feat: add cac content rules transformation

.mega-linter.yml

@@ -6,4 +6,7 @@ ENABLE_LINTERS:
   - MARKDOWN_MARKDOWNLINT
   - BASH_SHELLCHECK
 
-REPOSITORY_KICS_ARGUMENTS: "--fail-on high"
+ADDITIONAL_EXCLUDED_DIRECTORIES:
+  - content_dir
+
+REPOSITORY_KICS_ARGUMENTS: "--fail-on high"

pyproject.toml

@@ -109,6 +109,9 @@ module = "ruamel"
 ignore_missing_imports = true
 
 [[tool.mypy.overrides]]
-module = "ssg.products"
+module = "responses"
 ignore_missing_imports = true
 
+[[tool.mypy.overrides]]
+module = "ssg.*"
+ignore_missing_imports = true

tests/data/content_dir/controls/abcd-levels.yml

@@ -0,0 +1,69 @@
+---
+policy: ABCD Benchmark for securing Linux systems with levels
+title: ABCD Benchmark for securing Linux systems with levels
+id: abcd-levels
+version: 1.2.3
+source: https://www.abcd.com/linux.pdf
+levels:
+  - id: low
+  - id: medium
+    inherits_from:
+      - low
+  - id: high
+    inherits_from:
+      - medium
+
+controls:
+  - id: S1
+    title: User session timeout
+
+  - id: S2
+    levels:
+      - low
+    rules:
+      - var_password_pam_minlen=1
+
+  - id: S3
+    levels:
+      - medium
+
+  - id: S4
+    title: Configure authentication
+    controls:
+      - id: S4.a
+        title: Disable administrator accounts
+        levels:
+          - low
+
+      - id: S4.b
+        title: Enforce password quality standards
+        levels:
+          - high
+        rules:
+          - var_password_pam_minlen=2
+
+  # S5, S6 and S7 are used to test if level inheritance is working correctly
+  # when multiple levels select the same rule
+  - id: S5
+    title: Default Crypto Policy
+    levels:
+      - low
+    rules:
+      - configure_crypto_policy
+      - var_system_crypto_policy=default_policy
+
+  - id: S6
+    title: FIPS Crypto Policy
+    levels:
+      - medium
+    rules:
+      - configure_crypto_policy
+      - var_system_crypto_policy=fips
+
+  - id: S7
+    title: Future Crypto Policy
+    levels:
+      - high
+    rules:
+      - configure_crypto_policy
+      - var_system_crypto_policy=future

tests/data/content_dir/linux_os/guide/benchmark.yml

@@ -0,0 +1,29 @@
+---
+documentation_complete: true
+
+title: Guide to the Secure Configuration of {{{ full_name }}}
+
+status: draft
+
+description: |
+    This guide presents a catalog of security-relevant configuration settings for {{{ full_name }}}.
+    It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
+    in order to support security automation.  The SCAP content is available in the <tt>scap-security-guide</tt>
+    package which is developed at {{{ weblink(link="https://www.open-scap.org/security-policies/scap-security-guide") }}}.
+
+notice:
+    id: terms_of_use
+    description: |
+        Do not attempt to implement any of the settings in this guide without first testing them
+        in a non-operational environment. The creators of this guidance assume no responsibility
+        whatsoever for its use by other parties, and makes no guarantees, expressed or implied,
+        about its quality, reliability, or any other characteristic.
+
+front-matter: |
+    The SCAP Security Guide Project<br/>
+    {{{ weblink(link="https://www.open-scap.org/security-policies/scap-security-guide") }}}
+
+rear-matter: |
+    Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of
+    Red Hat, Inc. in the United States and other countries. All other names are registered
+    trademarks or trademarks of their respective companies.

tests/data/content_dir/linux_os/guide/test/configure_crypto_policy/rule.yml

@@ -0,0 +1,50 @@
+documentation_complete: true
+
+
+title: 'Test Configure System Cryptography Policy'
+
+description: |-
+    This is a modified copy from original rule.yml. For testing purposes only.
+    To configure the system cryptography policy to use ciphers only from the <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt>
+
+rationale: |-
+    Centralized cryptographic policies simplify applying secure ciphers across an operating
+    system and the applications that run on that operating system. Use of weak or untested
+    encryption algorithms undermines the purposes of utilizing encryption to protect data.
+
+severity: high
+
+identifiers:
+    cce@rhcos4: CCE-82541-4
+    cce@rhel8: CCE-80935-0
+    cce@rhel9: CCE-83450-7
+    cce@rhel10: CCE-89085-5
+    cce@sle15: CCE-85776-3
+
+references:
+    disa: CCI-000068,CCI-003123,CCI-002450,CCI-000877,CCI-002418,CCI-001453,CCI-002890
+    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.312(e)(1),164.312(e)(2)(ii)
+    nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
+    ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1
+    srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+    stigid@ol8: OL08-00-010020
+    stigid@rhel8: RHEL-08-010020
+
+ocil_clause: 'cryptographic policy is not configured or is configured incorrectly'
+
+ocil: |-
+    To verify that cryptography policy has been configured correctly, run the following command:
+    <pre>$ update-crypto-policies --show</pre>
+    The output should return <pre>{{{ xccdf_value("var_system_crypto_policy") }}}</pre>.
+
+warnings:
+    - general: |-
+        The system needs to be rebooted for these changes to take effect.
+
+fixtext: |-
+    Configure {{{ full_name }}} to use system cryptography policy.
+    Run the following command:
+
+    $ sudo update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}}
+
+srg_requirement: '{{{ full_name }}} must use {{{ xccdf_value("var_system_crypto_policy") }}} for the system cryptography policy.'

tests/data/content_dir/linux_os/guide/test/file_groupownership_sshd_private_key/rule.yml

@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Test Verify Group Ownership on SSH Server Private *_key Key Files'
+
+{{% set dedicated_ssh_groupname = groups.get("dedicated_ssh_keyowner", {}).get("name") %}}
+
+description: |-
+    SSH server private keys, files that match the <code>/etc/ssh/*_key</code> glob, must be
+    group-owned by <code>{{{ dedicated_ssh_groupname if dedicated_ssh_groupname else 'root' }}}</code> group.
+
+rationale: |-
+    If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86126-0
+    cce@rhel9: CCE-86127-8
+    cce@rhel10: CCE-90288-2
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ssh/*_key", group="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_group_owner(file="/etc/ssh/*_key", group="root") }}}
+
+template:
+    name: file_groupowner
+    vars:
+        filepath:
+            - /etc/ssh/
+        file_regex:
+            - ^.*_key$
+        gid_or_name: '{{{ dedicated_ssh_groupname if dedicated_ssh_groupname else '0' }}}'
+
+warnings:
+    - general: |-
+        Remediation is not possible at bootable container build time because SSH host
+        keys are generated post-deployment.

tests/data/content_dir/linux_os/guide/test/group.yml

@@ -0,0 +1,9 @@
+documentation_complete: true
+
+title: Services
+
+description: |-
+    The best protection against vulnerable software is running less software. This section
+    describes how to review the software which {{{ full_name }}} installs on a system and disable
+    software which is not needed. It then enumerates the software packages installed on a default
+    {{{ full_name }}} system and provides guidance about which ones can be safely disabled.