Rebase to a new upstream release
Resolves: rhbz#1962564
This commit is contained in:
parent
dfed54b246
commit
dac4498bd5
1
.gitignore
vendored
1
.gitignore
vendored
@ -39,3 +39,4 @@
|
||||
/scap-security-guide-0.1.53.tar.bz2
|
||||
/scap-security-guide-0.1.54.tar.bz2
|
||||
/scap-security-guide-0.1.56.tar.bz2
|
||||
/scap-security-guide-0.1.57.tar.bz2
|
||||
|
@ -1,693 +0,0 @@
|
||||
From 6006e997000ab19aa59df24b074feb285ec4e586 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 11 May 2021 17:14:24 +0200
|
||||
Subject: [PATCH 1/6] Update ANSSI metadata for High level hardening
|
||||
|
||||
---
|
||||
controls/anssi.yml | 15 +++++++++++----
|
||||
1 file changed, 11 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 2053de05c0..e9b9f1b803 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -70,6 +70,10 @@ controls:
|
||||
It is recommended to use the mandatory access control (MAC) features in
|
||||
addition to the traditional Unix user model (DAC), or possibly combine
|
||||
them with partitioning mechanisms.
|
||||
+ notes: >-
|
||||
+ Other partitioning mechanisms can include chroot and containers and are not contemplated
|
||||
+ in this requirement.
|
||||
+ automated: partially
|
||||
rules:
|
||||
- selinux_state
|
||||
- var_selinux_state=enforcing
|
||||
@@ -161,6 +165,7 @@ controls:
|
||||
The iommu = force directive must be added to the list of kernel parameters
|
||||
during startup in addition to those already present in the configuration
|
||||
files of the bootloader (/boot/grub/menu.lst or /etc/default/grub).
|
||||
+ automated: yes
|
||||
rules:
|
||||
- grub2_enable_iommu_force
|
||||
|
||||
@@ -837,8 +842,8 @@ controls:
|
||||
not locally stored in clear), or possibly stored on a separate machine
|
||||
of the one on which the sealing is done.
|
||||
Check section "Database and config signing in AIDE manual"
|
||||
- https://github.com/aide/aide/blob/master/doc/manual.html
|
||||
- # rules: TBD
|
||||
+ https://aide.github.io/doc/#signing
|
||||
+ automated: no
|
||||
|
||||
- id: R53
|
||||
level: enhanced
|
||||
@@ -946,7 +951,7 @@ controls:
|
||||
title: Enable AppArmor security profiles
|
||||
description: >-
|
||||
All AppArmor security profiles on the system must be enabled by default.
|
||||
- # rules: TBD
|
||||
+ automated: no
|
||||
|
||||
- id: R66
|
||||
level: high
|
||||
@@ -990,6 +995,7 @@ controls:
|
||||
description: >-
|
||||
SELinux policy manipulation and debugging tools should not be installed
|
||||
on a machine in production.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- package_setroubleshoot_removed
|
||||
- package_setroubleshoot-server_removed
|
||||
@@ -1000,4 +1006,5 @@ controls:
|
||||
title: Confining interactive non-privileged users
|
||||
description: >-
|
||||
Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user.
|
||||
- # rules: TBD
|
||||
+ notes: Interactive users who still need to perform administrative tasks should not be confined with user_u.
|
||||
+ automated: no
|
||||
|
||||
From 98c310f893c31fb828c7ee17f9f8c7f7f11dde7a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 11 May 2021 17:31:11 +0200
|
||||
Subject: [PATCH 2/6] Update metadata of other ANSSI hardening levels
|
||||
|
||||
---
|
||||
controls/anssi.yml | 91 ++++++++++++++++++++++++++++++++++++++--------
|
||||
1 file changed, 75 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index e9b9f1b803..291af65f58 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -19,8 +19,10 @@ controls:
|
||||
Those whose presence can not be justified should be disabled, removed or deleted.
|
||||
automated: partially # The list of essential services is not objective.
|
||||
notes: >-
|
||||
- Use of obsolete or insecure services is not recommended.
|
||||
- The minimal install is a good starting point, but this doesn't provide any assurance over any package installed later.
|
||||
+ Manual review is required to assess if the installed services are minimal.
|
||||
+ In general, use of obsolete or insecure services is not recommended.
|
||||
+ Performing a minimal install is a good starting point, but doesn't provide any assurance
|
||||
+ over any package installed later.
|
||||
rules:
|
||||
- package_dhcp_removed
|
||||
#- package_rsh_removed
|
||||
@@ -45,10 +47,9 @@ controls:
|
||||
problematic from a security point of view.
|
||||
The features configured at the level of launched services should be limited to the strict
|
||||
minimum.
|
||||
+ automated: no
|
||||
notes: >-
|
||||
Define a list of most problematic components or features to be hardened or restricted.
|
||||
- # potential components: sshd, pam, chrony?
|
||||
- # rules: TBD
|
||||
|
||||
- id: R3
|
||||
level: enhanced
|
||||
@@ -109,7 +110,10 @@ controls:
|
||||
Network services should as much as possible be hosted on isolated environments.
|
||||
This avoids having other potentially affected services if one of them gets
|
||||
compromised under the same environment.
|
||||
- #rules: TBD
|
||||
+ notes: >-
|
||||
+ Manual analysis is required to determine if services are hosted appropriately in
|
||||
+ separate or isolated system while maintaining functionality.
|
||||
+ automated: no
|
||||
|
||||
- id: R7
|
||||
level: enhanced
|
||||
@@ -117,6 +121,7 @@ controls:
|
||||
description: >-
|
||||
The activities of the running system and services must be logged and
|
||||
archived on an external, non-local system.
|
||||
+ automated: yes
|
||||
rules:
|
||||
# The default remote loghost is logcollector.
|
||||
# Change the default value to the hostname or IP of the system to send the logs to
|
||||
@@ -235,6 +240,7 @@ controls:
|
||||
notes: >-
|
||||
The rule disabling auto-mount for /boot is commented until the rules checking for other
|
||||
/boot mount options are updated to handle this usecase.
|
||||
+ automated: no
|
||||
#rules:
|
||||
#- mount_option_boot_noauto
|
||||
|
||||
@@ -275,7 +281,7 @@ controls:
|
||||
hardening measures.
|
||||
Between two packages providing the same service, those subject to hardening
|
||||
(at compilation, installation, or default configuration) must be preferred.
|
||||
- #rules: TBD
|
||||
+ automated: no
|
||||
|
||||
- id: R17
|
||||
level: enhanced
|
||||
@@ -283,6 +289,7 @@ controls:
|
||||
description: >-
|
||||
A boot loader to protect the password boot must be to be privileged.
|
||||
This password must prevent any user from changing their configuration options.
|
||||
+ automated: yes # without remediation
|
||||
rules:
|
||||
- grub2_password
|
||||
- grub2_uefi_password
|
||||
@@ -358,12 +365,28 @@ controls:
|
||||
must be set up as soon as the system is installed: account and administration
|
||||
passwords, root authority certificates, public keys, or certificates of the
|
||||
host (and their respective private key).
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ This concerns two aspects, the first is administrative, and involves prompt
|
||||
+ installation of secrets or trusted elements by the sysadmin.
|
||||
+ The second involves removal of any default secret or trusted element
|
||||
+ configured by the operating system during install process, e.g. default
|
||||
+ known passwords.
|
||||
+ automated: no
|
||||
|
||||
- id: R21
|
||||
level: intermediary
|
||||
title: Hardening and monitoring of services subject to arbitrary flows
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ SELinux can provide confinement and monitoring of services, and AIDE provides
|
||||
+ basic integrity checking. System logs are configured as part of R43.
|
||||
+ Hardening of particular services should be done on a case by case basis and is
|
||||
+ not automated by this content.
|
||||
+ automated: partially
|
||||
+ rules:
|
||||
+ - selinux_state
|
||||
+ - var_selinux_state=enforcing
|
||||
+ - package_aide_installed
|
||||
+ - aide_build_database
|
||||
|
||||
- id: R22
|
||||
level: intermediary
|
||||
@@ -535,6 +558,7 @@ controls:
|
||||
sysctl kernel.modules_disabledconf:
|
||||
Prohibition of loading modules (except those already loaded to this point)
|
||||
kernel.modules_disabled = 1
|
||||
+ automated: yes # without remediation
|
||||
rules:
|
||||
- sysctl_kernel_modules_disabled
|
||||
|
||||
@@ -545,6 +569,7 @@ controls:
|
||||
It is recommended to load the Yama security module at startup (by example
|
||||
passing the security = yama argument to the kernel) and configure the
|
||||
sysctl kernel.yama.ptrace_scope to a value of at least 1.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- sysctl_kernel_yama_ptrace_scope
|
||||
|
||||
@@ -553,13 +578,19 @@ controls:
|
||||
title: Disabling unused user accounts
|
||||
description: >-
|
||||
Unused user accounts must be disabled at the system level.
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ The definition of unused user accounts is broad. It can include accounts
|
||||
+ whose owners don't use the system anymore, or users created by services
|
||||
+ or applicatons that should not be used.
|
||||
+ automated: no
|
||||
|
||||
- id: R27
|
||||
title: Disabling service accounts
|
||||
level: intermediary
|
||||
notes: >-
|
||||
It is difficult to generally identify the system's service accounts.
|
||||
+ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
|
||||
+ are not enforced by the OS and can be changed over time.
|
||||
Assisting rules could list users which are not disabled for manual review.
|
||||
automated: no
|
||||
|
||||
@@ -568,7 +599,11 @@ controls:
|
||||
title: Uniqueness and exclusivity of system service accounts
|
||||
description: >-
|
||||
Each service must have its own system account and be dedicated to it exclusively.
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ It is not trivial to identify wether a user account is a service account.
|
||||
+ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
|
||||
+ are not enforced by the OS and can be changed over time.
|
||||
+ automated: no
|
||||
|
||||
- id: R29
|
||||
level: enhanced
|
||||
@@ -778,6 +813,7 @@ controls:
|
||||
description: >-
|
||||
The syslog services must be isolated from the rest of the system in a
|
||||
dedicated container.
|
||||
+ automated: no
|
||||
# rules: TBD
|
||||
|
||||
- id: R46
|
||||
@@ -825,6 +861,7 @@ controls:
|
||||
This includes: directories containing executables, libraries,
|
||||
configuration files, as well as any files that may contain sensitive
|
||||
elements (cryptographic keys, passwords, confidential data).
|
||||
+ automated: yes
|
||||
rules:
|
||||
- package_aide_installed
|
||||
- aide_build_database
|
||||
@@ -851,7 +888,12 @@ controls:
|
||||
description: >-
|
||||
The deployed services must have their access restricted to the system
|
||||
strict minimum, especially when it comes to files, processes or network.
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ SELinux policies limit the privileges of services and daemons to only what they require.
|
||||
+ automated: partially
|
||||
+ rules:
|
||||
+ - selinux_policytype
|
||||
+ - var_selinux_policy_name=targeted
|
||||
|
||||
- id: R54
|
||||
level: enhanced
|
||||
@@ -859,17 +901,24 @@ controls:
|
||||
description: >-
|
||||
Each component supporting the virtualization must be hardened, especially
|
||||
by applying technical measures to counter the exploit attempts.
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ It may be interesting to point out virtulization components that are installed and
|
||||
+ should be hardened.
|
||||
+ automated: no
|
||||
|
||||
- id: R55
|
||||
level: intermediary
|
||||
title: chroot jail and access right for partitioned service
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ Automation to restrict access and chroot services is not generally reliable.
|
||||
+ autmated: no
|
||||
|
||||
- id: R56
|
||||
level: intermediary
|
||||
title: Enablement and usage of chroot by a service
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ Automation to restrict access and chroot services is not generally reliable.
|
||||
+ automated: no
|
||||
|
||||
- id: R57
|
||||
level: intermediary
|
||||
@@ -924,7 +973,10 @@ controls:
|
||||
description: >-
|
||||
The commands requiring the execution of sub-processes (EXEC tag) must be
|
||||
explicitly listed and their use should be reduced to a strict minimum.
