added initial firewall check script in python

@lhicks @gvolz

To test, run: saltstack/srg/firewall/check-stig.pfsense.py --help

This will print out all the STIG rules.

srg/firewall/check-stig-pfsense.py

@@ -4,6 +4,8 @@ import sys
 import os
 import csv
 import logging
+import shutil
+# custom made python module with helper methods
 import util
 
 SCRIPT_DIR = os.path.dirname(os.path.abspath(sys.argv[0]))
@@ -12,13 +14,32 @@ SCRIPT_DIR = os.path.dirname(os.path.abspath(sys.argv[0]))
 def sanitize(s):
     return s.replace("%", "%%")
 
-def print_findings(logging, findings):
+def print_findings(vuln, xml_out, findings):
+    '''
+    from srg.sh
+    export vuln
+    export comments=$(cat stdout)
+    export details=$(cat stderr)
+    perl -i -0pe 's/(?<=$ENV{vuln})(.*?)<COMMENTS><\/COMMENTS>/$1<COMMENTS>$ENV{comments}<\/COMMENTS>/s' $checklist
+    perl -i -0pe 's/(?<=$ENV{vuln})(.*?)<FINDING_DETAILS><\/FINDING_DETAILS>/$1<FINDING_DETAILS>$ENV{details}<\/FINDING_DETAILS>/s' $checklist
+    if [ ! -z "$details"  ]; then
+        perl -i -0pe 's/(?<=$ENV{vuln})(.*?)<STATUS>Not_Reviewed<\/STATUS>/$1<STATUS>Open<\/STATUS>/s' $checklist
+    else
+        perl -i -0pe 's/(?<=$ENV{vuln})(.*?)<STATUS>Not_Reviewed<\/STATUS>/$1<STATUS>NotAFinding<\/STATUS>/s' $checklist
+    '''
     # logging.info('Findings        : {}\n'.format(findings))
+    comments = "perl -i -0pe 's/(?<={})(.*?)<COMMENTS><\/COMMENTS>/$1<COMMENTS>{}<\/COMMENTS>/s' {}"
+    finding_details = "perl -i -0pe 's/(?<={})(.*?)<FINDING_DETAILS><\/FINDING_DETAILS>/$1<FINDING_DETAILS>{}<\/FINDING_DETAILS>/s' {}"
+    status = "perl -i -0pe 's/(?<={})(.*?)<STATUS>Not_Reviewed<\/STATUS>/$1<STATUS>{}<\/STATUS>/s' {}"
+    os.system(comments.format(vuln, findings, xml_out))
     if findings.finding != util.PASS:
         print(findings, file=sys.stderr)
+        os.system(finding_details.format(vuln, findings, xml_out))
+        os.system(status.format(vuln, "Open", xml_out))
     else:
         # print(findings, file=sys.stdout)
         print("NotAFinding", file=sys.stdout)
+        os.system(status.format(vuln, "NotAFinding", xml_out))
 
 def main():
 
@@ -56,7 +77,10 @@ def main():
         ch2 = logging.StreamHandler(open(log_filename, "w"))
         root.addHandler(ch1)
         root.addHandler(ch2)
-        out = open("firewall.ckl", "w")
+        xml_out = "FIREWALL.ckl"
+        if os.path.exists(xml_out):
+            os.remove(xml_out)
+        shutil.copy("./FIREWALL_SRG_TEMPLATE.ckl", xml_out)
         if len(sys.argv[1:]) == 0:
             parser.print_help()
             sys.exit()
@@ -70,15 +94,15 @@ def main():
                 rule_module = __import__(rule)
                 logging.info('Vulnerability ID: {}'.format(rule))
                 logging.info('Description     : {}'.format(desc))
-                findings = rule_module.run(out)
-                print_findings(logging, findings)
+                findings = rule_module.run(None)
+                print_findings(rule, xml_out, findings)
             else:
                 if args.__dict__[rule.replace("-", "_")]:
                     rule_module = __import__(rule)
                     logging.info('Vulnerability ID: {}'.format(rule))
                     logging.info('Description     : {}'.format(desc))
-                    findings = rule_module.run(out)
-                    print_findings(logging, findings)
+                    findings = rule_module.run(None)
+                    print_findings(rule, xml_out, findings)
 
 if __name__ == "__main__":
     main()