openscap-report/generate_arf.sh

112 lines
2.3 KiB
Bash
Raw Normal View History

2024-05-16 15:59:50 +00:00
#!/usr/bin/env bash
# This script generates ARF results.
# Supported OS:
# - Fedora
# - RHEL8/9
# - Centos8/9
# Requirements:
# - cmake
# - make
# - openscap-utils
# - openscap-scanner
# - python3-pyyaml
# - python3-jinja2
# - python3-setuptools
# - git
# - scap-security-guide
# Usage: ./generate_arf MODE FETCH PRODUCT ARF_FILE SKIP_BUILD
# MODE [latest, ssg] use scap-security-guide or latest content from github
# FETCH [yes, no] scanner fetch remote resources
# ARF_FILE Writes results to a given ARF_FILE.
# SKIP_BUILD [yes] Skip build of latest content(Have affect with mode latest).
set -e -o pipefail
build_content() {
product=$1
echo "Build - Start"
git clone https://github.com/ComplianceAsCode/content.git
cd content/
git checkout master
cd build/
cmake ../
make -j4 "${product}"
cd ../../
echo "Build - Done"
}
run_oscap_scan() {
ds=$1
fetch=$2
file=$3
echo "Scans - Start"
oscap xccdf eval ${fetch} --profile "(all)" --results-arf ${file} ${ds} || EXIT_CODE=$?
echo $EXIT_CODE
if [ ! -f "$file" ]; then
echo "$file does not exist."
exit 2
fi
}
get_product() {
cpe_name=$(grep "CPE_NAME=" < /etc/os-release | sed 's/CPE_NAME=//g' | sed 's/["]//g')
if [[ "${cpe_name}" =~ fedora ]]; then
echo "fedora"
elif [[ "${cpe_name}" =~ redhat.*8 ]]; then
echo "rhel8"
elif [[ "${cpe_name}" =~ redhat.*9 ]]; then
echo "rhel9"
elif [[ "${cpe_name}" =~ centos.*8 ]]; then
echo "centos8"
elif [[ "${cpe_name}" =~ centos.*9 ]]; then
echo "cs9"
else
echo $cpe_name
echo "ERROR: Not supported OS!"
exit 1
fi
}
if [ "$1" = "" ]; then
echo "ERROR: Missing MODE parameter!"
exit 1
fi
if [ "$2" = "" ]; then
echo "ERROR: Missing FETCH parameter!"
exit 1
fi
if [ "$3" = "" ]; then
echo "ERROR: Missing ARF_FILE parameter!"
exit 1
fi
file=$3
product=$(get_product)
fetch="--fetch-remote-resources"
if [ "$2" = "no" ]; then
fetch=""
fi
if [ "$1" = "latest" ]; then
if [ "$4" != "yes" ]; then
build_content "${product}"
fi
run_oscap_scan "./content/build/ssg-${product}-ds.xml" "${fetch}" "${file}"
fi
if [ "$1" = "ssg" ]; then
run_oscap_scan "/usr/share/xml/scap/ssg/content/ssg-${product}-ds.xml" "${fetch}" "${file}"
fi