diff --git a/scap-security-guide-0.1.57-playbooks_per_rule-PR_7039.patch b/scap-security-guide-0.1.57-playbooks_per_rule-PR_7039.patch
new file mode 100644
index 0000000..47df298
--- /dev/null
+++ b/scap-security-guide-0.1.57-playbooks_per_rule-PR_7039.patch
@@ -0,0 +1,224 @@
+From 7283a29c601c250f9809886860f89d4e673be577 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Mon, 24 May 2021 17:25:38 +0200
+Subject: [PATCH 1/6] Add option to enable installation of individual ansible
+ tasks per rule.
+
+---
+ CMakeLists.txt | 1 +
+ cmake/SSGCommon.cmake | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 55b991cedfa..13ddcf6aa7c 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -49,6 +49,7 @@ option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the S
+ option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE)
+ option(SSG_ANSIBLE_PLAYBOOKS_ENABLED "If enabled, Ansible Playbooks for each profile will be built and installed." TRUE)
+ option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE)
++option(SSG_ANSIBLE_TASKS_ENABLED "If enabled, Ansible Tasks for each rule will be installed." FALSE)
+ option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
+ option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
+ set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index 412db46c687..e1480561ee1 100644
+--- a/cmake/SSGCommon.cmake
++++ b/cmake/SSGCommon.cmake
+@@ -914,6 +914,20 @@ macro(ssg_build_product PRODUCT)
+ "
+ )
+ endif()
++ if(SSG_ANSIBLE_TASKS_ENABLED)
++ install(
++ CODE "
++ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\") \n
++ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks)
++ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks\"
++ TYPE FILE FILES \${ROLE_FILES})
++ else()
++ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks\"
++ TYPE FILE FILES \${ROLE_FILES})
++ endif()
++ "
++ )
++ endif()
+
+ # grab all the kickstarts (if any) and install them
+ file(GLOB KICKSTART_FILES "${CMAKE_CURRENT_SOURCE_DIR}/kickstart/ssg-${PRODUCT}-*-ks.cfg")
+
+From 81f9051433bec735f0ce915290d465ba98401f86 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Tue, 25 May 2021 17:07:15 +0200
+Subject: [PATCH 2/6] Rename ansible per rule cmake option.
+
+---
+ CMakeLists.txt | 2 +-
+ cmake/SSGCommon.cmake | 14 +++++++-------
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 13ddcf6aa7c..04779b18cbc 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -48,8 +48,8 @@ option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used
+ option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the SVG SCAP Security Guide logo." TRUE)
+ option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE)
+ option(SSG_ANSIBLE_PLAYBOOKS_ENABLED "If enabled, Ansible Playbooks for each profile will be built and installed." TRUE)
++option(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED "If enabled, Ansible Playbooks for each rule will be built and installed." FALSE)
+ option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE)
+-option(SSG_ANSIBLE_TASKS_ENABLED "If enabled, Ansible Tasks for each rule will be installed." FALSE)
+ option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
+ option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
+ set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index e1480561ee1..b3710caafbf 100644
+--- a/cmake/SSGCommon.cmake
++++ b/cmake/SSGCommon.cmake
+@@ -914,16 +914,16 @@ macro(ssg_build_product PRODUCT)
+ "
+ )
+ endif()
+- if(SSG_ANSIBLE_TASKS_ENABLED)
++ if(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
+ install(
+ CODE "
+- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\") \n
+- if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks)
+- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks\"
+- TYPE FILE FILES \${ROLE_FILES})
++ file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\") \n
++ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks)
++ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks\"
++ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
+ else()
+- file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/tasks\"
+- TYPE FILE FILES \${ROLE_FILES})
++ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks\"
++ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
+ endif()
+ "
+ )
+
+From 2f424af420f3520797780287812474a5f7c03f07 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Tue, 25 May 2021 17:07:22 +0200
+Subject: [PATCH 3/6] Guard build of playbooks per rule by a new CMake Option.
+
+---
+ cmake/SSGCommon.cmake | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index b3710caafbf..04bdfe04bae 100644
+--- a/cmake/SSGCommon.cmake
++++ b/cmake/SSGCommon.cmake
+@@ -769,7 +769,7 @@ macro(ssg_build_product PRODUCT)
+ ssg_build_xccdf_unlinked(${PRODUCT})
+ ssg_build_ocil_unlinked(${PRODUCT})
+ ssg_build_remediations(${PRODUCT})
+- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
++ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
+ ssg_build_ansible_playbooks(${PRODUCT})
+ endif()
+ ssg_build_xccdf_with_remediations(${PRODUCT})
+
+From 406a49b4c617499e538817579920b23fc81a09e6 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Tue, 25 May 2021 17:40:10 +0200
+Subject: [PATCH 4/6] Print message for CMake option enable ansible playbooks
+ per rule.
+
+---
+ CMakeLists.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 04779b18cbc..bba7dd60356 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -246,6 +246,7 @@ message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VA
+ message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}")
+ message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}")
+ message(STATUS "Ansible Playbooks: ${SSG_ANSIBLE_PLAYBOOKS_ENABLED}")
++message(STATUS "Ansible Playbooks Per Rule: ${SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED}")
+ message(STATUS "Bash scripts: ${SSG_BASH_SCRIPTS_ENABLED}")
+ if (SSG_JINJA2_CACHE_ENABLED)
+ message(STATUS "jinja2 cache: enabled")
+
+From 5a185a653ba4f58bdfcee37bfd61812763a2f525 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Tue, 25 May 2021 17:40:42 +0200
+Subject: [PATCH 5/6] Fix path of gathered ansible playbooks per rule.
+
+---
+ cmake/SSGCommon.cmake | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index 04bdfe04bae..a382bb787b5 100644
+--- a/cmake/SSGCommon.cmake
++++ b/cmake/SSGCommon.cmake
+@@ -917,12 +917,12 @@ macro(ssg_build_product PRODUCT)
+ if(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
+ install(
+ CODE "
+- file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\") \n
+- if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks)
+- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks\"
++ file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*\") \n
++ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks)
++ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\"
+ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
+ else()
+- file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/playbooks\"
++ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\"
+ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
+ endif()
+ "
+
+From 8b99c9c2a50653b37f88b9eb3bc2b46ae3586be3 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Thu, 27 May 2021 15:55:20 +0200
+Subject: [PATCH 6/6] Move product dependency closer to declaration
+
+A dependency on rule playbooks target was being added from a
+conditional branch related to profile playbooks.
+It caused issues when building profile playbooks but not rule playbooks,
+the rule playbooks target would not exist, but still be added as
+dependency.
+
+Co-authored-by: Watson Sato
+---
+ cmake/SSGCommon.cmake | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index a382bb787b5..dc661cc2904 100644
+--- a/cmake/SSGCommon.cmake
++++ b/cmake/SSGCommon.cmake
+@@ -769,8 +769,13 @@ macro(ssg_build_product PRODUCT)
+ ssg_build_xccdf_unlinked(${PRODUCT})
+ ssg_build_ocil_unlinked(${PRODUCT})
+ ssg_build_remediations(${PRODUCT})
++
+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
+ ssg_build_ansible_playbooks(${PRODUCT})
++ add_dependencies(
++ ${PRODUCT}-content
++ generate-${PRODUCT}-ansible-playbooks
++ )
+ endif()
+ ssg_build_xccdf_with_remediations(${PRODUCT})
+ ssg_build_oval_unlinked(${PRODUCT})
+@@ -801,10 +806,6 @@ macro(ssg_build_product PRODUCT)
+ add_dependencies(zipfile "generate-ssg-${PRODUCT}-ds.xml")
+
+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_ENABLED)
+- add_dependencies(
+- ${PRODUCT}-content
+- generate-${PRODUCT}-ansible-playbooks
+- )
+ ssg_build_profile_playbooks(${PRODUCT})
+ add_custom_target(
+ ${PRODUCT}-profile-playbooks
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 6f6c263..7b22e05 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -13,6 +13,7 @@ Patch5: scap-security-guide-0.1.57-rhel9_rules_various-PR_7006.patch
 Patch6: scap-security-guide-0.1.57-rhel9_rules_various_2-PR_7040.patch
 Patch7: scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch
 Patch8: scap-security-guide-0.1.57-rhel9_templates-PR_7182.patch
+Patch9: scap-security-guide-0.1.57-playbooks_per_rule-PR_7039.patch
 BuildArch: noarch
 BuildRequires: libxslt
@@ -66,7 +67,6 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul
 -DSSG_PRODUCT_RHEL9=ON \
 -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF \
 -DSSG_BASH_SCRIPTS_ENABLED=OFF \
--DSSG_BUILD_SCAP_12_DS=OFF
 %if %{defined centos}
 -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
 %else
@@ -76,6 +76,7 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul
 %if %{defined rhel}
 -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
 %endif
+-DSSG_BUILD_SCAP_12_DS=OFF
 %cmake_build
 %install
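Review bot: In the PATCH 5/6 hunk of cmake/SSGCommon.cmake the install glob is widened from `playbooks/*.yml` to `playbooks/*`, so anything else that lands in the build tree's `playbooks/` directory is copied into `rule_playbooks/${PRODUCT}` on the target system, and a subdirectory matched by `*` would likely make `file(INSTALL ... TYPE FILE ...)` fail at install time. If the wider pattern is intended, restricting it to regular files keeps the installed role content predictable: `file(GLOB PLAYBOOK_PER_RULE_FILES LIST_DIRECTORIES false \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*\")`. The same block substitutes `${SSG_ANSIBLE_ROLE_INSTALL_DIR}` unquoted into `if(NOT IS_ABSOLUTE ...)`, which breaks for a value containing spaces or semicolons; `if(NOT IS_ABSOLUTE \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks\")` is safe. The PATCH 6/6 hunk also moves `add_dependencies(${PRODUCT}-content ...)` much earlier in ssg_build_product; if the `${PRODUCT}-content` target is only created between the two hunks of that patch (not visible here), configure fails whenever the per-rule option is ON, so the RPM build with that option set is worth exercising before this backport is merged. As a verbatim backport of an upstream series, any of these fixes belongs upstream rather than in this patch file.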
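Review bot: `Patch9:` is declared in this hunk, but whether it is applied depends on the `%prep` section, which is outside the hunk; if `%prep` applies patches explicitly rather than via `%autosetup -p1`, a matching `%patch9 -p1` is needed. Without the patch applied, the `-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON` line that the `@@ -76,6 +76,7 @@` hunk keeps as context is accepted by CMake as an unused cache variable with only a warning, so the `%{name}-rule-playbooks` subpackage could be built without the per-rule playbooks it is meant to ship. A comment next to the declaration would make the coupling explicit, e.g. `# Patch9 adds the CMake option passed below (SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)`.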