import scap-security-guide-0.1.56-2.el8

CentOS Sources 2021-06-19 04:26:38 +00:00 committed by Andrew Lukoshko
parent aae7e6be65
commit 9be20b0383
2 changed files with 106 additions and 2 deletions


@ -0,0 +1,76 @@
commit c58a2b0af3c8094446df1850cb1c943d51b2ec5f
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Tue Jun 8 13:40:28 2021 +0200
Add option to enable installation of individual ansible playbooks per rule.
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6995944..bd317c0 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -46,6 +46,7 @@ option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck vali
option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE)
option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the SVG SCAP Security Guide logo." TRUE)
option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE)
+option(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED "If enabled, Ansible Playbooks for each rule will be built and installed." FALSE)
option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
@@ -231,6 +232,7 @@ message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENA
message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}")
message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}")
message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}")
+message(STATUS "Ansible Playbooks Per Rule: ${SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED}")
if (SSG_JINJA2_CACHE_ENABLED)
message(STATUS "jinja2 cache: enabled")
message(STATUS "jinja2 cache dir: ${SSG_JINJA2_CACHE_DIR}")
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
index b487a0b..b7db7fd 100644
--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
@@ -746,8 +746,12 @@ macro(ssg_build_product PRODUCT)
ssg_build_xccdf_unlinked(${PRODUCT})
ssg_build_ocil_unlinked(${PRODUCT})
ssg_build_remediations(${PRODUCT})
- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
ssg_build_ansible_playbooks(${PRODUCT})
+ add_dependencies(
+ ${PRODUCT}-content
+ generate-${PRODUCT}-ansible-playbooks
+ )
endif()
ssg_build_xccdf_with_remediations(${PRODUCT})
ssg_build_oval_unlinked(${PRODUCT})
@@ -778,10 +782,6 @@ macro(ssg_build_product PRODUCT)
add_dependencies(zipfile "generate-ssg-${PRODUCT}-ds.xml")
if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
- add_dependencies(
- ${PRODUCT}-content
- generate-${PRODUCT}-ansible-playbooks
- )
ssg_build_profile_playbooks(${PRODUCT})
add_custom_target(
${PRODUCT}-profile-playbooks
@@ -885,6 +885,20 @@ macro(ssg_build_product PRODUCT)
endif()
"
)
+ if(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
+ install(
+ CODE "
+ file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*\") \n
+ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks)
+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\"
+ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
+ else()
+ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\"
+ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
+ endif()
+ "
+ )
+ endif()
# grab all the kickstarts (if any) and install them
file(GLOB KICKSTART_FILES "${CMAKE_CURRENT_SOURCE_DIR}/kickstart/ssg-${PRODUCT}-*-ks.cfg")
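Review bot: The install-time glob in the new install(CODE) block, `file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*\")`, ships every file present in that build-tree directory at install time, so leftovers from an earlier configuration or any non-playbook artefact written there would end up in the package; narrowing the pattern to the playbook file extension (presumably `*.yml`, to be confirmed against what ssg_build_ansible_playbooks emits) bounds what gets installed. The trailing `\n` on that same line is redundant, since the quoted CODE string already contains a real line break there. The absolute-path test passes `${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks` unquoted, unlike the quoted DESTINATION arguments just below it, so a prefix containing a space or semicolon would split into several arguments; `if(NOT IS_ABSOLUTE \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks\")` matches the rest of the block. The enclosing macro ssg_build_product begins and ends outside this hunk, and the same mixed quoting style appears in the first SSGCommon.cmake hunk, where `"${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}"` is quoted but `SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED` is not.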


@ -3,7 +3,7 @@
Name: scap-security-guide
Version: 0.1.56
Release: 1%{?dist}
Release: 2%{?dist}
Summary: Security guidance and baselines in SCAP formats
Group: Applications/System
License: BSD
@ -16,6 +16,7 @@ Patch0: disable-not-in-good-shape-profiles.patch
Patch1: scap-security-guide-0.1.57-select_seboolean_rules_for_ANSSI-PR_6988.patch
Patch2: scap-security-guide-0.1.57-add_rule_sudo_add_passwd_timeout-PR_6984.patch
Patch3: scap-security-guide-0.1.57-update_ANSSI_profiles_metadata-PR_6997.patch
Patch4: scap-security-guide-0.1.57-ansible-playbooks-per-rule-PR_7039.patch
BuildArch: noarch
@ -48,12 +49,23 @@ The %{name}-doc package contains HTML formatted documents containing
hardening guidances that have been generated from XCCDF benchmarks
present in %{name} package.
%if %{defined rhel}
%package rule-playbooks
Summary: Ansible playbooks per each rule.
Group: System Environment/Base
Requires: %{name} = %{version}-%{release}
%description rule-playbooks
The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
%endif
%prep
%setup -q -b 1
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
mkdir build
%build
@ -69,7 +81,11 @@ cd build
%else
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
%endif
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
%if %{defined rhel}
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
%endif
../
%make_build
%install
@ -90,12 +106,24 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
%doc %{_docdir}/%{name}/LICENSE
%doc %{_docdir}/%{name}/README.md
%doc %{_docdir}/%{name}/Contributors.md
%if %{defined rhel}
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
%endif
%files doc
%doc %{_docdir}/%{name}/guides/*.html
%doc %{_docdir}/%{name}/tables/*.html
%if %{defined rhel}
%files rule-playbooks
%defattr(-,root,root,-)
%{_datadir}/%{name}/ansible/rule_playbooks
%endif
%changelog
* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2
- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)
* Tue Jun 01 2021 Watson Sato <wsato@redhat.com> - 0.1.56-1
- Update to the latest upstream release (RHBZ#1966577)
- Add ANSSI High Profile (RHBZ#1955183)
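Review bot: The new subpackage's `Summary: Ansible playbooks per each rule.` ends with a period and reads awkwardly; rpmlint reports summaries that end with a dot, and `Summary: Ansible playbooks per rule` says the same thing in the package's own register. The %files entry `%{_datadir}/%{name}/ansible/rule_playbooks` and the matching `%exclude` in the main package assume the CMake side installs under that exact path, which this spec does not pin; if SSG_ANSIBLE_ROLE_INSTALL_DIR is ever changed, both lines go stale silently, so a comment naming that dependency next to the `-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON` line would help the next maintainer. The `%defattr(-,root,root,-)` line in the rule-playbooks %files section is the rpm default and the other %files sections in this hunk do not carry it. The changelog date `Tue Jun 8 2021` uses a different day format from the `Tue Jun 01 2021` entry below it.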