forked from canonical/ubuntu-security-guide
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README.build
128 lines (88 loc) · 5.11 KB
/
README.build
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
The CaC-based usg requires some additional steps in before its package can be
built. This README file contains information on how to execute these steps.
Prerequisite: build the CaC project
METHOD 1: FULLY SCRIPTED
========================
1. Modify the configuration variables in tools/build_config.ini to match your paths and desired settings.
2. Run tools/build.py -- no arguments necessary.
3. Package the project as a deb using your preferred tooling.
METHOD 2: LESS-AUTOMATED
========================
* STEP 1. Update the rules
After you fetch the CaC-based usg project from the git repo, you need to copy
the (properly built) CaC rules from the CaC project directory. Use the
`pre_package_build.sh` script located in the tools subdirectory in order to
automatically do this copy for you.
Note that you need to provide both the location of the CaC project directory
(don't forget to build it first!) and the location of the usg project as
parameters.
If this *change is related to an major update* to the benchmarks included into
the `usg-benchmarks` package, remember to increase the number of the Package
parameter in the debian/control file. For instance, suppose the current value
below for the Package parameter:
...
Package: usg-benchmarks-1
...
You need to change that value to:
...
Package: usg-benchmarks-2
...
** When this step must be done?
Every time a rule is changed/added/removed from the one of the profiles we
care about!
* STEP 2. Update the documentation
The usg provides documentation files for the the rules and the parameters used
by the rules. So it's wise to update the files `usg-rules.md` and
`usg-variables.md`. In order to do that, use the
`create_rule_and_variable_doc.py` python script located in the tools
subdirectory. A command usage example for extracting rules documentation is
below:
python <usg directory>/tools/create_rule_and_variable_doc.py rules <cac directory>/products/ubuntu2004/profiles <usg directory>/benchmarks/Canonical_Ubuntu_20.04_Benchmarks-xccdf.xml
<cac directory> represents the path to the CaC project, while
<usg directory> represents the path to the usg project.
Then just override all the text under the 'LIST OF RULES AND DESCRIPTIONS'
section with the information provided by the script.
The procedure for variables is similar. Start by executing the command:
python <usg directory>/tools/create_rule_and_variable_doc.py variables <cac directory>/products/ubuntu2004/profiles <usg directory>/benchmarks/Canonical_Ubuntu_20.04_Benchmarks-xccdf.xml
Then override all the text under the 'LIST OF VARIABLES AND THEIR DESCRIPTION'
section with the information provided by the script.
** When this step must be done?
When the documentation of a rule used by a profile we care change, or when
a new rule is added or when a rule is removed.
TODO: update the <usg directory>/tools/create_rule_and_variable_doc.py script to automatically
update the documentation, without any manual intervention required.
* STEP 3. Update the tailoring files
All the current tailoring files are located into the tailoring subdirectory.
Four are associated with CIS profiles (cis_level{1,2}_{server,workstation}-tailoring.xml)
while a single one (stig-tailoring.xml) is associated with DISA-STIG.
The tools/ directory provides the `generate_tailoring_file.py` script, which
can be used to help update the aforementioned tailoring files. For
instance, execute the command below to fetch the data for updating the
`cis_level1_server-tailoring.xml`:
python <usg directory>/tools/generate_tailoring_file.py <cac directory>/products/ubuntu2004/profiles/cis_level1_server.profile <usg directory>/benchmarks/Canonical_Ubuntu_20.04_Benchmarks-xccdf.xml
The output data must be put into the <usg directory>/tailoring/cis_level1_server-tailoring.xml
file, under the `xccdf:Profile` element. You can override the other elements
under the `xccdf:Profile` element, except for the `xccdf:title` and
`xccdf:description` elements which must be preserved.
Also, if and only if you increased the number of the Package parameter in the
debian/control file, make sure you update the `benchmark` element of the header
with the same number. For example, suppose you updated the value as described
in the example of the Step 1. Now you have the following value in the headed of
cis_level1_server-tailoring.xml:
...
<cdf-11-tailoring:benchmark href="/usr/share/ubuntu-scap-security-guides/1/benchmarks/Canonical_Ubuntu_20.04_Benchmarks-xccdf.xml"/>
...
So, update the value to the same value used in Step 2:
...
<cdf-11-tailoring:benchmark href="/usr/share/ubuntu-scap-security-guides/2/benchmarks/Canonical_Ubuntu_20.04_Benchmarks-xccdf.xml"/>
...
Repeat the aforementioned procedure for the other 3 CIS profiles and for the single DISA-STIG
profile.
** When this step must be done?
When a new rule is added, a rule is removed or its base description is changed and the rule
belongs to a profile we care about.
* STEP 4. Build the package
Use your favorite way of building the package. Be it local or through the PPAs.
If, and only if, you updated the Package value in the Step 2, a usg-benchmarks
package will be created with the updated number as a suffix to the package
name.