modify the %prep and %build section to be aligned with cs9

The previous implementation created a nested build directory.
This caused some problems.
I believe it is better to have minimal differences between spec files in centos versions.

add quick patch for the script which generates scap delta tailoring so that paths are not hardcoded there
Vojtech Polasek 2025-02-25 13:01:17 +01:00
parent f0183395a7
commit 9a1ba71e16
2 changed files with 78 additions and 21 deletions


@ -0,0 +1,63 @@
From 452ee249e43dc3ce5d1f052ed528a084f5a3657f Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 25 Feb 2025 16:55:19 +0100
Subject: create_delta_scap_tailoring: pass path to build_config.yml explicitly
when calling the script from cmake
---
cmake/SSGCommon.cmake | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
index 337067c215..170ae3d39f 100644
--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
@@ -658,7 +658,7 @@ macro(ssg_build_disa_delta PRODUCT PROFILE)
add_custom_command(
OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/tailoring/${PRODUCT}_${PROFILE}_delta_tailoring.xml"
COMMAND ${CMAKE_COMMAND} -E make_directory "${CMAKE_BINARY_DIR}/${PRODUCT}/tailoring"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_scap_delta_tailoring.py" --root "${CMAKE_SOURCE_DIR}" --product "${PRODUCT}" --manual "${DISA_SCAP_REF}" --profile "${PROFILE}" --reference "stigid" --output "${CMAKE_BINARY_DIR}/${PRODUCT}/tailoring/${PRODUCT}_${PROFILE}_delta_tailoring.xml" --quiet --build-root ${CMAKE_BINARY_DIR} --resolved-rules-dir
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_scap_delta_tailoring.py" --root "${CMAKE_SOURCE_DIR}" --product "${PRODUCT}" --manual "${DISA_SCAP_REF}" --profile "${PROFILE}" --reference "stigid" --output "${CMAKE_BINARY_DIR}/${PRODUCT}/tailoring/${PRODUCT}_${PROFILE}_delta_tailoring.xml" --quiet --build-root ${CMAKE_BINARY_DIR} --resolved-rules-dir -c ${CMAKE_BINARY_DIR}/build_config.yml
DEPENDS "${PRODUCT}-content"
COMMENT "[${PRODUCT}-generate-ssg-delta] generating disa tailoring file"
)
--
2.48.1
From 6def0e0e54497f32b8be6b1511fe98e324bc057d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 25 Feb 2025 17:08:54 +0100
Subject: create_scap_delta_tailoring: remove hardcoded build directory
---
utils/create_scap_delta_tailoring.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/utils/create_scap_delta_tailoring.py b/utils/create_scap_delta_tailoring.py
index ee85a57bc0..04ca197c5f 100755
--- a/utils/create_scap_delta_tailoring.py
+++ b/utils/create_scap_delta_tailoring.py
@@ -24,8 +24,8 @@ NS = {'scap': ssg.constants.datastream_namespace,
PROFILE = 'stig'
-def get_profile(product, profile_name):
- ds_root = ET.parse(os.path.join(SSG_ROOT, 'build', 'ssg-{product}-ds.xml'
+def get_profile(product, profile_name, build_root):
+ ds_root = ET.parse(os.path.join(build_root, 'ssg-{product}-ds.xml'
.format(product=product))).getroot()
profiles = ds_root.findall(
'.//{{{scap}}}component/{{{xccdf}}}Benchmark/{{{xccdf}}}Profile'.format(
@@ -177,7 +177,7 @@ def create_tailoring(args):
args.build_root)
needed_rules = filter_out_implemented_rules(known_rules, NS, benchmark_root)
needed_rule_names_set = set(rulename for ruleset in needed_rules.values() for rulename in ruleset)
- profile_root = get_profile(args.product, args.profile)
+ profile_root = get_profile(args.product, args.profile, args.build_root)
selections = profile_root.findall('xccdf-1.2:select', NS)
tailoring_profile = setup_tailoring_profile(args.profile_id, profile_root)
for selection in selections:
--
2.48.1
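Review bot: The new `-c ${CMAKE_BINARY_DIR}/build_config.yml` argument on the COMMAND line of ssg_build_disa_delta is unquoted, as is the existing `--build-root ${CMAKE_BINARY_DIR}`, while every other path on that line is quoted. A build directory whose path contains a space or a semicolon would be split into separate arguments, so the script would be handed a different config path than intended. Writing `-c "${CMAKE_BINARY_DIR}/build_config.yml"` and `--build-root "${CMAKE_BINARY_DIR}"` keeps each as one argument, and adding `VERBATIM` before the closing parenthesis of `add_custom_command` makes the escaping the same on every platform. In the second commit of this patch file, `get_profile` gains a required `build_root` parameter and only the call in `create_tailoring` is visibly updated, so any caller outside the shown hunks would need the same argument. The macro body continues outside the hunk.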


@ -2,8 +2,6 @@
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
# Base name of static rhel7 content tarball
%global _static_rhel7_content %{name}-0.1.73-1.el7_9-rhel7
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
%global _vpath_builddir build
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
Name: scap-security-guide
@ -18,6 +16,7 @@ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{versio
Source1: %{_static_rhel6_content}.tar.bz2
# Include tarball with last released rhel7 content
Source2: %{_static_rhel7_content}.tar.bz2
Patch0: fix_scap_delta_tailoring.patch
BuildArch: noarch
@ -66,30 +65,25 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul
%prep
%setup -q -b1 -b2
%patch -P 0 -p1
%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF -DSSG_PRODUCT_FIREFOX:BOOLEAN=true -DSSG_PRODUCT_JRE:BOOLEAN=TRUE
%define cmake_defines_specific %{nil}
%if 0%{?rhel}
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
%endif
%if 0%{?centos}
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
%endif
%build
mkdir -p build
cd build
%cmake \
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
%if %{defined centos}
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
%else
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
%endif
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
%if ( %{defined rhel} && (! %{defined centos}) )
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
%endif
../
mkdir -p %{_vpath_builddir}
cd %{_vpath_builddir}
%cmake -S .. %{cmake_defines_common} %{cmake_defines_specific}
%cmake_build
%install
cd build
cd %{_vpath_builddir}
%cmake_install
# Manually install pre-built rhel6 content
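Review bot: As far as the rendered page shows, the rewritten %build no longer passes `-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE` or `-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE`; the only RHEL product switch left is `-DSSG_PRODUCT_RHEL%{rhel}` (or `%{centos}`). Which benchmark content gets built therefore depends on the build host's macros, and the commit message does not mention that change. If RHEL 7 content is meant to come only from the static tarball in Source2, a comment above the defines would record it, for example `# rhel7 content is shipped from Source2; only RHEL%{rhel} is built here`. The `%if 0%{?centos}` block also replaces the value set in the `%if 0%{?rhel}` block when both macros are defined, which drops `-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON`; a one-line comment saying this ordering is intentional would help. `%{_vpath_builddir}` is still used in %build and %install after its `%global` definition was removed, so the build presumably relies on the distribution defining that macro; the %install section continues outside the hunk.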