import scap-security-guide-0.1.56-2.el8

2021-06-19 04:26:38 +00:00 · 2021-06-19 04:26:38 +00:00 · 9be20b0383
parent aae7e6be65
commit 9be20b0383
2 changed files with 106 additions and 2 deletions
--- a/SOURCES/scap-security-guide-0.1.57-ansible-playbooks-per-rule-PR_7039.patch
+++ b/SOURCES/scap-security-guide-0.1.57-ansible-playbooks-per-rule-PR_7039.patch
@ -0,0 +1,76 @@
+commit c58a2b0af3c8094446df1850cb1c943d51b2ec5f
+Author: Gabriel Becker <ggasparb@redhat.com>
+Date:   Tue Jun 8 13:40:28 2021 +0200
+
+    Add option to enable installation of individual ansible playbooks per rule.
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 6995944..bd317c0 100644
+--- a/CMakeLists.txt
+++ b/CMakeLists.txt
+@@ -46,6 +46,7 @@ option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck vali
+ option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE)
+ option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the SVG SCAP Security Guide logo." TRUE)
+ option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE)
+option(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED "If enabled, Ansible Playbooks for each rule will be built and installed." FALSE)
+ option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
+ option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
+ set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
+@@ -231,6 +232,7 @@ message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENA
+ message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}")
+ message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}")
+ message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}")
+message(STATUS "Ansible Playbooks Per Rule: ${SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED}")
+ if (SSG_JINJA2_CACHE_ENABLED)
+     message(STATUS "jinja2 cache: enabled")
+     message(STATUS "jinja2 cache dir: ${SSG_JINJA2_CACHE_DIR}")
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index b487a0b..b7db7fd 100644
+--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
+@@ -746,8 +746,12 @@ macro(ssg_build_product PRODUCT)
+     ssg_build_xccdf_unlinked(${PRODUCT})
+     ssg_build_ocil_unlinked(${PRODUCT})
+     ssg_build_remediations(${PRODUCT})
+-    if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
+    if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
+         ssg_build_ansible_playbooks(${PRODUCT})
+        add_dependencies(
+            ${PRODUCT}-content
+            generate-${PRODUCT}-ansible-playbooks
+        )
+     endif()
+     ssg_build_xccdf_with_remediations(${PRODUCT})
+     ssg_build_oval_unlinked(${PRODUCT})
+@@ -778,10 +782,6 @@ macro(ssg_build_product PRODUCT)
+     add_dependencies(zipfile "generate-ssg-${PRODUCT}-ds.xml")
+ 
+     if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
+-        add_dependencies(
+-            ${PRODUCT}-content
+-            generate-${PRODUCT}-ansible-playbooks
+-        )
+         ssg_build_profile_playbooks(${PRODUCT})
+         add_custom_target(
+             ${PRODUCT}-profile-playbooks
+@@ -885,6 +885,20 @@ macro(ssg_build_product PRODUCT)
+         endif()
+         "
+     )
+    if(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
+        install(
+            CODE "
+            file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*\") \n
+            if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks)
+                file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\"
+                    TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
+            else()
+                file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\"
+                    TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
+            endif()
+            "
+        )
+    endif()
+ 
+     # grab all the kickstarts (if any) and install them
+     file(GLOB KICKSTART_FILES "${CMAKE_CURRENT_SOURCE_DIR}/kickstart/ssg-${PRODUCT}-*-ks.cfg")
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@ -3,7 +3,7 @@

 Name:		scap-security-guide
 Version:	0.1.56
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 Group:		Applications/System
 License:	BSD
@ -16,6 +16,7 @@ Patch0:		disable-not-in-good-shape-profiles.patch
 Patch1:		scap-security-guide-0.1.57-select_seboolean_rules_for_ANSSI-PR_6988.patch
 Patch2:		scap-security-guide-0.1.57-add_rule_sudo_add_passwd_timeout-PR_6984.patch
 Patch3:		scap-security-guide-0.1.57-update_ANSSI_profiles_metadata-PR_6997.patch
+Patch4:		scap-security-guide-0.1.57-ansible-playbooks-per-rule-PR_7039.patch

 BuildArch:	noarch

@ -48,12 +49,23 @@ The %{name}-doc package contains HTML formatted documents containing
 hardening guidances that have been generated from XCCDF benchmarks
 present in %{name} package.

+%if %{defined rhel}
+%package	rule-playbooks
+Summary:	Ansible playbooks per each rule.
+Group:		System Environment/Base
+Requires:	%{name} = %{version}-%{release}
+
+%description	rule-playbooks
+The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
+%endif
+
 %prep
 %setup -q -b 1
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 mkdir build

 %build
@ -69,7 +81,11 @@ cd build
 %else
 -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
 %endif
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../
+-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
+%if %{defined rhel}
+-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
+%endif
+../
 %make_build

 %install
@ -90,12 +106,24 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %doc %{_docdir}/%{name}/LICENSE
 %doc %{_docdir}/%{name}/README.md
 %doc %{_docdir}/%{name}/Contributors.md
+%if %{defined rhel}
+%exclude %{_datadir}/%{name}/ansible/rule_playbooks
+%endif

 %files doc
 %doc %{_docdir}/%{name}/guides/*.html
 %doc %{_docdir}/%{name}/tables/*.html

+%if %{defined rhel}
+%files rule-playbooks
+%defattr(-,root,root,-)
+%{_datadir}/%{name}/ansible/rule_playbooks
+%endif
+
 %changelog
+* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2
+- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)
+
 * Tue Jun 01 2021 Watson Sato <wsato@redhat.com> - 0.1.56-1
 - Update to the latest upstream release (RHBZ#1966577)
 - Add ANSSI High Profile (RHBZ#1955183)