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ Human review is required to assess if the commands requiring EXEC is minimal.
|
||||
+ An auxiliary rule could list rules containing EXEC tag, for analysis.
|
||||
+ automated: no
|
||||
|
||||
- id: R62
|
||||
level: intermediary
|
||||
@@ -944,7 +996,13 @@ controls:
|
||||
- id: R64
|
||||
level: intermediary
|
||||
title: Good use of sudoedit
|
||||
- # rules: TBD
|
||||
+ description: A file requiring sudo to be edited, must be edited through the sudoedit command.
|
||||
+ notes: >-
|
||||
+ In R62 we established that the sudoers files should not use negations, thus the approach
|
||||
+ for this requirement is to ensure that sudoedit is the only text editor allowed.
|
||||
+ But it is difficult to ensure that allowed binaries aren't text editors without human
|
||||
+ review.
|
||||
+ automated: no
|
||||
|
||||
- id: R65
|
||||
level: high
|
||||
@@ -959,6 +1017,7 @@ controls:
|
||||
description: >-
|
||||
It is recommended to enable the targeted policy when the distribution
|
||||
support it and that it does not operate another security module than SELinux.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- selinux_policytype
|
||||
- var_selinux_policy_name=targeted
|
||||
|
||||
From 655c8ab2d778f0826cb9cb9f3052bb5d49fcbbc4 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 11 May 2021 17:49:42 +0200
|
||||
Subject: [PATCH 3/6] Undraft RHEL ANSSI High profiles
|
||||
|
||||
---
|
||||
rhel7/profiles/anssi_nt28_high.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_high.profile | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
|
||||
index 22efad9c09..560460b55f 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_high.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_high.profile
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
+title: 'ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index 22efad9c09..560460b55f 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
+title: 'ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
|
||||
From 227baf32a959a94df241f49016aa23da2917de88 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Yuuma Sato <wsato@redhat.com>
|
||||
Date: Fri, 14 May 2021 10:58:50 +0200
|
||||
Subject: [PATCH 4/6] Fix typos and improve language
|
||||
|
||||
Co-authored-by: vojtapolasek <krecoun@gmail.com>
|
||||
---
|
||||
controls/anssi.yml | 20 ++++++++++----------
|
||||
1 file changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 291af65f58..81d099e98b 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -581,7 +581,7 @@ controls:
|
||||
notes: >-
|
||||
The definition of unused user accounts is broad. It can include accounts
|
||||
whose owners don't use the system anymore, or users created by services
|
||||
- or applicatons that should not be used.
|
||||
+ or applications that should not be used.
|
||||
automated: no
|
||||
|
||||
- id: R27
|
||||
@@ -589,7 +589,7 @@ controls:
|
||||
level: intermediary
|
||||
notes: >-
|
||||
It is difficult to generally identify the system's service accounts.
|
||||
- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
|
||||
+ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values
|
||||
are not enforced by the OS and can be changed over time.
|
||||
Assisting rules could list users which are not disabled for manual review.
|
||||
automated: no
|
||||
@@ -600,8 +600,8 @@ controls:
|
||||
description: >-
|
||||
Each service must have its own system account and be dedicated to it exclusively.
|
||||
notes: >-
|
||||
- It is not trivial to identify wether a user account is a service account.
|
||||
- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
|
||||
+ It is not trivial to identify whether a user account is a service account.
|
||||
+ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values
|
||||
are not enforced by the OS and can be changed over time.
|
||||
automated: no
|
||||
|
||||
@@ -889,7 +889,7 @@ controls:
|
||||
The deployed services must have their access restricted to the system
|
||||
strict minimum, especially when it comes to files, processes or network.
|
||||
notes: >-
|
||||
- SELinux policies limit the privileges of services and daemons to only what they require.
|
||||
+ SELinux policies limit the privileges of services and daemons just to those which are required.
|
||||
automated: partially
|
||||
rules:
|
||||
- selinux_policytype
|
||||
@@ -902,7 +902,7 @@ controls:
|
||||
Each component supporting the virtualization must be hardened, especially
|
||||
by applying technical measures to counter the exploit attempts.
|
||||
notes: >-
|
||||
- It may be interesting to point out virtulization components that are installed and
|
||||
+ It may be interesting to point out virtualization components that are installed and
|
||||
should be hardened.
|
||||
automated: no
|
||||
|
||||
@@ -910,14 +910,14 @@ controls:
|
||||
level: intermediary
|
||||
title: chroot jail and access right for partitioned service
|
||||
notes: >-
|
||||
- Automation to restrict access and chroot services is not generally reliable.
|
||||
- autmated: no
|
||||
+ Using automation to restrict access and chroot services is not generally reliable.
|
||||
+ automated: no
|
||||
|
||||
- id: R56
|
||||
level: intermediary
|
||||
title: Enablement and usage of chroot by a service
|
||||
notes: >-
|
||||
- Automation to restrict access and chroot services is not generally reliable.
|
||||
+ Using automation to restrict access and chroot services is not generally reliable.
|
||||
automated: no
|
||||
|
||||
- id: R57
|
||||
@@ -974,7 +974,7 @@ controls:
|
||||
The commands requiring the execution of sub-processes (EXEC tag) must be
|
||||
explicitly listed and their use should be reduced to a strict minimum.
|
||||
notes: >-
|
||||
- Human review is required to assess if the commands requiring EXEC is minimal.
|
||||
+ Human review is required to assess if the set of commands requiring EXEC is minimal.
|
||||
An auxiliary rule could list rules containing EXEC tag, for analysis.
|
||||
automated: no
|
||||
|
||||
|
||||
From 7bf2131e20bcf5a64e21b66afba48008324b058a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 14 May 2021 11:41:30 +0200
|
||||
Subject: [PATCH 5/6] Update R1 notes and selected rule
|
||||
|
||||
---
|
||||
controls/anssi.yml | 28 +++++++++----------
|
||||
.../package_xinetd_removed/rule.yml | 1 +
|
||||
.../nis/package_ypbind_removed/rule.yml | 1 +
|
||||
.../nis/package_ypserv_removed/rule.yml | 1 +
|
||||
.../package_rsh-server_removed/rule.yml | 1 +
|
||||
.../r_services/package_rsh_removed/rule.yml | 1 +
|
||||
.../talk/package_talk-server_removed/rule.yml | 1 +
|
||||
.../talk/package_talk_removed/rule.yml | 1 +
|
||||
.../package_telnet-server_removed/rule.yml | 1 +
|
||||
.../telnet/package_telnet_removed/rule.yml | 1 +
|
||||
.../tftp/package_tftp-server_removed/rule.yml | 1 +
|
||||
.../tftp/package_tftp_removed/rule.yml | 4 +++
|
||||
13 files changed, 28 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 81d099e98b..ebee9c4259 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -19,25 +19,25 @@ controls:
|
||||
Those whose presence can not be justified should be disabled, removed or deleted.
|
||||
automated: partially # The list of essential services is not objective.
|
||||
notes: >-
|
||||
- Manual review is required to assess if the installed services are minimal.
|
||||
- In general, use of obsolete or insecure services is not recommended.
|
||||
Performing a minimal install is a good starting point, but doesn't provide any assurance
|
||||
over any package installed later.
|
||||
+ Manual review is required to assess if the installed services are minimal.
|
||||
+ In general, use of obsolete or insecure services is not recommended and we remove some
|
||||
+ of these in this recommendation.
|
||||
rules:
|
||||
- package_dhcp_removed
|
||||
- #- package_rsh_removed
|
||||
- #- package_rsh-server_removed
|
||||
+ - package_rsh_removed
|
||||
+ - package_rsh-server_removed
|
||||
- package_sendmail_removed
|
||||
- - package_telnetd_removed
|
||||
- #- package_talk_removed
|
||||
- #- package_talk-server_removed
|
||||
- #- package_telnet_removed
|
||||
- #- package_telnet-server_removed
|
||||
- #- package_tftp_removed
|
||||
- #- package_tftp-server_removed
|
||||
- #- package_xinetd_removed
|
||||
- #- package_ypbind_removed
|
||||
- #- package_ypserv_removed
|
||||
+ - package_talk_removed
|
||||
+ - package_talk-server_removed
|
||||
+ - package_telnet_removed
|
||||
+ - package_telnet-server_removed
|
||||
+# - package_tftp_removed
|
||||
+ - package_tftp-server_removed
|
||||
+ - package_xinetd_removed
|
||||
+ - package_ypbind_removed
|
||||
+ - package_ypserv_removed
|
||||
|
||||
- id: R2
|
||||
level: intermediary
|
||||
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
|
||||
index e2431be9c5..9494025449 100644
|
||||
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
|
||||
@@ -18,6 +18,7 @@ identifiers:
|
||||
cce@rhel8: CCE-80850-1
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel8: 2.1.1
|
||||
disa: CCI-000305
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
||||
index 97e27e2a4c..e836dc6fb1 100644
|
||||
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
||||
@@ -24,6 +24,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82181-9
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel7: 2.3.1
|
||||
cis@rhel8: 2.3.1
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
||||
index ac1d8e6f4c..7ca7a67e69 100644
|
||||
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82432-6
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
stigid@ol7: OL07-00-020010
|
||||
cis@rhel7: 2.2.16
|
||||
cis@rhel8: 2.2.17
|
||||
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
|
||||
index 21f4d7bae6..33c36cde67 100644
|
||||
--- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82184-3
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
stigid@ol7: OL07-00-020000
|
||||
disa: CCI-000381
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
|
||||
index c8f4673a3a..dbc6bd7329 100644
|
||||
--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
|
||||
@@ -23,6 +23,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82183-5
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel7: 2.3.2
|
||||
cui: 3.1.13
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
|
||||
index 12971558e9..e46e4f55d0 100644
|
||||
--- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
|
||||
@@ -18,6 +18,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82180-1
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel7: 2.2.18
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
|
||||
diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
|
||||
index 68e804ba38..24743fc2d6 100644
|
||||
--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
|
||||
@@ -23,6 +23,7 @@ identifiers:
|
||||
cce@rhel8: CCE-80848-5
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel7: 2.3.3
|
||||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
|
||||
|
||||
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||||
index 7bb5ed5da3..24cf50ff29 100644
|
||||
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
||||
@@ -31,6 +31,7 @@ identifiers:
|
||||
cce@sle15: CCE-83273-3
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
stigid@ol7: OL07-00-021710
|
||||
cis@rhel7: 2.1.19
|
||||
disa: CCI-000381
|
||||
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
|
||||
index 1b0128ec06..afef488734 100644
|
||||
--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
|
||||
@@ -21,6 +21,7 @@ identifiers:
|
||||
cce@rhel8: CCE-80849-3
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
cis@rhel7: 2.3.4
|
||||
cis@rhel8: 2.3.2
|
||||
cui: 3.1.13
|
||||
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
|
||||
index 3fcc8db4c8..ca25bb2124 100644
|
||||
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
|
||||
@@ -22,6 +22,7 @@ identifiers:
|
||||
cce@rhel8: CCE-82436-7
|
||||
|
||||
references:
|
||||
+ anssi: BP28(R1)
|
||||
stigid@ol7: OL07-00-040700
|
||||
disa: CCI-000318,CCI-000366,CCI-000368,CCI-001812,CCI-001813,CCI-001814
|
||||
nist: CM-7(a),CM-7(b),CM-6(a)
|
||||
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
|
||||
index c3a501259c..0be9a60d38 100644
|
||||
--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
|
||||
@@ -19,6 +19,10 @@ severity: low
|
||||
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80443-5
|
||||
+ cce@rhel8: CCE-83590-0
|
||||
+
|
||||
+references:
|
||||
+ anssi: BP28(R1)
|
||||
|
||||
ocil: '{{{ describe_package_remove(package="tftp") }}}'
|
||||
|
||||
From c8124b72c208951b3ac2a4da1f8c64157f6be69b Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 14 May 2021 11:43:32 +0200
|
||||
Subject: [PATCH 6/6] Update R5 notes and rule selection
|
||||
|
||||
Note commented rules as related, and potentially useful.
|
||||
---
|
||||
controls/anssi.yml | 16 +++++++++-------
|
||||
1 file changed, 9 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index ebee9c4259..bba7148da9 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -88,20 +88,22 @@ controls:
|
||||
automated: partially
|
||||
notes: >-
|
||||
Defense in-depth can be broadly divided into three areas - physical, technical and
|
||||
- administrative. The security profile is best suitedto protect the technical area.
|
||||
+ administrative. The security profile is best suited to protect the technical area.
|
||||
Among the barriers that can be implemented within the technical area are antivirus software,
|
||||
authentication, multi-factor authentication, encryption, logging, auditing, sandboxing,
|
||||
intrusion detection systems, firewalls and vulnerability scanners.
|
||||
+ The selection below is not in any way exaustive and should be adapted to the system's needs.
|
||||
rules:
|
||||
- #- package_audit_installed
|
||||
- #- service_auditd_enabled
|
||||
- sudo_remove_no_authenticate
|
||||
- package_rsyslog_installed
|
||||
- service_rsyslog_enabled
|
||||
- #- package_ntp_installed
|
||||
- #- package_firewalld_installed
|
||||
- #- service_firewalld_enabled
|
||||
- #- sssd_enable_smartcards
|
||||
+ related_rules:
|
||||
+ - package_audit_installed
|
||||
+ - service_auditd_enabled
|
||||
+ - package_ntp_installed
|
||||
+ - package_firewalld_installed
|
||||
+ - service_firewalld_enabled
|
||||
+ - sssd_enable_smartcards
|
||||
|
||||
- id: R6
|
||||
level: enhanced
|
@ -1,477 +0,0 @@
|
||||
From aae5be64cdeb4a41caa3f3273342373cc4f4e9b2 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Wed, 19 May 2021 18:01:14 +0200
|
||||
Subject: [PATCH 1/4] Add options for building Ansible and Bash content
|
||||
|
||||
This patch adds 2 new options SSG_ANSIBLE_PLAYBOOKS_ENABLED and
|
||||
SSG_BASH_SCRIPTS_ENABLED which will allow user to turn on or off
|
||||
building and installing profile Bash remediation scripts and profile
|
||||
Ansible Playbooks. They are enabled by default, therefore the default
|
||||
behavior doesn't change, but people can turn them off to speed up the
|
||||
build. These options can be useful when calling cmake in downstream spec
|
||||
files.
