From a5df4d3b9aa13fa4dbf4e510f3ed55950f94a66e Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Thu, 1 Feb 2024 15:57:03 +0100
Subject: [PATCH 01/13] add manual etcd backup rule
---
.../openshift/etcd/etcd_backup/rule.yml | 26 +++++++++++++++++++
.../etcd/etcd_backup/tests/ocp4/e2e.yml | 2 ++
2 files changed, 28 insertions(+)
create mode 100644 applications/openshift/etcd/etcd_backup/rule.yml
create mode 100644 applications/openshift/etcd/etcd_backup/tests/ocp4/e2e.yml
diff --git a/applications/openshift/etcd/etcd_backup/rule.yml b/applications/openshift/etcd/etcd_backup/rule.yml
new file mode 100644
index 00000000000..013b46bb39a
--- /dev/null
+++ b/applications/openshift/etcd/etcd_backup/rule.yml
@@ -0,0 +1,26 @@
+documentation_complete: true
+
+title: Configure recurring backups for etcd
+
+description: |-
+
+ Back up your clusters etcd data regularly and store in a secure location ideally outside the OpenShift Container Platform environment. Do not take an etcd backup before the first certificate rotation completes, which occurs 24 hours after installation, otherwise the backup will contain expired certificates. It is also recommended to take etcd backups during non-peak usage hours because the etcd snapshot has a high I/O cost.
+
+
+ For more information, follow
+ {{{ weblink(link="https://docs.openshift.com/container-platform/latest/backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.html#backing-up-etcd-data_backup-etcd",
+ text="the relevant documentation") }}}.
+
+
+rationale: |-
+ While etcd automatically recovers from temporary failures, issues may arise if an etcd cluster loses more than (N-1)/2 or when an update goes wrong.
+ Recurring backups of etcd enable you to recover from a disastrous fail.
+
+identifiers: {}
+
+severity: medium
+
+ocil_clause: 'etcd backup needs review'
+
+ocil: |-
+ Ensure, that you have a process in place, that ensures that you do recurring backups for etcd.
diff --git a/applications/openshift/etcd/etcd_backup/tests/ocp4/e2e.yml b/applications/openshift/etcd/etcd_backup/tests/ocp4/e2e.yml
new file mode 100644
index 00000000000..69a7d085eb4
--- /dev/null
+++ b/applications/openshift/etcd/etcd_backup/tests/ocp4/e2e.yml
@@ -0,0 +1,2 @@
+---
+default_result: MANUAL
From 778a1be9b72942a8ec5da552e53c8a2ad8f0f490 Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Thu, 14 Mar 2024 13:17:45 +0100
Subject: [PATCH 02/13] Defined notes and rules for control BSI APP.4.4.A5
---
.../openshift/etcd/etcd_backup/rule.yml | 5 ++-
.../rule.yml | 43 +++++++++++++++++++
.../tests/ocp4/e2e.yml | 3 ++
.../var_backup_solution_crds_regex.var | 15 +++++++
controls/bsi_app_4_4.yml | 35 +++++++++------
5 files changed, 88 insertions(+), 13 deletions(-)
create mode 100644 applications/openshift/general/general_backup_solution_installed/rule.yml
create mode 100644 applications/openshift/general/general_backup_solution_installed/tests/ocp4/e2e.yml
create mode 100644 applications/openshift/general/var_backup_solution_crds_regex.var
diff --git a/applications/openshift/etcd/etcd_backup/rule.yml b/applications/openshift/etcd/etcd_backup/rule.yml
index 013b46bb39a..4b234d1d3cc 100644
--- a/applications/openshift/etcd/etcd_backup/rule.yml
+++ b/applications/openshift/etcd/etcd_backup/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-title: Configure recurring backups for etcd
+title: Configure Recurring Backups For etcd
description: |-
@@ -18,6 +18,9 @@ rationale: |-
identifiers: {}
+references:
+ bsi: APP.4.4.A5
+
severity: medium
ocil_clause: 'etcd backup needs review'
diff --git a/applications/openshift/general/general_backup_solution_installed/rule.yml b/applications/openshift/general/general_backup_solution_installed/rule.yml
new file mode 100644
index 00000000000..34056c9f31c
--- /dev/null
+++ b/applications/openshift/general/general_backup_solution_installed/rule.yml
@@ -0,0 +1,43 @@
+documentation_complete: true
+
+title: A Backup Solution Has To Be Installed
+
+description: |-
+ Backup and Restore are fundamental practices when it comes to disaster recovery. By utilizing a Backup Software you are able to backup (and restore) data, which is lost, if your cluster crashes beyong recoverability.
+ There are multiple Backup Solutions on the Market which diverge in Features. Thus some of them might only backup your cluster, others might also be able to backup VMs or PVCs running in your Cluster.
+
+rationale: |-
+ Backup and Recovery abilities are a necessity to recover from a disaster.
+
+identifiers: {}
+
+references:
+ bsi: APP.4.4.A5
+
+severity: medium
+
+ocil_clause: 'No CRDs from a known backup solution installed'
+
+ocil: |-
+ Run the following command to retrieve the customresourcedefinitions objects in the system:
+
$ oc crds
+ Make sure there is a crd of a backup solution. Also make sure, that the backup solution is properly configured and that you are able to recover from the backups.
+ You can add your known CRD to the var_backup_solution_crds_regex, to allowlist your own backup solution.
+
+{{% set jqfilter = '[.items[] | if select(.metadata.name | test("{{.var_backup_solution_crds_regex}}"))!=null then true else false end]' %}}
+
+warnings:
+- general: |-
+ {{{ openshift_filtered_cluster_setting({'/apis/apiextensions.k8s.io/v1/customresourcedefinitions?limit=500': jqfilter}) | indent(4) }}}
+
+template:
+ name: yamlfile_value
+ vars:
+ ocp_data: 'true'
+ filepath: "{{{ openshift_filtered_path('/apis/apiextensions.k8s.io/v1/customresourcedefinitions?limit=500', jqfilter) }}}"
+ yamlpath: "[:]"
+ entity_check: "at least one"
+ values:
+ - value: 'true'
+ type: "string"
+ entity_check: "at least one"
diff --git a/applications/openshift/general/general_backup_solution_installed/tests/ocp4/e2e.yml b/applications/openshift/general/general_backup_solution_installed/tests/ocp4/e2e.yml
new file mode 100644
index 00000000000..48b8bc4996a
--- /dev/null
+++ b/applications/openshift/general/general_backup_solution_installed/tests/ocp4/e2e.yml
@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+
diff --git a/applications/openshift/general/var_backup_solution_crds_regex.var b/applications/openshift/general/var_backup_solution_crds_regex.var
new file mode 100644
index 00000000000..b5cf0459b1f
--- /dev/null
+++ b/applications/openshift/general/var_backup_solution_crds_regex.var
@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'Known CRDs which are provided by backup solutions'
+
+description: |-
+ 'A regular expression that lists all CRDs that are known to be part of a backup solution'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ default: '^DataProtectionApplication\\.oadp\\.openshift\\.io$|^backups\\.velero\\.io$|^policies\\.config\\.kio\\.kasten\\.io$'
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index 8fd3dc9ff16..6d3e8911f20 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
@@ -143,19 +143,30 @@ controls:
levels:
- basic
description: >-
- A cluster MUST have a backup. The backup MUST include:
- • Persistent volumes
- • Configuration files for Kubernetes and the other programs of the control plane
- • The current state of the Kubernetes cluster, including extensions
- • Databases of the configuration (namely etcd in this case)
- • All infrastructure applications required to operate the cluster and the services within it
- • The data storage of the code and image registries
- Snapshots for the operation of the applications SHOULD also be considered. Snapshots MUST
- NOT be considered a substitute for backups.
