ssg/constants.py

from __future__ import absolute_import
from __future__ import print_function

import os.path
import os
import time
import collections


SSG_PROJECT_NAME = "SCAP Security Guide Project"
SSG_BENCHMARK_LATEST_URI = "https://github.com/ComplianceAsCode/content/releases/latest"

SSG_REF_URIS = {
    'anssi': 'https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf',
    'bsi': 'https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf',
    'nist': 'http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf',
    'nist-csf': 'https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf',
    'isa-62443-2013': 'https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu',
    'isa-62443-2009': 'https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat',
    'cobit5': 'https://www.isaca.org/resources/cobit',
    'cis-csc': 'https://www.cisecurity.org/controls/',
    'cjis': 'https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf',
    'cui': 'http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf',
    'dcid': 'not_officially_available',
    'disa': 'https://public.cyber.mil/stigs/cci/',
    'pcidss': 'https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf',
    'pcidss4': 'https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf',
    'ospp': 'https://www.niap-ccevs.org/Profile/PP.cfm',
    'hipaa': 'https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf',
    'ism': 'https://www.cyber.gov.au/acsc/view-all-content/ism',
    'iso27001-2013': 'https://www.iso.org/contents/data/standard/05/45/54534.html',
    'nerc-cip': 'https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx',
    'stigid': 'https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux',
    'os-srg': 'https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os',
    'app-srg': 'https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers',
    'app-srg-ctr': 'https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=container-platform',
    'stigref': 'https://public.cyber.mil/stigs/srg-stig-tools/',
}

product_directories = [
    'alinux2',
    'alinux3',
    'anolis8',
    'anolis23',
    'al2023',
    'chromium',
    'debian11', 'debian12',
    'example',
    'eks',
    'fedora',
    'firefox',
    'macos1015',
    'ocp4',
    'rhcos4',
    'ol7', 'ol8', 'ol9', 'ol10',
    'openeuler2203',
    'opensuse',
    'openembedded',
    'rhel8', 'rhel9', 'rhel10',
    'rhv4',
    'sle12', 'sle15', 'slmicro5',
    'ubuntu1604', 'ubuntu1804', 'ubuntu2004', 'ubuntu2204',
]

JINJA_MACROS_DIRECTORY = os.path.abspath(os.path.join(os.path.dirname(os.path.dirname(
    __file__)), "shared", "macros"))

xml_version = """<?xml version="1.0" encoding="UTF-8"?>"""