|
||||
---
|
||||
CMakeLists.txt | 4 +++
|
||||
cmake/SSGCommon.cmake | 60 +++++++++++++++++++++++--------------------
|
||||
2 files changed, 36 insertions(+), 28 deletions(-)
|
||||
|
||||
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
||||
index 32a0ddd240a..c309efde9bd 100644
|
||||
--- a/CMakeLists.txt
|
||||
+++ b/CMakeLists.txt
|
||||
@@ -46,6 +46,8 @@ option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck vali
|
||||
option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE)
|
||||
option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the SVG SCAP Security Guide logo." TRUE)
|
||||
option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE)
|
||||
+option(SSG_ANSIBLE_PLAYBOOKS_ENABLED "If enabled, Ansible Playbooks for each profile will be built and installed." TRUE)
|
||||
+option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE)
|
||||
option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
|
||||
option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
|
||||
set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
|
||||
@@ -240,6 +242,8 @@ message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENA
|
||||
message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}")
|
||||
message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}")
|
||||
message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}")
|
||||
+message(STATUS "Ansible Playbooks: ${SSG_ANSIBLE_PLAYBOOKS_ENABLED}")
|
||||
+message(STATUS "Bash scripts: ${SSG_BASH_SCRIPTS_ENABLED}")
|
||||
if (SSG_JINJA2_CACHE_ENABLED)
|
||||
message(STATUS "jinja2 cache: enabled")
|
||||
message(STATUS "jinja2 cache dir: ${SSG_JINJA2_CACHE_DIR}")
|
||||
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
|
||||
index 889c0cf1d3c..9b109f86b9f 100644
|
||||
--- a/cmake/SSGCommon.cmake
|
||||
+++ b/cmake/SSGCommon.cmake
|
||||
@@ -789,7 +789,7 @@ macro(ssg_build_product PRODUCT)
|
||||
|
||||
add_dependencies(zipfile "generate-ssg-${PRODUCT}-ds.xml")
|
||||
|
||||
- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
|
||||
+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_ENABLED)
|
||||
add_dependencies(
|
||||
${PRODUCT}-content
|
||||
generate-${PRODUCT}-ansible-playbooks
|
||||
@@ -803,7 +803,7 @@ macro(ssg_build_product PRODUCT)
|
||||
add_dependencies(zipfile ${PRODUCT}-profile-playbooks)
|
||||
endif()
|
||||
|
||||
- if ("${PRODUCT_BASH_REMEDIATION_ENABLED}")
|
||||
+ if ("${PRODUCT_BASH_REMEDIATION_ENABLED}" AND SSG_BASH_SCRIPTS_ENABLED)
|
||||
ssg_build_profile_bash_scripts(${PRODUCT})
|
||||
add_custom_target(
|
||||
${PRODUCT}-profile-bash-scripts
|
||||
@@ -873,30 +873,34 @@ macro(ssg_build_product PRODUCT)
|
||||
endif()
|
||||
"
|
||||
)
|
||||
- install(
|
||||
- CODE "
|
||||
- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/ansible/${PRODUCT}-playbook-*.yml\") \n
|
||||
- if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR})
|
||||
- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}\"
|
||||
- TYPE FILE FILES \${ROLE_FILES})
|
||||
- else()
|
||||
- file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}\"
|
||||
- TYPE FILE FILES \${ROLE_FILES})
|
||||
- endif()
|
||||
- "
|
||||
- )
|
||||
- install(
|
||||
- CODE "
|
||||
- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/bash/${PRODUCT}-script-*.sh\") \n
|
||||
- if(NOT IS_ABSOLUTE ${SSG_BASH_ROLE_INSTALL_DIR})
|
||||
- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_BASH_ROLE_INSTALL_DIR}\"
|
||||
- TYPE FILE FILES \${ROLE_FILES})
|
||||
- else()
|
||||
- file(INSTALL DESTINATION \"${SSG_BASH_ROLE_INSTALL_DIR}\"
|
||||
- TYPE FILE FILES \${ROLE_FILES})
|
||||
- endif()
|
||||
- "
|
||||
- )
|
||||
+ if(SSG_ANSIBLE_PLAYBOOKS_ENABLED)
|
||||
+ install(
|
||||
+ CODE "
|
||||
+ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/ansible/${PRODUCT}-playbook-*.yml\") \n
|
||||
+ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR})
|
||||
+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}\"
|
||||
+ TYPE FILE FILES \${ROLE_FILES})
|
||||
+ else()
|
||||
+ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}\"
|
||||
+ TYPE FILE FILES \${ROLE_FILES})
|
||||
+ endif()
|
||||
+ "
|
||||
+ )
|
||||
+ endif()
|
||||
+ if(SSG_BASH_SCRIPTS_ENABLED)
|
||||
+ install(
|
||||
+ CODE "
|
||||
+ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/bash/${PRODUCT}-script-*.sh\") \n
|
||||
+ if(NOT IS_ABSOLUTE ${SSG_BASH_ROLE_INSTALL_DIR})
|
||||
+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_BASH_ROLE_INSTALL_DIR}\"
|
||||
+ TYPE FILE FILES \${ROLE_FILES})
|
||||
+ else()
|
||||
+ file(INSTALL DESTINATION \"${SSG_BASH_ROLE_INSTALL_DIR}\"
|
||||
+ TYPE FILE FILES \${ROLE_FILES})
|
||||
+ endif()
|
||||
+ "
|
||||
+ )
|
||||
+ endif()
|
||||
|
||||
# grab all the kickstarts (if any) and install them
|
||||
file(GLOB KICKSTART_FILES "${CMAKE_CURRENT_SOURCE_DIR}/kickstart/ssg-${PRODUCT}-*-ks.cfg")
|
||||
@@ -968,7 +972,7 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
|
||||
|
||||
ssg_build_html_guides(${DERIVATIVE})
|
||||
|
||||
- if ("${PRODUCT_BASH_REMEDIATION_ENABLED}")
|
||||
+ if ("${PRODUCT_BASH_REMEDIATION_ENABLED}" AND SSG_BASH_SCRIPTS_ENABLED)
|
||||
ssg_build_profile_bash_scripts(${DERIVATIVE})
|
||||
add_custom_target(
|
||||
${DERIVATIVE}-profile-bash-scripts
|
||||
@@ -977,7 +981,7 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
|
||||
add_dependencies(${DERIVATIVE} ${DERIVATIVE}-profile-bash-scripts)
|
||||
endif()
|
||||
|
||||
- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
|
||||
+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_ENABLED)
|
||||
ssg_build_profile_playbooks(${DERIVATIVE})
|
||||
add_custom_target(
|
||||
${DERIVATIVE}-profile-playbooks
|
||||
|
||||
From c7c7baa84ce722304224373c556a2d03edb0f76c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Thu, 20 May 2021 09:14:21 +0200
|
||||
Subject: [PATCH 2/4] Do not build HTML guide for the virtual default profile
|
||||
|
||||
The virtual '(default)' profile is a profile that doesn't contain
|
||||
any rules, so the built HTML guide also doesn't contain any rules
|
||||
which means it contains only group descriptions. This HTML guide
|
||||
has no use for the users and it only increases the built size.
|
||||
---
|
||||
ssg/build_guides.py | 4 ----
|
||||
1 file changed, 4 deletions(-)
|
||||
|
||||
diff --git a/ssg/build_guides.py b/ssg/build_guides.py
|
||||
index 3b2a9469240..2e37d80eef3 100644
|
||||
--- a/ssg/build_guides.py
|
||||
+++ b/ssg/build_guides.py
|
||||
@@ -105,10 +105,6 @@ def get_benchmark_profile_pairs(input_tree, benchmarks):
|
||||
for benchmark_id in benchmarks.keys():
|
||||
profiles = get_profile_choices_for_input(input_tree, benchmark_id,
|
||||
None)
|
||||
-
|
||||
- # add the default profile
|
||||
- profiles[""] = "(default)"
|
||||
-
|
||||
for profile_id in profiles:
|
||||
pair = (benchmark_id, profile_id, profiles[profile_id])
|
||||
benchmark_profile_pairs.append(pair)
|
||||
|
||||
From f2c265013dd5fe75fd47c8ce7afe9e2ecc7cf16f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Thu, 20 May 2021 09:49:51 +0200
|
||||
Subject: [PATCH 3/4] Add option to disable SCAP 1.2 data streams
|
||||
|
||||
This commit adds a new option that enables to turn on building
|
||||
the SCAP 1.2 source data streams (ssg-*-ds-1.2.xml). This option
|
||||
will help people who don't want to build and ship this file.
|
||||
The default setting is TRUE which means the default behavior
|
||||
shouldn't change.
|
||||
---
|
||||
CMakeLists.txt | 2 +
|
||||
cmake/SSGCommon.cmake | 100 +++++++++++++++++++++++++++---------------
|
||||
2 files changed, 67 insertions(+), 35 deletions(-)
|
||||
|
||||
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
||||
index c309efde9bd..55b991cedfa 100644
|
||||
--- a/CMakeLists.txt
|
||||
+++ b/CMakeLists.txt
|
||||
@@ -41,6 +41,7 @@ set(SSG_TARGET_OVAL_MINOR_VERSION "11" CACHE STRING "Which minor version of OVAL
|
||||
|
||||
set(SSG_TARGET_OVAL_VERSION "${SSG_TARGET_OVAL_MAJOR_VERSION}.${SSG_TARGET_OVAL_MINOR_VERSION}")
|
||||
|
||||
+option(SSG_BUILD_SCAP_12_DS "If enabled, ssg-*-ds-1.2.xml will be built along with ssg-*-ds.xml" TRUE)
|
||||
option(SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED "If enabled, schematron validation will be performed as part of the ctest tests. Schematron takes a lot of time to complete but can find more issues than just plain XSD validation." TRUE)
|
||||
option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck validation of bash fixes will be performed as part of the ctest tests. Shellcheck tests don't pass right now, this option is discouraged until that's fixed." FALSE)
|
||||
option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE)
|
||||
@@ -238,6 +239,7 @@ message(STATUS " ")
|
||||
message(STATUS "Build options:")
|
||||
message(STATUS "SSG vendor string: ${SSG_VENDOR}")
|
||||
message(STATUS "Target OVAL version: ${SSG_TARGET_OVAL_VERSION}")
|
||||
+message(STATUS "Build SCAP 1.2 source data streams: ${SSG_BUILD_SCAP_12_DS}")
|
||||
message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED}")
|
||||
message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}")
|
||||
message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}")
|
||||
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
|
||||
index 9b109f86b9f..412db46c687 100644
|
||||
--- a/cmake/SSGCommon.cmake
|
||||
+++ b/cmake/SSGCommon.cmake
|
||||
@@ -555,7 +555,6 @@ macro(ssg_build_sds PRODUCT)
|
||||
if("${PRODUCT}" MATCHES "rhel(6|7)")
|
||||
add_custom_command(
|
||||
OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
|
||||
# use --skip-valid here to avoid repeatedly validating everything
|
||||
COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
@@ -563,10 +562,8 @@ macro(ssg_build_sds PRODUCT)
|
||||
COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
|
||||
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
|
||||
DEPENDS generate-ssg-${PRODUCT}-oval.xml
|
||||
@@ -578,22 +575,19 @@ macro(ssg_build_sds PRODUCT)
|
||||
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
|
||||
DEPENDS generate-ssg-${PRODUCT}-pcidss-xccdf-1.2.xml
|
||||
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-pcidss-xccdf-1.2.xml"
|
||||
- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml and ssg-${PRODUCT}-ds-1.2.xml"
|
||||
+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml"
|
||||
)
|
||||
else()
|
||||
add_custom_command(
|
||||
OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
|
||||
# use --skip-valid here to avoid repeatedly validating everything
|
||||
COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
|
||||
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
|
||||
DEPENDS generate-ssg-${PRODUCT}-oval.xml
|
||||
@@ -603,14 +597,30 @@ macro(ssg_build_sds PRODUCT)
|
||||
DEPENDS generate-ssg-${PRODUCT}-cpe-dictionary.xml
|
||||
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml"
|
||||
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
|
||||
- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml and ssg-${PRODUCT}-ds-1.2.xml"
|
||||
+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml"
|
||||
+ )
|
||||
+ endif()
|
||||
+
|
||||
+ if(SSG_BUILD_SCAP_12_DS)
|
||||
+ add_custom_command(
|
||||
+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
+ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
|
||||
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
+ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-1.2.xml"
|
||||
+ )
|
||||
+ add_custom_target(
|
||||
+ generate-ssg-${PRODUCT}-ds.xml
|
||||
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
+ )
|
||||
+ else()
|
||||
+ add_custom_target(
|
||||
+ generate-ssg-${PRODUCT}-ds.xml
|
||||
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
)
|
||||
endif()
|
||||
- add_custom_target(
|
||||
- generate-ssg-${PRODUCT}-ds.xml
|
||||
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
- )
|
||||
|
||||
if("${PRODUCT}" MATCHES "rhel(6|7|8|9)")
|
||||
add_test(
|
||||
@@ -626,10 +636,12 @@ macro(ssg_build_sds PRODUCT)
|
||||
NAME "validate-ssg-${PRODUCT}-ds.xml"
|
||||
COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
)
|
||||
- add_test(
|
||||
- NAME "validate-ssg-${PRODUCT}-ds-1.2.xml"
|
||||
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
- )
|
||||
+ if(SSG_BUILD_SCAP_12_DS)
|
||||
+ add_test(
|
||||
+ NAME "validate-ssg-${PRODUCT}-ds-1.2.xml"
|
||||
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
+ )
|
||||
+ endif()
|
||||
endif()
|
||||
endmacro()
|
||||
|
||||
@@ -640,7 +652,6 @@ macro(ssg_build_html_guides PRODUCT)
|
||||
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_all_guides.py" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/guides" build
|
||||
DEPENDS generate-ssg-${PRODUCT}-ds.xml
|
||||
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
COMMENT "[${PRODUCT}-guides] generating HTML guides for all profiles in ssg-${PRODUCT}-ds.xml"
|
||||
)
|
||||
add_custom_target(
|
||||
@@ -854,8 +865,10 @@ macro(ssg_build_product PRODUCT)
|
||||
install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
|
||||
|
||||
- install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
- DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
|
||||
+ if(SSG_BUILD_SCAP_12_DS)
|
||||
+ install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
+ DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
|
||||
+ endif()
