Class: LinuxAdmin::Scap

Inherits:

Object

• Object
• LinuxAdmin::Scap

Defined in:

lib/linux_admin/scap.rb

Constant Summary

PROFILE_ID =

"linux-admin-scap"

SSG_XML_PATH =

Pathname.new("/usr/share/xml/scap/ssg/content/")

Class Method Summary

• .openscap_available? ⇒ Boolean
• .ssg_available? ⇒ Boolean

Instance Method Summary

• #lockdown(*args) ⇒ Object
• #lockdown_profile(xccdf_file_path, profile_id) ⇒ Object

Class Method Details

.openscap_available? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/linux_admin/scap.rb', line 8

def self.openscap_available?
  require 'openscap'
  true
rescue LoadError
  false
end

.ssg_available? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/linux_admin/scap.rb', line 15

def self.ssg_available?
  xccdf_file && oval_file
end

Instance Method Details

#lockdown(*args) ⇒ Object

# File 'lib/linux_admin/scap.rb', line 19

def lockdown(*args)
  raise "OpenSCAP not available" unless self.class.openscap_available?
  raise "SCAP Security Guide not available" unless self.class.ssg_available?

  values = args.last.kind_of?(Hash) ? args.pop : {}
  rules = args

  raise "No SCAP rules provided" if rules.empty?

  with_xml_files(rules, values) do |xccdf_file_path|
    lockdown_profile(xccdf_file_path, PROFILE_ID)
  end
end

#lockdown_profile(xccdf_file_path, profile_id) ⇒ Object

# File 'lib/linux_admin/scap.rb', line 33

def lockdown_profile(xccdf_file_path, profile_id)
  raise "OpenSCAP not available" unless self.class.openscap_available?

  session = OpenSCAP::Xccdf::Session.new(xccdf_file_path)
  session.load
  session.profile = profile_id
  session.evaluate
  session.remediate
ensure
  session.destroy if session
end