.rr['xccdf_org.ssgproject.content_rule_no_direct_root_logins'].result == 'notchecked' 40 | tr.destroy 41 | end 42 | 43 | def test_override 44 | tr = new_tr 45 | rr = tr.rr['xccdf_org.ssgproject.content_rule_disable_prelink'] 46 | assert rr.result == 'fail' 47 | rr.override!(:new_result => :pass, 48 | :time => 'yesterday', 49 | :authority => 'John Hacker', 50 | :raw_text => 'We are testing prelink on this machine') 51 | assert rr.result == 'pass' 52 | tr.destroy 53 | end 54 | 55 | def test_score 56 | tr = new_tr 57 | assert_default_score tr.score, 34, 35 58 | tr.destroy 59 | end 60 | 61 | def test_waive_and_score 62 | tr = new_tr 63 | benchmark = benchmark_for_tr 64 | 65 | assert_default_score tr.score, 34, 35 66 | assert_default_score tr.score!(benchmark), 34, 35 67 | 68 | rr = tr.rr['xccdf_org.ssgproject.content_rule_disable_prelink'] 69 | assert rr.result == 'fail' 70 | rr.override!(:new_result => :pass, 71 | :time => 'yesterday', 72 | :authority => 'John Hacker', 73 | :raw_text => 'We are testing prelink on this machine') 74 | assert rr.result == 'pass' 75 | 76 | assert_default_score tr.score, 34, 35 77 | assert_default_score tr.score!(benchmark), 47, 48 78 | 79 | benchmark.destroy 80 | tr.destroy 81 | end 82 | 83 | private 84 | 85 | def benchmark_for_tr 86 | source = OpenSCAP::Source.new('../data/xccdf.xml') 87 | benchmark = OpenSCAP::Xccdf::Benchmark.new source 88 | source.destroy 89 | benchmark 90 | end 91 | 92 | def new_tr 93 | source = OpenSCAP::Source.new('../data/testresult.xml') 94 | assert !source.nil? 95 | tr = OpenSCAP::Xccdf::TestResult.new(source) 96 | source.destroy 97 | tr 98 | end 99 | end 100 | -------------------------------------------------------------------------------- /lib/openscap/xccdf/testresult.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap/source' 4 | require 'openscap/exceptions' 5 | require 'openscap/xccdf' 6 | require 'openscap/xccdf/ruleresult' 7 | 8 | module OpenSCAP 9 | module Xccdf 10 | class TestResult 11 | attr_reader :rr 12 | attr_reader :raw 13 | 14 | def initialize(t) 15 | case t 16 | when OpenSCAP::Source 17 | @raw = OpenSCAP.xccdf_result_import_source(t.raw) 18 | OpenSCAP.raise! if @raw.null? 19 | when FFI::Pointer 20 | @raw = OpenSCAP.xccdf_result_import_source(t) 21 | OpenSCAP.raise! if @raw.null? 22 | else 23 | raise OpenSCAP::OpenSCAPError, "Cannot initialize #{self.class.name} with #{t}" 24 | end 25 | init_ruleresults 26 | end 27 | 28 | def id 29 | OpenSCAP.xccdf_result_get_id(@raw) 30 | end 31 | 32 | def profile 33 | OpenSCAP.xccdf_result_get_profile(@raw) 34 | end 35 | 36 | def score 37 | @score ||= score_init 38 | end 39 | 40 | def score!(benchmark) 41 | # recalculate the scores in the scope of given benchmark 42 | @score = nil 43 | OpenSCAP.raise! unless OpenSCAP.xccdf_result_recalculate_scores(@raw, benchmark.raw).zero? 44 | score 45 | end 46 | 47 | def source 48 | source_p = OpenSCAP.xccdf_result_export_source(raw, nil) 49 | OpenSCAP::Source.new source_p 50 | end 51 | 52 | def destroy 53 | OpenSCAP.xccdf_result_free @raw 54 | @raw = nil 55 | end 56 | 57 | private 58 | 59 | def init_ruleresults 60 | @rr = {} 61 | rr_it = OpenSCAP.xccdf_result_get_rule_results(@raw) 