datastream_namespace = "http://scap.nist.gov/schema/scap/source/1.2"
dc_namespace = "http://purl.org/dc/elements/1.1/"
ocil_namespace = "http://scap.nist.gov/schema/ocil/2.0"
cpe_language_namespace = "http://cpe.mitre.org/language/2.0"
cpe_dictionary_namespace = "http://cpe.mitre.org/dictionary/2.0"
oval_footer = "</oval_definitions>"
oval_namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
xlink_namespace = "http://www.w3.org/1999/xlink"
xhtml_namespace = "http://www.w3.org/1999/xhtml"
xsi_namespace = "http://www.w3.org/2001/XMLSchema-instance"
cat_namespace = "urn:oasis:names:tc:entity:xmlns:xml:catalog"
sce_namespace = "http://open-scap.org/page/SCE_xccdf_stream"
ocil_cs = "http://scap.nist.gov/schema/ocil/2"
bash_system = "urn:xccdf:fix:script:sh"
ansible_system = "urn:xccdf:fix:script:ansible"
ignition_system = "urn:xccdf:fix:script:ignition"
kubernetes_system = "urn:xccdf:fix:script:kubernetes"
blueprint_system = "urn:redhat:osbuild:blueprint"
puppet_system = "urn:xccdf:fix:script:puppet"
anaconda_system = "urn:redhat:anaconda:pre"
kickstart_system = "urn:xccdf:fix:script:kickstart"
cce_uri = "https://ncp.nist.gov/cce"
stig_ns = "https://public.cyber.mil/stigs/srg-stig-tools/"
ccn_ns = "https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html"
cis_ns = "https://www.cisecurity.org/benchmark/red_hat_linux/"
hipaa_ns = "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
anssi_ns = "https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf"
ospp_ns = "https://www.niap-ccevs.org/Profile/PP.cfm"
pcidss4_ns = "https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf"
cui_ns = 'http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf'
stig_refs = 'https://public.cyber.mil/stigs/'
disa_cciuri = "https://public.cyber.mil/stigs/cci/"
ssg_version_uri = \
    "https://github.com/ComplianceAsCode/content/releases/latest"
OSCAP_VENDOR = "org.ssgproject"
OSCAP_DS_STRING = "xccdf_%s.content_benchmark_" % OSCAP_VENDOR
OSCAP_BENCHMARK = "xccdf_%s.content_benchmark_" % OSCAP_VENDOR
OSCAP_PROFILE = "xccdf_%s.content_profile_" % OSCAP_VENDOR
OSCAP_GROUP = "xccdf_%s.content_group_" % OSCAP_VENDOR
OSCAP_RULE = "xccdf_%s.content_rule_" % OSCAP_VENDOR
OSCAP_VALUE = "xccdf_%s.content_value_" % OSCAP_VENDOR
OSCAP_GROUP_PCIDSS = "xccdf_%s.content_group_pcidss-req" % OSCAP_VENDOR
OSCAP_GROUP_VAL = "xccdf_%s.content_group_values" % OSCAP_VENDOR
OSCAP_GROUP_NON_PCI = "xccdf_%s.content_group_non-pci-dss" % OSCAP_VENDOR
OSCAP_PATH = "oscap"
OSCAP_PROFILE_ALL_ID = "(all)"
XCCDF11_NS = "http://checklists.nist.gov/xccdf/1.1"
XCCDF12_NS = "http://checklists.nist.gov/xccdf/1.2"
min_ansible_version = "2.9"
ansible_version_requirement_pre_task_name = \
    "Verify Ansible meets SCAP-Security-Guide version requirements."
standard_profiles = ['standard', 'pci-dss', 'desktop', 'server']
xslt_ns = "http://www.w3.org/1999/XSL/Transform"
SCE_SYSTEM = "http://open-scap.org/page/SCE"


OVAL_SUB_NS = dict(
    ind="independent",
    unix="unix",
    linux="linux",
)


PREFIX_TO_NS = {
    "oval-def": oval_namespace,
    "oval": "http://oval.mitre.org/XMLSchema/oval-common-5",
    "dc": dc_namespace,
    "ds": datastream_namespace,
    "ocil": ocil_namespace,
    "xccdf-1.1": XCCDF11_NS,
    "xccdf-1.2": XCCDF12_NS,
    "html": xhtml_namespace,
    "xlink": xlink_namespace,
    "cpe-dict": cpe_dictionary_namespace,
    "cat": cat_namespace,
    "cpe-lang": cpe_language_namespace,
    "sce": sce_namespace,
}

FIX_TYPE_TO_SYSTEM = {
    "bash": bash_system,
    "ansible": ansible_system,
    "ignition": ignition_system,
    "kubernetes": kubernetes_system,
    "blueprint": blueprint_system,
    "puppet": puppet_system,
    "anaconda": anaconda_system,
    "kickstart": kickstart_system,
}

for prefix, url_part in OVAL_SUB_NS.items():
    assert prefix not in PREFIX_TO_NS, \
        "Conflict between a namespace and OVAL sub-namespace '{prefix}'".format(prefix=prefix)
    PREFIX_TO_NS[prefix] = "{oval_ns}#{suffix}".format(oval_ns=PREFIX_TO_NS["oval-def"], suffix=url_part)


oval_header = (
    """
<oval_definitions
    xmlns="{0}"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:ind="{0}#independent"
    xmlns:unix="{0}#unix"
    xmlns:linux="{0}#linux"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd
        {0} oval-definitions-schema.xsd
        {0}#independent independent-definitions-schema.xsd
        {0}#unix unix-definitions-schema.xsd
        {0}#linux linux-definitions-schema.xsd">"""
    .format(oval_namespace))

timestamp = time.strftime(
    "%Y-%m-%dT%H:%M:%S",
    time.gmtime(int(os.environ.get('SOURCE_DATE_EPOCH', time.time())))
)

PKG_MANAGER_TO_SYSTEM = {
    "yum": "rpm",
    "zypper": "rpm",
    "dnf": "rpm",
    "apt_get": "dpkg",
}

