Script to extract the latest OpenSCAP (ARF) report for a host from Red Hat Satellite via `hammer` and generate an Ansible remediation playbook from it with `oscap xccdf generate fix`.
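#!/usr/bin/env bash
#
# mkremediate.sh - fetch the latest OpenSCAP (ARF) report for a Satellite host
# with `hammer` and turn it into an Ansible remediation playbook using
# `oscap xccdf generate fix`.
#
# This is a bash script, not POSIX sh: it relies on `echo -e`, here-strings
# (`<<<`), `read -p` and `==` inside `[ ]`, none of which /bin/sh (dash)
# provides, so the shebang must name bash explicitly.
#
# Requires `hammer` (already authenticated against Satellite), `jq` and
# `oscap` on PATH.
#
# Terminal attribute strings used by the output helpers below.
N=$(tput sgr0)   # reset all attributes
B=$(tput bold)   # bold
readonly N B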
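#######################################
# Print a full-width rule of '#' in bold.
# Falls back to 80 columns when the width cannot be determined (no tty,
# unknown TERM), instead of failing or printing an empty line, and no longer
# needs python3 just to repeat a character.
# Globals:   none
# Arguments: none
# Outputs:   the rule on stdout
#######################################
banner() {
  local width
  width=$(tput cols 2>/dev/null) || width=80
  case $width in
    ''|*[!0-9]*) width=80;;
  esac
  # Attribute changes are best-effort: a terminal without them still gets
  # the rule (and a failing tput must not trip `set -e` later on).
  tput bold 2>/dev/null || true
  printf '%*s\n' "$width" '' | tr ' ' '#'
  tput sgr0 2>/dev/null || true
}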
# Print the arguments as one message in normal weight.  Backslash escapes are
# interpreted (`echo -e`): callers use a trailing `\c` to suppress the newline.
info() {
  local msg="$*"
  echo -e "${N}${msg}${N}"
}
# Print the arguments as one message in bold, resetting attributes afterwards.
# Backslash escapes are interpreted (`echo -e`), so `\c` ends the line early.
highlight() {
  local msg="$*"
  echo -e "${B}${msg}${N}"
}
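clear
banner
highlight "##$N mkremediate.sh"
banner
info "Script to
- extract OpenScap reports from Satellite
- generate an Ansible remediation playbook
"
# Abort on the first failing command.  pipefail matters below: without it a
# failing `hammer` at the head of a pipeline is hidden by a succeeding `jq`.
set -e
set -o pipefail

#######################################
# Accept only values that look like a plain host or file name: non-empty and
# made solely of [A-Za-z0-9._-].  Values checked with this end up inside a
# hammer search term or a file name, so '/', whitespace and search/shell
# metacharacters are rejected.
# Arguments: $1 - value to check
# Returns:   0 when safe, 1 otherwise
#######################################
is_safe_name() {
  case $1 in
    ''|*[!A-Za-z0-9._-]*) return 1;;
  esac
  return 0
}

# -r keeps backslashes in the answers literal; an empty answer takes the default.
read -r -p "${B}Enter Host to generate playbook [${N}edge-mgr1.virt.gonoph.net${B}]:$N " HOST
read -r -p "${B}Remediate ${N}F${B}ailed or ${N}E${B}verything? $N[F/e] " FAILED
echo
HOST=${HOST:-edge-mgr1.virt.gonoph.net}
FAILED=${FAILED:-F}
# HOST is spliced into a hammer search query; only allow hostname characters.
if ! is_safe_name "$HOST"; then
  info "Host must be a plain hostname/FQDN (letters, digits, '.', '_', '-'): '$HOST'"
  exit 1
fi
# Keep the first character, upper-cased, so "f", "fail" and "e" are all accepted.
FAILED=$(printf '%s' "$FAILED" | cut -c 1 | tr a-z A-Z)
highlight "Remediate focus: \c"
case $FAILED in
  F) info "Only Failed Checks";;
  E) info "Everything";;
  *) info "Remediate should be F or E"; exit 1;;
esac

TDIR=$(mktemp -d)
# No eval needed: a single-quoted trap is expanded when it fires, and
# ${TDIR:?} refuses to run `rm -rf` on an empty path.
trap 'rm -rf -- "${TDIR:?}"' EXIT

highlight "Extracting$N $HOST$B last report id: \c"
# `.[0]` assumes hammer lists the newest report first -- TODO confirm.
hammer --output json arf-report list --search "host=$HOST" | jq '.[0]' > "$TDIR/reports.json"
RID=$(jq -r '.Id // empty' "$TDIR/reports.json")
# An empty list yields `null` above; stop here instead of calling
# `arf-report info --id null`.
if [ -z "$RID" ]; then
  info "no ARF report found for $HOST"
  exit 1
fi
info "$RID"

highlight "Reading report info: \c"
hammer --output json arf-report info --id "$RID" > "$TDIR/report.json"
HN=$(jq -r '."Host name"' "$TDIR/report.json")
DT=$(jq -r '."Reported at"' "$TDIR/report.json")
# Keep the first two space-separated fields of "Reported at" and strip
# everything but digits; this has to match the file name hammer gives the
# downloaded report (checked after the download below).
DT=$(printf '%s' "$DT" | cut -d' ' -f1,2 | tr -dc '0-9')
POLID=$(jq -r '."Policy Id"' "$TDIR/report.json")
# The server-supplied host name becomes part of two file names; refuse
# anything with '/' or other unexpected characters before it is used as a path.
if ! is_safe_name "$HN"; then
  info "unexpected host name in report: '$HN'"
  exit 1
fi
REPORT="$HN-$DT.xml.bz2"
info "$REPORT"

highlight "Reading policy #$POLID: \c"
hammer --output json policy info --id "$POLID" > "$TDIR/policy.json"
SCAP_cid=$(jq -r '."SCAP content Id"' "$TDIR/policy.json")
SCAP_pid=$(jq -r '."SCAP Content profile Id"' "$TDIR/policy.json")
# Tailoring ids are kept as JSON text on purpose: an unset field reads "null".
T_fid=$(jq '."Tailoring file Id"' "$TDIR/policy.json")
T_pid=$(jq '."Tailoring file profile Id"' "$TDIR/policy.json")
info "$SCAP_cid $SCAP_pid $T_fid $T_pid"

highlight "SCAP content: \c"
hammer --output json scap-content info --id "$SCAP_cid" > "$TDIR/content.json"
info "$(jq -r '.Title' "$TDIR/content.json")"

highlight "SCAP profile: $N\c"
# --argjson binds the id as a JSON value instead of splicing text into the
# jq program.
hammer --output json scap-content-profile list \
  | jq --argjson id "$SCAP_pid" '.[] | select(.Id == $id)' > "$TDIR/profile.json"
jq -r '"\(.Title) [\(."Profile Id")]"' "$TDIR/profile.json"
PROF=$(jq -r '."Profile Id"' "$TDIR/profile.json")
if [ -z "$PROF" ]; then
  info "SCAP profile with Id $SCAP_pid not found"
  exit 1
fi

TID=""
TFILE=""
if [ "$FAILED" = "E" ] && [ -n "$T_fid" ] && [ "$T_fid" != "null" ]; then
  highlight "Tailoring profile: $N\c"
  hammer --output json scap-content-profile list \
    | jq --argjson id "$T_pid" '.[] | select(.Id == $id)' > "$TDIR/taillor.json"
  jq -r '"\(.Title) [\(."Profile Id")]"' "$TDIR/taillor.json"
  PROF=$(jq -r '."Profile Id"' "$TDIR/taillor.json")
  TID=$(jq -r '."Tailoring File Id"' "$TDIR/taillor.json")
  TFILE=$(jq -r '."Tailoring File Name"' "$TDIR/taillor.json").xml
  # The name comes from the server and is joined onto $TDIR: no path separators.
  case $TFILE in
    ''|*/*) info "unexpected tailoring file name: '$TFILE'"; exit 1;;
  esac
  highlight "Tailoring file:$N [$TID] $TFILE"
  hammer tailoring-file download --id "$TID" --path "$TDIR"
  if [ ! -f "$TDIR/$TFILE" ]; then
    info "tailoring file download did not produce $TDIR/$TFILE"
    exit 1
  fi
fi

highlight "Downloading report: $N\c"
hammer arf-report download --id "$RID" --path "$TDIR"
# The expected name is derived from "Host name" + "Reported at" above; fail
# loudly here rather than letting oscap complain about a missing input.
if [ ! -f "$TDIR/$REPORT" ]; then
  info "report download did not produce $TDIR/$REPORT"
  exit 1
fi

OUT="/tmp/remediate-$HN.yml"
# /tmp is shared and this name is predictable.  Refuse to write through a
# symlink that may have been planted there by another user; this narrows,
# but does not close, the window between the check and oscap opening the
# file -- on multi-user hosts prefer a private output directory.
if [ -L "$OUT" ]; then
  info "refusing to write through symlink $OUT"
  exit 1
fi

# Build the oscap command line as an array so empty options disappear
# cleanly and paths with spaces survive; argument order matches the original.
oscap_args=()
if [ -n "$TFILE" ]; then
  oscap_args+=("--tailoring-file=$TDIR/$TFILE")
fi
oscap_args+=(--fix-type ansible)
# Only "Everything" pins a profile; "Failed" leaves oscap to work from the
# report's results (behaviour of oscap without --profile -- TODO confirm).
if [ "$FAILED" = "E" ]; then
  oscap_args+=(--profile "$PROF")
fi

banner
(
  set -x
  oscap xccdf generate fix "${oscap_args[@]}" --output "$OUT" "$TDIR/$REPORT"
)
banner
highlight "Ansible Playbook is located:$N $OUT"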