#!/usr/bin/env bash
# This script generates ARF results.
#
# Requirements:
# - cmake
# - make
# - openscap-utils
# - openscap-scanner
# - python3-pyyaml
# - python3-jinja2
# - python3-setuptools
# - git
# - scap-security-guide
#
# Usage: ./generate_arf MODE FETCH PRODUCT ARF_FILE SKIP_BUILD
# MODE       [latest, ssg] use scap-security-guide or the latest content from GitHub
# FETCH      [yes, no] let the scanner fetch remote resources
# PRODUCT    build or use security content for one specific product
# ARF_FILE   write results to the given ARF_FILE
# SKIP_BUILD [yes] skip the build of the latest content (only has an effect with MODE latest)
# Abort on the first failing command and let a failing stage fail the whole
# pipeline. Note that -e does not apply to commands tested by if/&&/||, so the
# functions below still have to handle the statuses they care about explicitly.
set -e -o pipefail
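#######################################
# Clone the ComplianceAsCode content repository into ./content and build the
# data stream for one product.
# Arguments: $1 - product name (the PRODUCT positional parameter)
# Outputs:   progress messages on stdout; the built data stream is expected
#            under ./content/build/ by the caller
# Returns:   0 on success; exits 1 when no product is given or when the
#            clone, checkout or build fails
#######################################
build_content() {
    local product=$1
    if [[ -z "$product" ]]; then
        printf 'ERROR: build_content requires a product name\n' >&2
        exit 1
    fi
    echo "Build - Start"
    # NOTE: this builds whatever is currently on master; no revision is pinned
    # or verified, so two runs may build different content. The clone fails if
    # ./content already exists (use SKIP_BUILD=yes to reuse it).
    git clone https://github.com/ComplianceAsCode/content.git
    # Build in a subshell so the caller's working directory is left untouched
    # even when a step inside fails.
    (
        cd content/ || exit 1
        git checkout master
        ./build_product "${product}"
    ) || {
        printf 'ERROR: building content for %s failed\n' "$product" >&2
        exit 1
    }
    echo "Build - Done"
}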
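#######################################
# Evaluate a SCAP data stream with oscap and write an ARF result file.
# Globals:   EXIT_CODE (written) - exit status of the oscap invocation
# Arguments: $1 - path to the SCAP source data stream (ssg-*-ds.xml)
#            $2 - extra scanner option, "--fetch-remote-resources" or empty;
#                 nothing is passed to oscap when it is empty
#            $3 - path of the ARF file to write
# Outputs:   progress messages and the oscap exit status on stdout
# Returns:   0 when the ARF file was produced; exits 2 when it was not
#######################################
run_oscap_scan() {
    local ds=$1
    local fetch=$2
    local file=$3
    # Only add the option when it is non-empty: a quoted empty "$fetch" would
    # hand oscap an empty argument, while an unquoted one would word-split
    # the paths as well.
    local -a scan_opts=()
    if [[ -n "$fetch" ]]; then
        scan_opts+=("$fetch")
    fi
    echo "Scans - Start"
    # oscap reports an evaluation that completed with failed rules through a
    # non-zero status (2), so the status must not abort the script under
    # set -e; record it and judge success by the presence of the result file.
    # Initialise first so a passing scan reports 0 instead of an empty value.
    EXIT_CODE=0
    oscap xccdf eval "${scan_opts[@]}" --profile "(all)" --results-arf "$file" "$ds" || EXIT_CODE=$?
    echo "$EXIT_CODE"
    if [[ ! -f "$file" ]]; then
        echo "$file does not exist." >&2
        exit 2
    fi
}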
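# --- argument handling ------------------------------------------------------
# Positional parameters (see the header comment): MODE FETCH PRODUCT ARF_FILE
# [SKIP_BUILD]. Diagnostics go to stderr; a missing or unknown value exits 1.
if [[ -z "$1" ]]; then
    echo "ERROR: Missing MODE parameter!" >&2
    exit 1
fi

if [[ -z "$2" ]]; then
    echo "ERROR: Missing FETCH parameter!" >&2
    exit 1
fi

if [[ -z "$3" ]]; then
    echo "ERROR: Missing PRODUCT parameter!" >&2
    exit 1
fi

if [[ -z "$4" ]]; then
    echo "ERROR: Missing ARF_FILE parameter!" >&2
    exit 1
fi

mode=$1
file=$4
product=$3

# Any FETCH value other than "no" lets oscap download remote resources
# referenced by the data stream during the scan, so the result then depends on
# network reachability and on the remote source being trustworthy.
fetch="--fetch-remote-resources"
if [[ "$2" == "no" ]]; then
    fetch=""
fi

case "$mode" in
    latest)
        # SKIP_BUILD=yes reuses ./content/build from an earlier run instead of
        # cloning and building again.
        if [[ "$5" != "yes" ]]; then
            build_content "${product}"
        fi
        run_oscap_scan "./content/build/ssg-${product}-ds.xml" "${fetch}" "${file}"
        ;;
    ssg)
        # Use the data stream shipped by the scap-security-guide package.
        run_oscap_scan "/usr/share/xml/scap/ssg/content/ssg-${product}-ds.xml" "${fetch}" "${file}"
        ;;
    *)
        # Reject unknown modes instead of silently doing nothing and exiting 0.
        echo "ERROR: Unknown MODE '${mode}' (expected latest or ssg)!" >&2
        exit 1
        ;;
esac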