+ (1) A cluster MUST have a backup. The backup MUST include:
+ (2) • Persistent volumes
+ (3) • Configuration files for Kubernetes and the other programs of the control plane
+ (4) • The current state of the Kubernetes cluster, including extensions
+ (5) • Databases of the configuration (namely etcd in this case)
+ (6) • All infrastructure applications required to operate the cluster and the services within it
+ (7) • The data storage of the code and image registries
+ (8) Snapshots for the operation of the applications SHOULD also be considered. Snapshots MUST NOT be considered a substitute for backups.
notes: >-
- TBD
- status: pending
- rules: []
+ The data backup of a cluster must be individually defined as part of the system architecture as part of the operating model. The areas of responsibility for the container platform (cluster administration), the infrastructure services (system administration) and the application management (technical administration) should be considered separately.
+
+ For data backup as part of cluster administration (Kubernetes configuration, current state of the Kubernetes cluster, configuration database) the integrated functions or methods of OpenShift must be used. System administration and specialist administration must be carried out in accordance with the respective specifications.
+
+ Snapshots for persistent volumes are supported when using OpenShift's Container Storage Interface (CSI) drivers. OpenShift offers an easily configurable backup system with the OpenShift API for Data Protection (OADP).
+
+ Additional third-party solutions for backup are also available in the OperatorHub.
+
+ The checks are not checking the requirement in detail. They only setup a foundation to implement the configurations as described. For Section 3,4 and 6 a GitOps approach might achieve the best results. for 2 and 7 a sufficient backup solution is needed. 5 can be achieved with onboard utilities. 8 is dependend on the CSI provider and the available features
+ status: partial
+ rules:
+ # Section 2,7
+ - general_backup_solution_installed
+ # Section 5
+ - etcd_backup
- id: APP.4.4.A6
title: Initialisation of Pods
From 933b37690a35281999e2f1e6e5e6113534c8a62a Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Wed, 22 May 2024 22:52:45 +0200
Subject: [PATCH 03/13] add identifiers to rules
---
applications/openshift/etcd/etcd_backup/rule.yml | 3 ++-
.../general/general_backup_solution_installed/rule.yml | 3 ++-
shared/references/cce-redhat-avail.txt | 2 --
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/applications/openshift/etcd/etcd_backup/rule.yml b/applications/openshift/etcd/etcd_backup/rule.yml
index 4b234d1d3cc..9db8425b369 100644
--- a/applications/openshift/etcd/etcd_backup/rule.yml
+++ b/applications/openshift/etcd/etcd_backup/rule.yml
@@ -16,7 +16,8 @@ rationale: |-
While etcd automatically recovers from temporary failures, issues may arise if an etcd cluster loses more than (N-1)/2 or when an update goes wrong.
Recurring backups of etcd enable you to recover from a disastrous fail.
-identifiers: {}
+identifiers:
+ cce@ocp4: CCE-88188-8
references:
bsi: APP.4.4.A5
diff --git a/applications/openshift/general/general_backup_solution_installed/rule.yml b/applications/openshift/general/general_backup_solution_installed/rule.yml
index 34056c9f31c..ead60299b17 100644
--- a/applications/openshift/general/general_backup_solution_installed/rule.yml
+++ b/applications/openshift/general/general_backup_solution_installed/rule.yml
@@ -9,7 +9,8 @@ description: |-
rationale: |-
Backup and Recovery abilities are a necessity to recover from a disaster.
-identifiers: {}
+identifiers:
+ cce@ocp4: CCE-90185-0
references:
bsi: APP.4.4.A5
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 2b189a3795a..210efeddfcb 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1420,7 +1420,6 @@ CCE-88183-9
CCE-88184-7
CCE-88186-2
CCE-88187-0
-CCE-88188-8
CCE-88189-6
CCE-88190-4
CCE-88191-2
@@ -3200,7 +3199,6 @@ CCE-90181-9
CCE-90182-7
CCE-90183-5
CCE-90184-3
-CCE-90185-0
CCE-90186-8
CCE-90188-4
CCE-90189-2
From e7b4cfa3b4b2b97edddd9716fd49ad232e7c69b2 Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Wed, 22 May 2024 22:52:56 +0200
Subject: [PATCH 04/13] set variable to interactive
---
.../openshift/general/var_backup_solution_crds_regex.var | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/applications/openshift/general/var_backup_solution_crds_regex.var b/applications/openshift/general/var_backup_solution_crds_regex.var
index b5cf0459b1f..63b099ce0b4 100644
--- a/applications/openshift/general/var_backup_solution_crds_regex.var
+++ b/applications/openshift/general/var_backup_solution_crds_regex.var
@@ -9,7 +9,7 @@ type: string
operator: equals
-interactive: false
+interactive: true
options:
default: '^DataProtectionApplication\\.oadp\\.openshift\\.io$|^backups\\.velero\\.io$|^policies\\.config\\.kio\\.kasten\\.io$'
From 67e2200e10ec77d82c503bafb293c642a2cf7532 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 15 May 2024 13:11:58 +0200
Subject: [PATCH 05/13] Minor updates in comments
---
CMakeLists.txt | 57 ++++++++++++++++++++++----------------------------
1 file changed, 25 insertions(+), 32 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 0c6959fbcab..93b8159281e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -21,7 +21,7 @@ project(scap-security-guide NONE)
list(APPEND CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake")
-# This is set to silence GNUInstallDirs warning about no language being used with cmake
+# This is set to silence GNUInstallDirs warning about no language being used with cmake.
set(CMAKE_INSTALL_LIBDIR "/nowhere")
include(GNUInstallDirs)
include(FindPythonModule)
@@ -67,16 +67,14 @@ option(SSG_SCE_ENABLED "If enabled, additional SCE audit content will be enabled
option(SSG_SRG_XLSX_EXPORT "If enabled, an XLSX of SRG Export will be ceated." FALSE)
set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
-# SSG_PRODUCT_DEFAULT modifies the behavior of all other options. Products
-# which should be built by default should use the value ${SSG_PRODUCT_DEFAULT}
-# instead of the boolean True. This allows us disable all default products by
-# passing `-DSSG_PRODUCT_DEFAULT=OFF` and then manually specifying a list of
-# products to build.
