From 69740bd7bf0f0b0178cd5cfce75d2ada91ad3e4d Mon Sep 17 00:00:00 2001 From: Fen Labalme Date: Sat, 30 Mar 2019 21:30:20 -0400 Subject: [PATCH] better safe character checking; govready-scan frontend --- govready | 4 +-- scripts/govready-scan.sh | 72 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 74 insertions(+), 2 deletions(-) create mode 100755 scripts/govready-scan.sh diff --git a/govready b/govready index 7c504e7..d05c1d6 100755 --- a/govready +++ b/govready @@ -802,10 +802,10 @@ _parse_config(){ fi # Following sed should find only lines with an `=`, ignore blank lines, and ignore bad code - eval $(sed '/^[:space:]*#/d;/^[:space:]*$/d;s/=/ /;' < "$CONFIGFILE" | while read -r key val + eval $(sed '/^[[:space:]]*#/d;/^[[:space:]]*$/d;s/=/ /;' < "$CONFIGFILE" | while read -r key val do # Only allow safe characters - val=$(echo "$val" | sed 's/[^-[:alnum:]\._\/]//g') + val=$(echo "$val" | sed 's/[^-[[:alnum:]]\._\/]//g') str="$key='$val'" echo "$str" done) diff --git a/scripts/govready-scan.sh b/scripts/govready-scan.sh new file mode 100755 index 0000000..253b7c9 --- /dev/null +++ b/scripts/govready-scan.sh 
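Review bot: The rewritten filter on the `val=` line appears to stop sanitizing altogether: in `[^-[[:alnum:]]\._\/]` the bracket expression closes at the first `]`, so the pattern only matches one disallowed character followed by the literal text `._/]`, and values reach the `eval` essentially unfiltered. The previous `[^-[:alnum:]\._\/]` was already a valid bracket expression; only the `[:space:]` uses on the `eval` line needed the extra brackets, because there the class stood outside any bracket expression. I would restore the single-bracket form or spell the allow-list out, e.g. `val=$(printf '%s' "$val" | tr -cd 'A-Za-z0-9._/-')`. The same filter should be applied to `$key`, which goes into the eval'd string unchecked. `_parse_config` starts and ends outside this hunk.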
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+
+if [ $# -eq 0 ]; then
+ echo "Usage: $0 instance-names..."
+ echo " This script runs 'govready scan' on instances accessible via SSH and"
+ echo " collects the results in a dated sub-directory along with a summary."
+ echo " Generally run from myfisma/ directory after 'govready init'."
+ echo " Override OSCAP variables with 'GOVREADY_' prefix, e.g.:"
+ echo " GOVREADY_OSCAP_USER=your_name govready-scan.sh my-instance"
+ echo "Requires:"
+ echo " https://github.com/GovReady/govready (with 'govready' script in PATH)"
+ echo " https://github.com/OpenSCAP/openscap (install normally)"
+ echo " https://github.com/ComplianceAsCode/content/ (SCAP Security Guide)"
+ exit 0
+fi
+
+DB_DATE=$(date "+%Y%m%d-%H%M")
+GOV_OUT=${DB_DATE}/govready_out
+SUMMARY=${DB_DATE}/summary.txt
+
+OSCAP_VERSION=$(oscap -V|head -1)
+
+mkdir -p ${DB_DATE}/govready_out
+
+export GOVREADY_OSCAP_USER="${GOVREADY_OSCAP_USER:-monitor}"
+export GOVREADY_OSCAP_SUDO="${GOVREADY_OSCAP_SUDO:-sudo}"
+export GOVREADY_OSCAP_PORT="${GOVREADY_OSCAP_PORT:-22}"
+export GOVREADY_PROFILE="${GOVREADY_PROFILE:-xccdf_org.ssgproject.content_profile_stig-rhel7-disa}"
+export GOVREADY_XCCDF="${GOVREADY_XCCDF:-ssg-rhel7-ds.xml}"
+
+# The `govready scan` script expects XCCDF files to be in a "scap" sub-directory.
+if [ ! -d "scap" ]; then
+ echo "No 'scap' subdirectory found."
+ if [ -d "/usr/local/share/xml/scap/ssg/content" ]; then
+ echo "Consider 'ln -s /usr/local/share/xml/scap/ssg/content scap'"
+ else
+ echo "Create a link called 'scap' to your SCAP Security Guide content"
+ fi
+ exit 1
+fi
+if [ -f "scap/${GOVREADY_XCCDF}" ]; then
+ SSG_VERSION="$(sed -n '//{s/.*\(.*\)<\/version>.*/\1/;p}' scap/${GOVREADY_XCCDF})"
+fi
+[ -z ${SSG_VERSION} ] && SSG_VERSION="(unknown)"
+
+echo "Results from scanning instances on ${DB_DATE}" | tee "${SUMMARY}"
+echo "Using ${OSCAP_VERSION}" | tee -a "${SUMMARY}"
+echo "Using profile ${GOVREADY_PROFILE}" | tee -a "${SUMMARY}"
+echo "From XCCDF data stream file ${GOVREADY_XCCDF} version ${SSG_VERSION}" | tee -a "${SUMMARY}"
+
+govready_scan() {
+ INSTANCE="${1}"
+ echo "*${DB_DATE}/${INSTANCE}*" | tee -a "${SUMMARY}"
+ GOVREADY_OSCAP_HOST=${INSTANCE} govready scan | tee "${GOV_OUT}/${INSTANCE}.txt"
+ cp "scans/${GOVREADY_PROFILE}/${INSTANCE}/results.html" "${DB_DATE}/results-${INSTANCE}.html"
+ grep 'This profile identifies' "${GOV_OUT}/${INSTANCE}.txt" | tee -a "${SUMMARY}"
+}
+
+# scan instances
+for name in "$@"; do
+ govready_scan "${name}"
+done
+
+# clean up summary
+replace 'This profile identifies ' '- ' -- "${SUMMARY}"
+replace 'medium severity' 'med severity' -- "${SUMMARY}"
+replace 'low severity' ' low severity' -- "${SUMMARY}"
+replace 'selected controls' 'controls' -- "${SUMMARY}"
+sed -i 's/ \([0-9]\) / \1 /g' ${SUMMARY}
+
+echo ""
+ls -l ${DB_DATE}
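Review bot: Instance names from `"$@"` are used as-is in `govready_scan`, both as `GOVREADY_OSCAP_HOST` and inside the output paths `${GOV_OUT}/${INSTANCE}.txt` and `results-${INSTANCE}.html`. A name containing `/` could therefore write outside the dated directory, and one starting with `-` may be read as an option further down; how `govready scan` hands the host on is not visible here. A guard at the top of the `for name` loop would cover both: `case "${name}" in ''|-*|*[!A-Za-z0-9._-]*) echo "invalid instance name: ${name}" >&2; continue ;; esac`. Separately, `govready scan | tee` returns tee's status, so a failed scan is recorded in the summary without any error indication; `set -o pipefail` plus a status check after that pipeline would make the failure visible in the collected evidence.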