62 | while OpenSCAP.xccdf_rule_result_iterator_has_more(rr_it) 63 | rr_raw = OpenSCAP.xccdf_rule_result_iterator_next(rr_it) 64 | rr = OpenSCAP::Xccdf::RuleResult.new rr_raw 65 | @rr[rr.id] = rr 66 | end 67 | OpenSCAP.xccdf_rule_result_iterator_free(rr_it) 68 | end 69 | 70 | def score_init 71 | scores = {} 72 | scorit = OpenSCAP.xccdf_result_get_scores(@raw) 73 | while OpenSCAP.xccdf_score_iterator_has_more(scorit) 74 | s = OpenSCAP.xccdf_score_iterator_next(scorit) 75 | scores[OpenSCAP.xccdf_score_get_system(s)] = { 76 | :system => OpenSCAP.xccdf_score_get_system(s), 77 | :value => OpenSCAP.xccdf_score_get_score(s), 78 | :max => OpenSCAP.xccdf_score_get_maximum(s) 79 | } 80 | end 81 | OpenSCAP.xccdf_score_iterator_free(scorit) 82 | scores 83 | end 84 | end 85 | end 86 | 87 | attach_function :xccdf_result_import_source, [:pointer], :pointer 88 | attach_function :xccdf_result_free, [:pointer], :void 89 | attach_function :xccdf_result_get_id, [:pointer], :string 90 | attach_function :xccdf_result_get_profile, [:pointer], :string 91 | attach_function :xccdf_result_recalculate_scores, [:pointer, :pointer], :int 92 | attach_function :xccdf_result_export_source, [:pointer, :string], :pointer 93 | 94 | attach_function :xccdf_result_get_rule_results, [:pointer], :pointer 95 | attach_function :xccdf_rule_result_iterator_has_more, [:pointer], :bool 96 | attach_function :xccdf_rule_result_iterator_free, [:pointer], :void 97 | attach_function :xccdf_rule_result_iterator_next, [:pointer], :pointer 98 | 99 | attach_function :xccdf_result_get_scores, [:pointer], :pointer 100 | attach_function :xccdf_score_iterator_has_more, [:pointer], :bool 101 | attach_function :xccdf_score_iterator_free, [:pointer], :void 102 | attach_function :xccdf_score_iterator_next, [:pointer], :pointer 103 | attach_function :xccdf_score_get_system, [:pointer], :string 104 | attach_function :xccdf_score_get_score, [:pointer], OpenSCAP::Xccdf::NUMERIC 105 | attach_function :xccdf_score_get_maximum, [:pointer], OpenSCAP::Xccdf::NUMERIC 106 | end 107 | -------------------------------------------------------------------------------- /test/xccdf/session_ds_test.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap' 4 | require 'common/testcase' 5 | 6 | class TestSessionDS < OpenSCAP::TestCase 7 | def test_sds_true 8 | @s = OpenSCAP::Xccdf::Session.new('../data/sds-complex.xml') 9 | assert @s.sds? 10 | end 11 | 12 | def test_session_load 13 | @s = OpenSCAP::Xccdf::Session.new('../data/sds-complex.xml') 14 | @s.load 15 | @s.evaluate 16 | end 17 | 18 | def test_session_load_ds_comp 19 | @s = OpenSCAP::Xccdf::Session.new('../data/sds-complex.xml') 20 | @s.load(:datastream_id => 'scap_org.open-scap_datastream_tst2', :component_id => 'scap_org.open-scap_cref_second-xccdf.xml2') 21 | @s.evaluate 22 | end 23 | 24 | def test_session_load_bad_datastream 25 | @s = OpenSCAP::Xccdf::Session.new('../data/sds-complex.xml') 26 | msg = nil 27 | begin 28 | @s.load(:datastream_id => 'nonexistent') 29 | assert false 30 | rescue OpenSCAP::OpenSCAPError => e 31 | msg = e.to_s 32 | end 33 | assert msg.start_with?