+# SSG_PRODUCT_DEFAULT modifies the behavior of all other options. Products which should be built
+# by default should use the value ${SSG_PRODUCT_DEFAULT} instead of the boolean True. This allows
+# us to disable all default products by passing `-DSSG_PRODUCT_DEFAULT=OFF` and then manually
+# specifying a list of products to build.
option(SSG_PRODUCT_DEFAULT "If enabled, all default release products will be built; otherwise only explicitly enabled products will be" TRUE)
-# Products to build content for. These generally correspond to directories in
-# the root of this project. Note that the example product is always disabled
-# unless explicitly asked for.
+# Products to build content for. These generally correspond to directories in the root of this
+# project. Note that the example product is always disabled unless explicitly asked for.
option(SSG_PRODUCT_ALINUX2 "If enabled, the Alibaba Cloud Linux 2 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_ALINUX3 "If enabled, the Alibaba Cloud Linux 3 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_ANOLIS8 "If enabled, the Anolis OS 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -130,8 +128,7 @@ message(STATUS "SCAP Security Guide ${SSG_VERSION}")
message(STATUS "(see ${CMAKE_SOURCE_DIR}/docs/manual/developer_guide.adoc for build instructions)")
message(STATUS "")
-# Strictly speaking in-source will work but will be very messy, let's
-# discourage our users from using them
+# Strictly speaking in-source will work but will be very messy so it is not supported.
if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_BINARY_DIR}")
message(FATAL_ERROR "In-source builds are not supported! Please use out of source builds:\n"
"$ cd content\n"
@@ -181,21 +178,20 @@ if(NOT SSG_TARGET_OVAL_VERSION VERSION_EQUAL "5.11")
message(WARNING "You are targeting OVAL version ${SSG_TARGET_OVAL_VERSION}. In SSG we support/test 5.11 only!")
endif()
-# OCP4 requires non-standard extensions. Vanilla OpenSCAP 1.2 doesn't support
-# it. See also: https://github.com/ComplianceAsCode/content/issues/6798
+# OCP4 requires non-standard extensions. Vanilla OpenSCAP 1.2 doesn't support it.
+# See also: https://github.com/ComplianceAsCode/content/issues/6798
if("${OSCAP_VERSION}" VERSION_LESS "1.3.4" AND SSG_PRODUCT_OCP4)
set(SSG_PRODUCT_OCP4 OFF)
message(WARNING "Won't build OCP4 content as it requires an OpenSCAP version with OCP4 support. See also: https://github.com/ComplianceAsCode/content/issues/6798. n.b.: if 1.3.4 fails to build OCP4 content, please update to 1.3.5")
endif()
-# EKS requires non-standard extensions. Vanilla OpenSCAP 1.2 doesn't support
-# it. See also: https://github.com/ComplianceAsCode/content/issues/6798
+# EKS requires non-standard extensions. Vanilla OpenSCAP 1.2 doesn't support it.
+# See also: https://github.com/ComplianceAsCode/content/issues/6798
if("${OSCAP_VERSION}" VERSION_LESS "1.3.4" AND SSG_PRODUCT_EKS)
set(SSG_PRODUCT_EKS OFF)
message(WARNING "Won't build EKS content as it requires an OpenSCAP version with EKS support. See also: https://github.com/ComplianceAsCode/content/issues/6798. n.b.: if 1.3.4 fails to build EKS content, please update to 1.3.5")
endif()
-
if(SSG_JINJA2_CACHE_ENABLED)
file(MAKE_DIRECTORY "${SSG_JINJA2_CACHE_DIR}")
if(NOT EXISTS "${SSG_JINJA2_CACHE_DIR}")
@@ -343,9 +339,9 @@ message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OPENEMBEDDED}")
message(STATUS " ")
-# Remove this option when we would like to run ansible-lint and yamllint against our playbooks by default.
-# Right now these checks are not performed and need to be enabled by adding -DANSIBLE_CHECKS=ON to cmake
-# before running ctest.
+# Remove this option when we would like to run ansible-lint and yamllint against our playbooks by
+# default. Right now these checks are not performed and need to be enabled by adding
+# -DANSIBLE_CHECKS=ON to cmake before running ctest.
option(ANSIBLE_CHECKS "Set to ON to enable ansible-lint and yamllint checks" OFF)
enable_testing()
@@ -353,8 +349,8 @@ include(SSGCommon)
add_subdirectory("tests")
-# Targets 'stats', 'profile-stats' and 'zipfile' need to be added
-# before any product because they will receive dependencies from products added
+# Targets 'stats', 'profile-stats' and 'zipfile' need to be added before any product because they
+# will receive dependencies from products added.
ssg_build_zipfile_target("scap-security-guide-${SSG_VERSION}")
add_custom_target(stats)
@@ -473,11 +469,10 @@ if(SSG_PRODUCT_OPENEMBEDDED)
add_subdirectory("products/openembedded" "openembedded")
endif()
-# ZIP only contains source data streams and kickstarts, people who
-# want sources to build from should get the tarball instead.
+# ZIP only contains source datastreams and kickstarts.
+# People who want sources to build from should get the tarball instead.
ssg_build_zipfile("scap-security-guide-${SSG_VERSION}")
-
ssg_define_guide_and_table_tests()
install(FILES "${CMAKE_SOURCE_DIR}/LICENSE"
@@ -490,10 +485,8 @@ install(FILES "${CMAKE_SOURCE_DIR}/Contributors.md"
install(FILES "${CMAKE_BINARY_DIR}/scap-security-guide.8"
DESTINATION "${CMAKE_INSTALL_MANDIR}/man8")
-# We use CPack to generate the tarball with all sources and
-# packages for testing
-
-# only CPack should follow
+# We use CPack to generate the tarball with all sources and packages for testing.
+# Only CPack should follow.
set(CPACK_CMAKE_GENERATOR "Unix Makefiles")
set(CPACK_SOURCE_GENERATOR "TBZ2")
set(CPACK_SOURCE_PACKAGE_FILE_NAME "scap-security-guide-${SSG_VERSION}" CACHE INTERNAL "tarball basename")
@@ -536,11 +529,11 @@ The %{name} package also contains HTML formatted documents containing
hardening guidances that have been generated from XCCDF benchmarks.
")
-# Change the default file name of the RPMs
-# %{release} includes release number and dist type
-# This only has effect with cmake v3.6 or higher
+# Change the default file name of the RPMs.
+# %{release} includes release number and dist type.