|
||||
|
||||
# This is a common cmake trick, we need the globbing to happen at build time
|
||||
# and not configure time.
|
||||
@@ -927,21 +940,34 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
|
||||
add_custom_command(
|
||||
OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
|
||||
OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
|
||||
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg
|
||||
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg
|
||||
COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
|
||||
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
|
||||
DEPENDS generate-ssg-${ORIGINAL}-ds.xml
|
||||
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml"
|
||||
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml"
|
||||
DEPENDS "${SSG_BUILD_SCRIPTS}/enable_derivatives.py"
|
||||
- COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-ds.xml and ssg-${DERIVATIVE}-ds-1.2.xml"
|
||||
- )
|
||||
- add_custom_target(
|
||||
- generate-ssg-${DERIVATIVE}-ds.xml
|
||||
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
|
||||
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
|
||||
+ COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-ds.xml"
|
||||
)
|
||||
+ if (SSG_BUILD_SCAP_12_DS)
|
||||
+ add_custom_command(
|
||||
+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
|
||||
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg
|
||||
+ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
|
||||
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds-1.2.xml"
|
||||
+ DEPENDS "${SSG_BUILD_SCRIPTS}/enable_derivatives.py"
|
||||
+ COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-ds-1.2.xml"
|
||||
+ )
|
||||
+ add_custom_target(
|
||||
+ generate-ssg-${DERIVATIVE}-ds.xml
|
||||
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
|
||||
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
|
||||
+ )
|
||||
+ else()
|
||||
+ add_custom_target(
|
||||
+ generate-ssg-${DERIVATIVE}-ds.xml
|
||||
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
|
||||
+ )
|
||||
+ endif()
|
||||
+
|
||||
define_validate_product("${PRODUCT}")
|
||||
if ("${VALIDATE_PRODUCT}" OR "${FORCE_VALIDATE_EVERYTHING}")
|
||||
add_test(
|
||||
@@ -952,10 +978,12 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
|
||||
NAME "validate-ssg-${DERIVATIVE}-ds.xml"
|
||||
COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
|
||||
)
|
||||
- add_test(
|
||||
- NAME "validate-ssg-${DERIVATIVE}-ds-1.2.xml"
|
||||
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
|
||||
- )
|
||||
+ if (SSG_BUILD_SCAP_12_DS)
|
||||
+ add_test(
|
||||
+ NAME "validate-ssg-${DERIVATIVE}-ds-1.2.xml"
|
||||
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
|
||||
+ )
|
||||
+ endif()
|
||||
endif()
|
||||
|
||||
add_custom_target(${DERIVATIVE} ALL)
|
||||
@@ -1004,8 +1032,10 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
|
||||
install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
|
||||
DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
|
||||
|
||||
- install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
|
||||
- DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
|
||||
+ if(SSG_BUILD_SCAP_12_DS)
|
||||
+ install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
|
||||
+ DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
|
||||
+ endif()
|
||||
|
||||
# This is a common cmake trick, we need the globbing to happen at build time
|
||||
# and not configure time.
|
||||
|
||||
From 466d3cb4dac4688e234a0fd0eff7fb6e6ae4c578 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Fri, 21 May 2021 09:50:25 +0200
|
||||
Subject: [PATCH 4/4] Add options for Bash and Ansible to build_product
|
||||
|
||||
This will allow people to build easily without Bash scripts
|
||||
or without Ansible Playbooks.
|
||||
---
|
||||
build_product | 22 +++++++++++++++++++++-
|
||||
1 file changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/build_product b/build_product
|
||||
index cf84199e22e..8a186fbae0e 100755
|
||||
--- a/build_product
|
||||
+++ b/build_product
|
||||
@@ -7,6 +7,8 @@
|
||||
# ARG_OPTIONAL_SINGLE([jobs],[j],[Count of simultaneous jobs],[auto])
|
||||
# ARG_OPTIONAL_BOOLEAN([debug],[],[Make a debug build with draft profiles],[off])
|
||||
# ARG_OPTIONAL_BOOLEAN([derivatives],[],[Also build derivatives of products if applicable],[off])
|
||||
+# ARG_OPTIONAL_BOOLEAN([ansible-playbooks],[],[Build Ansible Playbooks for every profile],[on])
|
||||
+# ARG_OPTIONAL_BOOLEAN([bash-scripts],[],[Build Bash remediation scripts for every profile],[on])
|
||||
# ARG_OPTIONAL_BOOLEAN([datastream-only],[],[Build the datastream only. Do not build any of the guides, tables, etc],[off])
|
||||
# ARG_USE_ENV([ADDITIONAL_CMAKE_OPTIONS],[],[Whitespace-separated string of arguments to pass to CMake])
|
||||
# ARG_POSITIONAL_INF([product],[Products to build, ALL means all products],[0],[ALL])
|
||||
@@ -71,19 +73,23 @@ _arg_builder="auto"
|
||||
_arg_jobs="auto"
|
||||
_arg_debug="off"
|
||||
_arg_derivatives="off"
|
||||
+_arg_ansible_playbooks="on"
|
||||
+_arg_bash_scripts="on"
|
||||
_arg_datastream_only="off"
|
||||
|
||||
|
||||
print_help()
|
||||
{
|
||||
printf '%s\n' "Wipes out contents of the 'build' directory and builds only and only the given products."
|
||||
- printf 'Usage: %s [-o|--oval <VERSION>] [-b|--builder <BUILDER>] [-j|--jobs <arg>] [--(no-)debug] [--(no-)derivatives] [--(no-)datastream-only] [-h|--help] [<product-1>] ... [<product-n>] ...\n' "$0"
|
||||
+ printf 'Usage: %s [-o|--oval <VERSION>] [-b|--builder <BUILDER>] [-j|--jobs <arg>] [--(no-)debug] [--(no-)derivatives] [--(no-)ansible-playbooks] [--(no-)bash-scripts] [--(no-)datastream-only] [-h|--help] [<product-1>] ... [<product-n>] ...\n' "$0"
|
||||
printf '\t%s\n' "<product>: Products to build, ALL means all products (defaults for <product>: 'ALL')"
|
||||
printf '\t%s\n' "-o, --oval: OVAL version. Can be one of: '5.10', '5.11' and 'auto' (default: 'auto')"
|
||||
printf '\t%s\n' "-b, --builder: Builder engine. Can be one of: 'make', 'ninja' and 'auto' (default: 'auto')"
|
||||
printf '\t%s\n' "-j, --jobs: Count of simultaneous jobs (default: 'auto')"
|
||||
printf '\t%s\n' "--debug, --no-debug: Make a debug build with draft profiles (off by default)"
|
||||
printf '\t%s\n' "--derivatives, --no-derivatives: Also build derivatives of products if applicable (off by default)"
|
||||
+ printf '\t%s\n' "--ansible-playbooks, --no-ansible-playbooks: Build Ansible Playbooks for every profile (on by default)"
|
||||
+ printf '\t%s\n' "--bash-scripts, --no-bash-scripts: Build Bash remediation scripts for every profile (on by default)"
|
||||
printf '\t%s\n' "--datastream-only, --no-datastream-only: Build the datastream only. Do not build any of the guides, tables, etc (off by default)"
|
||||
printf '\t%s\n' "-h, --help: Prints help"
|
||||
printf '\nEnvironment variables that are supported:\n'
|
||||
@@ -140,6 +146,14 @@ parse_commandline()
|
||||
_arg_derivatives="on"
|
||||
test "${1:0:5}" = "--no-" && _arg_derivatives="off"
|
||||
;;
|
||||
+ --no-ansible-playbooks|--ansible-playbooks)
|
||||
+ _arg_ansible_playbooks="on"
|
||||
+ test "${1:0:5}" = "--no-" && _arg_ansible_playbooks="off"
|
||||
+ ;;
|
||||
+ --no-bash-scripts|--bash-scripts)
|
||||
+ _arg_bash_scripts="on"
|
||||
+ test "${1:0:5}" = "--no-" && _arg_bash_scripts="off"
|
||||
+ ;;
|
||||
--no-datastream-only|--datastream-only)
|
||||
_arg_datastream_only="on"
|
||||
test "${1:0:5}" = "--no-" && _arg_datastream_only="off"
|
||||
@@ -339,6 +353,12 @@ done
|
||||
|
||||
CMAKE_OPTIONS=(${ADDITIONAL_CMAKE_OPTIONS} "${build_type_option}" "${oval_major_version_option}" "${oval_minor_version_option}" '-DSSG_PRODUCT_DEFAULT=OFF' "${cmake_enable_args[@]}" -G "$cmake_generator")
|
||||
set_no_derivatives_options
|
||||
+if [ "$_arg_ansible_playbooks" = off ] ; then
|
||||
+ CMAKE_OPTIONS+=("-DSSG_ANSIBLE_PLAYBOOKS_ENABLED:BOOL=OFF")
|
||||
+fi
|
||||
+if [ "$_arg_bash_scripts" = off ] ; then
|
||||
+ CMAKE_OPTIONS+=("-DSSG_BASH_SCRIPTS_ENABLED:BOOL=OFF")
|
||||
+fi
|
||||
EXPLICIT_BUILD_TARGETS=()
|
||||
set_explict_build_targets
|
||||
|
@ -1,202 +0,0 @@
|
||||
From 35c61f74925f99536595824b0e787254ed89c64f Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 26 May 2021 11:36:58 +0200
|
||||
Subject: [PATCH 1/3] Fix output declararation of command generating ds
|
||||
|
||||
The custom command declares that it outputs the derivative 1.2 ds and
|
||||
this causes the actual command that generates the derivative 1.2 not to
|
||||
be run.
|
||||
---
|
||||
cmake/SSGCommon.cmake | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
|
||||
index 412db46c68..272b40ccf3 100644
|
||||
--- a/cmake/SSGCommon.cmake
|
||||
+++ b/cmake/SSGCommon.cmake
|
||||
@@ -939,7 +939,6 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
|
||||
|
||||
add_custom_command(
|
||||
OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
|
||||
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds-1.2.xml"
|
||||
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/enable_derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" ${DERIVATIVE} --id-name ssg
|
||||
COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml"
|
||||
DEPENDS generate-ssg-${ORIGINAL}-ds.xml
|
||||
|
||||
From 551c225accec34e55ac1f011fbd5db7755b5f9ed Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 26 May 2021 14:46:26 +0200
|
||||
Subject: [PATCH 2/3] Fix order in which SCAP 1.2 and 1.3 are generated
|
||||
|
||||
The data stream can be upgraded to 1.3, but not downgrated to 1.2.
|
||||
Instead of chaining generation of DS version on each other, let's
|
||||
generate a base ds from which SCAP 1.2 and 1.3 are generated.
|
||||
---
|
||||
cmake/SSGCommon.cmake | 43 ++++++++++++++++++++++++-------------------
|
||||
1 file changed, 24 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
|
||||
index 272b40ccf3..977c3957d1 100644
|
||||
--- a/cmake/SSGCommon.cmake
|
||||
+++ b/cmake/SSGCommon.cmake
|
||||
@@ -554,16 +554,14 @@ endmacro()
|
||||
macro(ssg_build_sds PRODUCT)
|
||||
if("${PRODUCT}" MATCHES "rhel(6|7)")
|
||||
add_custom_command(
|
||||
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
|
||||
# use --skip-valid here to avoid repeatedly validating everything
|
||||
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
|
||||
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
|
||||
DEPENDS generate-ssg-${PRODUCT}-oval.xml
|
||||
@@ -575,19 +573,17 @@ macro(ssg_build_sds PRODUCT)
|
||||
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
|
||||
DEPENDS generate-ssg-${PRODUCT}-pcidss-xccdf-1.2.xml
|
||||
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-pcidss-xccdf-1.2.xml"
|
||||
- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml"
|
||||
+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-base.xml"
|
||||
)
|
||||
else()
|
||||
add_custom_command(
|
||||
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
|
||||
# use --skip-valid here to avoid repeatedly validating everything
|
||||
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
|
||||
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
|
||||
DEPENDS generate-ssg-${PRODUCT}-oval.xml
|
||||
@@ -597,17 +593,26 @@ macro(ssg_build_sds PRODUCT)
|
||||
DEPENDS generate-ssg-${PRODUCT}-cpe-dictionary.xml
|
||||
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml"
|
||||
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
|
||||
- COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml"
|
||||
+ COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-base.xml"
|
||||
)
|
||||
endif()
|
||||
|
||||
+ add_custom_command(
|
||||
+ OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
+ WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
|
||||
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
+ COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMENT "[${PRODUCT}-content] Updating data stream ssg-${PRODUCT}-ds.xml to 1.3"
|
||||
+ )
|
||||
+
|
||||
if(SSG_BUILD_SCAP_12_DS)
|
||||
add_custom_command(
|
||||
OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
|
||||
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
+ DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-1.2.xml"
|
||||
)
|
||||
add_custom_target(
|
||||
|
||||
From 97b1df0349c9c685cc07a0d3e3fd88385e0cd15d Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 26 May 2021 14:51:32 +0200
|
||||
Subject: [PATCH 3/3] Move product base ds to product dir
|
||||
|
||||
The base ds is used to facilitate generation of SCAP 1.2 and SCAP 1.3
|
||||
data streams.