("Failed to locate a datastream with ID matching 'nonexistent' ID and checklist inside matching '' ID.") 34 | end 35 | 36 | def test_session_load_bad_component 37 | @s = OpenSCAP::Xccdf::Session.new('../data/sds-complex.xml') 38 | msg = nil 39 | begin 40 | @s.load(:component_id => 'nonexistent') 41 | assert false 42 | rescue OpenSCAP::OpenSCAPError => e 43 | msg = e.to_s 44 | end 45 | assert msg.start_with?("Failed to locate a datastream with ID matching '' ID and checklist inside matching 'nonexistent' ID.") 46 | end 47 | 48 | def test_session_set_profile 49 | @s = OpenSCAP::Xccdf::Session.new('../data/sds-complex.xml') 50 | @s.load(:component_id => 'scap_org.open-scap_cref_second-xccdf.xml') 51 | @s.profile = 'xccdf_moc.elpmaxe.www_profile_1' 52 | @s.evaluate 53 | end 54 | 55 | def test_session_set_profile_bad 56 | @s = OpenSCAP::Xccdf::Session.new('../data/sds-complex.xml') 57 | @s.load 58 | msg = nil 59 | begin 60 | @s.profile = 'xccdf_moc.elpmaxe.www_profile_1' 61 | assert false 62 | rescue OpenSCAP::OpenSCAPError => e 63 | msg = e.to_s 64 | end 65 | assert msg.start_with?("No profile 'xccdf_moc.elpmaxe.www_profile_1' found") 66 | end 67 | 68 | def test_session_export_rds 69 | @s = OpenSCAP::Xccdf::Session.new('../data/sds-complex.xml') 70 | @s.load 71 | @s.evaluate 72 | @s.export_results(:rds_file => 'report.rds.xml') 73 | assert_exported ['report.rds.xml'] 74 | end 75 | 76 | def test_session_export_xccdf_results 77 | @s = OpenSCAP::Xccdf::Session.new('../data/sds-complex.xml') 78 | @s.load(:component_id => 'scap_org.open-scap_cref_second-xccdf.xml') 79 | @s.profile = 'xccdf_moc.elpmaxe.www_profile_1' 80 | @s.evaluate 81 | @s.export_results(:xccdf_file => 'result.xccdf.xml') 82 | assert_exported ['result.xccdf.xml'] 83 | end 84 | 85 | def test_session_export_html_report 86 | @s = OpenSCAP::Xccdf::Session.new('../data/sds-complex.xml') 87 | @s.load(:component_id => 'scap_org.open-scap_cref_second-xccdf.xml') 88 | @s.profile = 'xccdf_moc.elpmaxe.www_profile_1' 89 | @s.evaluate 90 | @s.export_results(:report_file => 'report.html', :xccdf_file => 'result.xccdf.xml') 91 | assert_exported ['report.html', 'result.xccdf.xml'] 92 | end 93 | 94 | def test_session_export_oval_variables 95 | @s = OpenSCAP::Xccdf::Session.new('../data/sds-complex.xml') 96 | @s.load(:component_id => 'scap_org.open-scap_cref_second-xccdf.xml') 97 | @s.profile = 'xccdf_moc.elpmaxe.www_profile_1' 98 | @s.evaluate 99 | @s.export_results(:oval_variables => true) 100 | assert_exported [] 101 | end 102 | 103 | def test_remediate 104 | @s = OpenSCAP::Xccdf::Session.new('../data/sds-complex.xml') 105 | @s.load(:component_id => 'scap_org.open-scap_cref_second-xccdf.xml') 106 | @s.profile = 'xccdf_moc.elpmaxe.www_profile_1' 107 | @s.evaluate 108 | @s.remediate 109 | end 110 | 111 | def assert_exported(files) 112 | # libopenscap compiled with --enable-debug creates debug files 113 | FileUtils.rm_rf(Dir.glob('oscap_debug.log.*')) 114 | assert files.sort == Dir.glob('*').sort 115 | end 116 | end 117 | -------------------------------------------------------------------------------- /lib/openscap/xccdf/item.