+# This only has effect with cmake v3.6 or higher.
set(CPACK_RPM_FILE_NAME "%{name}-%{version}-%{release}.rpm")
-# For older versions of cmake (e.g. v2.8) file name is defined like below
+# For older versions of cmake (e.g. v2.8) file name is defined like below.
set(CPACK_PACKAGE_FILE_NAME "scap-security-guide-${SSG_VERSION}")
set(CPACK_PACKAGE_CHECKSUM SHA512)
From 7eacbfa0949a0df918625c44d1ef88ef79492634 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 15 May 2024 13:33:13 +0200
Subject: [PATCH 06/13] Group similar variables
For better readability.
---
CMakeLists.txt | 61 +++++++++++++++++++++++++-------------------------
1 file changed, 31 insertions(+), 30 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 93b8159281e..48bed1ea72f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,4 +1,5 @@
cmake_minimum_required(VERSION 2.8.12)
+project(scap-security-guide NONE)
# Inspired and referenced from https://blog.kitware.com/cmake-and-the-default-build-type
if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
@@ -17,8 +18,6 @@ if(NOT SSG_THIN_DS)
set(SSG_THIN_DS_RULE_ID "off")
endif()
-project(scap-security-guide NONE)
-
list(APPEND CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake")
# This is set to silence GNUInstallDirs warning about no language being used with cmake.
@@ -32,40 +31,49 @@ else()
set(ENV{PYTHONPATH} "${PROJECT_SOURCE_DIR}:$ENV{PYTHONPATH}")
endif()
-set(SSG_CONTENT_INSTALL_DIR "${CMAKE_INSTALL_DATADIR}/xml/scap/ssg/content")
-set(SSG_GUIDE_INSTALL_DIR "${CMAKE_INSTALL_DOCDIR}/guides")
-set(SSG_TABLE_INSTALL_DIR "${CMAKE_INSTALL_DOCDIR}/tables")
-set(SSG_ANSIBLE_ROLE_INSTALL_DIR "${CMAKE_INSTALL_DATADIR}/scap-security-guide/ansible")
-set(SSG_ANSIBLE_PER_RULE_PLAYBOOKS_INSTALL_DIR "${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks")
-set(SSG_BASH_ROLE_INSTALL_DIR "${CMAKE_INSTALL_DATADIR}/scap-security-guide/bash")
-set(SSG_KICKSTART_INSTALL_DIR "${CMAKE_INSTALL_DATADIR}/scap-security-guide/kickstart")
-set(SSG_TAILORING_INSTALL_DIR "${CMAKE_INSTALL_DATADIR}/scap-security-guide/tailoring")
-
+# Define Version values
set(SSG_MAJOR_VERSION 0)
set(SSG_MINOR_VERSION 1)
set(SSG_PATCH_VERSION 74)
set(SSG_VERSION "${SSG_MAJOR_VERSION}.${SSG_MINOR_VERSION}.${SSG_PATCH_VERSION}")
-set(SSG_VENDOR "ssgproject" CACHE STRING "Specify the XCCDF 1.2 vendor string.")
-
set(SSG_TARGET_OVAL_MAJOR_VERSION "5" CACHE STRING "Which major version of OVAL are we targetting. Only 5 is supported at the moment.")
set(SSG_TARGET_OVAL_MINOR_VERSION "11" CACHE STRING "Which minor version of OVAL are we targetting. Only 11 is supported at the moment.")
-
set(SSG_TARGET_OVAL_VERSION "${SSG_TARGET_OVAL_MAJOR_VERSION}.${SSG_TARGET_OVAL_MINOR_VERSION}")
+set(SSG_VENDOR "ssgproject" CACHE STRING "Specify the XCCDF 1.2 vendor string.")
-option(SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED "If enabled, schematron validation will be performed as part of the ctest tests. Schematron takes a lot of time to complete but can find more issues than just plain XSD validation." TRUE)
-option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck validation of bash fixes will be performed as part of the ctest tests." TRUE)
-option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE)
-option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE)
+# Define Install Directories, where built content will be stored.
+set(SSG_ANSIBLE_ROLE_INSTALL_DIR "${CMAKE_INSTALL_DATADIR}/scap-security-guide/ansible")
+set(SSG_ANSIBLE_PER_RULE_PLAYBOOKS_INSTALL_DIR "${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks")
+set(SSG_BASH_ROLE_INSTALL_DIR "${CMAKE_INSTALL_DATADIR}/scap-security-guide/bash")
+set(SSG_CONTENT_INSTALL_DIR "${CMAKE_INSTALL_DATADIR}/xml/scap/ssg/content")
+set(SSG_GUIDE_INSTALL_DIR "${CMAKE_INSTALL_DOCDIR}/guides")
+set(SSG_KICKSTART_INSTALL_DIR "${CMAKE_INSTALL_DATADIR}/scap-security-guide/kickstart")
+set(SSG_TABLE_INSTALL_DIR "${CMAKE_INSTALL_DOCDIR}/tables")
+set(SSG_TAILORING_INSTALL_DIR "${CMAKE_INSTALL_DATADIR}/scap-security-guide/tailoring")
+
+# Define Source Directories, which will be used during the build.