|
||||
The base ds is an intermediary product and can be stored in the product
|
||||
specific dir.
|
||||
---
|
||||
cmake/SSGCommon.cmake | 30 +++++++++++++++---------------
|
||||
1 file changed, 15 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
|
||||
index 977c3957d1..111b2b32ed 100644
|
||||
--- a/cmake/SSGCommon.cmake
|
||||
+++ b/cmake/SSGCommon.cmake
|
||||
@@ -554,14 +554,14 @@ endmacro()
|
||||
macro(ssg_build_sds PRODUCT)
|
||||
if("${PRODUCT}" MATCHES "rhel(6|7)")
|
||||
add_custom_command(
|
||||
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
|
||||
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
|
||||
# use --skip-valid here to avoid repeatedly validating everything
|
||||
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
|
||||
DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
|
||||
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
|
||||
DEPENDS generate-ssg-${PRODUCT}-oval.xml
|
||||
@@ -577,13 +577,13 @@ macro(ssg_build_sds PRODUCT)
|
||||
)
|
||||
else()
|
||||
add_custom_command(
|
||||
- OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
|
||||
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
|
||||
# use --skip-valid here to avoid repeatedly validating everything
|
||||
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
- COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
- COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/sds_move_ocil_to_checks.py" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
|
||||
DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml
|
||||
DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
|
||||
DEPENDS generate-ssg-${PRODUCT}-oval.xml
|
||||
@@ -600,9 +600,9 @@ macro(ssg_build_sds PRODUCT)
|
||||
add_custom_command(
|
||||
OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
|
||||
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.3" --input "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
|
||||
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ DEPENDS "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
|
||||
COMMENT "[${PRODUCT}-content] Updating data stream ssg-${PRODUCT}-ds.xml to 1.3"
|
||||
)
|
||||
|
||||
@@ -610,9 +610,9 @@ macro(ssg_build_sds PRODUCT)
|
||||
add_custom_command(
|
||||
OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
WORKING_DIRECTORY "${CMAKE_BINARY_DIR}"
|
||||
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/update_sds_version.py" --version "1.2" --input "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-1.2.xml"
|
||||
- DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds-base.xml"
|
||||
+ DEPENDS "${CMAKE_BINARY_DIR}/${PRODUCT}/ssg-${PRODUCT}-ds-base.xml"
|
||||
COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds-1.2.xml"
|
||||
)
|
||||
add_custom_target(
|
@ -1,224 +0,0 @@
|
||||
From 7283a29c601c250f9809886860f89d4e673be577 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Mon, 24 May 2021 17:25:38 +0200
|
||||
Subject: [PATCH 1/6] Add option to enable installation of individual ansible
|
||||
tasks per rule.
|
||||
|
||||
---
|
||||
CMakeLists.txt | 1 +
|
||||
cmake/SSGCommon.cmake | 14 ++++++++++++++
|
||||
2 files changed, 15 insertions(+)
|
||||
|
||||
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
||||
index 55b991cedfa..13ddcf6aa7c 100644
|
||||
--- a/CMakeLists.txt
|
||||
+++ b/CMakeLists.txt
|
||||
@@ -49,6 +49,7 @@ option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the S
|
||||
option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE)
|
||||
option(SSG_ANSIBLE_PLAYBOOKS_ENABLED "If enabled, Ansible Playbooks for each profile will be built and installed." TRUE)
|
||||
option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE)
|
||||
+option(SSG_ANSIBLE_TASKS_ENABLED "If enabled, Ansible Tasks for each rule will be installed." FALSE)
|
||||
option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
|
||||
option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
|
||||
set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
|
||||
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
|
||||
index 412db46c687..e1480561ee1 100644
|
||||
--- a/cmake/SSGCommon.cmake
|
||||
+++ b/cmake/SSGCommon.cmake
|
||||
@@ -914,6 +914,20 @@ macro(ssg_build_product PRODUCT)
|
||||
"
|
||||
)
|
||||
endif()
|
||||
+ if(SSG_ANSIBLE_TASKS_ENABLED)
|
||||
+ install(
|
||||
+ CODE "
|
||||
+ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\") \n
|
||||
+ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks)
|
||||
+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks\"
|
||||
+ TYPE FILE FILES \${ROLE_FILES})
|
||||
+ else()
|
||||
+ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks\"
|
||||
+ TYPE FILE FILES \${ROLE_FILES})
|
||||
+ endif()
|
||||
+ "
|
||||
+ )
|
||||
+ endif()
|
||||
|
||||
# grab all the kickstarts (if any) and install them
|
||||
file(GLOB KICKSTART_FILES "${CMAKE_CURRENT_SOURCE_DIR}/kickstart/ssg-${PRODUCT}-*-ks.cfg")
|
||||
|
||||
From 81f9051433bec735f0ce915290d465ba98401f86 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Tue, 25 May 2021 17:07:15 +0200
|
||||
Subject: [PATCH 2/6] Rename ansible per rule cmake option.
|
||||
|
||||
---
|
||||
CMakeLists.txt | 2 +-
|
||||
cmake/SSGCommon.cmake | 14 +++++++-------
|
||||
2 files changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
||||
index 13ddcf6aa7c..04779b18cbc 100644
|
||||
--- a/CMakeLists.txt
|
||||
+++ b/CMakeLists.txt
|
||||
@@ -48,8 +48,8 @@ option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used
|
||||
option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the SVG SCAP Security Guide logo." TRUE)
|
||||
option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE)
|
||||
option(SSG_ANSIBLE_PLAYBOOKS_ENABLED "If enabled, Ansible Playbooks for each profile will be built and installed." TRUE)
|
||||
+option(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED "If enabled, Ansible Playbooks for each rule will be built and installed." FALSE)
|
||||
option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE)
|
||||
-option(SSG_ANSIBLE_TASKS_ENABLED "If enabled, Ansible Tasks for each rule will be installed." FALSE)
|
||||
option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
|
||||
option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
|
||||
set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
|
||||
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
|
||||
index e1480561ee1..b3710caafbf 100644
|
||||
--- a/cmake/SSGCommon.cmake
|
||||
+++ b/cmake/SSGCommon.cmake
|
||||
@@ -914,16 +914,16 @@ macro(ssg_build_product PRODUCT)
|
||||
"
|
||||
)
|
||||
endif()
|
||||
- if(SSG_ANSIBLE_TASKS_ENABLED)
|
||||
+ if(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
|
||||
install(
|
||||
CODE "
|
||||
- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\") \n
|
||||
- if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks)
|
||||
- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks\"
|
||||
- TYPE FILE FILES \${ROLE_FILES})
|
||||
+ file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\") \n
|
||||
+ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks)
|
||||
+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks\"
|
||||
+ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
|
||||
else()
|
||||
- file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks\"
|
||||
- TYPE FILE FILES \${ROLE_FILES})
|
||||
+ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks\"
|
||||
+ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
|
||||
endif()
|
||||
"
|
||||
)
|
||||
|
||||
From 2f424af420f3520797780287812474a5f7c03f07 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Tue, 25 May 2021 17:07:22 +0200
|
||||
Subject: [PATCH 3/6] Guard build of playbooks per rule by a new CMake Option.
|
||||
|
||||
---
|
||||
cmake/SSGCommon.cmake | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
|
||||
index b3710caafbf..04bdfe04bae 100644
|
||||
--- a/cmake/SSGCommon.cmake
|
||||
+++ b/cmake/SSGCommon.cmake
|
||||
@@ -769,7 +769,7 @@ macro(ssg_build_product PRODUCT)
|
||||
ssg_build_xccdf_unlinked(${PRODUCT})
|
||||
ssg_build_ocil_unlinked(${PRODUCT})
|
||||
ssg_build_remediations(${PRODUCT})
|
||||
- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
|
||||
+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
|
||||
ssg_build_ansible_playbooks(${PRODUCT})
|
||||
endif()
|
||||
ssg_build_xccdf_with_remediations(${PRODUCT})
|
||||
|
||||
From 406a49b4c617499e538817579920b23fc81a09e6 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Tue, 25 May 2021 17:40:10 +0200
|
||||
Subject: [PATCH 4/6] Print message for CMake option enable ansible playbooks
|
||||
per rule.
|
||||
|
||||
---
|
||||
CMakeLists.txt | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
||||
index 04779b18cbc..bba7dd60356 100644
|
||||
--- a/CMakeLists.txt
|
||||
+++ b/CMakeLists.txt
|
||||
@@ -246,6 +246,7 @@ message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VA
|
||||
message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}")
|
||||
message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}")
|
||||
message(STATUS "Ansible Playbooks: ${SSG_ANSIBLE_PLAYBOOKS_ENABLED}")
|
||||
+message(STATUS "Ansible Playbooks Per Rule: ${SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED}")
|
||||
message(STATUS "Bash scripts: ${SSG_BASH_SCRIPTS_ENABLED}")
|
||||
if (SSG_JINJA2_CACHE_ENABLED)
|
||||
message(STATUS "jinja2 cache: enabled")
|
||||
|
||||
From 5a185a653ba4f58bdfcee37bfd61812763a2f525 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Tue, 25 May 2021 17:40:42 +0200
|
||||
Subject: [PATCH 5/6] Fix path of gathered ansible playbooks per rule.
|
||||
|
||||
---
|
||||
cmake/SSGCommon.cmake | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
|
||||
index 04bdfe04bae..a382bb787b5 100644
|
||||
--- a/cmake/SSGCommon.cmake
|
||||
+++ b/cmake/SSGCommon.cmake
|
||||
@@ -917,12 +917,12 @@ macro(ssg_build_product PRODUCT)
|
||||
if(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
|
||||
install(
|
||||
CODE "
|
||||
- file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\") \n
|
||||
- if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks)
|
||||
- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks\"
|
||||
+ file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*\") \n
|
||||
+ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks)
|
||||
+ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\"
|
||||
TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
|
||||
else()
|
||||
- file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks\"
|
||||
+ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\"
|
||||
TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
|
||||
endif()
|
||||
"
|
||||
|
||||
From 8b99c9c2a50653b37f88b9eb3bc2b46ae3586be3 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu, 27 May 2021 15:55:20 +0200
|
||||
Subject: [PATCH 6/6] Move product dependency closer to declaration
|
||||
|
||||
A dependency on rule playbooks target was being added from a
|
||||
conditional branch related to profile playbooks.
|
||||
It caused issues when building profile playbooks but not rule playbooks,
|
||||
the rule playbooks target would not exist, but still be added as
|
||||
dependency.
|
||||
|
||||
Co-authored-by: Watson Sato <wsato@redhat.com>
|
||||
---
|
||||
cmake/SSGCommon.cmake | 9 +++++----
|
||||
1 file changed, 5 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
|
||||
index a382bb787b5..dc661cc2904 100644
|
||||
--- a/cmake/SSGCommon.cmake
|
||||
+++ b/cmake/SSGCommon.cmake
|
||||
@@ -769,8 +769,13 @@ macro(ssg_build_product PRODUCT)
|
||||
ssg_build_xccdf_unlinked(${PRODUCT})
|
||||
ssg_build_ocil_unlinked(${PRODUCT})
|
||||
ssg_build_remediations(${PRODUCT})
|
||||
+
|
||||
if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
|
||||
ssg_build_ansible_playbooks(${PRODUCT})
|
||||
+ add_dependencies(
|
||||
+ ${PRODUCT}-content
|
||||
+ generate-${PRODUCT}-ansible-playbooks
|
||||
+ )
|
||||
endif()
|
||||
ssg_build_xccdf_with_remediations(${PRODUCT})
|
||||
ssg_build_oval_unlinked(${PRODUCT})
|
||||
@@ -801,10 +806,6 @@ macro(ssg_build_product PRODUCT)
|
||||
add_dependencies(zipfile "generate-ssg-${PRODUCT}-ds.xml")
|
||||
|
||||
if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_ENABLED)
|
||||
- add_dependencies(
|
||||
- ${PRODUCT}-content
|
||||
- generate-${PRODUCT}-ansible-playbooks
|
||||
- )
|
||||
ssg_build_profile_playbooks(${PRODUCT})
|
||||
add_custom_target(
|
||||
${PRODUCT}-profile-playbooks
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,815 +0,0 @@
|
||||
From b1ee8de3856252e2052bee8f5dd2aaaee5dcc95b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Thu, 20 May 2021 11:33:52 +0200
|
||||
Subject: [PATCH 1/8] Enable update-related rules for RHEL9.