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'openscap/exceptions' 4 | require 'openscap/text' 5 | require 'openscap/xccdf/group' 6 | require 'openscap/xccdf/rule' 7 | require 'openscap/xccdf/reference' 8 | 9 | module OpenSCAP 10 | module Xccdf 11 | class Item 12 | def self.build(t) 13 | raise OpenSCAP::OpenSCAPError, "Cannot initialize #{self.class.name} with #{t}" \ 14 | unless t.is_a?(FFI::Pointer) 15 | 16 | # This is Abstract base class that enables you to build its child 17 | case OpenSCAP.xccdf_item_get_type t 18 | when :group 19 | OpenSCAP::Xccdf::Group.new t 20 | when :rule 21 | OpenSCAP::Xccdf::Rule.new t 22 | else 23 | raise OpenSCAP::OpenSCAPError, "Unknown #{self.class.name} type: #{OpenSCAP.xccdf_item_get_type t}" 24 | end 25 | end 26 | 27 | def initialize(t) 28 | if self.class == OpenSCAP::Xccdf::Item 29 | raise OpenSCAP::OpenSCAPError, "Cannot initialize #{self.class.name} abstract base class." 30 | end 31 | 32 | @raw = t 33 | end 34 | 35 | def id 36 | OpenSCAP.xccdf_item_get_id @raw 37 | end 38 | 39 | def title(prefered_lang = nil) 40 | textlist = OpenSCAP::TextList.new(OpenSCAP.xccdf_item_get_title(@raw)) 41 | title = textlist.plaintext(prefered_lang) 42 | textlist.destroy 43 | title 44 | end 45 | 46 | def description(prefered_lang = nil) 47 | textlist = OpenSCAP::TextList.new(OpenSCAP.xccdf_item_get_description(@raw)) 48 | description = textlist.plaintext(prefered_lang) 49 | textlist.destroy 50 | description 51 | end 52 | 53 | def rationale(prefered_lang = nil) 54 | textlist = OpenSCAP::TextList.new(OpenSCAP.xccdf_item_get_rationale(@raw)) 55 | rationale = textlist.plaintext(prefered_lang) 56 | textlist.destroy 57 | rationale 58 | end 59 | 60 | def references 61 | refs = [] 62 | refs_it = OpenSCAP.xccdf_item_get_references(@raw) 63 | while OpenSCAP.oscap_reference_iterator_has_more refs_it 64 | ref = OpenSCAP::Xccdf::Reference.new(OpenSCAP.oscap_reference_iterator_next(refs_it)) 65 | refs << ref 66 | end 67 | OpenSCAP.oscap_reference_iterator_free refs_it 68 | refs 69 | end 70 | 71 | def sub_items 72 | @sub_items ||= sub_items_init 73 | end 74 | 75 | def destroy 76 | OpenSCAP.xccdf_item_free @raw 77 | @raw = nil 78 | end 79 | 80 | private 81 | 82 | def sub_items_init 83 | collect = {} 84 | items_it = OpenSCAP.xccdf_item_get_content @raw 85 | while OpenSCAP.xccdf_item_iterator_has_more items_it 86 | item_p = OpenSCAP.xccdf_item_iterator_next items_it 87 | item = OpenSCAP::Xccdf::Item.build item_p 88 | collect.merge! item.sub_items 89 | collect[item.id] = item 90 | end 91 | OpenSCAP.xccdf_item_iterator_free items_it 92 | collect 93 | end 94 | end 95 | end 96 | 97 | attach_function :xccdf_item_get_id, [:pointer], :string 98 | attach_function :xccdf_item_get_content, [:pointer], :pointer 99 | attach_function :xccdf_item_free, [:pointer], :void 100 | attach_function :xccdf_item_get_title, [:pointer], :pointer 101 | attach_function :xccdf_item_get_description, [:pointer], :pointer 102 | attach_function :xccdf_item_get_rationale, [:pointer], :pointer 103 | 104 | XccdfItemType = enum(:benchmark, 0x0100, 105 | :profile, 0x0200, 106 | :result, 0x0400, 107 | :rule, 0x1000, 108 | :group, 0x2000, 109 | :value, 0x4000) 110 | attach_function :xccdf_item_get_type, [:pointer], XccdfItemType 111 | 112 | attach_function :xccdf_item_iterator_has_more, [:pointer], :bool 