+set(SSG_BUILD_SCRIPTS "${CMAKE_SOURCE_DIR}/build-scripts")
+set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
+set(SSG_SHARED "${CMAKE_SOURCE_DIR}/shared")
+set(SSG_SHARED_REFS "${SSG_SHARED}/references")
+set(SSG_SHARED_TRANSFORMS "${SSG_SHARED}/transforms")
+set(SSG_UTILS_SCRIPTS "${CMAKE_SOURCE_DIR}/utils")
+
+# Content Generation Opetions
option(SSG_ANSIBLE_PLAYBOOKS_ENABLED "If enabled, Ansible Playbooks for each profile will be built and installed." TRUE)
option(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED "If enabled, Ansible Playbooks for each rule will be built and installed." FALSE)
option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE)
-option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
-option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
option(SSG_BUILD_DISA_DELTA_FILES "If enabled, If the product has automated content from DISA for its STIG a tailoring file will be created with rules not covered by DISA's content enabled." TRUE)
+option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
option(SSG_SCE_ENABLED "If enabled, additional SCE audit content will be enabled alongside OVAL-based auditing." FALSE)
option(SSG_SRG_XLSX_EXPORT "If enabled, an XLSX of SRG Export will be ceated." FALSE)
-set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
+option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE)
+# Validation Options
+option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
+option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE)
+option(SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED "If enabled, schematron validation will be performed as part of the ctest tests. Schematron takes a lot of time to complete but can find more issues than just plain XSD validation." TRUE)
+option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck validation of bash fixes will be performed as part of the ctest tests." TRUE)
# SSG_PRODUCT_DEFAULT modifies the behavior of all other options. Products which should be built
# by default should use the value ${SSG_PRODUCT_DEFAULT} instead of the boolean True. This allows
@@ -89,12 +97,13 @@ option(SSG_PRODUCT_FEDORA "If enabled, the Fedora SCAP content will be built" ${
option(SSG_PRODUCT_FIREFOX "If enabled, the Firefox SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_MACOS1015 "If enabled, the Apple macOS 10.15 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_OCP4 "If enabled, the OCP4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-option(SSG_PRODUCT_RHCOS4 "If enabled, the RHCOS4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_OL7 "If enabled, the Oracle Linux 7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_OL8 "If enabled, the Oracle Linux 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_OL9 "If enabled, the Oracle Linux 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_OPENEMBEDDED "If enabled, the OpenEmbedded SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_OPENEULER2203 "If enabled, the openEuler 22.03 LTS content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_RHCOS4 "If enabled, the RHCOS4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_RHEL8 "If enabled, the RHEL8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_RHEL9 "If enabled, the RHEL9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -107,8 +116,6 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be
option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-option(SSG_PRODUCT_OPENEMBEDDED "If enabled, the OpenEmbedded SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-
option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
option(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED "If enabled, Scientific Linux derivative content will be built from the RHEL content" TRUE)
@@ -118,12 +125,6 @@ option(FORCE_VALIDATE_EVERYTHING "If enabled, perform all validation tests regar
# SCAPVal Options
option(ENABLE_SCAPVAL13 "Set to ON to enable SCAPVal tests" OFF)
-set(SSG_SHARED "${CMAKE_SOURCE_DIR}/shared")
-set(SSG_SHARED_REFS "${SSG_SHARED}/references")
-set(SSG_SHARED_TRANSFORMS "${SSG_SHARED}/transforms")
-set(SSG_BUILD_SCRIPTS "${CMAKE_SOURCE_DIR}/build-scripts")
-set(SSG_UTILS_SCRIPTS "${CMAKE_SOURCE_DIR}/utils")
-
message(STATUS "SCAP Security Guide ${SSG_VERSION}")
message(STATUS "(see ${CMAKE_SOURCE_DIR}/docs/manual/developer_guide.adoc for build instructions)")
message(STATUS "")
From 2e0ac21c0d784f4c7c8ae665a483c5a2e27487de Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 15 May 2024 14:14:34 +0200
Subject: [PATCH 07/13] Move some CMake tests to the beginning
Also moved some conditionals used in build time after the definition
of variables.
---
CMakeLists.txt | 64 +++++++++++++++++++++++---------------------------
1 file changed, 30 insertions(+), 34 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 48bed1ea72f..bdf14987144 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,5 +1,15 @@
cmake_minimum_required(VERSION 2.8.12)
-project(scap-security-guide NONE)
+
+# Strictly speaking in-source will work but will be very messy so it is not supported.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_BINARY_DIR}")
+ message(FATAL_ERROR "In-source builds are not supported! Please use out of source builds:\n"
+ "$ cd content\n"
+ "$ rm CMakeCache.txt\n"
+ "$ cd build\n"
+ "$ cmake ../\n"
+ "$ make -j4"
+ )
+endif()
# Inspired and referenced from https://blog.kitware.com/cmake-and-the-default-build-type
if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
@@ -9,15 +19,7 @@ if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
"MinSizeRel" "RelWithDebInfo")
endif()
-set(LOG_LEVEL "WARNING")
-if(SSG_LOG)
- set(LOG_LEVEL "DEBUG")
-endif()
-
-if(NOT SSG_THIN_DS)
- set(SSG_THIN_DS_RULE_ID "off")
-endif()
-
+project(scap-security-guide NONE)
list(APPEND CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake")
# This is set to silence GNUInstallDirs warning about no language being used with cmake.
@@ -25,18 +27,14 @@ set(CMAKE_INSTALL_LIBDIR "/nowhere")
include(GNUInstallDirs)
include(FindPythonModule)
-if("$ENV{PYTHONPATH}" STREQUAL "")
- set(ENV{PYTHONPATH} "${PROJECT_SOURCE_DIR}")
-else()
- set(ENV{PYTHONPATH} "${PROJECT_SOURCE_DIR}:$ENV{PYTHONPATH}")
-endif()
-
# Define Version values
set(SSG_MAJOR_VERSION 0)
set(SSG_MINOR_VERSION 1)
set(SSG_PATCH_VERSION 74)
set(SSG_VERSION "${SSG_MAJOR_VERSION}.${SSG_MINOR_VERSION}.${SSG_PATCH_VERSION}")
+message(STATUS "SCAP Security Guide ${SSG_VERSION}")
+
set(SSG_TARGET_OVAL_MAJOR_VERSION "5" CACHE STRING "Which major version of OVAL are we targetting. Only 5 is supported at the moment.")
set(SSG_TARGET_OVAL_MINOR_VERSION "11" CACHE STRING "Which minor version of OVAL are we targetting. Only 11 is supported at the moment.")
set(SSG_TARGET_OVAL_VERSION "${SSG_TARGET_OVAL_MAJOR_VERSION}.${SSG_TARGET_OVAL_MINOR_VERSION}")
@@ -60,6 +58,9 @@ set(SSG_SHARED_REFS "${SSG_SHARED}/references")
set(SSG_SHARED_TRANSFORMS "${SSG_SHARED}/transforms")
set(SSG_UTILS_SCRIPTS "${CMAKE_SOURCE_DIR}/utils")
+message(STATUS "(see ${CMAKE_SOURCE_DIR}/docs/manual/developer_guide.adoc for build instructions)")
+message(STATUS "")
+
# Content Generation Opetions
option(SSG_ANSIBLE_PLAYBOOKS_ENABLED "If enabled, Ansible Playbooks for each profile will be built and installed." TRUE)
option(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED "If enabled, Ansible Playbooks for each rule will be built and installed." FALSE)
@@ -74,6 +75,8 @@ option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests o
option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE)
option(SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED "If enabled, schematron validation will be performed as part of the ctest tests. Schematron takes a lot of time to complete but can find more issues than just plain XSD validation." TRUE)
option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck validation of bash fixes will be performed as part of the ctest tests." TRUE)
+option(ENABLE_SCAPVAL13 "Set to ON to enable SCAPVal tests" OFF)
+option(FORCE_VALIDATE_EVERYTHING "If enabled, perform all validation tests regardless of oscap version requirements. By default, the build system may not perform validation of some content types if the openscap used to build it is not up-to-date" FALSE)
# SSG_PRODUCT_DEFAULT modifies the behavior of all other options. Products which should be built
# by default should use the value ${SSG_PRODUCT_DEFAULT} instead of the boolean True. This allows
@@ -120,26 +123,20 @@ option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${S
option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
option(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED "If enabled, Scientific Linux derivative content will be built from the RHEL content" TRUE)
-option(FORCE_VALIDATE_EVERYTHING "If enabled, perform all validation tests regardless of oscap version requirements. By default, the build system may not perform validation of some content types if the openscap used to build it is not up-to-date" FALSE)
-
-# SCAPVal Options
-option(ENABLE_SCAPVAL13 "Set to ON to enable SCAPVal tests" OFF)
-
-message(STATUS "SCAP Security Guide ${SSG_VERSION}")
-message(STATUS "(see ${CMAKE_SOURCE_DIR}/docs/manual/developer_guide.adoc for build instructions)")
-message(STATUS "")
+set(LOG_LEVEL "WARNING")
+if(SSG_LOG)
+ set(LOG_LEVEL "DEBUG")
+endif()
-# Strictly speaking in-source will work but will be very messy so it is not supported.
