OpenSCAP / openscap-daemon

Manages continuous scans of your infrastructure
https://www.open-scap.org/tools/openscap-daemon
GNU Lesser General Public License v2.1

Add possibility to generate STIG viewer input from the scan. #128

Closed matejak closed 6 years ago

matejak commented 6 years ago

This task has subtasks:

As it is not possible to generate SV result from an ARF, the scanning session now has to support returning of more than one file. In the past, the EvaluationSpec.evaluate function returned the ARF file as a string (or None). This PR refactors the code, so it returns a dictionary or None. The dictionary will have the arf key and it may have the stig key, if the stig viewer results were generated. As a result, the existing code had to be made compliant with this API change.

pep8speaks commented 6 years ago

Hello @matejak! Thanks for submitting the PR.

Line 289:80: E501 line too long (80 > 79 characters)
Line 357:80: E501 line too long (84 > 79 characters)
Line 435:80: E501 line too long (81 > 79 characters)
Line 472:80: E501 line too long (80 > 79 characters)
Line 480:80: E501 line too long (80 > 79 characters)
Line 495:25: E128 continuation line under-indented for visual indent
Line 546:80: E501 line too long (80 > 79 characters)
Line 555:80: E501 line too long (81 > 79 characters)
Line 566:80: E501 line too long (80 > 79 characters)

Line 129:80: E501 line too long (80 > 79 characters)
Line 211:80: E501 line too long (80 > 79 characters)
Line 231:80: E501 line too long (80 > 79 characters)
Line 482:80: E501 line too long (80 > 79 characters)
Line 515:80: E501 line too long (80 > 79 characters)
Line 676:80: E501 line too long (81 > 79 characters)

matusmarhefka commented 6 years ago

@matejak I tested by building the image from your branch and then performing the scan, but it looks like the generated stig.xml file is not valid and does not contain stig viewer IDs:

$ sudo atomic scan --scan_type configuration_compliance --scanner_args xccdf-id=scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml,profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa,report,stig-viewer rh7
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2018-02-06-18-23-06-383314:/scanin -v /var/lib/atomic/openscap/2018-02-06-18-23-06-383314:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro openscap oscapd-evaluate scan --targets chroots-in-dir:///scanin --output /scanout --no-cve-scan --fix_type bash -j1 --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report --stig-viewer

[...]

Files associated with this scan are in /var/lib/atomic/openscap/2018-02-06-18-23-06-383314.

$ ls /var/lib/atomic/openscap/2018-02-06-18-23-06-383314/a0c96d207269f3a4572f8815c2c61f18221261662f49a3e5e1e6d2b838a2946f/
arf.xml  fix.sh  json  report.html  stig.xml

$ grep "SV-" /var/lib/atomic/openscap/2018-02-06-18-23-06-383314/a0c96d207269f3a4572f8815c2c61f18221261662f49a3e5e1e6d2b838a2946f/stig.xml 
$ echo $?
1

$ docker run --rm -it openscap rpm -qa | grep openscap
openscap-1.2.16-1.fc27.x86_64
openscap-utils-1.2.16-1.fc27.x86_64
openscap-scanner-1.2.16-1.fc27.x86_64

matejak commented 6 years ago

I confirm that this is an issue. However, it is not related to this PR, but to the F27 stock scap-security-guide. When using a more up-to-date SSG (e.g. from git), it works as expected.

matusmarhefka commented 6 years ago

Confirmed, the issue was with an SSG that was not up to date. With the updated one, the feature works correctly.
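An added example, not code from this PR or from openscap-daemon: a caller that consumes the return shape described in the PR text (None, or a dict with an `arf` key and an optional `stig` key) and repeats the reviewer's `grep "SV-"` check on the STIG Viewer output before it is handed on. The function name `store_results`, the `SV-<digits>` pattern and the sample strings are assumptions made for illustration.

```python
import os
import re

# Assumption: STIG Viewer IDs look like "SV-<digits>"; the thread greps for "SV-".
STIG_ID_RE = re.compile(r"SV-\d+")

# Constructed fragments for the demo, not real scanner output.
SAMPLE_ARF = "<arf>constructed</arf>"
SAMPLE_STIG_OK = '<rule-result idref="SV-86681r1_rule"/>'
SAMPLE_STIG_STALE = '<rule-result idref="xccdf_org.ssgproject.content_rule_x"/>'


def store_results(results, out_dir):
    """Write evaluation results into out_dir and return a summary dict.

    `results` has the shape described in the PR: None, or a dict with an
    "arf" key and an optional "stig" key (file contents as strings).
    """
    summary = {"written": [], "stig_ids": 0, "warnings": []}
    if results is None:
        summary["warnings"].append("evaluation returned no results")
        return summary
    if "arf" not in results:
        raise KeyError("results dict lacks the 'arf' key")
    for key, filename in (("arf", "arf.xml"), ("stig", "stig.xml")):
        if key in results:
            path = os.path.join(out_dir, filename)
            with open(path, "w", encoding="utf-8") as handle:
                handle.write(results[key])
            summary["written"].append(filename)
    if "stig" in results:
        ids = set(STIG_ID_RE.findall(results["stig"]))
        summary["stig_ids"] = len(ids)
        if not ids:
            # Same condition as `grep "SV-" stig.xml` exiting with status 1.
            summary["warnings"].append(
                "stig.xml has no SV- IDs; check that the SCAP content is current")
    return summary


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for stig in (SAMPLE_STIG_OK, SAMPLE_STIG_STALE):
            print(store_results({"arf": SAMPLE_ARF, "stig": stig}, tmp))
```

A warning in the summary means the scan completed but the file would be of no use in STIG Viewer, which is the situation the thread traced to the stock F27 scap-security-guide.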