|
||||
|
||||
---
|
||||
.../software/updating/dnf-automatic_apply_updates/rule.yml | 2 +-
|
||||
.../software/updating/package_dnf-automatic_installed/rule.yml | 2 +-
|
||||
.../software/updating/timer_dnf-automatic_enabled/rule.yml | 2 +-
|
||||
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
|
||||
index 8b0343a52ec..7a10f5dd9ed 100644
|
||||
--- a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
|
||||
+++ b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol8,rhel8
|
||||
+prodtype: fedora,ol8,rhel8,rhel9
|
||||
|
||||
title: Configure dnf-automatic to Install Available Updates Automatically
|
||||
|
||||
diff --git a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
|
||||
index 8b332b800c7..0bdace740b4 100644
|
||||
--- a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol8,rhel8
|
||||
+prodtype: fedora,ol8,rhel8,rhel9
|
||||
|
||||
title: 'Install dnf-automatic Package'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
|
||||
index 1c51fe22471..07aa5c3575b 100644
|
||||
--- a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
|
||||
+++ b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol8,rhel8
|
||||
+prodtype: fedora,ol8,rhel8,rhel9
|
||||
|
||||
title: Enable dnf-automatic Timer
|
||||
|
||||
|
||||
From 55bc57583158dc7c8080fdfd41b2c7ee4ddb677f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Thu, 20 May 2021 11:45:02 +0200
|
||||
Subject: [PATCH 2/8] Enable AIDE rules for RHEL9.
|
||||
|
||||
The component hasn't changed observably wrt our rules.
|
||||
---
|
||||
.../certified-vendor/installed_OS_is_FIPS_certified/rule.yml | 2 +-
|
||||
.../software-integrity/aide/aide_build_database/rule.yml | 2 +-
|
||||
.../software-integrity/aide/aide_scan_notification/rule.yml | 2 +-
|
||||
.../software-integrity/aide/aide_use_fips_hashes/rule.yml | 2 +-
|
||||
.../integrity/software-integrity/aide/aide_verify_acls/rule.yml | 2 +-
|
||||
.../software-integrity/aide/aide_verify_ext_attributes/rule.yml | 2 +-
|
||||
6 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml
|
||||
index 07d55e58e55..012fe8f6edd 100644
|
||||
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux8,ubuntu1604,ubuntu1804,ubuntu2004,wrlinux1019
|
||||
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux8,ubuntu1604,ubuntu1804,ubuntu2004,wrlinux1019
|
||||
|
||||
title: 'The Installed Operating System Is FIPS 140-2 Certified'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
|
||||
index 175c997d508..6c0ee2e4c7b 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: debian9,debian10,fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
|
||||
+prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
|
||||
|
||||
title: 'Build and Test AIDE Database'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
|
||||
index 24d3f8e1c24..a73fb0a39ad 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,wrlinux1019
|
||||
|
||||
title: 'Configure Notification of Post-AIDE Scan Details'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml
|
||||
index 1f86ed8a973..c982b8fde2e 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4
|
||||
|
||||
title: 'Configure AIDE to Use FIPS 140-2 for Validating Hashes'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
|
||||
index 144c0645503..f527068022a 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
|
||||
|
||||
title: 'Configure AIDE to Verify Access Control Lists (ACLs)'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
|
||||
index b5bcd202dea..7961f3b5a67 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
|
||||
|
||||
title: 'Configure AIDE to Verify Extended Attributes'
|
||||
|
||||
|
||||
From 5425108a0a88ba36b422ee2a1f672f301531c167 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Thu, 20 May 2021 15:44:41 +0200
|
||||
Subject: [PATCH 3/8] Enabled package installed rules for RHEL9.
|
||||
|
||||
Packages are likely to exist in RHEL9.
|
||||
---
|
||||
.../disabling_xwindows/xwindows_remove_packages/rule.yml | 2 +-
|
||||
.../smart_card_login/install_smartcard_packages/rule.yml | 2 +-
|
||||
.../smart_card_login/package_opensc_installed/rule.yml | 2 +-
|
||||
.../system/auditing/package_audispd-plugins_installed/rule.yml | 2 +-
|
||||
.../package_policycoreutils-python-utils_installed/rule.yml | 2 +-
|
||||
.../system/selinux/package_policycoreutils_installed/rule.yml | 2 +-
|
||||
.../software/system-tools/package_rng-tools_installed/rule.yml | 2 +-
|
||||
7 files changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
||||
index 2f9dfc1b039..031d63ba778 100644
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9
|
||||
|
||||
title: 'Disable graphical user interface'
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
|
||||
index 85260712c6f..652e9287759 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
|
||||
@@ -8,7 +8,7 @@
|
||||
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,rhel7,rhel8,sle12,sle15
|
||||
+prodtype: fedora,ol7,rhel7,rhel8,rhel9,sle12,sle15
|
||||
|
||||
title: 'Install Smart Card Packages For Multifactor Authentication'
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
|
||||
index df01a282459..a55409d9e8f 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
|
||||
|
||||
title: 'Install the opensc Package For Multifactor Authentication'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
|
||||
index 8ed5af7070a..6d96d340a33 100644
|
||||
--- a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4
|
||||
+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4
|
||||
|
||||
title: 'Install audispd-plugins Package'
|
||||
|
||||
diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
||||
index 6c23fae18ab..a18a57dcbb3 100644
|
||||
--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8
|
||||
+prodtype: ol8,rhel8,rhel9
|
||||
|
||||
title: 'Install policycoreutils-python-utils package'
|
||||
|
||||
diff --git a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
|
||||
index b9fcc6a889e..acce754e9d2 100644
|
||||
--- a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
|
||||
|
||||
title: 'Install policycoreutils Package'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
|
||||
index 7d25f41fb98..f0ca76b6953 100644
|
||||
--- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
|
||||
|
||||
title: 'Install rng-tools Package'
|
||||
|
||||
|
||||
From ef063898277b53e35db6f3b54604583c3512ff46 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Thu, 20 May 2021 16:07:18 +0200
|
||||
Subject: [PATCH 4/8] Enabled service-related rules for RHEL9.
|
||||
|
||||
---
|
||||
linux_os/guide/services/base/service_kdump_disabled/rule.yml | 2 +-
|
||||
linux_os/guide/services/rng/service_rngd_enabled/rule.yml | 2 +-
|
||||
linux_os/guide/services/ssh/service_sshd_enabled/rule.yml | 2 +-
|
||||
.../coredumps/service_systemd-coredump_disabled/rule.yml | 2 +-
|
||||
4 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
|
||||
index 8a12fd05711..1bb014b5993 100644
|
||||
--- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml
|
||||
+++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019,sle15
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
|
||||
|
||||
title: 'Disable KDump Kernel Crash Analyzer (kdump)'
|
||||
|
||||
diff --git a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
|
||||
index 5d47b5d69b3..4f1e4d85197 100644
|
||||
--- a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
|
||||
+++ b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol8,rhel8
|
||||
+prodtype: fedora,ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Enable the Hardware RNG Entropy Gatherer Service'
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
|
||||
index 548750d0f61..a7aaa4f3f9c 100644
|
||||
--- a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
|
||||
|
||||
title: 'Enable the OpenSSH Service'
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
|
||||
index a2e1affd89d..baa8a448026 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol8,rhel8
|
||||
+prodtype: fedora,ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Disable acquiring, saving, and processing core dumps'
|
||||
|
||||
|
||||
From ce273a6e9a50893d6cd2d623b74d30cba5c5ad8c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Thu, 20 May 2021 17:13:54 +0200
|
||||
Subject: [PATCH 5/8] More various rules.
|
||||
|
||||
---
|
||||
.../files/dir_perms_world_writable_root_owned/rule.yml | 2 +-
|
||||
.../software/disk_partitioning/encrypt_partitions/rule.yml | 6 ++++--
|
||||
.../installed_OS_is_vendor_supported/rule.yml | 4 ++--
|
||||
.../crypto/configure_openssl_tls_crypto_policy/rule.yml | 2 +-
|
||||
.../rule.yml | 2 +-
|
||||
.../system/software/sudo/sudoers_validate_passwd/rule.yml | 2 +-
|
||||
.../updating/clean_components_post_updating/rule.yml | 2 +-
|
||||
7 files changed, 11 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
|
||||
index 9714947ae47..0a4232cae38 100644
|
||||
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,wrlinux1019
|
||||
|
||||
title: 'Ensure All World-Writable Directories Are Owned by root user'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
index 7730800a0e8..ef544f33d48 100644
|
||||
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15
|
||||
+prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
|
||||
|
||||
title: 'Encrypt Partitions'
|
||||
|
||||
@@ -37,8 +37,10 @@ description: |-
|
||||
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/install/ol8-install-basic.html#install-storage-network") }}}.
|
||||
{{% elif product in ["sle12", "sle15"] %}}
|
||||
{{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
|
||||
- {{% else %}}
|
||||
+ {{% elif product == "rhel7" %}}
|
||||
{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}.
|
||||
+ {{% else %}}
|
||||
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening") }}}.
|
||||
{{% endif %}}
|
||||
|
||||
rationale: |-
|
||||
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
|
||||
index ac76ba7c5a0..8a36d5691b7 100644
|
||||
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
|
||||
|
||||
title: 'The Installed Operating System Is Vendor Supported'
|
||||
|
||||
@@ -56,7 +56,7 @@ ocil_clause: 'the installed operating system is not supported'
|
||||
ocil: |-
|
||||
To verify that the installed operating system is supported, run
|
||||
the following command:
|
||||
-{{% if product in ["rhel7", "rhel8"] %}}
|
||||
+{{% if product.startswith("rhel") %}}
|
||||
<pre>$ grep -i "red hat" /etc/redhat-release</pre>
|
||||
{{% elif product in ["ol7", "ol8"] %}}
|
||||
<pre>$ grep -i "oracle" /etc/oracle-release</pre>
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
|
||||
index c4637d39fed..dfe105771cc 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel8
|
||||
+prodtype: rhel8,rhel9
|
||||
|
||||
title: 'Configure OpenSSL library to use TLS Encryption'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
|
||||
index 4b01cb39e1a..930915327e0 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
|
||||
@@ -2,7 +2,7 @@ documentation_complete: true
|
||||
|
||||
title: 'The operating system must restrict privilege elevation to authorized personnel'
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,sle15
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,sle15
|
||||
|
||||
description: |-
|
||||
The sudo command allows a user to execute programs with elevated
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
||||
index eede35be8a1..d17f33852db 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
||||
@@ -2,7 +2,7 @@ documentation_complete: true
|
||||
|
||||
title: 'Ensure invoking users password for privilege escalation when using sudo'
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,sle15
|
||||
|
||||
description: |-
|
||||
The sudoers security policy requires that users authenticate themselves before they can use sudo.
|
||||
diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
|
||||
index 34723d0e2a5..d0289b311c6 100644
|
||||
--- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
|
||||
+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
|
||||
|
||||
title: 'Ensure {{{ pkg_manager }}} Removes Previous Package Versions'
|
||||
|
||||
|
||||
From 255ee86df41e9d5e8ee427ff28e214833796f156 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Thu, 20 May 2021 17:15:51 +0200
|
||||
Subject: [PATCH 6/8] Enabled zIPL rules for RHEL9.
|
||||
|
||||
There are indications that zIPL will remain the default bootloader for x390, and the project is very conservative.
|
||||
---
|
||||
.../guide/system/bootloader-zipl/zipl_audit_argument/rule.yml | 2 +-
|
||||
.../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml | 2 +-
|
||||
.../guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 2 +-
|
||||
.../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 2 +-
|
||||
.../system/bootloader-zipl/zipl_page_poison_argument/rule.yml | 2 +-
|
||||
.../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml | 2 +-
|
||||
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 2 +-
|
||||
7 files changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
index c2fb5ba678c..987a42d31ec 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel8,rhcos4
|
||||
+prodtype: rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
index 6548c352acc..cfb8c08f31d 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel8,rhcos4
|
||||
+prodtype: rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
|
||||
index c3f032d8cbb..b8b025f74f4 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel8,rhcos4
|
||||
+prodtype: rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Ensure all zIPL boot entries are BLS compliant'
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
|
||||
index 13192cd8ca5..c8133e19ab4 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel8,rhcos4
|
||||
+prodtype: rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Ensure zIPL bootmap is up to date'
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
index 42c1c8aecd5..c626f6188cd 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel8,rhcos4
|
||||
+prodtype: rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Enable page allocator poisoning in zIPL'
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
index 2f9b04f7a27..d266165cddc 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel8,rhcos4
|
||||
+prodtype: rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
index f90a0fb4141..387f7f13850 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel8,rhcos4
|
||||
+prodtype: rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Disable vsyscalls in zIPL'
|
||||
|
||||
|
||||
From 807dbda2042184d6d2e602506e846bb3a19a775d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Thu, 20 May 2021 17:40:30 +0200
|
||||
Subject: [PATCH 7/8] Enabled more audit rules for RHEL9.