-if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_BINARY_DIR}")
- message(FATAL_ERROR "In-source builds are not supported! Please use out of source builds:\n"
- "$ cd content\n"
- "$ rm CMakeCache.txt\n"
- "$ cd build\n"
- "$ cmake ../\n"
- "$ make -j4"
- )
+if(NOT SSG_THIN_DS)
+ set(SSG_THIN_DS_RULE_ID "off")
endif()
+if("$ENV{PYTHONPATH}" STREQUAL "")
+ set(ENV{PYTHONPATH} "${PROJECT_SOURCE_DIR}")
+else()
+ set(ENV{PYTHONPATH} "${PROJECT_SOURCE_DIR}:$ENV{PYTHONPATH}")
+endif()
set(Python_ADDITIONAL_VERSIONS 3 2)
find_package(PythonInterp REQUIRED)
@@ -337,7 +334,6 @@ message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}")
message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}")
message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OPENEMBEDDED}")
-
message(STATUS " ")
# Remove this option when we would like to run ansible-lint and yamllint against our playbooks by
From 7f888e5feccdf305fda1d7e6daeb78630d74bb6a Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 15 May 2024 14:42:58 +0200
Subject: [PATCH 08/13] Move includes to the beginning
Also ordred the python modules.
---
CMakeLists.txt | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index bdf14987144..6bce6a2c405 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -25,7 +25,12 @@ list(APPEND CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake")
# This is set to silence GNUInstallDirs warning about no language being used with cmake.
set(CMAKE_INSTALL_LIBDIR "/nowhere")
include(GNUInstallDirs)
+include(CPack)
+include(CMakeDependentOption)
include(FindPythonModule)
+include(SSGCommon)
+
+cmake_dependent_option(ENABLE_PYTHON_COVERAGE "Enable Python tests with coverage support" ON "PY_PYTEST_COV" OFF)
# Define Version values
set(SSG_MAJOR_VERSION 0)
@@ -141,34 +146,31 @@ endif()
set(Python_ADDITIONAL_VERSIONS 3 2)
find_package(PythonInterp REQUIRED)
-find_python_module(yaml REQUIRED)
find_python_module(jinja2 REQUIRED)
-find_python_module(lxml)
-find_python_module(pytest)
-find_python_module(pytest_cov)
+find_python_module(yaml REQUIRED)
+find_python_module(cmakelint)
+find_python_module(github)
find_python_module(json2html)
+find_python_module(lxml)
find_python_module(mypy)
find_python_module(openpyxl)
find_python_module(pandas)
find_python_module(pcre2)
-find_python_module(cmakelint)
-find_python_module(github)
+find_python_module(pytest)
+find_python_module(pytest_cov)
# sphinx documentation requirements
+find_python_module(myst_parser)
find_python_module(sphinx)
find_python_module(sphinxcontrib.autojinja)
find_python_module(sphinx_rtd_theme)
-find_python_module(myst_parser)
# prometheus_metrics requirements
find_python_module(prometheus_client)
# compliance-trestle requirements
-find_python_module(trestle)
find_python_module(requests)
-
-include(CMakeDependentOption)
-cmake_dependent_option(ENABLE_PYTHON_COVERAGE "Enable Python tests with coverage support" ON "PY_PYTEST_COV" OFF)
+find_python_module(trestle)
find_package(OpenSCAP REQUIRED)
@@ -342,7 +344,7 @@ message(STATUS " ")
option(ANSIBLE_CHECKS "Set to ON to enable ansible-lint and yamllint checks" OFF)
enable_testing()
-include(SSGCommon)
+
add_subdirectory("tests")
@@ -533,6 +535,4 @@ set(CPACK_RPM_FILE_NAME "%{name}-%{version}-%{release}.rpm")
# For older versions of cmake (e.g. v2.8) file name is defined like below.
set(CPACK_PACKAGE_FILE_NAME "scap-security-guide-${SSG_VERSION}")
set(CPACK_PACKAGE_CHECKSUM SHA512)
-
set(CPACK_GENERATOR "RPM;DEB")
-include(CPack)
From 0914af5af268385eedc425dc2e6381c4937d8d06 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 15 May 2024 18:03:18 +0200
Subject: [PATCH 09/13] Group calls to find dependencies
---
CMakeLists.txt | 97 ++++++++++++++++++++++++--------------------------
1 file changed, 46 insertions(+), 51 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6bce6a2c405..89ef046d602 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -38,8 +38,6 @@ set(SSG_MINOR_VERSION 1)
set(SSG_PATCH_VERSION 74)
set(SSG_VERSION "${SSG_MAJOR_VERSION}.${SSG_MINOR_VERSION}.${SSG_PATCH_VERSION}")
-message(STATUS "SCAP Security Guide ${SSG_VERSION}")
-
set(SSG_TARGET_OVAL_MAJOR_VERSION "5" CACHE STRING "Which major version of OVAL are we targetting. Only 5 is supported at the moment.")
set(SSG_TARGET_OVAL_MINOR_VERSION "11" CACHE STRING "Which minor version of OVAL are we targetting. Only 11 is supported at the moment.")
set(SSG_TARGET_OVAL_VERSION "${SSG_TARGET_OVAL_MAJOR_VERSION}.${SSG_TARGET_OVAL_MINOR_VERSION}")
@@ -63,6 +61,17 @@ set(SSG_SHARED_REFS "${SSG_SHARED}/references")
set(SSG_SHARED_TRANSFORMS "${SSG_SHARED}/transforms")
set(SSG_UTILS_SCRIPTS "${CMAKE_SOURCE_DIR}/utils")
+if(SSG_JINJA2_CACHE_ENABLED)
+ file(MAKE_DIRECTORY "${SSG_JINJA2_CACHE_DIR}")
+ if(NOT EXISTS "${SSG_JINJA2_CACHE_DIR}")
+ message(FATAL_ERROR "jinja2 cache dir was set to '${SSG_JINJA2_CACHE_DIR}'. This directory doesn't seem to exist and attempt to create it has failed.")