PKG_MANAGER_TO_CONFIG_FILE = {
    "yum": "/etc/yum.conf",
    "dnf": "/etc/dnf/dnf.conf",
    "zypper": "/etc/zypp/zypper.conf",
}

FULL_NAME_TO_PRODUCT_MAPPING = {
    "Alibaba Cloud Linux 2": "alinux2",
    "Alibaba Cloud Linux 3": "alinux3",
    "Anolis OS 8": "anolis8",
    "Anolis OS 23": "anolis23",
    "Amazon Linux 2023": "al2023",
    "Chromium": "chromium",
    "Debian 11": "debian11",
    "Debian 12": "debian12",
    "Example": "example",
    "Amazon Elastic Kubernetes Service": "eks",
    "Fedora": "fedora",
    "Firefox": "firefox",
    "Apple macOS 10.15": "macos1015",
    "Red Hat OpenShift Container Platform 4": "ocp4",
    "Red Hat Enterprise Linux CoreOS 4": "rhcos4",
    "Oracle Linux 7": "ol7",
    "Oracle Linux 8": "ol8",
    "Oracle Linux 9": "ol9",
    "Oracle Linux 10": "ol10",
    "openEuler 2203": "openeuler2203",
    "openSUSE": "opensuse",
    "Red Hat Enterprise Linux 8": "rhel8",
    "Red Hat Enterprise Linux 9": "rhel9",
    "Red Hat Enterprise Linux 10": "rhel10",
    "Red Hat Virtualization 4": "rhv4",
    "SUSE Linux Enterprise 12": "sle12",
    "SUSE Linux Enterprise 15": "sle15",
    "SUSE Linux Enterprise Micro 5": "slmicro5",
    "Ubuntu 16.04": "ubuntu1604",
    "Ubuntu 18.04": "ubuntu1804",
    "Ubuntu 20.04": "ubuntu2004",
    "Ubuntu 22.04": "ubuntu2204",
    "OpenEmbedded": "openembedded",
    "Not Applicable": "example",
}


# see xccdf-addremediations.xslt <- shared_constants.xslt
# if you want to know how the map was constructed
REF_PREFIX_MAP = {
    "nist": "NIST-800-53",
    "cui": "NIST-800-171",
    "pcidss": "PCI-DSS",
    "pcidss4": "PCI-DSSv4",
    "cjis": "CJIS",
    "stigid": "DISA-STIG",
}

Reference = collections.namedtuple("Reference", ("id", "name", "url", "regex_with_groups"))

REFERENCES = dict(
    anssi=Reference(
        id="anssi", name="ANSSI", url=anssi_ns,
        regex_with_groups=r"R(\d+)"),
    ccn=Reference(
        id="ccn", name="CCN", url="",
        regex_with_groups=r"A\.(\d+)\.SEC-(\w+)(\d+)"),
    cis=Reference(
        id="cis", name="CIS", url=cis_ns,
        regex_with_groups=r"(\d+)\.(\d+)(?:\.(\w+)(?:\.(\w+)(?:\.(\w+))?)?)?"),
    cui=Reference(
        id="cui", name=REF_PREFIX_MAP["cui"], url=cui_ns,
        regex_with_groups=r"(\d+)(?:\.(\w+)(?:\.(\w+)(?:\.(\w+))?)?)?"),
    nist=Reference(
        id="nist", name=REF_PREFIX_MAP["nist"], url="",
        regex_with_groups=r".*-(\d+)(?:\((\d+)\))?"),
    ospp=Reference(
        id="ospp", name="OSPP", url=SSG_REF_URIS["ospp"],
        regex_with_groups=r"(\w+)(?:\.(\d+)(?:\.([^\.]+)(?:\.([^\.]+))?)?)?"),
    pcidss=Reference(
        id="pcidss", name=REF_PREFIX_MAP["pcidss"], url="",
        regex_with_groups=r"Req-(\d+)(?:\.(\w+)(?:\.(\w+)(?:\.(\w+))?)?)?"),
    pcidss4=Reference(
        id="pcidss4", name=REF_PREFIX_MAP["pcidss4"], url="",
        regex_with_groups=r"(\d+)(?:\.(\w+)(?:\.(\w+)(?:\.(\w+))?)?)?"),
    srg=Reference(
        id="srg", name="SRG", url="",
        regex_with_groups=r"(SRG-OS-\d+-GPOS-\d+)"
    )
)


MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
                       "openeuler",
                       "opensuse", "sle", "ol", "ocp", "rhcos",
                       "example", "eks", "alinux", "anolis", "openembedded", "al",
                       "slmicro"]

MULTI_PLATFORM_MAPPING = {
    "multi_platform_alinux": ["alinux2", "alinux3"],
    "multi_platform_anolis": ["anolis8", "anolis23"],
    "multi_platform_debian": ["debian11", "debian12"],
    "multi_platform_example": ["example"],
    "multi_platform_eks": ["eks"],
    "multi_platform_fedora": ["fedora"],
    "multi_platform_openeuler": ["openeuler2203"],
    "multi_platform_opensuse": ["opensuse"],
    "multi_platform_ol": ["ol7", "ol8", "ol9", "ol10"],
    "multi_platform_ocp": ["ocp4"],
    "multi_platform_rhcos": ["rhcos4"],
    "multi_platform_rhel": ["rhel8", "rhel9", "rhel10"],
    "multi_platform_rhv": ["rhv4"],
    "multi_platform_sle": ["sle12", "sle15"],
    "multi_platform_slmicro": ["slmicro5"],
    "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"],
    "multi_platform_openembedded": ["openembedded"],
    "multi_platform_al": ["al2023"],
}

RHEL_CENTOS_CPE_MAPPING = {
    "cpe:/o:redhat:enterprise_linux:8": "cpe:/o:centos:centos:8",
    "cpe:/o:redhat:enterprise_linux:9": "cpe:/o:centos:centos:9",
    "cpe:/o:redhat:enterprise_linux:10": "cpe:/o:centos:centos:10",
}

CENTOS_NOTICE = \
    "<div xmlns=\"http://www.w3.org/1999/xhtml\">\n" \
    "<p>This benchmark is a direct port of a <i>SCAP Security Guide </i> " \
    "benchmark developed for <i>Red Hat Enterprise Linux</i>. It has been " \
    "modified through an automated process to remove specific dependencies " \
    "on <i>Red Hat Enterprise Linux</i> and to function with <i>CentOS</i>. " \
    "The result is a generally useful <i>SCAP Security Guide</i> benchmark " \
    "with the following caveats:</p>\n" \
    "<ul>\n" \
    "<li><i>CentOS</i> is not an exact copy of " \
    "<i>Red Hat Enterprise Linux</i>. There may be configuration differences " \
    "that produce false positives and/or false negatives. If this occurs " \
    "please file a bug report.</li>\n" \
    "\n" \
    "<li><i>CentOS</i> has its own build system, compiler options, patchsets, " \
    "and is a community supported, non-commercial operating system. " \
    "<i>CentOS</i> does not inherit " \
    "certifications or evaluations from <i>Red Hat Enterprise Linux</i>. As " \
    "such, some configuration rules (such as those requiring " \
    "<i>FIPS 140-2</i> encryption) will continue to fail on <i>CentOS</i>.</li>\n" \
    "</ul>\n" \
    "\n" \
    "<p>Members of the <i>CentOS</i> community are invited to participate in " \
    "<a href=\"http://open-scap.org\">OpenSCAP</a> and " \
    "<a href=\"https://github.com/ComplianceAsCode/content\">" \
    "SCAP Security Guide</a> development. Bug reports and patches " \
    "can be sent to GitHub: " \
    "<a href=\"https://github.com/ComplianceAsCode/content\">" \
    "https://github.com/ComplianceAsCode/content</a>. " \
    "The mailing list is at " \
    "<a href=\"https://fedorahosted.org/mailman/listinfo/scap-security-guide\">" \
    "https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>" \
    ".</p>" \
    "</div>"

XCCDF_REFINABLE_PROPERTIES = ["weight", "severity", "role", "selector"]

OVAL_TO_XCCDF_DATATYPE_CONSTRAINTS = {
    'int': 'number',
    'float': 'number',
    'boolean': 'boolean',
    'string': 'string',
    'evr_string': 'string',
    'version': 'string',
    'ios_version': 'string',
    'fileset_revision': 'string',
    'binary': 'string'
}

