Merge pull request #12093 from Mab879/remove_rhel7

Remove rhel7 product
ComplianceAsCode · Jun 27, 2024 · 9d1238f · 9d1238f
2 parents f0a0c51 + 24c4b85
commit 9d1238f
Show file tree

Hide file tree

Showing 1,607 changed files with 546 additions and 32,373 deletions.
diff --git a/.github/workflows/gate-lint-ansible-roles.yaml b/.github/workflows/gate-lint-ansible-roles.yaml
@@ -17,10 +17,10 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Configure
-        run: cmake -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_RHEL7=ON -DSSG_PRODUCT_RHEL8=ON -DSSG_PRODUCT_RHEL9=ON -G Ninja ..
+        run: cmake -DSSG_PRODUCT_RHEL8=ON -DSSG_PRODUCT_RHEL9=ON -DSSG_PRODUCT_RHEL10=ON -G Ninja ..
         working-directory: ./build
       - name: Build
-        run: ninja -j2 rhel9-profile-playbooks rhel8-profile-playbooks rhel7-profile-playbooks
+        run: ninja -j2 rhel10-profile-playbooks  rhel9-profile-playbooks rhel8-profile-playbooks
         working-directory: ./build
       - name: Build Ansible Roles
         run: PYTHONPATH=. python3 utils/ansible_playbook_to_role.py --build-playbooks-dir ./build/ansible/ --dry-run ./build/ansible_roles

diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml
@@ -10,19 +10,19 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.number || github.run_id }}
   cancel-in-progress: true
 jobs:
-  validate-centos7:
-    name: Build, Test on CentOS 7 (Container)
+  validate-ol7:
+    name: Build, Test on Oracle Linux 7 (Container)
     runs-on: ubuntu-latest
     container:
-      image: centos:7
+      image: oraclelinux:7.9
     steps:
       - name: Install Deps
-        run: yum install -y cmake make openscap-utils PyYAML libxslt xml-common python-jinja2 python-setuptools
+        run: yum install -y cmake make openscap-utils PyYAML libxslt xml-common python-jinja2 python-setuptools openscap openscap-scanner
       - name: Checkout
         uses: actions/checkout@v3
       - name: Build
         run: |-
-          ./build_product rhel7 rhel8 rhel9 rhel10 --derivatives
+          ./build_product ol7
         env:
           ADDITIONAL_CMAKE_OPTIONS: "-DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF"
       - name: Test
@@ -165,7 +165,6 @@ jobs:
                 fedora \
                 firefox \
                 rhcos4 \
-                rhel7 \
                 rhel8 \
                 rhel9 \
                 rhel10 \

diff --git a/.github/workflows/gate_fedora.yml b/.github/workflows/gate_fedora.yml
@@ -41,7 +41,6 @@ jobs:
                         openembedded \
                         openeuler2203 \
                         rhcos4 \
-                        rhel7 \
                         rhel8 \
                         rhel9 \
                         rhel10 \

diff --git a/.github/workflows/gh-pages.yaml b/.github/workflows/gh-pages.yaml
@@ -37,7 +37,7 @@ jobs:
         run: ninja render-policies -j2
         working-directory: ./build
       - name: Generate Prometheus Metrics
-        run: utils/controleval_metrics.py prometheus -p fedora ocp4 rhcos4 rhel9 rhel8 rhel7 sle12 sle15 -f ./build/policies_metrics
+        run: utils/controleval_metrics.py prometheus -p fedora ocp4 rhcos4 rhel10 rhel9 rhel8 sle12 sle15 -f ./build/policies_metrics
         env:
           PYTHONPATH: ${{ github.workspace }}
       - name: Generate HTML pages

diff --git a/.gitpod.launch.json b/.gitpod.launch.json
@@ -24,7 +24,7 @@
           "macos1015",
           "ocp4",
           "ol7", "ol8",
-          "opensuse","rhel7", "rhel8", "rhel9",
+          "opensuse", "rhel8", "rhel9",
           "rhosp10", "rhosp13",
           "rhv4",
           "sle12", "sle15",

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -104,7 +104,6 @@ option(SSG_PRODUCT_OPENEMBEDDED "If enabled, the OpenEmbedded SCAP content will
 option(SSG_PRODUCT_OPENEULER2203 "If enabled, the openEuler 22.03 LTS content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHCOS4 "If enabled, the RHCOS4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHEL8 "If enabled, the RHEL8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHEL9 "If enabled, the RHEL9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_RHEL10 "If enabled, the RHEL10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -118,7 +117,6 @@ option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be
 option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 # Products derivatives
 option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
-option(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED "If enabled, Scientific Linux derivative content will be built from the RHEL content" TRUE)
 
