0478061f62
Upstream tag: v0.2.5 Upstream commit: 961a0636 If you need to make any change to this pull request, you need to fetch its source branch locally and push it (with the fix) to your fork (it is not possible to push to the branch created in Packit's fork): ``` git fetch https://src.fedoraproject.org/forks/packit/rpms/openscap-report.git refs/heads/*:refs/remotes/packit/* git checkout packit/0.2.5-rawhide-update-propose_downstream ```
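#!/usr/bin/env bash
# This script generates ARF results.
# Supported OS:
# - Fedora
# - RHEL8/9
# - CentOS 8/9
# Requirements:
# - cmake
# - make
# - openscap-utils
# - openscap-scanner
# - python3-pyyaml
# - python3-jinja2
# - python3-setuptools
# - git
# - scap-security-guide
# Usage: ./generate_arf MODE FETCH ARF_FILE [SKIP_BUILD]
# MODE [latest, ssg] use scap-security-guide or latest content from github
# FETCH [yes, no] scanner fetch remote resources
# ARF_FILE Writes results to a given ARF_FILE.
# SKIP_BUILD [yes] Skip build of latest content (has effect only with MODE latest).
#
# Positional parameters are MODE=$1, FETCH=$2, ARF_FILE=$3, SKIP_BUILD=$4.
# The product (ssg-<product>-ds.xml) is detected from /etc/os-release by
# get_product; it is not passed on the command line.

# -e: abort on the first failing command; -o pipefail: a failing stage fails
# its pipeline. -u is deliberately not set because SKIP_BUILD ($4) is optional.
set -e -o pipefail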
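# Clone ComplianceAsCode/content and build the SCAP datastream for one product.
# The checkout is the unpinned tip of 'master', so the datastream (and the
# scan made from it) reflects whatever upstream HEAD is at run time.
# Arguments: $1 - product name (e.g. fedora, rhel9), as returned by get_product
# Outputs:   the datastream the caller reads from ./content/build/ssg-<product>-ds.xml
# Returns:   non-zero (and, under set -e, exits) if the clone or the build fails
build_content() {
  local product=$1

  echo "Build - Start"

  git clone https://github.com/ComplianceAsCode/content.git
  # Build in a subshell so the caller's working directory is left untouched
  # even when a step fails part-way through.
  (
    cd content/ || exit 1
    git checkout master
    cd build/ || exit 1
    cmake ../
    make -j4 "${product}"
  )

  echo "Build - Done"
}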
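# Run an XCCDF evaluation of a datastream and write the ARF results.
# Arguments: $1 - path to the SCAP source datastream (ssg-<product>-ds.xml)
#            $2 - "--fetch-remote-resources" or empty
#            $3 - path of the ARF results file to write
# Outputs:   progress and the oscap exit code on stdout; an error on stderr
#            when no results file was produced
# Returns:   0 if the results file exists afterwards; exits 2 otherwise
run_oscap_scan() {
  local ds=$1
  local fetch=$2
  local file=$3
  local rc=0

  # Build argv as an array so every element is quoted; an empty FETCH must
  # disappear rather than be passed to oscap as an empty-string argument.
  local -a args=(xccdf eval)
  if [[ -n "${fetch}" ]]; then
    args+=("${fetch}")
  fi
  args+=(--profile "(all)" --results-arf "${file}" "${ds}")

  echo "Scans - Start"
  # oscap exits 2 when at least one rule failed or is unknown; that is still a
  # valid ARF result, so capture the status instead of aborting under set -e.
  # Exit code 1 means the scan itself errored.
  oscap "${args[@]}" || rc=$?
  echo "Scans - Done (oscap exit code ${rc})"

  if [[ ! -f "${file}" ]]; then
    echo "${file} does not exist." >&2
    exit 2
  fi
}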
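# Detect the SSG product name of the running OS from CPE_NAME in os-release.
# Arguments: $1 - (optional) path to an os-release file; default /etc/os-release
# Outputs:   one of fedora, rhel8, rhel9, centos8, cs9 on stdout
# Returns:   1, with a message on stderr, if CPE_NAME is missing or unsupported
get_product() {
  local os_release=${1:-/etc/os-release}
  local line
  local cpe_name=""

  # Read the file rather than sourcing it: only one value is wanted and
  # nothing from it should be executed.
  while IFS= read -r line || [[ -n "${line}" ]]; do
    if [[ "${line}" == CPE_NAME=* ]]; then
      cpe_name=${line#CPE_NAME=}
      cpe_name=${cpe_name//\"/}
    fi
  done < "${os_release}"

  # Diagnostics go to stderr: callers capture stdout as the product name.
  if [[ -z "${cpe_name}" ]]; then
    echo "ERROR: CPE_NAME not found in ${os_release}!" >&2
    return 1
  fi

  # The major version must directly follow the vendor/product part of the CPE
  # (":8" / "::9"), so a minor version such as 9.8 cannot match the 8 branch.
  if [[ "${cpe_name}" =~ fedora ]]; then
    echo "fedora"
  elif [[ "${cpe_name}" =~ redhat:enterprise_linux:+8 ]]; then
    echo "rhel8"
  elif [[ "${cpe_name}" =~ redhat:enterprise_linux:+9 ]]; then
    echo "rhel9"
  elif [[ "${cpe_name}" =~ centos:centos:+8 ]]; then
    echo "centos8"
  elif [[ "${cpe_name}" =~ centos:centos:+9 ]]; then
    echo "cs9"
  else
    echo "${cpe_name}" >&2
    echo "ERROR: Not supported OS!" >&2
    return 1
  fi
}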
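# ---- main ------------------------------------------------------------------
# Positional parameters: MODE FETCH ARF_FILE [SKIP_BUILD]. The product is
# detected from the running OS, not passed in.
mode=$1
fetch_param=$2
file=$3
skip_build=$4

# Usage errors go to stderr so they are not mistaken for scan output.
if [ -z "${mode}" ]; then
  echo "ERROR: Missing MODE parameter!" >&2
  exit 1
fi

if [ -z "${fetch_param}" ]; then
  echo "ERROR: Missing FETCH parameter!" >&2
  exit 1
fi

if [ -z "${file}" ]; then
  echo "ERROR: Missing ARF_FILE parameter!" >&2
  exit 1
fi

product=$(get_product) || exit 1

# Only an explicit "no" disables fetching remote resources; any other FETCH
# value keeps the scanner's remote fetch enabled.
fetch="--fetch-remote-resources"
if [ "${fetch_param}" = "no" ]; then
  fetch=""
fi

case "${mode}" in
  latest)
    # SKIP_BUILD=yes reuses an existing ./content checkout and build.
    if [ "${skip_build}" != "yes" ]; then
      build_content "${product}"
    fi
    run_oscap_scan "./content/build/ssg-${product}-ds.xml" "${fetch}" "${file}"
    ;;
  ssg)
    run_oscap_scan "/usr/share/xml/scap/ssg/content/ssg-${product}-ds.xml" "${fetch}" "${file}"
    ;;
  *)
    # Previously an unknown MODE ran nothing and exited 0 without producing
    # an ARF file; fail loudly instead.
    echo "ERROR: Unknown MODE '${mode}' (expected latest or ssg)!" >&2
    exit 1
    ;;
esac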