|
||||
|
||||
Component maintainers have reported that there are no breaking changes in the audit configuration.
|
||||
---
|
||||
.../system/auditing/policy_rules/audit_access_failed/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_access_success/rule.yml | 2 +-
|
||||
.../auditing/policy_rules/audit_basic_configuration/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_create_failed/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_create_success/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_delete_failed/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_delete_success/rule.yml | 2 +-
|
||||
.../auditing/policy_rules/audit_immutable_login_uids/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_modify_failed/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_modify_success/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_module_load/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_ospp_general/rule.yml | 2 +-
|
||||
.../auditing/policy_rules/audit_owner_change_failed/rule.yml | 2 +-
|
||||
.../auditing/policy_rules/audit_owner_change_success/rule.yml | 2 +-
|
||||
.../auditing/policy_rules/audit_perm_change_failed/rule.yml | 2 +-
|
||||
.../auditing/policy_rules/audit_perm_change_success/rule.yml | 2 +-
|
||||
16 files changed, 16 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
||||
index 458ac7e0ae6..a0d856b023b 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of unsuccessful file accesses'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
||||
index 064618716e8..6f79a5cf04a 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of successful file accesses'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
|
||||
index cce5e83fd6e..bd5d6455351 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure basic parameters of Audit system'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
|
||||
index 92800b472c7..b2f731d11ba 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of unsuccessful file creations'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
|
||||
index 59db7b10073..a03a7f3b715 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of successful file creations'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
|
||||
index 2f67a150dc5..d4bd88e6cfc 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of unsuccessful file deletions'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
|
||||
index f54899fb842..6c05a736e39 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of successful file deletions'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
|
||||
index 073f29c9fe6..34e9fc134e0 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure immutable Audit login UIDs'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
|
||||
index 51f9d76f06d..2d0f7cf9da3 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of unsuccessful file modifications'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
|
||||
index b51acc04dcb..28045878a69 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of successful file modifications'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
|
||||
index 20bfca83eee..d764e384ea2 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of loading and unloading of kernel modules'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
||||
index fbf7473cc4c..0a41ece25fc 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Perform general configuration of Audit for OSPP'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
|
||||
index b0052f8b645..a95c0146b11 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of unsuccessful ownership changes'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
|
||||
index 3657a32fc3a..4133eb193f2 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of successful ownership changes'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
|
||||
index 477c74282d0..47f248a2b36 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of unsuccessful permission changes'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
|
||||
index 53ecf9d589a..5017b17849b 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of successful permission changes'
|
||||
|
||||
|
||||
From 65b2fe65e7143d38f46f782d7e0d49738ad7dd76 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Thu, 20 May 2021 17:46:00 +0200
|
||||
Subject: [PATCH 8/8] Enabled Grub cmdline rules for RHEL9.
|
||||
|
||||
Those rules are not very specific - they perform basic configuration of kernel parameters.
|
||||
---
|
||||
.../system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml | 2 +-
|
||||
.../guide/system/bootloader-grub2/grub2_pti_argument/rule.yml | 2 +-
|
||||
.../system/bootloader-grub2/grub2_vsyscall_argument/rule.yml | 2 +-
|
||||
.../restrictions/poisoning/grub2_page_poison_argument/rule.yml | 2 +-
|
||||
.../restrictions/poisoning/grub2_slub_debug_argument/rule.yml | 2 +-
|
||||
5 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
||||
index 39f1bbe285c..03f56b8031d 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8
|
||||
+prodtype: ol8,rhel8,rhel9
|
||||
|
||||
title: 'Configure kernel to trust the CPU random number generator'
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||||
index 1516972d72c..f186b1ae6e7 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol8,rhel8
|
||||
+prodtype: fedora,ol8,rhel8,rhel9
|
||||
|
||||
title: 'Enable Kernel Page-Table Isolation (KPTI)'
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||||
index 9ad81924ceb..0b5873c56a2 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9
|
||||
|
||||
title: 'Disable vsyscalls'
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||||
index 820e4799f87..9b18bee588f 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9
|
||||
|
||||
title: 'Enable page allocator poisoning'
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||||
index 182a0cc507c..f6059044f14 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9
|
||||
|
||||
title: 'Enable SLUB/SLAB allocator poisoning'
|
||||
|
@ -1,141 +0,0 @@
|
||||
From a6bd844c52ccadae91ebcb7c252cf4a153522776 Mon Sep 17 00:00:00 2001
|
||||
From: Matej Tyc <matyc@redhat.com>
|
||||
Date: Wed, 30 Jun 2021 15:10:13 +0200
|
||||
Subject: [PATCH] Enable templates for RHEL9.
|
||||
|
||||
Concerned templates are low-level, underlying components are stable.
|
||||
---
|
||||
shared/templates/audit_rules_file_deletion_events/bash.template | 2 +-
|
||||
shared/templates/audit_rules_login_events/bash.template | 2 +-
|
||||
shared/templates/audit_rules_path_syscall/bash.template | 2 +-
|
||||
shared/templates/audit_rules_privileged_commands/bash.template | 2 +-
|
||||
.../audit_rules_unsuccessful_file_modification/bash.template | 2 +-
|
||||
shared/templates/grub2_bootloader_argument/bash.template | 2 +-
|
||||
shared/templates/kernel_module_disabled/ansible.template | 2 +-
|
||||
shared/templates/mount/anaconda.template | 2 +-
|
||||
shared/templates/mount_option/anaconda.template | 2 +-
|
||||
.../mount_option_removable_partitions/anaconda.template | 2 +-
|
||||
shared/templates/zipl_bls_entries_option/ansible.template | 2 +-
|
||||
shared/templates/zipl_bls_entries_option/bash.template | 2 +-
|
||||
12 files changed, 12 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/audit_rules_file_deletion_events/bash.template b/shared/templates/audit_rules_file_deletion_events/bash.template
|
||||
index c387624cfb..851b0fd43e 100644
|
||||
--- a/shared/templates/audit_rules_file_deletion_events/bash.template
|
||||
+++ b/shared/templates/audit_rules_file_deletion_events/bash.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
diff --git a/shared/templates/audit_rules_login_events/bash.template b/shared/templates/audit_rules_login_events/bash.template
|
||||
index 065e8bb288..69e8be9c50 100644
|
||||
--- a/shared/templates/audit_rules_login_events/bash.template
|
||||
+++ b/shared/templates/audit_rules_login_events/bash.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
diff --git a/shared/templates/audit_rules_path_syscall/bash.template b/shared/templates/audit_rules_path_syscall/bash.template
|
||||
index c3d31aade9..656d168ddd 100644
|
||||
--- a/shared/templates/audit_rules_path_syscall/bash.template
|
||||
+++ b/shared/templates/audit_rules_path_syscall/bash.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
|
||||
index 42e12671ac..85dbc9b828 100644
|
||||
--- a/shared/templates/audit_rules_privileged_commands/bash.template
|
||||
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
|
||||
index e89ac0749c..daf146f7eb 100644
|
||||
--- a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
|
||||
+++ b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
|
||||
index bac84526ee..965fe5bac0 100644
|
||||
--- a/shared/templates/grub2_bootloader_argument/bash.template
|
||||
+++ b/shared/templates/grub2_bootloader_argument/bash.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
|
||||
{{% if product in ["rhel7", "ol7"] %}}
|
||||
{{% if '/' in ARG_NAME %}}
|
||||
diff --git a/shared/templates/kernel_module_disabled/ansible.template b/shared/templates/kernel_module_disabled/ansible.template
|
||||
index 72f7ae18bf..2526baf737 100644
|
||||
--- a/shared/templates/kernel_module_disabled/ansible.template
|
||||
+++ b/shared/templates/kernel_module_disabled/ansible.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
|
||||
# reboot = true
|
||||
# strategy = disable
|
||||
# complexity = low
|
||||
diff --git a/shared/templates/mount/anaconda.template b/shared/templates/mount/anaconda.template
|
||||
index 5093c926da..fdcb4ee3e8 100644
|
||||
--- a/shared/templates/mount/anaconda.template
|
||||
+++ b/shared/templates/mount/anaconda.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
# reboot = false
|
||||
# strategy = enable
|
||||
# complexity = low
|
||||
diff --git a/shared/templates/mount_option/anaconda.template b/shared/templates/mount_option/anaconda.template
|
||||
index 0a54865e12..083b0ef008 100644
|
||||
--- a/shared/templates/mount_option/anaconda.template
|
||||
+++ b/shared/templates/mount_option/anaconda.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
# reboot = false
|
||||
# strategy = enable
|
||||
# complexity = low
|
||||
diff --git a/shared/templates/mount_option_removable_partitions/anaconda.template b/shared/templates/mount_option_removable_partitions/anaconda.template
|
||||
index b4510ae804..8665fb913a 100644
|
||||
--- a/shared/templates/mount_option_removable_partitions/anaconda.template
|
||||
+++ b/shared/templates/mount_option_removable_partitions/anaconda.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
# reboot = false
|
||||
# strategy = enable
|
||||
# complexity = low
|
||||
diff --git a/shared/templates/zipl_bls_entries_option/ansible.template b/shared/templates/zipl_bls_entries_option/ansible.template
|
||||
index 7e73d391de..336775e4f8 100644
|
||||
--- a/shared/templates/zipl_bls_entries_option/ansible.template
|
||||
+++ b/shared/templates/zipl_bls_entries_option/ansible.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 8
|
||||
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
|
||||
# reboot = true
|
||||
# strategy = configure
|
||||
# complexity = medium
|
||||
diff --git a/shared/templates/zipl_bls_entries_option/bash.template b/shared/templates/zipl_bls_entries_option/bash.template
|
||||
index 81bbb7884b..25cd7432c9 100644
|
||||
--- a/shared/templates/zipl_bls_entries_option/bash.template
|
||||
+++ b/shared/templates/zipl_bls_entries_option/bash.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 8
|
||||
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
|
||||
|
||||
# Correct BLS option using grubby, which is a thin wrapper around BLS operations
|
||||
grubby --update-kernel=ALL --args="{{{ ARG_NAME }}}={{{ ARG_VALUE }}}"
|
@ -1,206 +0,0 @@
|
||||
From 5d3bcea7c2927f449fbd82074a62425bad89e605 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Haydock <alex@alexhaydock.co.uk>
|
||||
Date: Sun, 30 May 2021 19:16:11 +0100
|
||||
Subject: [PATCH 1/5] Add sudo custom logfile control for RHEL 8 CIS
|
||||
|
||||
---
|
||||
.../sudo/sudo_custom_logfile/rule.yml | 20 +++++++++++++++++++
|
||||
.../system/software/sudo/var_sudo_logfile.var | 16 +++++++++++++++
|
||||
rhel8/profiles/cis.profile | 2 +-
|
||||
3 files changed, 37 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
create mode 100644 linux_os/guide/system/software/sudo/var_sudo_logfile.var
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..5571c92a679
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
@@ -0,0 +1,20 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Ensure Sudo Logfile Exists - sudo logfile'
|
||||
+
|
||||
+description: |-
|
||||
+ A custom logfile can be configured for sudo with the logfile tag.
|
||||
+
|
||||
+rationale: |-
|
||||
+ A sudo log file simplifies auditing of sudo commands.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cis@rhel8: 1.3.3
|
||||
+
|
||||
+template:
|
||||
+ name: sudo_defaults_option
|
||||
+ vars:
|
||||
+ option: logfile
|
||||
+ variable_name: var_sudo_logfile
|
||||
diff --git a/linux_os/guide/system/software/sudo/var_sudo_logfile.var b/linux_os/guide/system/software/sudo/var_sudo_logfile.var
|
||||
new file mode 100644
|
||||
index 00000000000..65b23b5f3c2
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/var_sudo_logfile.var
|
||||
@@ -0,0 +1,16 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Sudo - logfile value'
|
||||
+
|
||||
+description: |-
|
||||
+ Specify the sudo logfile to use. The default value used here matches the example
|
||||
+ location from CIS, which uses /var/log/sudo.log.
|
||||
+
|
||||
+interactive: false
|
||||
+
|
||||
+type: string
|
||||
+
|
||||
+operator: equals
|
||||
+
|
||||
+options:
|
||||
+ default: "/var/log/sudo.log"
|
||||
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
|
||||
index ec9cbfa0a3d..411083d6e71 100644
|
||||
--- a/rhel8/profiles/cis.profile
|
||||
+++ b/rhel8/profiles/cis.profile
|
||||
@@ -132,7 +132,7 @@ selections:
|
||||
# NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5220
|
||||
|
||||
### 1.3.3 Ensure sudo log file exists (Scored)
|
||||
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5221
|
||||
+ - sudo_custom_logfile
|
||||
|
||||
## 1.4 Filesystem Integrity Checking
|
||||
|
||||
|
||||
From da0883992ba7e712f805b86e5b7c96162aed93ec Mon Sep 17 00:00:00 2001
|
||||
From: Alex Haydock <alex@alexhaydock.co.uk>
|
||||
Date: Sun, 30 May 2021 20:46:58 +0100
|
||||
Subject: [PATCH 2/5] Update rule with OCIL parameters
|
||||
|
||||
---
|
||||
.../system/software/sudo/sudo_custom_logfile/rule.yml | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
index 5571c92a679..de0ecb98a76 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
@@ -8,11 +8,18 @@ description: |-
|
||||
rationale: |-
|
||||
A sudo log file simplifies auditing of sudo commands.