 if("$ENV{PYTHONPATH}" STREQUAL "")
     set(ENV{PYTHONPATH} "${PROJECT_SOURCE_DIR}")
@@ -332,7 +330,6 @@ message(STATUS "Oracle Linux 8: ${SSG_PRODUCT_OL8}")
 message(STATUS "Oracle Linux 9: ${SSG_PRODUCT_OL9}")
 message(STATUS "openEuler 22.03 LTS: ${SSG_PRODUCT_OPENEULER2203}")
 message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}")
-message(STATUS "RHEL 7: ${SSG_PRODUCT_RHEL7}")
 message(STATUS "RHEL 8: ${SSG_PRODUCT_RHEL8}")
 message(STATUS "RHEL 9: ${SSG_PRODUCT_RHEL9}")
 message(STATUS "RHEL 10: ${SSG_PRODUCT_RHEL10}")
@@ -430,9 +427,6 @@ endif()
 if(SSG_PRODUCT_OPENSUSE)
     add_subdirectory("products/opensuse" "opensuse")
 endif()
-if(SSG_PRODUCT_RHEL7)
-    add_subdirectory("products/rhel7" "rhel7")
-endif()
 if(SSG_PRODUCT_RHEL8)
     add_subdirectory("products/rhel8" "rhel8")
 endif()

diff --git a/CODEOWNERS b/CODEOWNERS
@@ -14,7 +14,6 @@
 
 # Product Specific Control Files
 
-/controls/cis_rhel7.yml @ComplianceAsCode/red-hatters
 /controls/cis_rhel8.yml @ComplianceAsCode/red-hatters
 /controls/cis_rhel9.yml @ComplianceAsCode/red-hatters
 /controls/cis_sle12.yml @ComplianceAsCode/suse-maintainers

diff --git a/README.md b/README.md
@@ -146,20 +146,20 @@ The `oscap` tool is a low-level command line interface that comes from
 the OpenSCAP project. It can be used to scan the local machine.
 
 ```bash
-oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results-arf arf.xml --report report.html --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
+oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --results-arf arf.xml --report report.html --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
 ```
 
 <a href="docs/readme_images/report_sample.png"><img align="right" width="250" src="docs/readme_images/report_sample.png" alt="Evaluation report sample"></a>
 
 After evaluation, the `arf.xml` file will contain all results in a reusable
-*result data stream* (ARF) format, `report.html` will contain a human readable
+*result data stream* (ARF) format, `report.html` will contain a human-readable
 report that can be opened in a browser.
 
 Replace the profile with other profile of your choice, you can display
 all possible choices using:
 
 ```bash
-oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
+oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
 ```
 
 Please see the [OpenSCAP](https://www.open-scap.org/) website for more information.
@@ -200,7 +200,7 @@ To apply the playbook on your local machine run:
 (*THIS WILL CHANGE CONFIGURATION OF THE MACHINE!*)
 
 ```bash
-ansible-playbook -i "localhost," -c local /usr/share/scap-security-guide/ansible/rhel7-playbook-rht-ccp.yml
+ansible-playbook -i "localhost," -c local /usr/share/scap-security-guide/ansible/rhel9-playbook-ospp.yml
 ```
 
 Each of the Ansible Playbooks contains instructions on how to deploy them. Here
@@ -226,9 +226,9 @@ To see a list of available Bash scripts, run:
 ```bash
 # ls /usr/share/scap-security-guide/bash/
 ...
-rhel7-script-hipaa.sh
-rhel7-script-ospp.sh
-rhel7-script-pci-dss.sh
+rhel8-script-hipaa.sh
+rhel8-script-ospp.sh
+rhel8-script-pci-dss.sh
 ...
 ```
 

diff --git a/build-scripts/build_sce.py b/build-scripts/build_sce.py
@@ -46,7 +46,7 @@ def parse_args():
     p.add_argument(
         "--product-yaml", required=True,
         help="YAML file with information about the product we are building. "
-        "e.g.: ~/scap-security-guide/rhel7/product.yml"
+        "e.g.: ~/scap-security-guide/rhel9/product.yml"
     )
     p.add_argument(
         "--templates-dir", required=True,

