diff --git a/.gitignore b/.gitignore
index 300dd31..08fa126 100644
--- a/.gitignore
+++ b/.gitignore
@@ -40,3 +40,4 @@
 /scap-security-guide-0.1.54.tar.bz2
 /scap-security-guide-0.1.55.tar.bz2
 /scap-security-guide-0.1.56.tar.bz2
+/scap-security-guide-0.1.57.tar.bz2
diff --git a/scap-security-guide-0.1.57-build-system-pr-7025.patch b/scap-security-guide-0.1.57-build-system-pr-7025.patch
deleted file mode 100644
index fd69a4b..0000000
--- a/scap-security-guide-0.1.57-build-system-pr-7025.patch
+++ /dev/null
@@ -1,477 +0,0 @@
-From aae5be64cdeb4a41caa3f3273342373cc4f4e9b2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Wed, 19 May 2021 18:01:14 +0200
-Subject: [PATCH 1/4] Add options for building Ansible and Bash content
-
-This patch adds 2 new options SSG_ANSIBLE_PLAYBOOKS_ENABLED and
-SSG_BASH_SCRIPTS_ENABLED which will allow user to turn on or off
-building and installing profile Bash remediation scripts and profile
-Ansible Playbooks. They are enabled by default, therefore the default
-behavior doesn't change, but people can turn them off to speed up the
-build. These options can be useful when calling cmake in downstream spec
-files.
----
- CMakeLists.txt | 4 +++
- cmake/SSGCommon.cmake | 60 +++++++++++++++++++++++--------------------
- 2 files changed, 36 insertions(+), 28 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 32a0ddd240a..c309efde9bd 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -46,6 +46,8 @@ option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck vali
- option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE)
- option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the SVG SCAP Security Guide logo." TRUE)
- option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE)
-+option(SSG_ANSIBLE_PLAYBOOKS_ENABLED "If enabled, Ansible Playbooks for each profile will be built and installed." TRUE)
-+option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE)
- option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
- option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
- set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
-@@ -240,6 +242,8 @@ message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENA
- message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}")
- message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}")
- message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}")
-+message(STATUS "Ansible Playbooks: ${SSG_ANSIBLE_PLAYBOOKS_ENABLED}")
-+message(STATUS "Bash scripts: ${SSG_BASH_SCRIPTS_ENABLED}")
- if (SSG_JINJA2_CACHE_ENABLED)
- message(STATUS "jinja2 cache: enabled")
- message(STATUS "jinja2 cache dir: ${SSG_JINJA2_CACHE_DIR}")
-diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
-index 889c0cf1d3c..9b109f86b9f 100644
---- a/cmake/SSGCommon.cmake
-+++ b/cmake/SSGCommon.cmake
-@@ -789,7 +789,7 @@ macro(ssg_build_product PRODUCT)
-
- add_dependencies(zipfile "generate-ssg-${PRODUCT}-ds.xml")
-
-- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
-+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_ENABLED)
- add_dependencies(
- ${PRODUCT}-content
- generate-${PRODUCT}-ansible-playbooks
-@@ -803,7 +803,7 @@ macro(ssg_build_product PRODUCT)
- add_dependencies(zipfile ${PRODUCT}-profile-playbooks)
- endif()
-
-- if ("${PRODUCT_BASH_REMEDIATION_ENABLED}")
-+ if ("${PRODUCT_BASH_REMEDIATION_ENABLED}" AND SSG_BASH_SCRIPTS_ENABLED)
- ssg_build_profile_bash_scripts(${PRODUCT})
- add_custom_target(
- ${PRODUCT}-profile-bash-scripts
-@@ -873,30 +873,34 @@ macro(ssg_build_product PRODUCT)
- endif()
- "
- )
-- install(
-- CODE "
-- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/ansible/${PRODUCT}-playbook-*.yml\") \n
-- if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR})
-- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}\"
-- TYPE FILE FILES \${ROLE_FILES})
-- else()
-- file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}\"
-- TYPE FILE FILES \${ROLE_FILES})
-- endif()
-- "
-- )
-- install(
-- CODE "
-- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/bash/${PRODUCT}-script-*.sh\") \n
-- if(NOT IS_ABSOLUTE ${SSG_BASH_ROLE_INSTALL_DIR})
-- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_BASH_ROLE_INSTALL_DIR}\"
-- TYPE FILE FILES \${ROLE_FILES})
-- else()
-- file(INSTALL DESTINATION \"${SSG_BASH_ROLE_INSTALL_DIR}\"
-- TYPE FILE FILES \${ROLE_FILES})
-- endif()
-- "
-- )
-+ if(SSG_ANSIBLE_PLAYBOOKS_ENABLED)
-+ install(
-+ CODE "
-+ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/ansible/${PRODUCT}-playbook-*.yml\") \n
-+ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR})
-+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}\"
-+ TYPE FILE FILES \${ROLE_FILES})
-+ else()
-+ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}\"
-+ TYPE FILE FILES \${ROLE_FILES})
-+ endif()
-+ "
-+ )
-+ endif()
-+ if(SSG_BASH_SCRIPTS_ENABLED)
-+ install(
-+ CODE "
-+ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/bash/${PRODUCT}-script-*.sh\") \n
-+ if(NOT IS_ABSOLUTE ${SSG_BASH_ROLE_INSTALL_DIR})
-+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_BASH_ROLE_INSTALL_DIR}\"
-+ TYPE FILE FILES \${ROLE_FILES})
-+ else()
-+ file(INSTALL DESTINATION \"${SSG_BASH_ROLE_INSTALL_DIR}\"
-+ TYPE FILE FILES \${ROLE_FILES})
-+ endif()
-+ "
-+ )
-+ endif()
-
- # grab all the kickstarts (if any) and install them
- file(GLOB KICKSTART_FILES "${CMAKE_CURRENT_SOURCE_DIR}/kickstart/ssg-${PRODUCT}-*-ks.cfg")
-@@ -968,7 +972,7 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
-
- ssg_build_html_guides(${DERIVATIVE})
-
-- if ("${PRODUCT_BASH_REMEDIATION_ENABLED}")
-+ if ("${PRODUCT_BASH_REMEDIATION_ENABLED}" AND SSG_BASH_SCRIPTS_ENABLED)
- ssg_build_profile_bash_scripts(${DERIVATIVE})
- add_custom_target(
- ${DERIVATIVE}-profile-bash-scripts
-@@ -977,7 +981,7 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
- add_dependencies(${DERIVATIVE} ${DERIVATIVE}-profile-bash-scripts)
- endif()
-
-- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
-+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_ENABLED)
- ssg_build_profile_playbooks(${DERIVATIVE})
- add_custom_target(
- ${DERIVATIVE}-profile-playbooks
-
-From c7c7baa84ce722304224373c556a2d03edb0f76c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Thu, 20 May 2021 09:14:21 +0200
-Subject: [PATCH 2/4] Do not build HTML guide for the virtual default profile
-
-The virtual '(default)' profile is a profile that doesn't contain
-any rules, so the built HTML guide also doesn't contain any rules
-which means it contains only group descriptions. This HTML guide
-has no use for the users and it only increases the built size.
----
- ssg/build_guides.py | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/ssg/build_guides.py b/ssg/build_guides.py
-index 3b2a9469240..2e37d80eef3 100644
---- a/ssg/build_guides.py
-+++ b/ssg/build_guides.py
-@@ -105,10 +105,6 @@ def get_benchmark_profile_pairs(input_tree, benchmarks):
- for benchmark_id in benchmarks.keys():
- profiles = get_profile_choices_for_input(input_tree, benchmark_id,
- None)
--
-- # add the default profile
-- profiles[""] = "(default)"
--
- for profile_id in profiles:
- pair = (benchmark_id, profile_id, profiles[profile_id])
- benchmark_profile_pairs.append(pair)
-
-From f2c265013dd5fe75fd47c8ce7afe9e2ecc7cf16f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Thu, 20 May 2021 09:49:51 +0200
-Subject: [PATCH 3/4] Add option to disable SCAP 1.2 data streams
-
-This commit adds a new option that enables to turn on building
-the SCAP 1.2 source data streams (ssg-*-ds-1.2.xml). This option
-will help people who don't want to build and ship this file.
-The default setting is TRUE which means the default behavior
-shouldn't change.
----
- CMakeLists.txt | 2 +
- cmake/SSGCommon.cmake | 100 +++++++++++++++++++++++++++---------------
- 2 files changed, 67 insertions(+), 35 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index c309efde9bd..55b991cedfa 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -41,6 +41,7 @@ set(SSG_TARGET_OVAL_MINOR_VERSION "11" CACHE STRING "Which minor version of OVAL
-
- set(SSG_TARGET_OVAL_VERSION "${SSG_TARGET_OVAL_MAJOR_VERSION}.${SSG_TARGET_OVAL_MINOR_VERSION}")
-
-+option(SSG_BUILD_SCAP_12_DS "If enabled, ssg-*-ds-1.2.xml will be built along with ssg-*-ds.xml" TRUE)
- option(SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED "If enabled, schematron validation will be performed as part of the ctest tests. Schematron takes a lot of time to complete but can find more issues than just plain XSD validation." TRUE)
- option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck validation of bash fixes will be performed as part of the ctest tests. Shellcheck tests don't pass right now, this option is discouraged until that's fixed." FALSE)
- option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE)
-@@ -238,6 +239,7 @@ message(STATUS " ")
- message(STATUS "Build options:")
- message(STATUS "SSG vendor string: ${SSG_VENDOR}")
- message(STATUS "Target OVAL version: ${SSG_TARGET_OVAL_VERSION}")
-+message(STATUS "Build SCAP 1.2 source data streams: ${SSG_BUILD_SCAP_12_DS}")
- message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED}")
- message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}")
- message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}")
-diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
-index 9b109f86b9f..412db46c687 100644
---- a/cmake/SSGCommon.cmake
-+++ b/cmake/SSGCommon.cmake
-@@ -555,7 +555,6 @@ macro(ssg_build_sds PRODUCT)
- if("${PRODUCT}" MATCHES "rhel(6|7)")
- add_custom_command(
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
- WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
- # use --skip-valid here to avoid repeatedly validating everything
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-@@ -563,10 +562,8 @@ macro(ssg_build_sds PRODUCT)
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
- DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
- DEPENDS generate-ssg-${PRODUCT}-oval.xml
-@@ -578,22 +575,19 @@ macro(ssg_build_sds PRODUCT)
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
- DEPENDS generate-ssg-${PRODUCT}-pcidss-xccdf-1.2.xml
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-pcidss-xccdf-1.2.xml"
-- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml and ssg-${PRODUCT}-ds-1.2.xml"
-+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml"
- )
- else()
- add_custom_command(
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
- WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
- # use --skip-valid here to avoid repeatedly validating everything
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
- DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
- DEPENDS generate-ssg-${PRODUCT}-oval.xml
-@@ -603,14 +597,30 @@ macro(ssg_build_sds PRODUCT)
- DEPENDS generate-ssg-${PRODUCT}-cpe-dictionary.xml
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml"
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
-- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml and ssg-${PRODUCT}-ds-1.2.xml"
-+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml"
-+ )
-+ endif()
-+
-+ if(SSG_BUILD_SCAP_12_DS)
-+ add_custom_command(
-+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
-+ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
-+ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
-+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-1.2.xml"
-+ )
-+ add_custom_target(
-+ generate-ssg-${PRODUCT}-ds.xml
-+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
-+ )
-+ else()
-+ add_custom_target(
-+ generate-ssg-${PRODUCT}-ds.xml
-+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- )
- endif()
-- add_custom_target(
-- generate-ssg-${PRODUCT}-ds.xml
-- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
-- )
-
- if("${PRODUCT}" MATCHES "rhel(6|7|8|9)")
- add_test(
-@@ -626,10 +636,12 @@ macro(ssg_build_sds PRODUCT)
- NAME "validate-ssg-${PRODUCT}-ds.xml"
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- )
-- add_test(
-- NAME "validate-ssg-${PRODUCT}-ds-1.2.xml"
-- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
-- )
-+ if(SSG_BUILD_SCAP_12_DS)
-+ add_test(
-+ NAME "validate-ssg-${PRODUCT}-ds-1.2.xml"
-+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
-+ )
-+ endif()
- endif()
- endmacro()
-
-@@ -640,7 +652,6 @@ macro(ssg_build_html_guides PRODUCT)
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_all_guides.py" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/guides" build
- DEPENDS generate-ssg-${PRODUCT}-ds.xml
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
-- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
- COMMENT "[${PRODUCT}-guides] generating HTML guides for all profiles in ssg-${PRODUCT}-ds.xml"
- )
- add_custom_target(
-@@ -854,8 +865,10 @@ macro(ssg_build_product PRODUCT)
- install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
- DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
-
-- install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
-- DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
-+ if(SSG_BUILD_SCAP_12_DS)
-+ install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
-+ DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
-+ endif()
-
- # This is a common cmake trick, we need the globbing to happen at build time
- # and not configure time.
-@@ -927,21 +940,34 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
- add_custom_command(
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
-- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
-- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
- DEPENDS generate-ssg-${ORIGINAL}-ds.xml
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml"
-- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml"
- DEPENDS "${SSG_BUILD_SCRIPTS}/enable_derivatives.py"
-- COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-ds.xml and ssg-${DERIVATIVE}-ds-1.2.xml"
-- )
-- add_custom_target(
-- generate-ssg-${DERIVATIVE}-ds.xml
-- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
-- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
-+ COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-ds.xml"
- )
-+ if (SSG_BUILD_SCAP_12_DS)
-+ add_custom_command(
-+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
-+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg
-+ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
-+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml"
-+ DEPENDS "${SSG_BUILD_SCRIPTS}/enable_derivatives.py"
-+ COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-ds-1.2.xml"
-+ )
-+ add_custom_target(
-+ generate-ssg-${DERIVATIVE}-ds.xml
-+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
-+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
-+ )
-+ else()
-+ add_custom_target(
-+ generate-ssg-${DERIVATIVE}-ds.xml
-+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
-+ )
-+ endif()
-+
- define_validate_product("${PRODUCT}")
- if ("${VALIDATE_PRODUCT}" OR "${FORCE_VALIDATE_EVERYTHING}")
- add_test(
-@@ -952,10 +978,12 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
- NAME "validate-ssg-${DERIVATIVE}-ds.xml"
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
- )
-- add_test(
-- NAME "validate-ssg-${DERIVATIVE}-ds-1.2.xml"
-- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
-- )
-+ if (SSG_BUILD_SCAP_12_DS)
-+ add_test(
-+ NAME "validate-ssg-${DERIVATIVE}-ds-1.2.xml"
-+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
-+ )
-+ endif()
- endif()
-
- add_custom_target(${DERIVATIVE} ALL)
-@@ -1004,8 +1032,10 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
- install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
- DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
-
-- install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
-- DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
-+ if(SSG_BUILD_SCAP_12_DS)
-+ install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
-+ DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
-+ endif()
-
- # This is a common cmake trick, we need the globbing to happen at build time
- # and not configure time.
-
-From 466d3cb4dac4688e234a0fd0eff7fb6e6ae4c578 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Fri, 21 May 2021 09:50:25 +0200
-Subject: [PATCH 4/4] Add options for Bash and Ansible to build_product
-
-This will allow people to build easily without Bash scripts
-or without Ansible Playbooks.
----
- build_product | 22 +++++++++++++++++++++-
- 1 file changed, 21 insertions(+), 1 deletion(-)
-
-diff --git a/build_product b/build_product
-index cf84199e22e..8a186fbae0e 100755
---- a/build_product
-+++ b/build_product
-@@ -7,6 +7,8 @@
- # ARG_OPTIONAL_SINGLE([jobs],[j],[Count of simultaneous jobs],[auto])
- # ARG_OPTIONAL_BOOLEAN([debug],[],[Make a debug build with draft profiles],[off])
- # ARG_OPTIONAL_BOOLEAN([derivatives],[],[Also build derivatives of products if applicable],[off])
-+# ARG_OPTIONAL_BOOLEAN([ansible-playbooks],[],[Build Ansible Playbooks for every profile],[on])
-+# ARG_OPTIONAL_BOOLEAN([bash-scripts],[],[Build Bash remediation scripts for every profile],[on])
- # ARG_OPTIONAL_BOOLEAN([datastream-only],[],[Build the datastream only. Do not build any of the guides, tables, etc],[off])
- # ARG_USE_ENV([ADDITIONAL_CMAKE_OPTIONS],[],[Whitespace-separated string of arguments to pass to CMake])
- # ARG_POSITIONAL_INF([product],[Products to build, ALL means all products],[0],[ALL])
-@@ -71,19 +73,23 @@ _arg_builder="auto"
- _arg_jobs="auto"
- _arg_debug="off"
- _arg_derivatives="off"
-+_arg_ansible_playbooks="on"
-+_arg_bash_scripts="on"
- _arg_datastream_only="off"
-
-
- print_help()
- {
- printf '%s\n' "Wipes out contents of the 'build' directory and builds only and only the given products."
-- printf 'Usage: %s [-o|--oval ] [-b|--builder ] [-j|--jobs ] [--(no-)debug] [--(no-)derivatives] [--(no-)datastream-only] [-h|--help] [] ... [] ...\n' "$0"
-+ printf 'Usage: %s [-o|--oval ] [-b|--builder ] [-j|--jobs ] [--(no-)debug] [--(no-)derivatives] [--(no-)ansible-playbooks] [--(no-)bash-scripts] [--(no-)datastream-only] [-h|--help] [] ... [] ...\n' "$0"
- printf '\t%s\n' ": Products to build, ALL means all products (defaults for : 'ALL')"
- printf '\t%s\n' "-o, --oval: OVAL version. Can be one of: '5.10', '5.11' and 'auto' (default: 'auto')"
- printf '\t%s\n' "-b, --builder: Builder engine. Can be one of: 'make', 'ninja' and 'auto' (default: 'auto')"
- printf '\t%s\n' "-j, --jobs: Count of simultaneous jobs (default: 'auto')"
- printf '\t%s\n' "--debug, --no-debug: Make a debug build with draft profiles (off by default)"
- printf '\t%s\n' "--derivatives, --no-derivatives: Also build derivatives of products if applicable (off by default)"
-+ printf '\t%s\n' "--ansible-playbooks, --no-ansible-playbooks: Build Ansible Playbooks for every profile (on by default)"
-+ printf '\t%s\n' "--bash-scripts, --no-bash-scripts: Build Bash remediation scripts for every profile (on by default)"
- printf '\t%s\n' "--datastream-only, --no-datastream-only: Build the datastream only. Do not build any of the guides, tables, etc (off by default)"
- printf '\t%s\n' "-h, --help: Prints help"
- printf '\nEnvironment variables that are supported:\n'
-@@ -140,6 +146,14 @@ parse_commandline()
- _arg_derivatives="on"
- test "${1:0:5}" = "--no-" && _arg_derivatives="off"
- ;;
-+ --no-ansible-playbooks|--ansible-playbooks)
-+ _arg_ansible_playbooks="on"
-+ test "${1:0:5}" = "--no-" && _arg_ansible_playbooks="off"
-+ ;;
-+ --no-bash-scripts|--bash-scripts)
-+ _arg_bash_scripts="on"
-+ test "${1:0:5}" = "--no-" && _arg_bash_scripts="off"
-+ ;;
- --no-datastream-only|--datastream-only)
- _arg_datastream_only="on"
- test "${1:0:5}" = "--no-" && _arg_datastream_only="off"
-@@ -339,6 +353,12 @@ done
-
- CMAKE_OPTIONS=(${ADDITIONAL_CMAKE_OPTIONS} "${build_type_option}" "${oval_major_version_option}" "${oval_minor_version_option}" '-DSSG_PRODUCT_DEFAULT=OFF' "${cmake_enable_args[@]}" -G "$cmake_generator")
- set_no_derivatives_options
-+if [ "$_arg_ansible_playbooks" = off ] ; then
-+ CMAKE_OPTIONS+=("-DSSG_ANSIBLE_PLAYBOOKS_ENABLED:BOOL=OFF")
-+fi
-+if [ "$_arg_bash_scripts" = off ] ; then
-+ CMAKE_OPTIONS+=("-DSSG_BASH_SCRIPTS_ENABLED:BOOL=OFF")
-+fi
- EXPLICIT_BUILD_TARGETS=()
- set_explict_build_targets
-
diff --git a/scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch b/scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch
deleted file mode 100644
index 595f26a..0000000
--- a/scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch
+++ /dev/null
@@ -1,202 +0,0 @@ -From 35c61f74925f99536595824b0e787254ed89c64f Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 26 May 2021 11:36:58 +0200 -Subject: [PATCH 1/3] Fix output declararation of command generating ds - -The custom command declares that it outputs the derivative 1.2 ds and -this causes the actual command that generates the derivative 1.2 not to -be run. ---- - cmake/SSGCommon.cmake | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake -index 412db46c68..272b40ccf3 100644 ---- a/cmake/SSGCommon.cmake -+++ b/cmake/SSGCommon.cmake -@@ -939,7 +939,6 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE) - - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" -- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" - COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg - COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" - DEPENDS generate-ssg-${ORIGINAL}-ds.xml - -From 551c225accec34e55ac1f011fbd5db7755b5f9ed Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 26 May 2021 14:46:26 +0200 -Subject: [PATCH 2/3] Fix order in which SCAP 1.2 and 1.3 are generated - -The data stream can be upgraded to 1.3, but not downgrated to 1.2. -Instead of chaining generation of DS version on each other, let's -generate a base ds from which SCAP 1.2 and 1.3 are generated. 
---- - cmake/SSGCommon.cmake | 43 ++++++++++++++++++++++++------------------- - 1 file changed, 24 insertions(+), 19 deletions(-) - -diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake -index 272b40ccf3..977c3957d1 100644 ---- a/cmake/SSGCommon.cmake -+++ b/cmake/SSGCommon.cmake -@@ -554,16 +554,14 @@ endmacro() - macro(ssg_build_sds PRODUCT) - if("${PRODUCT}" MATCHES "rhel(6|7)") - add_custom_command( -- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" - WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" - # use --skip-valid here to avoid repeatedly validating everything -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${SED_EXECUTABLE}" -i 
's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" - DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" - DEPENDS generate-ssg-${PRODUCT}-oval.xml -@@ -575,19 +573,17 @@ macro(ssg_build_sds PRODUCT) - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml" - DEPENDS generate-ssg-${PRODUCT}-pcidss-xccdf-1.2.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" -- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml" -+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-base.xml" - ) - else() - add_custom_command( -- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" - WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" - # use --skip-valid here to avoid repeatedly validating everything -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" 
"${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" - DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" - DEPENDS generate-ssg-${PRODUCT}-oval.xml -@@ -597,17 +593,26 @@ macro(ssg_build_sds PRODUCT) - DEPENDS generate-ssg-${PRODUCT}-cpe-dictionary.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml" - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml" -- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml" -+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-base.xml" - ) - endif() - -+ add_custom_command( -+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output 
"${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMENT "[${PRODUCT}-content] Updating data stream ssg-${PRODUCT}-ds.xml to 1.3" -+ ) -+ - if(SSG_BUILD_SCAP_12_DS) - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" - WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" - COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" - COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-1.2.xml" - ) - add_custom_target( - -From 97b1df0349c9c685cc07a0d3e3fd88385e0cd15d Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 26 May 2021 14:51:32 +0200 -Subject: [PATCH 3/3] Move product base ds to product dir - -The base ds is used to facilitate generation of SCAP 1.2 and SCAP 1.3 -data streams. -The base ds is an intermediary product and can be stored in the product -specific dir. 
---- - cmake/SSGCommon.cmake | 30 +++++++++++++++--------------- - 1 file changed, 15 insertions(+), 15 deletions(-) - -diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake -index 977c3957d1..111b2b32ed 100644 ---- a/cmake/SSGCommon.cmake -+++ b/cmake/SSGCommon.cmake -@@ -554,14 +554,14 @@ endmacro() - macro(ssg_build_sds PRODUCT) - if("${PRODUCT}" MATCHES "rhel(6|7)") - add_custom_command( -- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" - WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" - # use --skip-valid here to avoid repeatedly validating everything -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add 
--skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" - DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" - DEPENDS generate-ssg-${PRODUCT}-oval.xml -@@ -577,13 +577,13 @@ macro(ssg_build_sds PRODUCT) - ) - else() - add_custom_command( -- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" - WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" - # use --skip-valid here to avoid repeatedly validating everything -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" -+ COMMAND env 
"PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" - DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml - DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" - DEPENDS generate-ssg-${PRODUCT}-oval.xml -@@ -600,9 +600,9 @@ macro(ssg_build_sds PRODUCT) - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" - WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" - COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" -- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ DEPENDS "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" - COMMENT "[${PRODUCT}-content] Updating data stream ssg-${PRODUCT}-ds.xml to 1.3" - ) - -@@ -610,9 +610,9 @@ macro(ssg_build_sds PRODUCT) - add_custom_command( - OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" - WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" -- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input 
"${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" - COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" -- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" -+ DEPENDS "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" - COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-1.2.xml" - ) - add_custom_target( diff --git a/scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch b/scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch new file mode 100644 index 0000000..79a2711 --- /dev/null +++ b/scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch 
@@ -0,0 +1,55 @@ +From 460922d3b258ba5b437afc99b5b02d2690788db9 Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Tue, 27 Jul 2021 15:20:08 -0400 +Subject: [PATCH] Remove FragmentPath check from service_disabled + +In https://github.com/systemd/systemd/issues/582 it is documented that +systemd could eventually replace FragmentPath=/dev/null (on masked +services) with the actual service path -- not the fully (symlink) +resolved path as is currently the case. + +This matches the behavior currently seen in Ubuntu (all versions) and +RHEL 9/Fedora 34. + +Per discussion with Gabriel, Matej, Richard, and Matt, it is best to +remove this check, especially since ActiveState=Masked suffices. + +Resolves: #7280 +Resolves: #7248 + +Signed-off-by: Alexander Scheel +--- + shared/templates/service_disabled/oval.template | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/shared/templates/service_disabled/oval.template b/shared/templates/service_disabled/oval.template +index 33b52518307..e4ccb0566e7 100644 +--- a/shared/templates/service_disabled/oval.template ++++ b/shared/templates/service_disabled/oval.template +@@ -13,7 +13,6 @@ + + + +- + + + +@@ -41,18 +40,6 @@ + masked + + +- +- +- +- +- +- ^{{{ SERVICENAME }}}\.(service|socket)$ +- FragmentPath +- +- +- /dev/null +- +- + {{% else %}} + + {{% if init_system != "systemd" %}} diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 38e9acb..ceea514 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec 
@@ -4,16 +4,15 @@ %global _vpath_builddir build
 Name: scap-security-guide
-Version: 0.1.56
-Release: 3%{?dist}
+Version: 0.1.57
+Release: 1%{?dist}
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
 Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
 BuildArch: noarch
-Patch0: scap-security-guide-0.1.57-build-system-pr-7025.patch
-Patch1: scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch
+Patch0: scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch
 BuildRequires: libxslt
 BuildRequires: expat
@@ -47,13 +46,26 @@ The %{name}-doc package contains HTML formatted documents containing hardening guidances that have been generated from XCCDF benchmarks present in %{name} package.
+%if ( %{defined rhel} && (! %{defined centos}) )
+%package rule-playbooks
+Summary: Ansible playbooks per each rule.
+Group: System Environment/Base
+Requires: %{name} = %{version}-%{release}
+
+%description rule-playbooks
+The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
+%endif
+
 %prep
 %autosetup -p1
 %define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF
 %define cmake_defines_specific %{nil}
 %if 0%{?rhel}
-%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF
+%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
+%endif
+%if 0%{?centos}
+%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
 %endif
 mkdir -p build
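Review bot: `Summary: Ansible playbooks per each rule.` in the new `rule-playbooks` subpackage ends with a period, which rpmlint reports as summary-ended-with-dot, and "per each" reads awkwardly; `Summary: Per-rule Ansible playbooks` says the same thing. The `Group:` tag is ignored by current rpm and can be dropped unless an EL target this spec still builds for wants it. The two `%if 0%{?rhel}` / `%if 0%{?centos}` blocks both `%define cmake_defines_specific`; on a build root that defines both macros (which the `%{defined rhel} && (! %{defined centos})` guard above suggests CentOS does) the second silently overrides the first, so an explicit `%if 0%{?centos} … %elif 0%{?rhel} … %endif` would make that precedence visible and keep `SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED` tied to exactly the condition under which the subpackage is declared.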
@@ -72,12 +84,25 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %{_datadir}/%{name}/ansible/*.yml
 %lang(en) %{_mandir}/man8/scap-security-guide.8.*
 %doc %{_docdir}/%{name}/LICENSE
+%if ( %{defined rhel} && (! %{defined centos}) )
+%exclude %{_datadir}/%{name}/ansible/rule_playbooks
+%endif
 %files doc
 %doc %{_docdir}/%{name}/guides/*.html
 %doc %{_docdir}/%{name}/tables/*.html
+%if ( %{defined rhel} && (! %{defined centos}) )
+%files rule-playbooks
+%defattr(-,root,root,-)
+%{_datadir}/%{name}/ansible/rule_playbooks
+%endif
+
 %changelog
+* Thu Jul 29 2021 Matej Tyc - 0.1.57-1
+- Update to latest upstream SCAP-Security-Guide-0.1.57 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.57
+
 * Fri Jul 23 2021 Fedora Release Engineering - 0.1.56-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
diff --git a/sources b/sources
index cad4a93..cbe33b4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (scap-security-guide-0.1.56.tar.bz2) = 1c876f1a8e03f3f68de8fd5a8fd020567f0eecb1fb8b9c9f754453c2f22278944f50d06c0f4e771020e2e25facf6cecb1044d3ddb12e531428ca5aacfec3c86c
+SHA512 (scap-security-guide-0.1.57.tar.bz2) = e0f030445cc8c629f94be156581a3732abb104e2e5a57a92c64e7fa168b2107e60ee8edfcf8d715c339180317f09378317d031d575673b5384f16208528d66a2
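Review bot: `%defattr(-,root,root,-)` in the new `%files rule-playbooks` section is redundant (it restates rpm's defaults) and `%files doc`, which is fully visible in this hunk, does not carry it, so drop the line for consistency. The new changelog entry records only the version bump; it should also name the new subpackage and the backported fix so the package history explains the changed file list and patch set, e.g. `- Add rule-playbooks subpackage with per-rule Ansible playbooks (RHEL, non-CentOS builds)` and `- Backport upstream PR 7296 dropping the FragmentPath check from service_disabled`. The main `%files` section starts before this hunk, so whether it uses `%defattr` cannot be confirmed from here.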