#!/usr/bin/env python3
# Cross-check the CCI references carried by rules in the built RHEL 9 SCAP
# datastream against the CCIs that the DISA STIG manual assigns to the same
# STIG IDs, and print every rule where the two sets differ.
#
# Build the rhel9 content before running this script; both input paths are
# relative to the current working directory.
#
# NOTE: xml.etree.ElementTree is not hardened against maliciously constructed
# XML. Both inputs read here are local files (the STIG manual under
# shared/references and the datastream under build/); keep them local.
# NOTE(review): findings are only printed; nothing in this script sets a
# non-zero exit status when a mismatch is found, so an automated job has to
# inspect the output.

import xml.etree.ElementTree as ET

STIG_MANUAL_PATH = 'shared/references/disa-stig-rhel9-v2r1-xccdf-manual.xml'
SSG_DATASTREAM_PATH = 'build/ssg-rhel9-ds.xml'

# Lookups inside the DISA manual (elements in the XCCDF 1.1 namespace).
STIG_RULE_XPATH = './/{http://checklists.nist.gov/xccdf/1.1}Rule'
STIG_VERSION_XPATH = './/{http://checklists.nist.gov/xccdf/1.1}version'
STIG_CCI_IDENT_XPATH = ".//{http://checklists.nist.gov/xccdf/1.1}ident[@system='http://cyber.mil/cci']"
STIG_TITLE_XPATH = './/{http://checklists.nist.gov/xccdf/1.1}title'

# Lookups inside the built datastream (elements in the XCCDF 1.2 namespace).
# References are told apart by their href: one value marks STIG IDs, the
# other marks CCIs.
SSG_RULE_XPATH = './/{http://checklists.nist.gov/xccdf/1.2}Rule'
SSG_STIGID_REF_XPATH = "./{http://checklists.nist.gov/xccdf/1.2}reference[@href='https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux']"
SSG_CCI_REF_XPATH = "./{http://checklists.nist.gov/xccdf/1.2}reference[@href='https://public.cyber.mil/stigs/cci/']"

# stigid -> list of CCIs listed for that rule in the STIG manual
stigidtocci = {}
# stigid -> title of that rule in the STIG manual
stigidtotitle = {}

# Index the STIG manual: the text of a rule's <version> element is used as
# the STIG ID key for both dictionaries.
stigtree = ET.parse(STIG_MANUAL_PATH)
stigroot = stigtree.getroot()
for rule in stigroot.findall(STIG_RULE_XPATH):
    stigid = rule.find(STIG_VERSION_XPATH).text
    rule_ccis = [ident.text for ident in rule.findall(STIG_CCI_IDENT_XPATH)]
    rule_title = rule.find(STIG_TITLE_XPATH).text
    stigidtocci[stigid] = rule_ccis
    stigidtotitle[stigid] = rule_title

# Walk the rules of the built content and compare their CCI references with
# what the manual lists for the STIG IDs they reference.
ssgtree = ET.parse(SSG_DATASTREAM_PATH)
ssgroot = ssgtree.getroot()
for ssgrule in ssgroot.findall(SSG_RULE_XPATH):
    rulename = ssgrule.attrib["id"]
    stigids = [ref.text for ref in ssgrule.findall(SSG_STIGID_REF_XPATH)]
    if not stigids:
        continue  # rule has no stigids

    # CCIs the content attaches to this rule.
    ccis = {ref.text for ref in ssgrule.findall(SSG_CCI_REF_XPATH)}

    # CCIs (and titles) the manual attaches to every STIG ID of this rule.
    ccis_from_stig = set()
    stig_guide_titles = []
    for stigid in stigids:
        try:
            manual_ccis = stigidtocci[stigid]
            manual_title = stigidtotitle[stigid]
        except KeyError:
            # An unknown STIG ID contributes no CCIs to ccis_from_stig.
            print(f"{rulename} contains stigid which does not exist in the original stig guide.")
        else:
            ccis_from_stig.update(manual_ccis)
            stig_guide_titles.append(manual_title)

    # Set equality: both missing and surplus CCIs count as a mismatch.
    if ccis == ccis_from_stig:
        continue
    print(f"{rulename} seems to not have matching ccis when compared to original stig guide.")
    print(f"Stigid(s) from content: {stigids}")
    print(f"Related rule titles from original stig guide: {','.join(stig_guide_titles)}")
    print(f"CCIs from content: {ccis}")
    print(f"CCIs from stig guide: {ccis_from_stig}")