diff --git a/build-scripts/build_templated_content.py b/build-scripts/build_templated_content.py
@@ -18,12 +18,12 @@ def parse_args():
     p.add_argument(
         "--product-yaml", required=True,
         help="YAML file with information about the product we are building. "
-        "e.g.: ~/scap-security-guide/rhel7/product.yml"
+        "e.g.: ~/scap-security-guide/rhel9/product.yml"
     )
     p.add_argument(
         "--resolved-rules-dir", required=True,
         help="Directory with <rule-id>.yml resolved rule YAMLs. "
-        "e.g.: ~/scap-security-guide/build/rhel7/rules"
+        "e.g.: ~/scap-security-guide/build/rhel9/rules"
     )
     p.add_argument(
         "--templates-dir", required=True,
@@ -33,22 +33,22 @@ def parse_args():
     p.add_argument(
         "--checks-dir", required=True,
         help="Path to which OVAL checks will be generated. "
-        "e.g.: ~/scap-security-guide/build/rhel7/checks"
+        "e.g.: ~/scap-security-guide/build/rhel9/checks"
     )
     p.add_argument(
         "--platforms-dir", required=True,
         help="Path to directory which contains prebuilt platforms. "
-             "e.g.: ~/scap-security-guide/build/rhel7/platforms"
+             "e.g.: ~/scap-security-guide/build/rhel9/platforms"
     )
     p.add_argument(
         "--cpe-items-dir", required=True,
         help="Path to directory which contains compiled CPE items. "
-             "e.g.: ~/scap-security-guide/build/rhel7/cpe_items"
+             "e.g.: ~/scap-security-guide/build/rhel9/cpe_items"
     )
     p.add_argument(
         "--remediations-dir", required=True,
         help="Path to which remediations will be generated. "
-        "e.g.: ~/scap-security-guide/build/rhel7/fixes_from_templates"
+        "e.g.: ~/scap-security-guide/build/rhel9/fixes_from_templates"
     )
     args = p.parse_args()
     return args

diff --git a/build-scripts/build_xccdf.py b/build-scripts/build_xccdf.py
@@ -32,22 +32,22 @@ def parse_args():
     parser.add_argument(
         "--product-yaml", required=True,
         help="YAML file with information about the product we are building. "
-        "e.g.: ~/scap-security-guide/rhel7/product.yml"
+        "e.g.: ~/scap-security-guide/rhel9/product.yml"
     )
     parser.add_argument(
         "--xccdf", required=True,
         help="Output XCCDF file. "
-        "e.g.:  ~/scap-security-guide/build/rhel7/ssg-rhel7-xccdf.xml"
+        "e.g.:  ~/scap-security-guide/build/rhel9/ssg-rhel9-xccdf.xml"
     )
     parser.add_argument(
         "--ocil", required=True,
         help="Output OCIL file. "
-        "e.g.:  ~/scap-security-guide/build/rhel7/ssg-rhel7-ocil.xml"
+        "e.g.:  ~/scap-security-guide/build/rhel9/ssg-rhel9-ocil.xml"
     )
     parser.add_argument(
         "--oval", required=True,
         help="Output OVAL file. "
-        "e.g.:  ~/scap-security-guide/build/rhel7/ssg-rhel7-oval.xml"
+        "e.g.:  ~/scap-security-guide/build/rhel9/ssg-rhel9-oval.xml"
     )
     parser.add_argument(
         "--build-ovals-dir",
@@ -61,7 +61,7 @@ def parse_args():
     parser.add_argument(
         "--thin-ds-components-dir",
         help="Directory to store XCCDF, OVAL, OCIL, for thin data stream. (off: to disable)"
-        "e.g.: ~/scap-security-guide/build/rhel7/thin_ds_component/"
+        "e.g.: ~/scap-security-guide/build/rhel9/thin_ds_component/"
         "Fake profiles are used to create thin DS. Components are generated for each profile.",
     )
     return parser.parse_args()

diff --git a/build-scripts/collect_remediations.py b/build-scripts/collect_remediations.py
@@ -29,7 +29,7 @@ def parse_args():
     p.add_argument(
         "--product-yaml", required=True,
         help="YAML file with information about the product we are building. "
-        "e.g.: ~/scap-security-guide/rhel7/product.yml"
+        "e.g.: ~/scap-security-guide/rhel9/product.yml"
     )
     p.add_argument(
         "--resolved-rules-dir", required=True,

diff --git a/build-scripts/combine_ovals.py b/build-scripts/combine_ovals.py
@@ -38,7 +38,7 @@ def parse_args():
         required=True,
         dest="product_yaml",
         help="YAML file with information about the product we are building. "
-        "e.g.: ~/scap-security-guide/rhel7/product.yml",
+        "e.g.: ~/scap-security-guide/rhel9/product.yml",
     )
     p.add_argument(
         "--build-ovals-dir",

diff --git a/build-scripts/compile_all.py b/build-scripts/compile_all.py
@@ -25,7 +25,7 @@ def create_parser():
     parser.add_argument(
         "--product-yaml", required=True,
         help="YAML file with information about the product we are building. "
-        "e.g.: ~/scap-security-guide/products/rhel7/product.yml "
+        "e.g.: ~/scap-security-guide/products/rhel9/product.yml "
         "needed for autodetection of profile root"
     )
     parser.add_argument(

diff --git a/build-scripts/compile_product.py b/build-scripts/compile_product.py
@@ -8,7 +8,7 @@ def create_parser():
     parser.add_argument(
         "--product-yaml", required=True,
         help="YAML file with information about the product we are building. "
-        "e.g.: ~/scap-security-guide/products/rhel7/product.yml "
+        "e.g.: ~/scap-security-guide/products/rhel9/product.yml "
         "needed for autodetection of profile root"
     )
     parser.add_argument(