+ endif()
+ set(SSG_JINJA2_CACHE_ENABLED_BOOL "true")
+else()
+ set(SSG_JINJA2_CACHE_ENABLED_BOOL "false")
+endif()
+
+message(STATUS "SCAP Security Guide ${SSG_VERSION}")
message(STATUS "(see ${CMAKE_SOURCE_DIR}/docs/manual/developer_guide.adoc for build instructions)")
message(STATUS "")
@@ -124,19 +133,10 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be
option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-
+# Products derivatives
option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
option(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED "If enabled, Scientific Linux derivative content will be built from the RHEL content" TRUE)
-set(LOG_LEVEL "WARNING")
-if(SSG_LOG)
- set(LOG_LEVEL "DEBUG")
-endif()
-
-if(NOT SSG_THIN_DS)
- set(SSG_THIN_DS_RULE_ID "off")
-endif()
-
if("$ENV{PYTHONPATH}" STREQUAL "")
set(ENV{PYTHONPATH} "${PROJECT_SOURCE_DIR}")
else()
@@ -145,6 +145,7 @@ endif()
set(Python_ADDITIONAL_VERSIONS 3 2)
find_package(PythonInterp REQUIRED)
+find_package(OpenSCAP REQUIRED)
find_python_module(jinja2 REQUIRED)
find_python_module(yaml REQUIRED)
@@ -165,6 +166,11 @@ find_python_module(sphinx)
find_python_module(sphinxcontrib.autojinja)
find_python_module(sphinx_rtd_theme)
+if(PY_SPHINX AND PY_SPHINXCONTRIB.AUTOJINJA AND PY_SPHINX_RTD_THEME AND PY_MYST_PARSER)
+ message(STATUS "Enabling docs directory as system supports Sphinx builds.")
+ add_subdirectory("docs")
+endif()
+
# prometheus_metrics requirements
find_python_module(prometheus_client)
@@ -172,7 +178,29 @@ find_python_module(prometheus_client)
find_python_module(requests)
find_python_module(trestle)
-find_package(OpenSCAP REQUIRED)
+find_program(SHELLCHECK_EXECUTABLE NAMES shellcheck)
+find_program(LINKCHECKER_EXECUTABLE NAMES linkchecker)
+find_program(BATS_EXECUTABLE NAMES bats)
+find_program(GREP_EXECUTABLE NAMES grep)
+find_program(ANSIBLE_PLAYBOOK_EXECUTABLE NAMES ansible-playbook)
+find_program(ANSIBLE_LINT_EXECUTABLE NAMES ansible-lint)
+find_program(YAMLLINT_EXECUTABLE NAMES yamllint)
+find_program(PYTHON3_EXECUTABLE NAMES python3)
+find_program(GIT_EXECUTABLE NAMES git)
+find_program(XSLTPROC_EXECUTABLE NAMES xsltproc)
+if(NOT XSLTPROC_EXECUTABLE)
+ message(SEND_ERROR "xsltproc is required!")
+endif()
+
+find_program(XMLLINT_EXECUTABLE NAMES xmllint)
+if(NOT XMLLINT_EXECUTABLE)
+ message(SEND_ERROR "xmllint is required!")
+endif()
+
+find_program(SED_EXECUTABLE NAMES sed)
+if(NOT SED_EXECUTABLE)
+ message(SEND_ERROR "sed is required!")
+endif()
if(NOT SSG_TARGET_OVAL_VERSION VERSION_EQUAL "5.11")
message(WARNING "You are targeting OVAL version ${SSG_TARGET_OVAL_VERSION}. In SSG we support/test 5.11 only!")
@@ -192,41 +220,15 @@ if("${OSCAP_VERSION}" VERSION_LESS "1.3.4" AND SSG_PRODUCT_EKS)
message(WARNING "Won't build EKS content as it requires an OpenSCAP version with EKS support. See also: https://github.com/ComplianceAsCode/content/issues/6798. n.b.: if 1.3.4 fails to build EKS content, please update to 1.3.5")
endif()
-if(SSG_JINJA2_CACHE_ENABLED)
- file(MAKE_DIRECTORY "${SSG_JINJA2_CACHE_DIR}")
- if(NOT EXISTS "${SSG_JINJA2_CACHE_DIR}")
- message(FATAL_ERROR "jinja2 cache dir was set to '${SSG_JINJA2_CACHE_DIR}'. This directory doesn't seem to exist and attempt to create it has failed.")
- endif()
- set(SSG_JINJA2_CACHE_ENABLED_BOOL "true")
-else()
- set(SSG_JINJA2_CACHE_ENABLED_BOOL "false")
-endif()
-
-find_program(XSLTPROC_EXECUTABLE NAMES xsltproc)
-if(NOT XSLTPROC_EXECUTABLE)
- message(SEND_ERROR "xsltproc is required!")
-endif()
-
-find_program(XMLLINT_EXECUTABLE NAMES xmllint)
-if(NOT XMLLINT_EXECUTABLE)
- message(SEND_ERROR "xmllint is required!")
+set(LOG_LEVEL "WARNING")
+if(SSG_LOG)
+ set(LOG_LEVEL "DEBUG")
endif()
-find_program(SED_EXECUTABLE NAMES sed)
-if(NOT SED_EXECUTABLE)
- message(SEND_ERROR "sed is required!")
+if(NOT SSG_THIN_DS)
+ set(SSG_THIN_DS_RULE_ID "off")
endif()
-find_program(SHELLCHECK_EXECUTABLE NAMES shellcheck)
-find_program(LINKCHECKER_EXECUTABLE NAMES linkchecker)
-find_program(BATS_EXECUTABLE NAMES bats)
-find_program(GREP_EXECUTABLE NAMES grep)
-find_program(ANSIBLE_PLAYBOOK_EXECUTABLE NAMES ansible-playbook)
-find_program(ANSIBLE_LINT_EXECUTABLE NAMES ansible-lint)
-find_program(YAMLLINT_EXECUTABLE NAMES yamllint)
-find_program(PYTHON3_EXECUTABLE NAMES python3)
-find_program(GIT_EXECUTABLE NAMES git)
-
configure_file("${CMAKE_SOURCE_DIR}/build_config.yml.in" "${CMAKE_BINARY_DIR}/build_config.yml" @ONLY)
message(STATUS "CMake:")
@@ -344,8 +346,6 @@ message(STATUS " ")
option(ANSIBLE_CHECKS "Set to ON to enable ansible-lint and yamllint checks" OFF)
enable_testing()
-
-
add_subdirectory("tests")
# Targets 'stats', 'profile-stats' and 'zipfile' need to be added before any product because they
@@ -360,11 +360,6 @@ add_custom_target(html-profile-stats)
add_custom_target(render-policies)
-if(PY_SPHINX AND PY_SPHINXCONTRIB.AUTOJINJA AND PY_SPHINX_RTD_THEME AND PY_MYST_PARSER)
- message(STATUS "Enabling docs directory as system supports Sphinx builds.")
