diff --git a/generate_arf.sh b/generate_arf.sh
new file mode 100755
index 0000000..8305160
--- /dev/null
+++ b/generate_arf.sh
@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+# This script generate ARF results.
+# Requirements:
+# - cmake
+# - make
+# - openscap-utils
+# - openscap-scanner
+# - python3-pyyaml
+# - python3-jinja2
+# - python3-setuptools
+# - git
+# - scap-security-guide
+# Usage: ./generate_arf MODE FETCH PRODUCT ARF_FILE SKIP_BUILD
+# MODE [latest, ssg] use scap-security-guide or latest content from github
+# FETCH [yes, no] scanner fetch remote resources
+# PRODUCT build or use security content for one specific product
+# ARF_FILE Writes results to a given ARF_FILE.
+# SKIP_BUILD [yes] Skip build of latest content(Have affect with mode latest).
+
+
+set -e -o pipefail
+
+
+build_content() {
+ product=$1
+
+ echo "Build - Start"
+
+ git clone https://github.com/ComplianceAsCode/content.git
+ cd content/
+ git checkout master
+
+ ./build_product "${product}"
+ cd ..
+ echo "Build - Done"
+}
+
+run_oscap_scan() {
+ ds=$1
+ fetch=$2
+ file=$3
+ echo "Scans - Start"
+ oscap xccdf eval ${fetch} --profile "(all)" --results-arf ${file} ${ds} || EXIT_CODE=$?
+ echo $EXIT_CODE
+ if [ ! -f "$file" ]; then
+ echo "$file does not exist."
+ exit 2
+ fi
+}
+
+
+if [ "$1" = "" ]; then
+ echo "ERROR: Missing MODE parameter!"
+ exit 1
+fi
+
+
+if [ "$2" = "" ]; then
+ echo "ERROR: Missing FETCH parameter!"
+ exit 1
+fi
+
+
+if [ "$3" = "" ]; then
+ echo "ERROR: Missing PRODUCT parameter!"
+ exit 1
+fi
+
+if [ "$4" = "" ]; then
+ echo "ERROR: Missing PRODUCT parameter!"
+ exit 1
+fi
+
+file=$4
+product=$3
+
+fetch="--fetch-remote-resources"
+if [ "$2" = "no" ]; then
+ fetch=""
+fi
+
+
+if [ "$1" = "latest" ]; then
+ if [ "$5" != "yes" ]; then
+ build_content "${product}"
+ fi
+ run_oscap_scan "./content/build/ssg-${product}-ds.xml" "${fetch}" "${file}"
+fi
+
+if [ "$1" = "ssg" ]; then
+ run_oscap_scan "/usr/share/xml/scap/ssg/content/ssg-${product}-ds.xml" "${fetch}" "${file}"
+fi
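Review bot: The fourth argument check reports the wrong parameter: under `if [ "$4" = "" ]; then` the message `echo "ERROR: Missing PRODUCT parameter!"` should read `echo "ERROR: Missing ARF_FILE parameter!"`, since `$4` is ARF_FILE per the usage header. In run_oscap_scan, `${file}` and `${ds}` are unquoted on the oscap line and `EXIT_CODE` is never initialised, so `echo $EXIT_CODE` prints an empty line when the scan succeeds; `EXIT_CODE=0` before the call and `--results-arf "${file}" "${ds}"` fix both (leaving `${fetch}` unquoted is presumably deliberate so an empty FETCH value adds no argument). oscap xccdf eval exits 2 when at least one rule fails and 1 on a scanner error, but the function only checks that the results file exists, so a scanner error that still wrote a partial ARF is reported as success; `[ "$EXIT_CODE" -eq 1 ] && exit 1` after the scan would surface it. build_content checks out `master` and then runs `./build_product` from that clone, so both the content scanned and the build code executed are whatever upstream HEAD is at run time; pinning a release tag or commit (`git checkout "<PINNED_REF>"`) would make the generated ARF reproducible and reviewable. An unrecognised MODE also falls through both `if` blocks and exits 0 without scanning; an `else` arm that prints an error and runs `exit 1` would catch the typo case.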