113 | attach_function :xccdf_item_iterator_next, [:pointer], :pointer 114 | attach_function :xccdf_item_iterator_free, [:pointer], :void 115 | 116 | attach_function :xccdf_item_get_references, [:pointer], :pointer 117 | attach_function :oscap_reference_iterator_has_more, [:pointer], :bool 118 | attach_function :oscap_reference_iterator_next, [:pointer], :pointer 119 | attach_function :oscap_reference_iterator_free, [:pointer], :void 120 | end 121 | -------------------------------------------------------------------------------- /lib/openscap/xccdf/session.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | module OpenSCAP 4 | module Xccdf 5 | class Session 6 | def initialize(input_filename) 7 | raise OpenSCAPError, 'No filename specified!' unless input_filename 8 | 9 | @input_filename = input_filename 10 | @s = OpenSCAP.xccdf_session_new(input_filename) 11 | OpenSCAP.raise! if @s.null? 12 | end 13 | 14 | def sds? 15 | OpenSCAP.xccdf_session_is_sds(@s) 16 | end 17 | 18 | def load(opts = {}) 19 | o = { 20 | :datastream_id => nil, 21 | :component_id => nil 22 | }.merge(opts) 23 | if sds? 24 | OpenSCAP.xccdf_session_set_datastream_id(@s, o[:datastream_id]) 25 | OpenSCAP.xccdf_session_set_component_id(@s, o[:component_id]) 26 | end 27 | OpenSCAP.raise! unless OpenSCAP.xccdf_session_load(@s).zero? 28 | OpenSCAP.raise! unless OpenSCAP.xccdf_session_load_check_engine_plugins(@s).zero? 29 | end 30 | 31 | def profile=(p) 32 | @profile = p 33 | if OpenSCAP.xccdf_session_set_profile_id(@s, p) == false 34 | raise OpenSCAPError, "No profile '" + p + "' found" 35 | end 36 | end 37 | 38 | def evaluate 39 | OpenSCAP.raise! unless OpenSCAP.xccdf_session_evaluate(@s).zero? 40 | end 41 | 42 | def remediate 43 | OpenSCAP.raise! unless OpenSCAP.xccdf_session_remediate(@s).zero? 44 | end 45 | 46 | def export_results(opts = {}) 47 | o = { 48 | :rds_file => nil, 49 | :xccdf_file => nil, 50 | :report_file => nil, 51 | :oval_results => false, 52 | :oval_variables => false, 53 | :engines_results => false 54 | }.merge!(opts) 55 | export_targets o 56 | export 57 | end 58 | 59 | def destroy 60 | OpenSCAP.xccdf_session_free(@s) 61 | @s = nil 62 | end 63 | 64 | private 65 | 66 | def export 67 | OpenSCAP.raise! unless OpenSCAP.xccdf_session_export_oval(@s).zero? 68 | OpenSCAP.raise! unless OpenSCAP.xccdf_session_export_check_engine_plugins(@s).zero? 69 | OpenSCAP.raise! unless OpenSCAP.xccdf_session_export_xccdf(@s).zero? 70 | OpenSCAP.raise! unless OpenSCAP.xccdf_session_export_arf(@s).zero? 71 | end 72 | 73 | def export_targets(opts = {}) 74 | OpenSCAP.raise! unless OpenSCAP.xccdf_session_set_arf_export(@s, opts[:rds_file]) 75 | OpenSCAP.raise! unless OpenSCAP.xccdf_session_set_xccdf_export(@s, opts[:xccdf_file]) 76 | OpenSCAP.raise! unless OpenSCAP.xccdf_session_set_report_export(@s, opts[:report_file]) 77 | OpenSCAP.xccdf_session_set_oval_results_export(@s, opts[:oval_results]) 78 | OpenSCAP.xccdf_session_set_oval_variables_export(@s, opts[:oval_variables]) 79 | OpenSCAP.xccdf_session_set_check_engine_plugins_results_export(@s, opts[:engines_results]) 80 | end 81 | end 82 | end 83 | 84 | attach_function :xccdf_session_new, [:string], :pointer 85 | attach_function :xccdf_session_free, [:pointer], :void 86 | attach_function :xccdf_session_load, [:pointer], :int 87 | attach_function :xccdf_session_load_check_engine_plugins, [:pointer], :int 88 | attach_function :xccdf_session_evaluate, [:pointer], :int 89 | attach_function :xccdf_session_remediate, [:pointer], :int 90 | attach_function :xccdf_session_export_oval, [:pointer], :int 91 | attach_function :xccdf_session_export_check_engine_plugins, [:pointer], :int 92 | attach_function :xccdf_session_export_xccdf, [:pointer], :int 93 | attach_function :xccdf_session_export_arf, [:pointer], :int 94 | 95 | attach_function :xccdf_session_is_sds, [:pointer], :bool 96 | 97 | attach_function :xccdf_session_set_profile_id, [:pointer, :string], :bool 98 | attach_function :xccdf_session_set_datastream_id, [:pointer, :string], :void 99 | attach_function :xccdf_session_set_component_id, [:pointer, :string], :void 100 | attach_function :xccdf_session_set_arf_export, [:pointer, :string], :bool 101 | attach_function :xccdf_session_set_xccdf_export, [:pointer, :string], :bool 102 | attach_function :xccdf_session_set_report_export, [:pointer, :string], :bool 103 | attach_function :xccdf_session_set_oval_variables_export, [:pointer, :bool], :void 104 | attach_function :xccdf_session_set_oval_results_export, [:pointer, :bool], :void 105 | attach_function :xccdf_session_set_check_engine_plugins_results_export, [:pointer, :bool], :void 106 | end 107 | -------------------------------------------------------------------------------- /test/xccdf/benchmark_test.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'common/testcase' 4 | require 'openscap' 5 | require 'openscap/ds/sds' 6 | require 'openscap/source' 7 | require 'openscap/xccdf/benchmark' 8 | 9 | class TestBenchmark < OpenSCAP::TestCase 10 | def test_new_from_file 11 | b = benchmark_from_file 12 | b.destroy 13 | end 14 | 15 | def test_new_from_sds 16 | @s = OpenSCAP::Source.new '../data/sds-complex.xml' 17 | sds = OpenSCAP::DS::Sds.new @s 18 | bench_source = sds.select_checklist! 19 | assert !bench_source.nil? 20 | b = OpenSCAP::Xccdf::Benchmark.new bench_source 21 | assert !b.nil? 22 | b.destroy 23 | sds.destroy 24 | end 25 | 26 | def test_new_from_wrong 27 | @s = OpenSCAP::Source.new '../data/testresult.xml' 28 | msg = nil 29 | begin 30 | OpenSCAP::Xccdf::Benchmark.new @s 31 | assert false 32 | rescue OpenSCAP::OpenSCAPError => e 33 | msg = e.to_s 34 | end 35 | assert msg.start_with?("Find element 'TestResult' while expecting element: 'Benchmark'"), msg 36 | end 37 | 38 | def test_items_in_benchmark 39 | b = benchmark_from_file 40 | assert b.items.size == 138 41 | rules_count = b.items.count { |_, i| i.is_a?(OpenSCAP::Xccdf::Rule) } 42 | groups_count = b.items.count { |_, i| i.is_a?(OpenSCAP::Xccdf::Group) } 43 | assert rules_count == 76, "Got #{rules_count} rules" 44 | assert groups_count == 62, "Got #{groups_count} groups" 45 | b.destroy 46 | end 47 | 48 | def test_items_title 49 | b = benchmark_from_file 50 | prelink_rule = b.items['xccdf_org.ssgproject.content_rule_disable_prelink'] 51 | assert prelink_rule.title == 'Prelinking Disabled', prelink_rule.title 52 | b.destroy 53 | end 54 | 55 | def test_items_description 56 | b = benchmark_from_file 57 | install_hids_rule = b.items['xccdf_org.ssgproject.content_rule_install_hids'] 58 | expected_result = "\nThe Red Hat platform includes a sophisticated auditing system\nand SELinux, which provide host-based intrusion detection capabilities.