Rebase to the 0.1.60 upstream version

Resolves: rhbz#2014561
Watson Sato 2022-01-27 17:21:52 +01:00
parent 21b368fa76
commit a44269807e
6 changed files with 6 additions and 284 deletions

.gitignore vendored

@ -42,3 +42,4 @@
/scap-security-guide-0.1.57.tar.bz2
/scap-security-guide-0.1.58.tar.bz2
/scap-security-guide-0.1.59.tar.bz2
/scap-security-guide-0.1.60.tar.bz2


@ -1,53 +0,0 @@
diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
index d61689c97..5e444a101 100644
--- a/products/rhel8/CMakeLists.txt
+++ b/products/rhel8/CMakeLists.txt
@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
ssg_build_html_table_by_ref(${PRODUCT} "anssi")
-ssg_build_html_nistrefs_table(${PRODUCT} "standard")
ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
ssg_build_html_nistrefs_table(${PRODUCT} "stig")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
-
ssg_build_html_cce_table(${PRODUCT})
ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
diff --git a/products/rhel9/profiles/cjis.profile b/rhel9/profiles/cjis.profile
index 035d2705b..c6475f33e 100644
--- a/products/rhel9/profiles/cjis.profile
+++ b/products/rhel9/profiles/cjis.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
metadata:
version: 5.4
diff --git a/products/rhel9/profiles/rht-ccp.profile b/rhel9/profiles/rht-ccp.profile
index c84579592..164ec98c4 100644
--- a/products/rhel9/profiles/rht-ccp.profile
+++ b/products/rhel9/profiles/rht-ccp.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: '[RHEL9 DRAFT] Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
diff --git a/products/rhel9/profiles/standard.profile b/rhel9/profiles/standard.profile
index a63ae2cf3..da669bb84 100644
--- a/products/rhel9/profiles/standard.profile
+++ b/products/rhel9/profiles/standard.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: 'Standard System Security Profile for Red Hat Enterprise Linux 9'
--
2.26.2


@ -1,68 +0,0 @@
From e1408da0fb0224e64037bc693d262374795bf9a4 Mon Sep 17 00:00:00 2001
From: Matus Marhefka <mmarhefk@redhat.com>
Date: Wed, 20 Oct 2021 09:03:59 +0200
Subject: [PATCH] tests/install_vm.py: add timeouted wait for VM to shutdown
Added timeout should prevent issues where a VM is still in
the `running` state after `virsh console` disconnects and
therefore subsequent `virsh start` fails, e.g.:
```
Starting Reboot...
dracut Warning: Killing all remaining processes
Rebooting.
[ 522.430163] reboot: Restarting system
error: Domain is already active
```
---
tests/install_vm.py | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/tests/install_vm.py b/tests/install_vm.py
index 6a51477a289..59ffc499587 100755
--- a/tests/install_vm.py
+++ b/tests/install_vm.py
@@ -4,6 +4,7 @@
import os
import sys
import subprocess
+import time
def parse_args():
@@ -110,6 +111,25 @@ def parse_args():
return parser.parse_args()
+def wait_vm_not_running(domain):
+ timeout = 300
+
+ print("Waiting for {0} VM to shutdown (max. {1}s)".format(domain, timeout))
+ end_time = time.time() + timeout
+ try:
+ while True:
+ time.sleep(5)
+ if subprocess.getoutput("virsh domstate {0}".format(domain)).rstrip() != "running":
+ return
+ if time.time() >= end_time:
+ print("Timeout reached: {0} VM failed to shutdown, cancelling wait."
+ .format(domain))
+ return
+ except KeyboardInterrupt:
+ print("Interrupted, cancelling wait.")
+ return
+
+
def main():
data = parse_args()
username = ""
@@ -210,6 +230,7 @@ def main():
os.system(command)
if data.console:
os.system("unbuffer virsh console {0}".format(data.domain))
+ wait_vm_not_running(data.domain)
os.system("virsh start {0}".format(data.domain))
print("\nTo determine the IP address of the {0} VM use:".format(data.domain))


@ -1,158 +0,0 @@
From bc5b337584131ab33eb7a770400df484d5fea271 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 15 Nov 2021 15:28:09 +0100
Subject: [PATCH 1/2] Add CentOS Stream 9 derivative product from RHEL9.
---
build-scripts/enable_derivatives.py | 3 +-
products/rhel9/CMakeLists.txt | 4 ++
products/rhel9/product.yml | 4 ++
shared/applicability/derivatives.yml | 5 ++
.../checks/oval/installed_OS_is_centos9.xml | 47 +++++++++++++++++++
ssg/constants.py | 1 +
6 files changed, 63 insertions(+), 1 deletion(-)
create mode 100644 shared/checks/oval/installed_OS_is_centos9.xml
diff --git a/build-scripts/enable_derivatives.py b/build-scripts/enable_derivatives.py
index 3d9f10a2160..867520b758d 100755
--- a/build-scripts/enable_derivatives.py
+++ b/build-scripts/enable_derivatives.py
@@ -97,7 +97,8 @@ def main():
raise RuntimeError("No Benchmark found!")
for namespace, benchmark in benchmarks:
- ssg.build_derivatives.profile_handling(benchmark, namespace)
+ if args[1] != "cs9":
+ ssg.build_derivatives.profile_handling(benchmark, namespace)
if not ssg.build_derivatives.add_cpes(benchmark, namespace, mapping):
raise RuntimeError(
"Could not add derivative OS CPEs to Benchmark '%s'."
diff --git a/products/rhel9/CMakeLists.txt b/products/rhel9/CMakeLists.txt
index 47efb8b6625..65402ca1dfd 100644
--- a/products/rhel9/CMakeLists.txt
+++ b/products/rhel9/CMakeLists.txt
@@ -15,3 +15,7 @@ ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
# ssg_build_html_stig_tables(${PRODUCT} "stig")
#ssg_build_html_stig_tables(${PRODUCT} "ospp")
+
+if (SSG_CENTOS_DERIVATIVES_ENABLED)
+ ssg_build_derivative_product(${PRODUCT} "centos" "cs9")
+endif()
diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
index b4f80662616..ce0667fa9c2 100644
--- a/products/rhel9/product.yml
+++ b/products/rhel9/product.yml
@@ -42,3 +42,7 @@ platform_package_overrides:
reference_uris:
cis: 'https://www.cisecurity.org/benchmark/red_hat_linux/'
+
+centos_pkg_release: "5ccc5b19"
+centos_pkg_version: "8483c65d"
+centos_major_version: "9"
diff --git a/shared/applicability/derivatives.yml b/shared/applicability/derivatives.yml
index e980f9c1c5c..a5701bc8d66 100644
--- a/shared/applicability/derivatives.yml
+++ b/shared/applicability/derivatives.yml
@@ -10,6 +10,11 @@ cpes:
title: "CentOS 8"
check_id: installed_OS_is_centos8
+ - cs9:
+ name: "cpe:/o:centos:centos:9"
+ title: "CentOS Stream 9"
+ check_id: installed_OS_is_centos9
+
- sl7:
name: "cpe:/o:scientificlinux:scientificlinux:7"
title: "Scientific Linux 7"
diff --git a/shared/checks/oval/installed_OS_is_centos9.xml b/shared/checks/oval/installed_OS_is_centos9.xml
new file mode 100644
index 00000000000..65f3b42d8ac
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_centos9.xml
@@ -0,0 +1,47 @@
+<def-group>
+ <definition class="inventory"
+ id="installed_OS_is_centos9" version="2">
+ <metadata>
+ <title>CentOS Stream 9</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <reference ref_id="cpe:/o:centos:centos:9"
+ source="CPE" />
+ <description>The operating system installed on the system is
+ CentOS Stream 9</description>
+ </metadata>
+ <criteria operator="AND">
+ <extend_definition comment="Installed OS is part of the Unix family"
+ definition_ref="installed_OS_is_part_of_Unix_family" />
+ <criterion comment="OS is CentOS Stream" test_ref="test_centos9_name" />
+ <criterion comment="OS version is 9" test_ref="test_centos9_version" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check os-release ID" id="test_centos9_name" version="1">
+ <ind:object object_ref="obj_name_centos9" />
+ <ind:state state_ref="state_name_centos9" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_name_centos9" version="1" comment="Check os-release ID">
+ <ind:filepath>/etc/os-release</ind:filepath>
+ <ind:pattern operation="pattern match">^ID=&quot;(\w+)&quot;$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_name_centos9" version="1">
+ <ind:subexpression>centos</ind:subexpression>
+ </ind:textfilecontent54_state>
+
+ <ind:textfilecontent54_test check="all" comment="Check os-release VERSION_ID" id="test_centos9_version" version="1">
+ <ind:object object_ref="obj_version_centos9" />
+ <ind:state state_ref="state_version_centos9" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_version_centos9" version="1" comment="Check os-release VERSION_ID">
+ <ind:filepath>/etc/os-release</ind:filepath>
+ <ind:pattern operation="pattern match">^VERSION_ID=&quot;(\d)&quot;$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_version_centos9" version="1">
+ <ind:subexpression>9</ind:subexpression>
+ </ind:textfilecontent54_state>
+</def-group>
diff --git a/ssg/constants.py b/ssg/constants.py
index 982c8c64f7a..66c72665b34 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -282,6 +282,7 @@
"cpe:/o:redhat:enterprise_linux:6": "cpe:/o:centos:centos:6",
"cpe:/o:redhat:enterprise_linux:7": "cpe:/o:centos:centos:7",
"cpe:/o:redhat:enterprise_linux:8": "cpe:/o:centos:centos:8",
+ "cpe:/o:redhat:enterprise_linux:9": "cpe:/o:centos:centos:9",
}
RHEL_SL_CPE_MAPPING = {
From f6e90ef5846ebc11fd4fe2b4d350b86f9470aacf Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 16 Nov 2021 17:39:20 +0100
Subject: [PATCH 2/2] Add comment explaining why profiles are kept in CentOS
Stream 9.
---
build-scripts/enable_derivatives.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/build-scripts/enable_derivatives.py b/build-scripts/enable_derivatives.py
index 867520b758d..48a2379ea69 100755
--- a/build-scripts/enable_derivatives.py
+++ b/build-scripts/enable_derivatives.py
@@ -98,6 +98,8 @@ def main():
for namespace, benchmark in benchmarks:
if args[1] != "cs9":
+ # In CentOS Stream 9 profiles are kept because it is a system
+ # intended to test content that will get into RHEL
ssg.build_derivatives.profile_handling(benchmark, namespace)
if not ssg.build_derivatives.add_cpes(benchmark, namespace, mapping):
raise RuntimeError(


@ -4,7 +4,7 @@
%global _vpath_builddir build
Name: scap-security-guide
Version: 0.1.59
Version: 0.1.60
Release: 1%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
@ -12,9 +12,6 @@ URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
BuildArch: noarch
Patch0: disable-not-in-good-shape-profiles.patch
Patch1: scap-security-guide-0.1.60-centos_stream_9_content-PR_7878.patch
BuildRequires: libxslt
BuildRequires: expat
BuildRequires: openscap-scanner >= 1.2.5
@ -100,6 +97,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%endif
%changelog
* Thu Jan 27 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1
- Rebase to a new upstream release (RHBZ#2014561)
* Wed Dec 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.59-1
- Rebase to a new upstream release (RHBZ#2014561)
- Enable Centos Stream 9 content (RHBZ#2021284)
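Review bot: The new changelog entry `* Thu Jan 27 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1` records only the rebase, while the hunk above it drops `Patch0: disable-not-in-good-shape-profiles.patch` and `Patch1: scap-security-guide-0.1.60-centos_stream_9_content-PR_7878.patch` without saying why. A reader of the package history cannot tell whether those changes are now carried by upstream 0.1.60 or were intentionally reverted; in particular, if upstream does not set `documentation_complete: false` on the rhel9 cjis, rht-ccp and standard profiles, dropping Patch0 re-enables those draft profiles in the shipped content. Please add a line under the 0.1.60-1 entry stating the reason, e.g. `- Drop downstream patches that are part of upstream 0.1.60 (profile disabling, CentOS Stream 9 content)`, adjusted if the actual reason differs. The spec file's name is not shown in this rendered section, so the hunk is identified by its content only.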


@ -1 +1 @@
SHA512 (scap-security-guide-0.1.59.tar.bz2) = 2a92e6835749137c1080f08d2120949dbfea01eedf5f29728beb84dae62f90fd81b8869337cffa738de90641e0f5efc58115d914dceb691b12b805af2ad2de04
SHA512 (scap-security-guide-0.1.60.tar.bz2) = 41899c1209b64eb13e76368da141db25fe7e2ab280e67dafc750d470049062f0f16c70ee79f4b3a2131f30c9fb8e23e3c22fb354577239698f2b7f30544d969a