diff --git a/.gitignore b/.gitignore
index 1477619..444500d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,4 @@
 /scap-security-guide-0.1.52.tar.bz2
 /scap-security-guide-0.1.53.tar.bz2
 /scap-security-guide-0.1.54.tar.bz2
+/scap-security-guide-0.1.56.tar.bz2
diff --git a/scap-security-guide-0.1.57-build-system-pr-7025.patch b/scap-security-guide-0.1.57-build-system-pr-7025.patch
new file mode 100644
index 0000000..fd69a4b
--- /dev/null
+++ b/scap-security-guide-0.1.57-build-system-pr-7025.patch
@@ -0,0 +1,477 @@ +From aae5be64cdeb4a41caa3f3273342373cc4f4e9b2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 19 May 2021 18:01:14 +0200 +Subject: [PATCH 1/4] Add options for building Ansible and Bash content + +This patch adds 2 new options SSG_ANSIBLE_PLAYBOOKS_ENABLED and +SSG_BASH_SCRIPTS_ENABLED which will allow user to turn on or off +building and installing profile Bash remediation scripts and profile +Ansible Playbooks. They are enabled by default, therefore the default +behavior doesn't change, but people can turn them off to speed up the +build. These options can be useful when calling cmake in downstream spec +files. +--- + CMakeLists.txt | 4 +++ + cmake/SSGCommon.cmake | 60 +++++++++++++++++++++++-------------------- + 2 files changed, 36 insertions(+), 28 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 32a0ddd240a..c309efde9bd 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -46,6 +46,8 @@ option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck vali + option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE) + option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the SVG SCAP Security Guide logo." TRUE) + option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE) ++option(SSG_ANSIBLE_PLAYBOOKS_ENABLED "If enabled, Ansible Playbooks for each profile will be built and installed." TRUE) ++option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE) + option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE) + option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." 
TRUE) + set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.") +@@ -240,6 +242,8 @@ message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENA + message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}") + message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}") + message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}") ++message(STATUS "Ansible Playbooks: ${SSG_ANSIBLE_PLAYBOOKS_ENABLED}") ++message(STATUS "Bash scripts: ${SSG_BASH_SCRIPTS_ENABLED}") + if (SSG_JINJA2_CACHE_ENABLED) + message(STATUS "jinja2 cache: enabled") + message(STATUS "jinja2 cache dir: ${SSG_JINJA2_CACHE_DIR}") +diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake +index 889c0cf1d3c..9b109f86b9f 100644 +--- a/cmake/SSGCommon.cmake ++++ b/cmake/SSGCommon.cmake +@@ -789,7 +789,7 @@ macro(ssg_build_product PRODUCT) + + add_dependencies(zipfile "generate-ssg-${PRODUCT}-ds.xml") + +- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}") ++ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_ENABLED) + add_dependencies( + ${PRODUCT}-content + generate-${PRODUCT}-ansible-playbooks +@@ -803,7 +803,7 @@ macro(ssg_build_product PRODUCT) + add_dependencies(zipfile ${PRODUCT}-profile-playbooks) + endif() + +- if ("${PRODUCT_BASH_REMEDIATION_ENABLED}") ++ if ("${PRODUCT_BASH_REMEDIATION_ENABLED}" AND SSG_BASH_SCRIPTS_ENABLED) + ssg_build_profile_bash_scripts(${PRODUCT}) + add_custom_target( + ${PRODUCT}-profile-bash-scripts +@@ -873,30 +873,34 @@ macro(ssg_build_product PRODUCT) + endif() + " + ) +- install( +- CODE " +- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/ansible/${PRODUCT}-playbook-*.yml\") \n +- if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}) +- file(INSTALL DESTINATION 
\"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}\" +- TYPE FILE FILES \${ROLE_FILES}) +- else() +- file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}\" +- TYPE FILE FILES \${ROLE_FILES}) +- endif() +- " +- ) +- install( +- CODE " +- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/bash/${PRODUCT}-script-*.sh\") \n +- if(NOT IS_ABSOLUTE ${SSG_BASH_ROLE_INSTALL_DIR}) +- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_BASH_ROLE_INSTALL_DIR}\" +- TYPE FILE FILES \${ROLE_FILES}) +- else() +- file(INSTALL DESTINATION \"${SSG_BASH_ROLE_INSTALL_DIR}\" +- TYPE FILE FILES \${ROLE_FILES}) +- endif() +- " +- ) ++ if(SSG_ANSIBLE_PLAYBOOKS_ENABLED) ++ install( ++ CODE " ++ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/ansible/${PRODUCT}-playbook-*.yml\") \n ++ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}) ++ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}\" ++ TYPE FILE FILES \${ROLE_FILES}) ++ else() ++ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}\" ++ TYPE FILE FILES \${ROLE_FILES}) ++ endif() ++ " ++ ) ++ endif() ++ if(SSG_BASH_SCRIPTS_ENABLED) ++ install( ++ CODE " ++ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/bash/${PRODUCT}-script-*.sh\") \n ++ if(NOT IS_ABSOLUTE ${SSG_BASH_ROLE_INSTALL_DIR}) ++ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_BASH_ROLE_INSTALL_DIR}\" ++ TYPE FILE FILES \${ROLE_FILES}) ++ else() ++ file(INSTALL DESTINATION \"${SSG_BASH_ROLE_INSTALL_DIR}\" ++ TYPE FILE FILES \${ROLE_FILES}) ++ endif() ++ " ++ ) ++ endif() + + # grab all the kickstarts (if any) and install them + file(GLOB KICKSTART_FILES "${CMAKE_CURRENT_SOURCE_DIR}/kickstart/ssg-${PRODUCT}-*-ks.cfg") +@@ -968,7 +972,7 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE) + + ssg_build_html_guides(${DERIVATIVE}) + +- if ("${PRODUCT_BASH_REMEDIATION_ENABLED}") ++ if ("${PRODUCT_BASH_REMEDIATION_ENABLED}" AND SSG_BASH_SCRIPTS_ENABLED) + ssg_build_profile_bash_scripts(${DERIVATIVE}) + 
add_custom_target( + ${DERIVATIVE}-profile-bash-scripts +@@ -977,7 +981,7 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE) + add_dependencies(${DERIVATIVE} ${DERIVATIVE}-profile-bash-scripts) + endif() + +- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}") ++ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_ENABLED) + ssg_build_profile_playbooks(${DERIVATIVE}) + add_custom_target( + ${DERIVATIVE}-profile-playbooks + +From c7c7baa84ce722304224373c556a2d03edb0f76c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 20 May 2021 09:14:21 +0200 +Subject: [PATCH 2/4] Do not build HTML guide for the virtual default profile + +The virtual '(default)' profile is a profile that doesn't contain +any rules, so the built HTML guide also doesn't contain any rules +which means it contains only group descriptions. This HTML guide +has no use for the users and it only increases the built size. +--- + ssg/build_guides.py | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/ssg/build_guides.py b/ssg/build_guides.py +index 3b2a9469240..2e37d80eef3 100644 +--- a/ssg/build_guides.py ++++ b/ssg/build_guides.py +@@ -105,10 +105,6 @@ def get_benchmark_profile_pairs(input_tree, benchmarks): + for benchmark_id in benchmarks.keys(): + profiles = get_profile_choices_for_input(input_tree, benchmark_id, + None) +- +- # add the default profile +- profiles[""] = "(default)" +- + for profile_id in profiles: + pair = (benchmark_id, profile_id, profiles[profile_id]) + benchmark_profile_pairs.append(pair) + +From f2c265013dd5fe75fd47c8ce7afe9e2ecc7cf16f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 20 May 2021 09:49:51 +0200 +Subject: [PATCH 3/4] Add option to disable SCAP 1.2 data streams + +This commit adds a new option that enables to turn on building +the SCAP 1.2 source data streams (ssg-*-ds-1.2.xml). This option +will help people who don't want to build and ship this file. 
+The default setting is TRUE which means the default behavior +shouldn't change. +--- + CMakeLists.txt | 2 + + cmake/SSGCommon.cmake | 100 +++++++++++++++++++++++++++--------------- + 2 files changed, 67 insertions(+), 35 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index c309efde9bd..55b991cedfa 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -41,6 +41,7 @@ set(SSG_TARGET_OVAL_MINOR_VERSION "11" CACHE STRING "Which minor version of OVAL + + set(SSG_TARGET_OVAL_VERSION "${SSG_TARGET_OVAL_MAJOR_VERSION}.${SSG_TARGET_OVAL_MINOR_VERSION}") + ++option(SSG_BUILD_SCAP_12_DS "If enabled, ssg-*-ds-1.2.xml will be built along with ssg-*-ds.xml" TRUE) + option(SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED "If enabled, schematron validation will be performed as part of the ctest tests. Schematron takes a lot of time to complete but can find more issues than just plain XSD validation." TRUE) + option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck validation of bash fixes will be performed as part of the ctest tests. Shellcheck tests don't pass right now, this option is discouraged until that's fixed." FALSE) + option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." 
TRUE) +@@ -238,6 +239,7 @@ message(STATUS " ") + message(STATUS "Build options:") + message(STATUS "SSG vendor string: ${SSG_VENDOR}") + message(STATUS "Target OVAL version: ${SSG_TARGET_OVAL_VERSION}") ++message(STATUS "Build SCAP 1.2 source data streams: ${SSG_BUILD_SCAP_12_DS}") + message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED}") + message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}") + message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}") +diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake +index 9b109f86b9f..412db46c687 100644 +--- a/cmake/SSGCommon.cmake ++++ b/cmake/SSGCommon.cmake +@@ -555,7 +555,6 @@ macro(ssg_build_sds PRODUCT) + if("${PRODUCT}" MATCHES "rhel(6|7)") + add_custom_command( + OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" +- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" + WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" + # use --skip-valid here to avoid repeatedly validating everything + COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" +@@ -563,10 +562,8 @@ macro(ssg_build_sds PRODUCT) + COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" + COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" + COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" +- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" + COMMAND env 
"PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" + COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" +- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" + DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml + DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" + DEPENDS generate-ssg-${PRODUCT}-oval.xml +@@ -578,22 +575,19 @@ macro(ssg_build_sds PRODUCT) + DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml" + DEPENDS generate-ssg-${PRODUCT}-pcidss-xccdf-1.2.xml + DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" +- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml and ssg-${PRODUCT}-ds-1.2.xml" ++ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml" + ) + else() + add_custom_command( + OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" +- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" + WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" + # use --skip-valid here to avoid repeatedly validating everything + COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" + COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" + COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" + COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" +- COMMAND env 
"PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" + COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" + COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" +- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" + DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml + DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" + DEPENDS generate-ssg-${PRODUCT}-oval.xml +@@ -603,14 +597,30 @@ macro(ssg_build_sds PRODUCT) + DEPENDS generate-ssg-${PRODUCT}-cpe-dictionary.xml + DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml" + DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml" +- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml and ssg-${PRODUCT}-ds-1.2.xml" ++ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml" ++ ) ++ endif() ++ ++ if(SSG_BUILD_SCAP_12_DS) ++ add_custom_command( ++ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" ++ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" ++ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" ++ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" ++ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" ++ COMMENT "[${PRODUCT}-content] generating 
ssg-${PRODUCT}-ds-1.2.xml" ++ ) ++ add_custom_target( ++ generate-ssg-${PRODUCT}-ds.xml ++ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" ++ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" ++ ) ++ else() ++ add_custom_target( ++ generate-ssg-${PRODUCT}-ds.xml ++ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" + ) + endif() +- add_custom_target( +- generate-ssg-${PRODUCT}-ds.xml +- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" +- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" +- ) + + if("${PRODUCT}" MATCHES "rhel(6|7|8|9)") + add_test( +@@ -626,10 +636,12 @@ macro(ssg_build_sds PRODUCT) + NAME "validate-ssg-${PRODUCT}-ds.xml" + COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" + ) +- add_test( +- NAME "validate-ssg-${PRODUCT}-ds-1.2.xml" +- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" +- ) ++ if(SSG_BUILD_SCAP_12_DS) ++ add_test( ++ NAME "validate-ssg-${PRODUCT}-ds-1.2.xml" ++ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" ++ ) ++ endif() + endif() + endmacro() + +@@ -640,7 +652,6 @@ macro(ssg_build_html_guides PRODUCT) + COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_all_guides.py" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/guides" build + DEPENDS generate-ssg-${PRODUCT}-ds.xml + DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" +- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" + COMMENT "[${PRODUCT}-guides] generating HTML guides for all profiles in ssg-${PRODUCT}-ds.xml" + ) + add_custom_target( +@@ -854,8 +865,10 @@ macro(ssg_build_product PRODUCT) + install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" + DESTINATION "${SSG_CONTENT_INSTALL_DIR}") + +- install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" +- DESTINATION "${SSG_CONTENT_INSTALL_DIR}") ++ 
if(SSG_BUILD_SCAP_12_DS) ++ install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" ++ DESTINATION "${SSG_CONTENT_INSTALL_DIR}") ++ endif() + + # This is a common cmake trick, we need the globbing to happen at build time + # and not configure time. +@@ -927,21 +940,34 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE) + add_custom_command( + OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" + OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" +- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg + COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg + COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" +- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" + DEPENDS generate-ssg-${ORIGINAL}-ds.xml + DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml" +- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml" + DEPENDS "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" +- COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-ds.xml and ssg-${DERIVATIVE}-ds-1.2.xml" +- ) +- add_custom_target( +- generate-ssg-${DERIVATIVE}-ds.xml +- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" +- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" ++ COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-ds.xml" + ) ++ 
if (SSG_BUILD_SCAP_12_DS) ++ add_custom_command( ++ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" ++ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg ++ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" ++ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml" ++ DEPENDS "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" ++ COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-ds-1.2.xml" ++ ) ++ add_custom_target( ++ generate-ssg-${DERIVATIVE}-ds.xml ++ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" ++ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" ++ ) ++ else() ++ add_custom_target( ++ generate-ssg-${DERIVATIVE}-ds.xml ++ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" ++ ) ++ endif() ++ + define_validate_product("${PRODUCT}") + if ("${VALIDATE_PRODUCT}" OR "${FORCE_VALIDATE_EVERYTHING}") + add_test( +@@ -952,10 +978,12 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE) + NAME "validate-ssg-${DERIVATIVE}-ds.xml" + COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" + ) +- add_test( +- NAME "validate-ssg-${DERIVATIVE}-ds-1.2.xml" +- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" +- ) ++ if (SSG_BUILD_SCAP_12_DS) ++ add_test( ++ NAME "validate-ssg-${DERIVATIVE}-ds-1.2.xml" ++ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" ++ ) ++ endif() + endif() + + add_custom_target(${DERIVATIVE} ALL) +@@ -1004,8 +1032,10 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE) 
+ install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" + DESTINATION "${SSG_CONTENT_INSTALL_DIR}") + +- install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" +- DESTINATION "${SSG_CONTENT_INSTALL_DIR}") ++ if(SSG_BUILD_SCAP_12_DS) ++ install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" ++ DESTINATION "${SSG_CONTENT_INSTALL_DIR}") ++ endif() + + # This is a common cmake trick, we need the globbing to happen at build time + # and not configure time. + +From 466d3cb4dac4688e234a0fd0eff7fb6e6ae4c578 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 21 May 2021 09:50:25 +0200 +Subject: [PATCH 4/4] Add options for Bash and Ansible to build_product + +This will allow people to build easily without Bash scripts +or without Ansible Playbooks. +--- + build_product | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/build_product b/build_product +index cf84199e22e..8a186fbae0e 100755 +--- a/build_product ++++ b/build_product +@@ -7,6 +7,8 @@ + # ARG_OPTIONAL_SINGLE([jobs],[j],[Count of simultaneous jobs],[auto]) + # ARG_OPTIONAL_BOOLEAN([debug],[],[Make a debug build with draft profiles],[off]) + # ARG_OPTIONAL_BOOLEAN([derivatives],[],[Also build derivatives of products if applicable],[off]) ++# ARG_OPTIONAL_BOOLEAN([ansible-playbooks],[],[Build Ansible Playbooks for every profile],[on]) ++# ARG_OPTIONAL_BOOLEAN([bash-scripts],[],[Build Bash remediation scripts for every profile],[on]) + # ARG_OPTIONAL_BOOLEAN([datastream-only],[],[Build the datastream only. 
Do not build any of the guides, tables, etc],[off]) + # ARG_USE_ENV([ADDITIONAL_CMAKE_OPTIONS],[],[Whitespace-separated string of arguments to pass to CMake]) + # ARG_POSITIONAL_INF([product],[Products to build, ALL means all products],[0],[ALL]) +@@ -71,19 +73,23 @@ _arg_builder="auto" + _arg_jobs="auto" + _arg_debug="off" + _arg_derivatives="off" ++_arg_ansible_playbooks="on" ++_arg_bash_scripts="on" + _arg_datastream_only="off" + + + print_help() + { + printf '%s\n' "Wipes out contents of the 'build' directory and builds only and only the given products." +- printf 'Usage: %s [-o|--oval ] [-b|--builder ] [-j|--jobs ] [--(no-)debug] [--(no-)derivatives] [--(no-)datastream-only] [-h|--help] [] ... [] ...\n' "$0" ++ printf 'Usage: %s [-o|--oval ] [-b|--builder ] [-j|--jobs ] [--(no-)debug] [--(no-)derivatives] [--(no-)ansible-playbooks] [--(no-)bash-scripts] [--(no-)datastream-only] [-h|--help] [] ... [] ...\n' "$0" + printf '\t%s\n' ": Products to build, ALL means all products (defaults for : 'ALL')" + printf '\t%s\n' "-o, --oval: OVAL version. Can be one of: '5.10', '5.11' and 'auto' (default: 'auto')" + printf '\t%s\n' "-b, --builder: Builder engine. Can be one of: 'make', 'ninja' and 'auto' (default: 'auto')" + printf '\t%s\n' "-j, --jobs: Count of simultaneous jobs (default: 'auto')" + printf '\t%s\n' "--debug, --no-debug: Make a debug build with draft profiles (off by default)" + printf '\t%s\n' "--derivatives, --no-derivatives: Also build derivatives of products if applicable (off by default)" ++ printf '\t%s\n' "--ansible-playbooks, --no-ansible-playbooks: Build Ansible Playbooks for every profile (on by default)" ++ printf '\t%s\n' "--bash-scripts, --no-bash-scripts: Build Bash remediation scripts for every profile (on by default)" + printf '\t%s\n' "--datastream-only, --no-datastream-only: Build the datastream only. 
Do not build any of the guides, tables, etc (off by default)" + printf '\t%s\n' "-h, --help: Prints help" + printf '\nEnvironment variables that are supported:\n' +@@ -140,6 +146,14 @@ parse_commandline() + _arg_derivatives="on" + test "${1:0:5}" = "--no-" && _arg_derivatives="off" + ;; ++ --no-ansible-playbooks|--ansible-playbooks) ++ _arg_ansible_playbooks="on" ++ test "${1:0:5}" = "--no-" && _arg_ansible_playbooks="off" ++ ;; ++ --no-bash-scripts|--bash-scripts) ++ _arg_bash_scripts="on" ++ test "${1:0:5}" = "--no-" && _arg_bash_scripts="off" ++ ;; + --no-datastream-only|--datastream-only) + _arg_datastream_only="on" + test "${1:0:5}" = "--no-" && _arg_datastream_only="off" +@@ -339,6 +353,12 @@ done + + CMAKE_OPTIONS=(${ADDITIONAL_CMAKE_OPTIONS} "${build_type_option}" "${oval_major_version_option}" "${oval_minor_version_option}" '-DSSG_PRODUCT_DEFAULT=OFF' "${cmake_enable_args[@]}" -G "$cmake_generator") + set_no_derivatives_options ++if [ "$_arg_ansible_playbooks" = off ] ; then ++ CMAKE_OPTIONS+=("-DSSG_ANSIBLE_PLAYBOOKS_ENABLED:BOOL=OFF") ++fi ++if [ "$_arg_bash_scripts" = off ] ; then ++ CMAKE_OPTIONS+=("-DSSG_BASH_SCRIPTS_ENABLED:BOOL=OFF") ++fi + EXPLICIT_BUILD_TARGETS=() + set_explict_build_targets + diff --git a/scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch b/scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch new file mode 100644 index 0000000..595f26a --- /dev/null +++ b/scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch 
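Review bot: The pr-7025 patch as added here leaves `ssg_build_derivative_product` with two rules producing the same file (the base command keeps its context line `OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"` while the new `if (SSG_BUILD_SCAP_12_DS)` command declares the same OUTPUT) and derives the 1.2 stream from an `ssg-${PRODUCT}-ds.xml` that the preceding command has already passed through `update_sds_version.py --version "1.3"`; the pr-7049 patch added in this same commit corrects both, and its index line `412db46c68..272b40ccf3` is based on 7025's post-image `412db46c687`. The spec file is not in this diff, so it cannot be checked here that 7025 is applied before 7049 and that neither is carried alone; a comment next to the `Patch` lines, e.g. `# pr-7049 fixes the SCAP 1.2 data stream rules introduced by pr-7025; keep this order`, would record the dependency. The .gitignore hunk adds the 0.1.56 tarball while both patch files are named for 0.1.57; if the names are meant to refer to the upstream target release rather than the packaged version, a one-line note in the spec would save the next updater a check.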
@@ -0,0 +1,202 @@
+From 35c61f74925f99536595824b0e787254ed89c64f Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 26 May 2021 11:36:58 +0200
+Subject: [PATCH 1/3] Fix output declararation of command generating ds
+
+The custom command declares that it outputs the derivative 1.2 ds and
+this causes the actual command that generates the derivative 1.2 not to
+be run.
+---
+ cmake/SSGCommon.cmake | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index 412db46c68..272b40ccf3 100644
+--- a/cmake/SSGCommon.cmake
++++ b/cmake/SSGCommon.cmake
+@@ -939,7 +939,6 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
+
+ add_custom_command(
+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
+- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg
+ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
+ DEPENDS generate-ssg-${ORIGINAL}-ds.xml
+
+From 551c225accec34e55ac1f011fbd5db7755b5f9ed Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 26 May 2021 14:46:26 +0200
+Subject: [PATCH 2/3] Fix order in which SCAP 1.2 and 1.3 are generated
+
+The data stream can be upgraded to 1.3, but not downgrated to 1.2.
+Instead of chaining generation of DS version on each other, let's
+generate a base ds from which SCAP 1.2 and 1.3 are generated.
+---
+ cmake/SSGCommon.cmake | 43 ++++++++++++++++++++++++-------------------
+ 1 file changed, 24 insertions(+), 19 deletions(-)
+
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index 272b40ccf3..977c3957d1 100644
+--- a/cmake/SSGCommon.cmake
++++ b/cmake/SSGCommon.cmake
+@@ -554,16 +554,14 @@ endmacro()
+ macro(ssg_build_sds PRODUCT)
+ if("${PRODUCT}" MATCHES "rhel(6|7)")
+ add_custom_command(
+- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
++ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
+ # use --skip-valid here to avoid repeatedly validating everything
+- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
++ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
++ COMMAND "${SED_EXECUTABLE}" -i 
's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
++ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
++ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
++ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
+ DEPENDS generate-ssg-${PRODUCT}-oval.xml
+@@ -575,19 +573,17 @@ macro(ssg_build_sds PRODUCT)
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
+ DEPENDS generate-ssg-${PRODUCT}-pcidss-xccdf-1.2.xml
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-pcidss-xccdf-1.2.xml"
+- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml"
++ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-base.xml"
+ )
+ else()
+ add_custom_command(
+- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
++ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
+ # use --skip-valid here to avoid repeatedly validating everything
+- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" 
"${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
++ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
++ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
++ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
++ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
+ DEPENDS generate-ssg-${PRODUCT}-oval.xml
+@@ -597,17 +593,26 @@ macro(ssg_build_sds PRODUCT)
+ DEPENDS generate-ssg-${PRODUCT}-cpe-dictionary.xml
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml"
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
+- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml"
++ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-base.xml"
+ )
+ endif()
+
++ add_custom_command(
++ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
++ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
++ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output 
"${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
++ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
++ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
++ COMMENT "[${PRODUCT}-content] Updating data stream ssg-${PRODUCT}-ds.xml to 1.3"
++ )
++
+ if(SSG_BUILD_SCAP_12_DS)
+ add_custom_command(
+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
+ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
+- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
++ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
+ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
+- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
++ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-1.2.xml"
+ )
+ add_custom_target(
+
+From 97b1df0349c9c685cc07a0d3e3fd88385e0cd15d Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 26 May 2021 14:51:32 +0200
+Subject: [PATCH 3/3] Move product base ds to product dir
+
+The base ds is used to facilitate generation of SCAP 1.2 and SCAP 1.3
+data streams.
+The base ds is an intermediary product and can be stored in the product
+specific dir.
+---
+ cmake/SSGCommon.cmake | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index 977c3957d1..111b2b32ed 100644
+--- a/cmake/SSGCommon.cmake
++++ b/cmake/SSGCommon.cmake
+@@ -554,14 +554,14 @@ endmacro()
+ macro(ssg_build_sds PRODUCT)
+ if("${PRODUCT}" MATCHES "rhel(6|7)")
+ add_custom_command(
+- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
++ OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
+ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
+ # use --skip-valid here to avoid repeatedly validating everything
+- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
++ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
++ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
++ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
++ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add 
--skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
++ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
+ DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
+ DEPENDS generate-ssg-${PRODUCT}-oval.xml
+@@ -577,13 +577,13 @@ macro(ssg_build_sds PRODUCT)
+ )
+ else()
+ add_custom_command(
+- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
++ OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
+ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
+ # use --skip-valid here to avoid repeatedly validating everything
+- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
+- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
++ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
++ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
++ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
++ COMMAND env 
"PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
+ DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
+ DEPENDS generate-ssg-${PRODUCT}-oval.xml
+@@ -600,9 +600,9 @@ macro(ssg_build_sds PRODUCT)
+ add_custom_command(
+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
+- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
++ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
+- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
++ DEPENDS "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
+ COMMENT "[${PRODUCT}-content] Updating data stream ssg-${PRODUCT}-ds.xml to 1.3"
+ )
+
+@@ -610,9 +610,9 @@ macro(ssg_build_sds PRODUCT)
+ add_custom_command(
+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
+ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
+- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
++ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input 
"${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
+ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
+- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
++ DEPENDS "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-1.2.xml"
+ )
+ add_custom_target(
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 10f76be..f180b0b 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -4,12 +4,14 @@
%global _vpath_builddir build
Name: scap-security-guide
-Version: 0.1.54
-Release: 3%{?dist}
+Version: 0.1.56
+Release: 1%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
+Patch1: scap-security-guide-0.1.57-build-system-pr-7025.patch
+Patch2: scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch
BuildArch: noarch
BuildRequires: libxslt
@@ -20,8 +22,6 @@ BuildRequires: python%{python3_pkgversion}
BuildRequires: python%{python3_pkgversion}-jinja2
BuildRequires: python%{python3_pkgversion}-PyYAML
Requires: xml-common, openscap-scanner >= 1.2.5
-Obsoletes: openscap-content < 0:0.9.13
-Provides: openscap-content
%description
The scap-security-guide project provides a guide for configuration of the
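Review bot: `[PATCH 3/3]` spells the intermediate data stream as `${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml` in eight OUTPUT, COMMAND and DEPENDS arguments, so the build-tree layout is hard-coded in the macro rather than taken from CMake; if `ssg_build_sds` is expanded from the product's own subdirectory (its callers are not in this hunk), `set(SSG_BASE_DS "${CMAKE_CURRENT_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml")` once at the top of the macro and `"${SSG_BASE_DS}"` in those eight places would express the same path and make any later move a one-line change. The `rhel(6|7)` branch and the `else()` branch rewritten by `[PATCH 2/3]` now differ only in the extra `pcidss` sds-add line, and the variable would make that the only visible difference. A comment above the base command, `# intermediate, unvalidated data stream; the versioned 1.3 and 1.2 streams are derived from it`, would also record why a file that is never installed is written at all. The hunk ends inside `ssg_build_sds`, at the `add_custom_target(` that follows the SCAP 1.2 command.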
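Review bot: `Patch1` and `Patch2` are named after 0.1.57 while `Version:` is 0.1.56, and nothing in the spec says why they are carried; a comment above each, such as `# Backport of upstream PR 7025, part of the 0.1.57 release (adds SSG_BASH_SCRIPTS_ENABLED)`, lets the packager drop them at the 0.1.57 rebase instead of guessing. This matters for `Patch1` in particular, because the `-DSSG_BASH_SCRIPTS_ENABLED=OFF` argument in `%build` further down only has an effect with that patch applied; without it CMake merely warns about an unused variable, and the Bash scripts would be installed but not listed in `%files`, which rpmbuild treats as an error by default.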
@@ -29,7 +29,7 @@ system from the final system's security point of view. The guidance is specified in the Security Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy -requirements and specific implementation guidelines. The Fedora system +requirements and specific implementation guidelines. The system administrator can use the oscap CLI tool from openscap-scanner package, or the scap-workbench GUI tool from scap-workbench package to verify that the system conforms to provided guideline. Refer to scap-security-guide(8) manual page for 
@@ -45,30 +45,46 @@ hardening guidances that have been generated from XCCDF benchmarks present in
%{name} package.
%prep
-%setup -q
+%autosetup -p1
%build
-%cmake
+%cmake \
+-DSSG_PRODUCT_DEFAULT=OFF \
+-DSSG_PRODUCT_RHEL9=ON \
+-DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF \
+-DSSG_BASH_SCRIPTS_ENABLED=OFF \
+-DSSG_BUILD_SCAP_12_DS=OFF
%cmake_build
%install
%cmake_install
+rm %{buildroot}/%{_docdir}/%{name}/README.md
+rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%files
%{_datadir}/xml/scap/ssg/content
-%{_datadir}/%{name}/kickstart
-%{_datadir}/%{name}/ansible
-%{_datadir}/%{name}/bash
+# Temporary comment out until RHEL 9 kickstarts are created
+#%{_datadir}/%{name}/kickstart
+%{_datadir}/%{name}/ansible/*.yml
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
%doc %{_docdir}/%{name}/LICENSE
-%doc %{_docdir}/%{name}/README.md
-%doc %{_docdir}/%{name}/Contributors.md
%files doc
%doc %{_docdir}/%{name}/guides/*.html
%doc %{_docdir}/%{name}/tables/*.html
%changelog
+* Wed May 19 2021 Jan Černý - 0.1.56-1
+- Upgrade to the latest upstream release
+- remove README.md and Contributors.md
+- remove SCAP component files
+- remove SCAP 1.2 source data streams
+- remove HTML guides for the virtual “(default)” profile
+- remove profile Bash remediation scripts
+- build only RHEL9 content
+- remove other products
+- use autosetup in %prep phase
+
* Fri Apr 16 2021 Mohan Boddu - 0.1.54-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021.
Related: rhbz#1947937
diff --git a/sources b/sources
index 7a2c4b2..cad4a93 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (scap-security-guide-0.1.54.tar.bz2) = 35d89737c5000c0fcebb36c5ad48958f95edf4563579af2a5591e0f8560fc3de8d90aad39536318ae6ab1261bf2c3e4504533604e94f68d23acc6fc153a37f96
+SHA512 (scap-security-guide-0.1.56.tar.bz2) = 1c876f1a8e03f3f68de8fd5a8fd020567f0eecb1fb8b9c9f754453c2f22278944f50d06c0f4e771020e2e25facf6cecb1044d3ddb12e531428ca5aacfec3c86c
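Review bot: `%{_datadir}/%{name}/ansible/*.yml` in `%files` packages the playbooks but, unlike the removed `%{_datadir}/%{name}/ansible` entry, no longer owns the directory, so `%{_datadir}/%{name}/ansible` is left unowned after this change (`%{_datadir}/%{name}` itself was already unowned before it); add `%dir %{_datadir}/%{name}` and `%dir %{_datadir}/%{name}/ansible` above the glob. The commented-out `#%{_datadir}/%{name}/kickstart` is still macro-expanded by rpm inside the comment, which rpmlint reports as macro-in-comment; write it as `#%%{_datadir}/%%{name}/kickstart` so the line stays inert whatever the macros expand to. The five `-D` flags in `%build` would also benefit from one comment line tying them to the changelog items they implement, e.g. `# RHEL 9 content only; SCAP 1.2 streams, separate component files and Bash scripts are not packaged`.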