Parse profiles from data stream files

New features:

- ability to parse profiles from data stream files

Important changes:

- strip namespaces from the xml file before parsing

Author: Ondrej Prazak

.gitignore

@@ -6,3 +6,4 @@
 /pkg/
 /spec/reports/
 /tmp/
+Gemfile.lock

lib/openscap_parser.rb

@@ -5,6 +5,7 @@
 require 'openscap_parser/rules'
 require 'openscap_parser/version'
 require 'openscap_parser/xml_report'
+require 'openscap_parser/ds'
 
 require 'date'
 

lib/openscap_parser/ds.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+require 'openscap_parser/xml_file'
+
+module OpenscapParser
+  class Ds
+    include OpenscapParser::XmlFile
+
+    def initialize(report)
+      report_xml report
+    end
+
+    def profiles
+      @profiles ||= profile_nodes
+    end
+
+    private
+
+    def profile_nodes
+      @report_xml.xpath(".//Profile").map do |node|
+        id = node.attribute('id')&.value
+        title = node.at_xpath('./title')&.text
+        description = node.at_xpath('./description')&.text
+        { :id => id, :title => title, :description => description }
+      end
+    end
+  end
+end

lib/openscap_parser/profile.rb

@@ -0,0 +1,9 @@
+module OpenscapParser
+  class Profile
+    attr_acessor :id, :title, :description
+
+    def to_h
+      { :id => id, :title => title, :description => description }
+    end
+  end
+end

lib/openscap_parser/profiles.rb

@@ -15,7 +15,7 @@ def profiles
         private
 
         def profile_node
-          @report_xml.at_xpath(".//xmlns:Profile\
+          @report_xml.at_xpath(".//Profile\
                              [contains('#{test_result_node['id']}', @id)]")
         end
 

lib/openscap_parser/rules.rb

@@ -6,7 +6,7 @@ module Rules
     def self.included(base)
       base.class_eval do
         def rule_ids
-          test_result_node.xpath('.//xmlns:rule-result/@idref').map(&:value)
+          test_result_node.xpath('.//rule-result/@idref').map(&:value)
         end
 
         def rule_objects

lib/openscap_parser/xml_file.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+require 'nokogiri'
+
+module OpenscapParser
+  module XmlFile
+    def report_xml(report_contents = '')
+      @report_xml ||= ::Nokogiri::XML.parse(report_contents)
+      @report_xml.remove_namespaces!
+    end
+  end
+end

lib/openscap_parser/xml_report.rb

@@ -1,24 +1,22 @@
 # frozen_string_literal: true
 require 'nokogiri'
+require 'openscap_parser/xml_file'
 
 module OpenscapParser
   # Methods related with parsing directly the XML from the Report
   # as opposed to using the OpenSCAP APIs
   module XMLReport
     def self.included(base)
       base.class_eval do
+        include OpenscapParser::XmlFile
+
         def host
           @report_xml.search('target').text
         end
 
         def description
           @report_xml.search('description').first.text
         end
-
-        def report_xml(report_contents = '')
-          @report_xml ||= ::Nokogiri::XML.parse(report_contents)
-          @report_xml.remove_namespaces! if @report_xml.namespaces.keys.include? 'xmlns:arf'
-        end
       end
     end
   end

test/ds_test.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+require 'test_helper'
+
+class DsTest < MiniTest::Test
+  context 'scap content' do
+    should 'be able to parse profiles' do
+      parser = create_parser('ssg-rhel7-ds.xml')
+      profile_titles = [
+        "United States Government Configuration Baseline",
+        "Standard System Security Profile for Red Hat Enterprise Linux 7",
+        "Criminal Justice Information Services (CJIS) Security Policy",
+        "C2S for Red Hat Enterprise Linux 7",
+        "Health Insurance Portability and Accountability Act (HIPAA)",
+        "Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)",
+        "DISA STIG for Red Hat Enterprise Linux 7",
+        "OSPP - Protection Profile for General Purpose Operating Systems v. 4.2",
+        "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7",
+        "Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)",
+        "PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7"
+      ]
+      assert_equal(profile_titles, parser.profiles.map { |profile| profile[:title] })
+    end
+  end
+
+  context 'tailoring file' do
+    should 'be able to parse profiles' do
+      parser = create_parser('ssg-rhel7-ds-tailoring.xml')
+      profile_titles = [
+        "Standard System Security Profile [CUSTOMIZED]",
+        "Common Profile for General-Purpose Systems [CUSTOMIZED]"
+      ]
+      assert_equal(profile_titles, parser.profiles.map { |profile| profile[:title] })
+    end
+  end
+
+  def create_parser(file)
+    scap_content = file_fixture(file).read
+    ::OpenscapParser::Ds.new(scap_content)
+  end
+end

test/fixtures/files/ssg-rhel7-ds-tailoring.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
+  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
+  <xccdf:version time="2018-04-18T09:09:42">1</xccdf:version>
+  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_standard_customized" extends="xccdf_org.ssgproject.content_profile_standard">
+    <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">Standard System Security Profile [CUSTOMIZED]</xccdf:title>
+    <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This profile contains rules to ensure standard security baseline
+of Red Hat Enterprise Linux 7 system. Regardless of your system's workload
+all of these checks should pass.</xccdf:description>
+    <xccdf:select idref="xccdf_org.ssgproject.content_group_gnome" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_enable_dconf_user_profile" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_group_gnome_login_screen" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_group_gnome_screen_locking" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_session_user_locks" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev" selected="true"/>
+  </xccdf:Profile>
+  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_common_customized" extends="xccdf_org.ssgproject.content_profile_common">
+    <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">Common Profile for General-Purpose Systems [CUSTOMIZED]</xccdf:title>
+    <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This profile contains items common to general-purpose desktop and server installations.</xccdf:description>
+    <xccdf:select idref="xccdf_org.ssgproject.content_group_proxy" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_service_squid_disabled" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_squid_removed" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_group_snmp" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_service_snmpd_disabled" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_net-snmp_removed" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_snmpd_not_default_password" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_group_routing" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_service_zebra_disabled" selected="true"/>
+    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_quagga_removed" selected="true"/>
+  </xccdf:Profile>
+</xccdf:Tailoring>