OVALTAG_TO_ABBREV = {
    'definition': 'def',
    'criteria': 'crit',
    'test': 'tst',
    'object': 'obj',
    'state': 'ste',
    'variable': 'var',
}

OCILTAG_TO_ABBREV = {
    'questionnaire': 'questionnaire',
    'action': 'testaction',
    'question': 'question',
    'artifact': 'artifact',
    'variable': 'variable',
}

OVALREFATTR_TO_TAG = {
    "definition_ref": "definition",
    "test_ref": "test",
    "object_ref": "object",
    "state_ref": "state",
    "var_ref": "variable",
}

OCILREFATTR_TO_TAG = {
    "question_ref": "question",
}

# Default platform to package mapping
XCCDF_PLATFORM_TO_PACKAGE = {
  "grub2": "grub2-common",
  "login_defs": "login",
  "sssd": "sssd-common",
  "zipl": "s390utils-base",
  "sssd-ldap": None,  # Force package check wrapping skip
  "uefi": None,
  "non-uefi": None,
  "not_s390x_arch": None,
  "s390x_arch": None,
  "not_aarch64_arch": None,
  "aarch64_arch": None,
  "ovirt": None,
  "no_ovirt": None,
}

# _version_name_map = {
MAKEFILE_ID_TO_PRODUCT_MAP = {
    'alinux': 'Alibaba Cloud Linux',
    'anolis': 'Anolis OS',
    'chromium': 'Google Chromium Browser',
    'fedora': 'Fedora',
    'firefox': 'Mozilla Firefox',
    'macos': 'Apple macOS',
    'rhel': 'Red Hat Enterprise Linux',
    'rhv': 'Red Hat Virtualization',
    'debian': 'Debian',
    'ubuntu': 'Ubuntu',
    'eap': 'JBoss Enterprise Application Platform',
    'fuse': 'JBoss Fuse',
    'openeuler': 'openEuler',
    'opensuse': 'openSUSE',
    'sle': 'SUSE Linux Enterprise',
    'slmicro': 'SUSE Linux Enterprise Micro',
    'example': 'Example',
    'ol': 'Oracle Linux',
    'ocp': 'Red Hat OpenShift Container Platform',
    'rhcos': 'Red Hat Enterprise Linux CoreOS',
    'eks': 'Amazon Elastic Kubernetes Service',
    'al': 'Amazon Linux',
    'openembedded': 'OpenEmbedded',
}

# References that can not be used with product-qualifiers
GLOBAL_REFERENCES = ("srg", "disa", "cis-csc",)

# Application constants
DEFAULT_DCONF_GDM_DIR = 'gdm.d'
DEFAULT_AIDE_CONF_PATH = '/etc/aide.conf'
DEFAULT_AIDE_BIN_PATH = '/usr/sbin/aide'
DEFAULT_FAILLOCK_PATH = '/var/run/faillock'
DEFAULT_SSH_DISTRIBUTED_CONFIG = 'false'
DEFAULT_PRODUCT = 'example'
DEFAULT_CHRONY_CONF_PATH = '/etc/chrony.conf'
DEFAULT_CHRONY_D_PATH = '/etc/chrony.d/'
DEFAULT_AUDISP_CONF_PATH = '/etc/audit'
DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE = 'false'


# Constants for OVAL object model
STR_TO_BOOL = {
    "false": False,
    "False": False,
    "true": True,
    "True": True,
}

BOOL_TO_STR = {True: "true", False: "false"}


class OvalNamespaces:
    oval = "http://oval.mitre.org/XMLSchema/oval-common-5"
    definition = oval_namespace
    independent = "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
    linux = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"


OVAL_NAMESPACES = OvalNamespaces()

DERIVATIVES_PRODUCT_MAPPING = {
    "centos8": "rhel8",
    "cs9": "rhel9",
    "cs10": "rhel10",
}

BENCHMARKS = {
    "apple_os",
    "applications",
    "linux_os/guide",
    "products/chromium/guide",
    "products/firefox/guide",
}


SSG_IDENT_URIS = {
    'cce': cce_uri
}