#!/usr/bin/python # # Copyright (c) 2016 Red Hat # Luke Hinds (lhinds@redhat.com) # This program and the accompanying materials # are made available under the terms of the Apache License, Version 2.0 # which accompanies this distribution, and is available at # # http://www.apache.org/licenses/LICENSE-2.0 # # 0.1: This script installs OpenSCAP on the remote host, and scans the # nominated node. Post scan a report is downloaded and if '--clean' is passed # all trace of the scan is removed from the remote system. import os import datetime import argparse __version__ = 0.1 __author__ = 'Luke Hinds (lhinds@redhat.com)' __url__ = 'https://wiki.opnfv.org/display/functest/Functest+Security' ''' Example Run: python ./OpenSCAP.py --host 192.168.0.24 --port 22 --user root --password p6ssw0rd oval --secpolicy /usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml --report report.html --results results.xml ''' # Variables needed.. pwd = os.getcwd() oscap = '/bin/oscap' currenttime = datetime.datetime.now().strftime('%Y-%m-%d_%H-%M-%S') # Set up the main parser parser = argparse.ArgumentParser(description='OpenSCAP Python Scanner') # Main args # Todo add required = True parser.add_argument('--user', action='store', dest='user', help='user') parser.add_argument('--password', action='store', dest='password', help='Password') parser.add_argument('--host', action='store', dest='host', help='host', required=True) parser.add_argument('--port', action='store', dest='port"', help='port', required=True) parser.add_argument('--dist', action='store', dest='dist', help='Distribution') parser.add_argument('--clean', action='store_true', dest='clean', help='Clean all files from host') # And the subparser subparsers = parser.add_subparsers( title='subcommands', description='valid subcommands', help='additional help') parser_xccdf = subparsers.add_parser('xccdf') parser_xccdf.set_defaults(which='xccdf') parser_oval = subparsers.add_parser('oval') parser_oval.set_defaults(which='oval') parser_oval_collect = subparsers.add_parser('oval-collect') parser_oval_collect.set_defaults(which='oval-collect') parser_xccdf.add_argument( '--profile', action='store', dest='profile', help='xccdf profile') parser_oval.add_argument( '--results', action='store', dest='results', help='Report name (inc extension (.html)') parser_oval.add_argument( '--report', action='store', dest='report', help='Report name (inc extension (.html)') parser_oval.add_argument( '--secpolicy', action='store', dest='secpolicy', help='Security Policy') parserout = parser.parse_args() args = vars(parser.parse_args()) def createfiles(): import connect global tmpdir localpath = os.getcwd() + '/scripts/createfiles.py' remotepath = '/tmp/createfiles.py' com = 'python /tmp/createfiles.py' connect = connect.connectionManager(parserout.host, parserout.user, parserout.password, localpath, remotepath, com) tmpdir = connect.remotescript() def install_pkg(): import connect com = 'yum -y install openscap-scanner scap-security-guide' connect = connect.connectionManager(parserout.host, parserout.user, parserout.password, com) install_pkg = connect.remotecmd() print install_pkg def run_scanner(): import connect if args['which'] == 'xccdf': print 'xccdf' com = '{0} xccdf eval'.format(oscap) connect = connect.connectionManager(parserout.host, parserout.user, parserout.password, com) elif args['which'] == 'oval': com = ('{0} oval eval --results {1}/{2}' + ' --report {1}/{3} {4}'.format(oscap, tmpdir.rstrip(), parserout.results, parserout.report, parserout.secpolicy)) connect = connect.connectionManager(parserout.host, parserout.user, parserout.password, com) run_tool = connect.remotecmd() else: com = '{0} oval-collect '.format(oscap) connect = connect.connectionManager(parserout.host, parserout.user, parserout.password, com) run_tool = connect.remotecmd() print run_tool def post_tasks(): import connect dl_folder = os.path.join(os.getcwd(), parserout.host + datetime.datetime.now(). strftime('%Y-%m-%d_%H-%M-%S')) os.mkdir(dl_folder, 0755) reportfile = '{0}/{1}'.format(tmpdir.rstrip(), parserout.report) connect = connect.connectionManager(parserout.host, parserout.user, parserout.password, dl_folder, reportfile, parserout.report, parserout.results) run_tool = connect.download_reports() print run_tool def removepkg(): import connect com = 'yum -y remove openscap-scanner scap-security-guide' connect = connect.connectionManager(parserout.host, parserout.user, parserout.password, com) yumremove = connect.remotecmd() print yumremove def cleandir(): import connect com = 'rm -r {0}'.format(tmpdir.rstrip()) connect = connect.connectionManager(parserout.host, parserout.user, parserout.password, com) deldir = connect.remotecmd() print deldir if __name__ == '__main__': print 'Creating temp file structure...\n' createfiles() print 'Install OpenSCAP scanner...\n' install_pkg() print 'Running scan...\n' run_scanner() print 'Post installation tasks...\n' post_tasks() if parserout.clean: print 'Cleaning down environment...\n' print 'Removing OpenSCAP...\n' removepkg() print 'Deleting tmp file and reports (remote)...\n' cleandir()