diff --git a/build-scripts/compose_ds.py b/build-scripts/compose_ds.py
@@ -183,7 +183,7 @@ def parse_args():
         help="Directory where XCCDF, OVAL, OCIL files with lower case prefixes "
         "xccdf, oval, ocil are stored to build multiple data streams. "
         "Multiple streams are generated in the thin_ds subdirectory. (off: to disable) "
-        "e.g.: ~/scap-security-guide/build/rhel7/thin_ds_component/",
+        "e.g.: ~/scap-security-guide/build/rhel9/thin_ds_component/",
     )
     return parser.parse_args()
 

diff --git a/build-scripts/cpe_generate.py b/build-scripts/cpe_generate.py
@@ -32,7 +32,7 @@ def parse_args():
     p.add_argument(
         "--product-yaml",
         help="YAML file with information about the product we are building. "
-        "e.g.: ~/scap-security-guide/rhel7/product.yml "
+        "e.g.: ~/scap-security-guide/rhel9/product.yml "
         "needed for autodetection of profile root"
     )
     p.add_argument(
@@ -54,7 +54,7 @@ def parse_args():
     p.add_argument(
         "--thin-ds-components-dir",
         help="Directory to store CPE OVAL for thin data stream. (off: to disable)"
-        "e.g.: ~/scap-security-guide/build/rhel7/thin_ds_component/"
+        "e.g.: ~/scap-security-guide/build/rhel9/thin_ds_component/"
         "Fake profiles are used to create thin DS. Components are generated for each profile."
         "The minimal cpe will be generated from the minimal XCCDF, "
         "which is in the same directory.",

diff --git a/build-scripts/enable_derivatives.py b/build-scripts/enable_derivatives.py
@@ -25,19 +25,15 @@
 oval_ns = ssg.constants.oval_namespace
 
 CENTOS_NOTICE_ELEMENT = ssg.xml.ElementTree.fromstring(ssg.constants.CENTOS_NOTICE)
-SL_NOTICE_ELEMENT = ssg.xml.ElementTree.fromstring(ssg.constants.SL_NOTICE)
 
 CENTOS_WARNING = 'centos_warning'
-SL_WARNING = 'sl_warning'
 
 
 def parse_args():
     usage = "usage: %prog [options]"
     parser = OptionParser(usage=usage)
     parser.add_option("--enable-centos", dest="centos", default=False,
                       action="store_true", help="Enable CentOS")
-    parser.add_option("--enable-sl", dest="sl", default=False,
-                      action="store_true", help="Enable Scientific Linux")
     parser.add_option("-i", "--input", dest="input_content", default=False,
                       action="store",
                       help="INPUT can be XCCDF or Source data stream")
@@ -56,13 +52,6 @@ def parse_args():
 
     (options, args) = parser.parse_args()
 
-    if options.centos and options.sl:
-        sys.stderr.write(
-            "Cannot enable two derivative OS(s) at the same time\n"
-        )
-        parser.print_help()
-        sys.exit(1)
-
     if not options.output and not options.input_content:
         parser.print_help()
         sys.exit(1)
@@ -84,12 +73,6 @@ def main():
         warning = CENTOS_WARNING
         derivative = "CentOS"
 
-    if options.sl:
-        mapping = ssg.constants.RHEL_SL_CPE_MAPPING
-        notice = SL_NOTICE_ELEMENT
-        warning = SL_WARNING
-        derivative = "Scientific Linux"
-
     tree = ssg.xml.open_xml(options.input_content)
     root = tree.getroot()
 
@@ -111,6 +94,9 @@ def main():
             # intended to test content that will get into RHEL
             ssg.build_derivatives.profile_handling(benchmark, namespace)
         if not ssg.build_derivatives.add_cpes(benchmark, namespace, mapping):
+            import pprint
+            pprint.pprint(namespace)
+            pprint.pprint(mapping)
             raise RuntimeError(
                 "Could not add derivative OS CPEs to Benchmark '%s'."
                 % (benchmark)

diff --git a/build_product b/build_product
@@ -329,9 +329,6 @@ set_no_derivatives_options() {
 	if grep -q 'rhel' <<< "${_arg_product[*]}"; then
 		CMAKE_OPTIONS+=("-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF")
 	fi
-	if grep -q 'rhel7' <<< "${_arg_product[*]}"; then
-		CMAKE_OPTIONS+=("-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF")
-	fi
 }
 
 set_explict_build_targets() {
@@ -363,7 +360,6 @@ all_cmake_products=(
 	OL8
 	OL9
 	OPENSUSE
-	RHEL7
 	RHEL8
 	RHEL9
 	RHEL10