\n" 59 | assert install_hids_rule.description == expected_result, install_hids_rule.description 60 | b.destroy 61 | end 62 | 63 | def test_items_rationale 64 | b = benchmark_from_file 65 | aide_rule = b.items['xccdf_org.ssgproject.content_rule_package_aide_installed'] 66 | expected_rationale = "\nThe AIDE package must be installed if it is to be available for integrity checking.\n" 67 | assert aide_rule.rationale == expected_rationale, aide_rule.rationale 68 | b.destroy 69 | end 70 | 71 | def test_items_severity 72 | b = benchmark_from_file 73 | prelink_rule = b.items['xccdf_org.ssgproject.content_rule_disable_prelink'] 74 | assert prelink_rule.severity == 'Low', prelink_rule.severity 75 | b.destroy 76 | end 77 | 78 | def test_items_references 79 | b = benchmark_from_file 80 | install_hids_rule = b.items['xccdf_org.ssgproject.content_rule_install_hids'] 81 | expected_references = [{ :title => 'SC-7', 82 | :href => 'http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf', 83 | :html_link => "SC-7" }, 84 | { :title => '1263', 85 | :href => 'http://iase.disa.mil/cci/index.html', 86 | :html_link => "1263" }] 87 | assert_equal(expected_references, install_hids_rule.references.map(&:to_hash), 'Install hids references should be equal') 88 | b.destroy 89 | end 90 | 91 | def test_items_fixes 92 | b = benchmark_from_file 93 | login_defs_rule = b.items['xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs'] 94 | expected_content = ["var_accounts_minimum_age_login_defs=\"\"\ngrep -q ^PASS_MIN_DAYS /etc/login.defs && \\\nsed -i \"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\\t$var_accounts_minimum_age_login_defs/g\" /etc/login.defs\nif ! [ $? -eq 0 ]\nthen\n echo -e \"PASS_MIN_DAYS\\t$var_accounts_minimum_age_login_defs\" >> /etc/login.defs\nfi\n"] 95 | expected_hashes = [{ 96 | :id => nil, 97 | :platform => nil, 98 | :content => expected_content.first, 99 | :system => 'urn:xccdf:fix:script:sh' 100 | }] 101 | assert_equal(expected_content, login_defs_rule.fixes.map(&:content), 'Fix content should match') 102 | assert_equal(expected_hashes, login_defs_rule.fixes.map(&:to_hash), 'Fix hash should match') 103 | b.destroy 104 | end 105 | 106 | private 107 | 108 | def benchmark_from_file 109 | source = OpenSCAP::Source.new '../data/xccdf.xml' 110 | b = OpenSCAP::Xccdf::Benchmark.new source 111 | source.destroy 112 | assert !b.nil? 113 | b 114 | end 115 | end 116 | -------------------------------------------------------------------------------- /test/data/sds-complex.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 5.10 46 | 0001-01-01T00:00:00+00:00 47 | 48 | 49 | 50 | 51 | x 52 | x 53 | 54 | x 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | oval:x:var:1 70 | 71 | 72 | 73 | 74 | x 75 | 76 | 77 | 78 | 79 | 80 | 81 | incomplete 82 | 1.0 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | incomplete 93 | 1.0 94 | 95 | is kinda compulsory 96 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | incomplete 114 | 1.0 115 | 116 | is kinda compulsory 117 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | -------------------------------------------------------------------------------- /test/data/testresult.