|
||||
|
||||
-severity: medium
|
||||
+severity: low
|
||||
|
||||
identifiers:
|
||||
cis@rhel8: 1.3.3
|
||||
|
||||
+ocil_clause: 'logfile is not enabled in sudo'
|
||||
+
|
||||
+ocil: |-
|
||||
+ To determine if <tt>logfile</tt> has been configured for sudo, run the following command:
|
||||
+ <pre>$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
|
||||
+ The command should return a matching output.
|
||||
+
|
||||
template:
|
||||
name: sudo_defaults_option
|
||||
vars:
|
||||
|
||||
From 2b6721b3e3858d75f27d7ad8395a79a1ce68bc73 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Haydock <alex@alexhaydock.co.uk>
|
||||
Date: Mon, 31 May 2021 11:44:13 +0100
|
||||
Subject: [PATCH 3/5] Use references field for CIS rather than identifiers
|
||||
|
||||
---
|
||||
.../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
index de0ecb98a76..afce7f1867c 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
@@ -10,7 +10,7 @@ rationale: |-
|
||||
|
||||
severity: low
|
||||
|
||||
-identifiers:
|
||||
+references:
|
||||
cis@rhel8: 1.3.3
|
||||
|
||||
ocil_clause: 'logfile is not enabled in sudo'
|
||||
|
||||
From ee4ed67f0f9e246b20098d60efed7e20bc7b7a13 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Haydock <alex@alexhaydock.co.uk>
|
||||
Date: Tue, 1 Jun 2021 11:28:08 +0100
|
||||
Subject: [PATCH 4/5] Add missing CCE identifiers to sudo logfile rule
|
||||
|
||||
---
|
||||
.../system/software/sudo/sudo_custom_logfile/rule.yml | 9 ++++++++-
|
||||
shared/references/cce-redhat-avail.txt | 2 --
|
||||
2 files changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
index afce7f1867c..d08b7891293 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
@@ -3,14 +3,21 @@ documentation_complete: true
|
||||
title: 'Ensure Sudo Logfile Exists - sudo logfile'
|
||||
|
||||
description: |-
|
||||
- A custom logfile can be configured for sudo with the logfile tag.
|
||||
+ A custom log sudo file can be configured with the 'logfile' tag. This rule configures
|
||||
+ a sudo custom logfile at the default location suggested by CIS, which uses
|
||||
+ /var/log/sudo.log.
|
||||
|
||||
rationale: |-
|
||||
A sudo log file simplifies auditing of sudo commands.
|
||||
|
||||
severity: low
|
||||
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-83600-7
|
||||
+ cce@rhel8: CCE-83601-5
|
||||
+
|
||||
references:
|
||||
+ cis@rhel7: 5.2.3
|
||||
cis@rhel8: 1.3.3
|
||||
|
||||
ocil_clause: 'logfile is not enabled in sudo'
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index ae54d0ee0b2..e74b6779509 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -94,8 +94,6 @@ CCE-83594-2
|
||||
CCE-83595-9
|
||||
CCE-83596-7
|
||||
CCE-83599-1
|
||||
-CCE-83600-7
|
||||
-CCE-83601-5
|
||||
CCE-83606-4
|
||||
CCE-83608-0
|
||||
CCE-83609-8
|
||||
|
||||
From 298533e0e7360752737b24deb07903c04b33bc21 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Haydock <alex@alexhaydock.co.uk>
|
||||
Date: Tue, 1 Jun 2021 16:19:45 +0100
|
||||
Subject: [PATCH 5/5] Allow users to override sudo logfile location with
|
||||
tailoring
|
||||
|
||||
---
|
||||
linux_os/guide/system/software/sudo/var_sudo_logfile.var | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/var_sudo_logfile.var b/linux_os/guide/system/software/sudo/var_sudo_logfile.var
|
||||
index 65b23b5f3c2..7c5d02d37eb 100644
|
||||
--- a/linux_os/guide/system/software/sudo/var_sudo_logfile.var
|
||||
+++ b/linux_os/guide/system/software/sudo/var_sudo_logfile.var
|
||||
@@ -6,7 +6,7 @@ description: |-
|
||||
Specify the sudo logfile to use. The default value used here matches the example
|
||||
location from CIS, which uses /var/log/sudo.log.
|
||||
|
||||
-interactive: false
|
||||
+interactive: true
|
||||
|
||||
type: string
|
||||
|
@ -0,0 +1,55 @@
|
||||
From 460922d3b258ba5b437afc99b5b02d2690788db9 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <alex.scheel@canonical.com>
|
||||
Date: Tue, 27 Jul 2021 15:20:08 -0400
|
||||
Subject: [PATCH] Remove FragmentPath check from service_disabled
|
||||
|
||||
In https://github.com/systemd/systemd/issues/582 it is documented that
|
||||
systemd could eventually replace FragmentPath=/dev/null (on masked
|
||||
services) with the actual service path -- not the fully (symlink)
|
||||
resolved path as is currently the case.
|
||||
|
||||
This matches the behavior currently seen in Ubuntu (all versions) and
|
||||
RHEL 9/Fedora 34.
|
||||
|
||||
Per discussion with Gabriel, Matej, Richard, and Matt, it is best to
|
||||
remove this check, especially since ActiveState=Masked suffices.
|
||||
|
||||
Resolves: #7280
|
||||
Resolves: #7248
|
||||
|
||||
Signed-off-by: Alexander Scheel <alex.scheel@canonical.com>
|
||||
---
|
||||
shared/templates/service_disabled/oval.template | 13 -------------
|
||||
1 file changed, 13 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/service_disabled/oval.template b/shared/templates/service_disabled/oval.template
|
||||
index 33b52518307..e4ccb0566e7 100644
|
||||
--- a/shared/templates/service_disabled/oval.template
|
||||
+++ b/shared/templates/service_disabled/oval.template
|
||||
@@ -13,7 +13,6 @@
|
||||
<criteria operator="AND" comment="service {{{ SERVICENAME }}} is not configured to start">
|
||||
<criterion comment="{{{ SERVICENAME }}} is not running" test_ref="test_service_not_running_{{{ SERVICENAME }}}" />
|
||||
<criterion comment="Property LoadState of service {{{ SERVICENAME }}} is masked" test_ref="test_service_loadstate_is_masked_{{{ SERVICENAME }}}" />
|
||||
- <criterion comment="Property FragmentPath of service {{{ SERVICENAME }}} is set to /dev/null" test_ref="test_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}" />
|
||||
</criteria>
|
||||
</criteria>
|
||||
</definition>
|
||||
@@ -41,18 +40,6 @@
|
||||
<linux:value>masked</linux:value>
|
||||
</linux:systemdunitproperty_state>
|
||||
|
||||
- <linux:systemdunitproperty_test id="test_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}" check="all" check_existence="any_exist" comment="Test that the property FragmentPath from the service {{{ SERVICENAME }}} is set to /dev/null" version="1">
|
||||
- <linux:object object_ref="obj_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}"/>
|
||||
- <linux:state state_ref="state_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}"/>
|
||||
- </linux:systemdunitproperty_test>
|
||||
- <linux:systemdunitproperty_object id="obj_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}" comment="Retrieve the FragmentPath property of {{{ SERVICENAME }}}" version="1">
|
||||
- <linux:unit operation="pattern match">^{{{ SERVICENAME }}}\.(service|socket)$</linux:unit>
|
||||
- <linux:property>FragmentPath</linux:property>
|
||||
- </linux:systemdunitproperty_object>
|
||||
- <linux:systemdunitproperty_state id="state_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}" version="1" comment="FragmentPath is set to /dev/null">
|
||||
- <linux:value>/dev/null</linux:value>
|
||||
- </linux:systemdunitproperty_state>
|
||||
-
|
||||
{{% else %}}
|
||||
|
||||
{{% if init_system != "systemd" %}}
|
@ -1,25 +1,25 @@
|
||||
# SSG build system and tests count with build directory name `build`.
|
||||
# For more details see:
|
||||
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
|
||||
%global _vpath_builddir build
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.56
|
||||
Release: 3%{?dist}
|
||||
Version: 0.1.57
|
||||
Release: 1%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
URL: https://github.com/ComplianceAsCode/content/
|
||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||
Patch1: scap-security-guide-0.1.57-anssi_telnetd_update-PR_6997.patch
|
||||
Patch2: scap-security-guide-0.1.57-build-system-pr-7025.patch
|
||||
Patch3: scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch
|
||||
Patch4: scap-security-guide-0.1.57-sudo_custom_logfile-PR_7058.patch
|
||||
Patch5: scap-security-guide-0.1.57-rhel9_rules_various-PR_7006.patch
|
||||
Patch6: scap-security-guide-0.1.57-rhel9_rules_various_2-PR_7040.patch
|
||||
Patch7: scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch
|
||||
Patch8: scap-security-guide-0.1.57-rhel9_templates-PR_7182.patch
|
||||
Patch9: scap-security-guide-0.1.57-playbooks_per_rule-PR_7039.patch
|
||||
BuildArch: noarch
|
||||
|
||||
Patch0: scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch
|
||||
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: expat
|
||||
BuildRequires: openscap-scanner >= 1.2.5
|
||||
BuildRequires: cmake >= 2.8
|
||||
# To get python3 inside the buildroot require its path explicitly in BuildRequires
|
||||
BuildRequires: /usr/bin/python3
|
||||
BuildRequires: python%{python3_pkgversion}
|
||||
BuildRequires: python%{python3_pkgversion}-jinja2
|
||||
BuildRequires: python%{python3_pkgversion}-PyYAML
|
||||
@ -46,7 +46,7 @@ The %{name}-doc package contains HTML formatted documents containing
|
||||
hardening guidances that have been generated from XCCDF benchmarks
|
||||
present in %{name} package.
|
||||
|
||||
%if %{defined rhel}
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%package rule-playbooks
|
||||
Summary: Ansible playbooks per each rule.
|
||||
Group: System Environment/Base
|
||||
@ -56,27 +56,21 @@ Requires: %{name} = %{version}-%{release}
|
||||
The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
|
||||
%endif
|
||||
|
||||
# Temporarily needed to apply the profile stub patch (identifiers were sorted)
|
||||
%global _default_patch_fuzz 1
|
||||
%prep
|
||||
%autosetup -p1
|
||||
|
||||
%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF
|
||||
%define cmake_defines_specific %{nil}
|
||||
%if 0%{?rhel}
|
||||
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
|
||||
%endif
|
||||
%if 0%{?centos}
|
||||
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
|
||||
%endif
|
||||
|
||||
mkdir -p build
|
||||
%build
|
||||
%cmake \
|
||||
-DSSG_PRODUCT_DEFAULT=OFF \
|
||||
-DSSG_PRODUCT_RHEL9=ON \
|
||||
-DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF \
|
||||
-DSSG_BASH_SCRIPTS_ENABLED=OFF \
|
||||
%if %{defined centos}
|
||||
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
|
||||
%else
|
||||
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
|
||||
%endif
|
||||
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
|
||||
%if %{defined rhel}
|
||||
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
|
||||
%endif
|
||||
-DSSG_BUILD_SCAP_12_DS=OFF
|
||||
%cmake %{cmake_defines_common} %{cmake_defines_specific}
|
||||
%cmake_build
|
||||
|
||||
%install
|
||||
@ -90,7 +84,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
|
||||
%{_datadir}/%{name}/ansible/*.yml
|
||||
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
|
||||
%doc %{_docdir}/%{name}/LICENSE
|
||||
%if %{defined rhel}
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
|
||||
%endif
|
||||
|
||||
@ -98,13 +92,17 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
|
||||
%doc %{_docdir}/%{name}/guides/*.html
|
||||
%doc %{_docdir}/%{name}/tables/*.html
|
||||
|
||||
%if %{defined rhel}
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%files rule-playbooks
|
||||
%defattr(-,root,root,-)
|
||||
%{_datadir}/%{name}/ansible/rule_playbooks
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jul 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
|
||||
- Upgrade to the latest upstream release
|
||||
- Introduce more complete RHEL9 content in terms of rules, profiles and kickstarts.
|
||||
|
||||
* Wed Jul 07 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-3
|
||||
- Introduced the playbooks subpackage.
|
||||
- Enabled CentOS content on CentOS systems.
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (scap-security-guide-0.1.56.tar.bz2) = 1c876f1a8e03f3f68de8fd5a8fd020567f0eecb1fb8b9c9f754453c2f22278944f50d06c0f4e771020e2e25facf6cecb1044d3ddb12e531428ca5aacfec3c86c
|
||||
SHA512 (scap-security-guide-0.1.57.tar.bz2) = e0f030445cc8c629f94be156581a3732abb104e2e5a57a92c64e7fa168b2107e60ee8edfcf8d715c339180317f09378317d031d575673b5384f16208528d66a2
|
||||
|
Loading…
Reference in New Issue
Block a user