diff --git a/lava-testcases/security-test/openscap/openscap.sh b/lava-testcases/security-test/openscap/openscap.sh
new file mode 100644
index 0000000..769b6f7
--- /dev/null
+++ b/lava-testcases/security-test/openscap/openscap.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+set -x
+
+
+#TEST_TMPDIR="/root/openscap"
+OUTPUT="$(pwd)/output"
+mkdir -p "$OUTPUT"
+RESULT_FILE="${OUTPUT}/result.txt"
+
+
+# 安装测试工具
+yum install -y openscap scap-security-guide
+# mkdir -p "${TEST_TMPDIR}"
+# cd "${TEST_TMPDIR}"
+
+# 获取系统版本
+cat /etc/os-release
+VERSION_ID=$(grep '^VERSION_ID=' /etc/os-release | cut -d'=' -f2 | tr -d '"')
+VERSION_NUM=$(echo "$VERSION_ID" | tr -d '.')
+echo "$VERSION_NUM"
+
+# 执行oscap扫描,输出扫描结果到oscap-result.xml文件
+#ls /usr/share/xml/scap/ssg/content/ssg-openeuler*-ds.xml
+
+oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --results oscap-result.xml /usr/share/xml/scap/ssg/content/ssg-openeuler"$VERSION_NUM"-ds.xml || TRUE
+
+# 用 xmlstarlet 提取规则 ID 和结果,转化为lava解析脚本所需出的纯文本格式(如test_name pass/fail)
+# 结果值标准化:OpenSCAP 的结果包括 pass, fail, error, notapplicable, notchecked 等,LAVA脚本支持pass|fail|skip|unknown,故需将结果文件中的notapplicable/notchecked → skip,error → fail 或 unknown
+sudo dnf install -y xmlstarlet
+xmlstarlet sel \
+ -N x="http://checklists.nist.gov/xccdf/1.2" \
+ -t \
+ -m "//x:TestResult/x:rule-result" \
+ -v "@idref" -o " " \
+ -v "@severity" -o " " \
+ -v "x:result" -n \
+ oscap-result.xml | awk '
+BEGIN {
+ # 定义 severity 到分数的映射
+ score["critical"] = 1
+ score["high"] = 2
+ score["medium"] = 3
+ score["low"] = 4
+ # 默认未定义的 severity 得分为 -1
+}
+{
+ rule = tolower( $ 1)
+ sev = tolower ($2)
+ res = tolower( $ 3)
+ if (res == "pass") out = "pass"
+ else if (res == "fail") out = "fail"
+ else if (res == "error") out = "fail"
+ else if (res ~ /^(notapplicable|notchecked|informational|notselected)$/) out = "skip"
+ else out = "unknown"
+ # 获取分数(若 severity 不存在于映射,默认为 -1)
+ s = (sev in score) ? score[sev] : -1
+ # 输出格式为 rule fail/pass 1 critical
+ print rule " " out " " s " " sev
+}' > $RESULT_FILE
+
diff --git a/lava-testcases/security-test/openscap/openscap.yaml b/lava-testcases/security-test/openscap/openscap.yaml
new file mode 100644
index 0000000..8514824
--- /dev/null
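Review bot: The `|| TRUE` after the `oscap xccdf eval` call names a command that does not exist (the shell builtin is lowercase `true`), so a failing scan prints a `command not found` error instead of being tolerated, and nothing afterwards checks that `oscap-result.xml` was actually produced; if the `ssg-openeuler"$VERSION_NUM"-ds.xml` data stream is not shipped for the detected release, `xmlstarlet` reads a nonexistent file and `$RESULT_FILE` ends up empty, which LAVA would not surface as a failure. Suggest `... || true` on that line followed by `[ -s oscap-result.xml ] || { echo "openscap-scan fail" | tee -a "$RESULT_FILE"; exit 1; }` before the `xmlstarlet` pipeline, and quoting the final redirect as `> "$RESULT_FILE"`. The package installs also mix `yum install` run directly with `sudo dnf install`; since the first already assumes the script runs as root, the `sudo` looks unintended and would break on an image without sudo installed.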
+++ b/lava-testcases/security-test/openscap/openscap.yaml
@@ -0,0 +1,21 @@
+metadata:
+ name: openscap
+ format: "Lava-Test Test Definition 1.0"
+ description: "Run fio on RISC-V device"
+ maintainer:
+ - zhangju@iscas.ac.cn
+ os:
+ - openEuler-riscv64
+ scope:
+ - security
+ devices:
+ - qemu
+ - lpi4a
+ - sg2042
+ - spacemit-k1-bananapi-f3
+run:
+ steps:
+ - cd lava-testcases/security-test/openscap
+ - bash openscap.sh
+ - chmod +x ../../utils/send-to-lava.sh
+ - ../../utils/send-to-lava.sh ./output/result.txt
diff --git a/lava-testcases/security-test/osv-scanner/osv-scanner.sh b/lava-testcases/security-test/osv-scanner/osv-scanner.sh
new file mode 100644
index 0000000..c69d582
--- /dev/null
+++ b/lava-testcases/security-test/osv-scanner/osv-scanner.sh
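Review bot: The `description` field of the openscap definition reads `"Run fio on RISC-V device"`, which appears to be carried over from the fio test and does not describe this job; the osv-scanner.yaml section later in this commit carries the same stale text. Suggest `description: "Run OpenSCAP XCCDF compliance scan on RISC-V device"` here and an osv-scanner-specific wording there, so the LAVA test listing tells a reader what each security job actually checks.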
@@ -0,0 +1,101 @@
+#!/bin/bash
+
+set -x
+
+
+#TEST_TMPDIR="/root/osv-scanner"
+OUTPUT="$(pwd)/output"
+mkdir -p "$OUTPUT"
+RESULT_FILE="${OUTPUT}/result.txt"
+
+#安装扫描工具
+dnf install -y go jq
+go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
+cp $(go env GOPATH)/bin/osv-scanner /usr/local/bin
+#mkdir -p "${TEST_TMPDIR}"
+#cd "${TEST_TMPDIR}"
+
+#执行系统软件包漏洞扫描,输出扫描结果到result.json文件中
+osv-scanner scan /var/lib/rpm --experimental-plugins os/rpm --format json --output "report.json"
+
+# 处理扫描结果为lava可识别的结果
+
+if [ ! -f "report.json" ]; then
+ echo "Error: File $RESULT_JSON not found."
+ exit 1
+fi
+
+# --- 提取包名、版本号和严重等级 ---
+data=$(jq -r '
+ .results[]? |
+ .packages[]? |
+ . as $pkg_info |
+ .vulnerabilities[]? |
+ . as $vuln |
+ select(.affected != null) |
+ .affected[]? |
+ select(.package != null and .package.name != null) |
+ # 拼接 包名-版本号 作为唯一标识,同时提取严重等级
+ "\($pkg_info.package.name)-\($pkg_info.package.version)\t\($vuln.database_specific.severity // "Unknown")"
+' "report.json")
+
+# 定义严重等级映射值
+get_severity_score() {
+ local level="$1"
+ case "$(echo "$level" | tr '[:upper:]' '[:lower:]')" in
+ critical) echo 1 ;;
+ high) echo 2 ;;
+ medium) echo 3 ;;
+ low) echo 4 ;;
+ *) echo 99 ;;
+ esac
+}
+
+score_to_level() {
+ local score="$1"
+ case "$score" in
+ 1) echo "Critical" ;;
+ 2) echo "High" ;;
+ 3) echo "Medium" ;;
+ 4) echo "Low" ;;
+ *) echo "Unknown" ;;
+ esac
+}
+
+declare -A pkg_max_score
+declare -A pkg_has_vuln
+
+# 如果 data 为空,写入 pass 并退出
+if [ -z "$data" ]; then
+ echo "osv-scanner pass" |tee -a "$RESULT_FILE"
+ exit 0
+fi
+
+# 遍历数据并聚合最高等级
+while IFS=$'\t' read -r pkg_ver severity; do
+ [ -z "$pkg_ver" ] && continue
+
+ pkg_has_vuln["$pkg_ver"]=1
+ current_score=$(get_severity_score "$severity")
+
+ if [ -z "${pkg_max_score[$pkg_ver]}" ] || [ "$current_score" -lt "${pkg_max_score[$pkg_ver]}" ]; then
+ pkg_max_score["$pkg_ver"]=$current_score
+ fi
+done <<< "$data"
+
+# 获取所有包名-版本列表
+all_packages=$(echo "$data" | cut -f1 | sort -u)
+
+for 
pkg_ver in $all_packages; do
+ if [ "${pkg_has_vuln[$pkg_ver]}" == "1" ]; then
+ # 获取该包的最高风险分数
+ max_score=${pkg_max_score[$pkg_ver]}
+ # 将分数转换为文本等级 (Critical/High/Medium/Low)
+ level_text=$(score_to_level "$max_score")
+ # 这里我们将 分数 作为 measurement, 等级文本 作为units
+ # 输出格式: pkg-ver fail 1 Critical
+ echo "${pkg_ver} fail ${max_score} ${level_text}" | tee -a "$RESULT_FILE"
+ else
+ echo "${pkg_ver} pass 0 None" | tee -a "$RESULT_FILE"
+ fi
+done
diff --git a/lava-testcases/security-test/osv-scanner/osv-scanner.yaml b/lava-testcases/security-test/osv-scanner/osv-scanner.yaml
new file mode 100644
index 0000000..92a46c5
--- /dev/null
+++ b/lava-testcases/security-test/osv-scanner/osv-scanner.yaml
@@ -0,0 +1,21 @@
+metadata:
+ name: osv-scanner
+ format: "Lava-Test Test Definition 1.0"
+ description: "Run fio on RISC-V device"
+ maintainer:
+ - zhangju@iscas.ac.cn
+ os:
+ - openEuler-riscv64
+ scope:
+ - security
+ devices:
+ - qemu
+ - lpi4a
+ - sg2042
+ - spacemit-k1-bananapi-f3
+run:
+ steps:
+ - cd lava-testcases/security-test/osv-scanner
+ - bash osv-scanner.sh
+ - chmod +x ../../utils/send-to-lava.sh
+ - ../../utils/send-to-lava.sh ./output/result.txt
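Review bot: The empty-`data` branch reports `osv-scanner pass` without distinguishing "no vulnerabilities found" from "the jq extraction failed", because the exit status of the `jq` command substitution is never examined; a malformed `report.json` or a jq filter error therefore fails open and publishes a passing result to LAVA. Suggest capturing the status, `data=$(jq -r '...' "report.json") || { echo "osv-scanner fail" | tee -a "$RESULT_FILE"; exit 1; }`, before the `[ -z "$data" ]` test. The missing-file message expands `$RESULT_JSON`, which is never assigned in this script (the file is `report.json`), so it prints an empty name; `echo "Error: File report.json not found."` is what was meant. Separately, `go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest` fetches an unpinned scanner build from the network at test time, so the tool version (and with it the scan output) can change between runs; pinning a reviewed release tag (`@<PINNED_VERSION>` as a placeholder) would make the scanner version explicit and the job reproducible.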