-
Notifications
You must be signed in to change notification settings - Fork 9
/
generate_arf.sh
executable file
·111 lines (91 loc) · 2.46 KB
/
generate_arf.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
#!/usr/bin/env bash
# This script generates ARF results.
# Supported OS:
# - Fedora
# - RHEL8/9
# - Centos8/9
# Requirements:
# - cmake
# - make
# - openscap-utils
# - openscap-scanner
# - python3-pyyaml
# - python3-jinja2
# - python3-setuptools
# - git
# - scap-security-guide
# Usage: ./generate_arf MODE FETCH PRODUCT ARF_FILE SKIP_BUILD
# MODE [latest, ssg] use scap-security-guide or latest content from github
# FETCH [yes, no] scanner fetch remote resources
# ARF_FILE Writes results to a given ARF_FILE.
# SKIP_BUILD [yes] Skip build of latest content(Have affect with mode latest).
set -e -o pipefail
build_content() {
product=$1
echo "Build - Start"
git clone https://github.com/ComplianceAsCode/content.git
cd content/
git checkout master
cd build/
cmake ../
make -j4 "${product}"
cd ../../
echo "Build - Done"
}
run_oscap_scan() {
ds=$1
fetch=$2
file=$3
echo "Scans - Start"
oscap xccdf eval ${fetch} --profile "(all)" --results-arf ${file} ${ds} || EXIT_CODE=$?
echo $EXIT_CODE
if [ ! -f "$file" ]; then
echo "$file does not exist." >&2
exit 2
fi
}
get_product() {
cpe_name=$(grep "CPE_NAME=" < /etc/os-release | sed 's/CPE_NAME=//g' | sed 's/["]//g')
if [[ "${cpe_name}" =~ fedora ]]; then
echo "fedora"
elif [[ "${cpe_name}" =~ redhat ]]; then
version=$(grep VERSION_ID /etc/os-release | grep -o "[0-9]\+" | head -n1)
echo "rhel${version}"
elif [[ "${cpe_name}" =~ centos.*8 ]]; then
echo "centos8"
elif [[ "${cpe_name}" =~ centos ]]; then
version=$(grep VERSION_ID /etc/os-release | grep -o "[0-9]\+")
echo "cs${version}"
else
echo $cpe_name
echo "ERROR: Not supported OS!" >&2
exit 1
fi
}
if [ "$1" = "" ]; then
echo "ERROR: Missing MODE parameter!" >&2
exit 1
fi
if [ "$2" = "" ]; then
echo "ERROR: Missing FETCH parameter!" >&2
exit 1
fi
if [ "$3" = "" ]; then
echo "ERROR: Missing ARF_FILE parameter!" >&2
exit 1
fi
file=$3
product=$(get_product)
fetch="--fetch-remote-resources"
if [ "$2" = "no" ]; then
fetch=""
fi
if [ "$1" = "latest" ]; then
if [ "$4" != "yes" ]; then
build_content "${product}"
fi
run_oscap_scan "./content/build/ssg-${product}-ds.xml" "${fetch}" "${file}"
fi
if [ "$1" = "ssg" ]; then
run_oscap_scan "/usr/share/xml/scap/ssg/content/ssg-${product}-ds.xml" "${fetch}" "${file}"
fi