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | OSCAP Scan Result 5 | root 6 | 7 | fedora20.mydomain 8 | 127.0.0.1 9 | 0:0:0:0:0:0:0:1 10 | 11 | OpenSCAP 12 | 1.0.9 13 | 00:00:00:00:00:00 14 | 15 | 16 | 17 | fail 18 | 19 | 20 | 21 | 22 | 23 | pass 24 | 25 | 26 | 27 | 28 | 29 | pass 30 | 31 | 32 | 33 | 34 | 35 | fail 36 | 37 | 38 | 39 | 40 | 41 | pass 42 | 43 | 44 | 45 | 46 | 47 | pass 48 | 49 | 50 | 51 | 52 | 53 | pass 54 | 55 | 56 | 57 | 58 | 59 | notchecked 60 | No candidate or applicable check found. 61 | 62 | 63 | 64 | To ensure root may not directly login to the system over physical consoles, 65 | run the following command: 66 | 
cat /etc/securetty
67 | If any output is returned, this is a finding. 68 | 69 | 70 | 71 | 72 | fail 73 | 74 | 75 | 76 | 77 | 78 | pass 79 | 80 | 81 | 82 | 83 | 84 | notselected 85 | 86 | 87 | 88 | Check the root home directory for a .mozilla directory. If 89 | one exists, ensure browsing is limited to local service administration. 90 | 91 | 92 | 93 | 94 | notselected 95 | 96 | 97 | 98 | 99 | 100 | 101 | To obtain a listing of all users, 102 | their UIDs, and their shells, run the command: 103 | 
$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
104 | Identify the system accounts from this listing. These will 105 | primarily be the accounts with UID numbers less than 500, other 106 | than root. 107 | 108 | 109 | 110 | 111 | pass 112 | 113 | 114 | 115 | 116 | 117 | notselected 118 | 119 | 120 | 121 | To view the root user's PATH, run the following command: 122 | 
# env | grep PATH
123 | If correctly configured, the PATH must: use vendor default settings, 124 | have no empty entries, and have no entries beginning with a character 125 | other than a slash (/). 126 | 127 | 128 | 129 | 130 | fail 131 | 132 | 133 | 134 | 135 | 136 | pass 137 | 138 | 139 | 140 | 141 | 142 | notselected 143 | 144 | 145 | 146 | To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, 147 | run the following command: 148 | 
# pwck -qr
149 | There should be no output. 150 | 151 | 152 | 153 | 154 | pass 155 | 156 | 157 | 158 | 159 | 160 | fail 161 | 162 | 163 | 164 | 165 | 166 | 167 | fail 168 | 169 | 170 | 171 | 172 | 173 | 174 | fail 175 | 176 | 177 | 178 | 179 | 180 | 181 | pass 182 | 183 | 184 | 185 | 186 | 187 | 188 | fail 189 | 190 | 191 | 192 | 193 | 194 | fail 195 | 196 | 197 | 198 | 199 | 200 | fail 201 | 202 | 203 | 204 | 205 | 206 | pass 207 | 208 | 209 | 210 | 211 | 212 | fail 213 | 214 | 215 | 216 | 217 | 218 | 219 | fail 220 | 221 | 222 | 223 | 224 | 34.722221 225 | 226 | -------------------------------------------------------------------------------- /COPYING: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | 294 | Copyright (C) 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | , 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | --------------------------------------------------------------------------------