- add_subdirectory("docs")
-endif()
-
ssg_build_man_page()
if(SSG_PRODUCT_ALINUX2)
From 8da7993f27078e10eedfca7ef8ef222a968fd025 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 15 May 2024 18:49:27 +0200
Subject: [PATCH 10/13] Review and improve readability of output messages
The options were not grouped and it was difficult to review. Once they
were grouped it was noticed some options not being showing in output
messages. They were included.
---
CMakeLists.txt | 121 ++++++++++++++++++++++++++-----------------------
1 file changed, 64 insertions(+), 57 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 89ef046d602..5337de51aae 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -143,10 +143,13 @@ else()
set(ENV{PYTHONPATH} "${PROJECT_SOURCE_DIR}:$ENV{PYTHONPATH}")
endif()
-set(Python_ADDITIONAL_VERSIONS 3 2)
+# Required Packages
find_package(PythonInterp REQUIRED)
find_package(OpenSCAP REQUIRED)
+message(STATUS "")
+message(STATUS "Find Python Modules:")
+set(Python_ADDITIONAL_VERSIONS 3 2)
find_python_module(jinja2 REQUIRED)
find_python_module(yaml REQUIRED)
find_python_module(cmakelint)
@@ -178,29 +181,18 @@ find_python_module(prometheus_client)
find_python_module(requests)
find_python_module(trestle)
-find_program(SHELLCHECK_EXECUTABLE NAMES shellcheck)
-find_program(LINKCHECKER_EXECUTABLE NAMES linkchecker)
+find_program(ANSIBLE_LINT_EXECUTABLE NAMES ansible-lint)
+find_program(ANSIBLE_PLAYBOOK_EXECUTABLE NAMES ansible-playbook)
find_program(BATS_EXECUTABLE NAMES bats)
+find_program(GIT_EXECUTABLE NAMES git)
find_program(GREP_EXECUTABLE NAMES grep)
-find_program(ANSIBLE_PLAYBOOK_EXECUTABLE NAMES ansible-playbook)
-find_program(ANSIBLE_LINT_EXECUTABLE NAMES ansible-lint)
-find_program(YAMLLINT_EXECUTABLE NAMES yamllint)
+find_program(LINKCHECKER_EXECUTABLE NAMES linkchecker)
find_program(PYTHON3_EXECUTABLE NAMES python3)
-find_program(GIT_EXECUTABLE NAMES git)
-find_program(XSLTPROC_EXECUTABLE NAMES xsltproc)
-if(NOT XSLTPROC_EXECUTABLE)
- message(SEND_ERROR "xsltproc is required!")
-endif()
-
-find_program(XMLLINT_EXECUTABLE NAMES xmllint)
-if(NOT XMLLINT_EXECUTABLE)
- message(SEND_ERROR "xmllint is required!")
-endif()
-
-find_program(SED_EXECUTABLE NAMES sed)
-if(NOT SED_EXECUTABLE)
- message(SEND_ERROR "sed is required!")
-endif()
+find_program(SED_EXECUTABLE NAMES sed REQUIRED)
+find_program(SHELLCHECK_EXECUTABLE NAMES shellcheck)
+find_program(XMLLINT_EXECUTABLE NAMES xmllint REQUIRED)
+find_program(XSLTPROC_EXECUTABLE NAMES xsltproc REQUIRED)
+find_program(YAMLLINT_EXECUTABLE NAMES yamllint)
if(NOT SSG_TARGET_OVAL_VERSION VERSION_EQUAL "5.11")
message(WARNING "You are targeting OVAL version ${SSG_TARGET_OVAL_VERSION}. In SSG we support/test 5.11 only!")
@@ -231,78 +223,94 @@ endif()
configure_file("${CMAKE_SOURCE_DIR}/build_config.yml.in" "${CMAKE_BINARY_DIR}/build_config.yml" @ONLY)
-message(STATUS "CMake:")
-message(STATUS "build type: ${CMAKE_BUILD_TYPE}")
-message(STATUS "generator: ${CMAKE_GENERATOR}")
-message(STATUS "source directory: ${CMAKE_SOURCE_DIR}")
-message(STATUS "build directory: ${CMAKE_BINARY_DIR}")
-message(STATUS "Logging: ${SSG_LOG}")
message(STATUS " ")
-
-message(STATUS "Tools:")
+message(STATUS "Python Tools and Modules:")
+# Required Python Tools
message(STATUS "python: ${PYTHON_EXECUTABLE} (version: ${PYTHON_VERSION_STRING})")
message(STATUS "python yaml module: ${PY_YAML}")
message(STATUS "python jinja2 module: ${PY_JINJA2}")
-message(STATUS "oscap: ${OPENSCAP_OSCAP_EXECUTABLE} (version: ${OSCAP_VERSION})")
-message(STATUS "xsltproc: ${XSLTPROC_EXECUTABLE}")
-message(STATUS "xmllint: ${XMLLINT_EXECUTABLE}")
-message(STATUS "sed: ${SED_EXECUTABLE}")
-message(STATUS "shellcheck (optional): ${SHELLCHECK_EXECUTABLE}")
-message(STATUS "linkchecker (optional): ${LINKCHECKER_EXECUTABLE}")
-message(STATUS "grep (optional): ${GREP_EXECUTABLE}")
-message(STATUS "python pytest module (optional): ${PY_PYTEST}")
-message(STATUS "ansible-playbook module (optional): ${ANSIBLE_PLAYBOOK_EXECUTABLE}")
-message(STATUS "ansible-lint module (optional): ${ANSIBLE_LINT_EXECUTABLE}")
-message(STATUS "yamllint module (optional): ${YAMLLINT_EXECUTABLE}")
+# Optional Python Tools
+message(STATUS "python compliance-trestle module (optional): ${PY_TRESTLE}")
+message(STATUS "python cmakelint module (optional): ${PY_CMAKELINT}")
+message(STATUS "python github (PyGitHub) module (optional): ${PY_GITHUB}")
+message(STATUS "python json2html module (optional): ${PY_JSON2HTML}")
+message(STATUS "python lxml module (optional): ${PY_LXML}")
message(STATUS "python mypy module (optional): ${PY_MYPY}")
-message(STATUS "BATS framework (optional): ${BATS_EXECUTABLE}")
-message(STATUS "python sphinx module (optional): ${PY_SPHINX}")
-message(STATUS "python sphinxcontrib.autojinja module (optional): ${PY_SPHINXCONTRIB.AUTOJINJA}")
-message(STATUS "python sphinx_rtd_theme module (optional): ${PY_SPHINX_RTD_THEME}")
message(STATUS "python myst-parser module (optional): ${PY_MYST_PARSER}")
message(STATUS "python openpyxl module (optional): ${PY_OPENPYXL}")
message(STATUS "python pandas module (optional): ${PY_PANDAS}")
message(STATUS "python pcre2 module (optional): ${PY_PCRE2}")
-message(STATUS "python lxml module (optional): ${PY_LXML}")
message(STATUS "python prometheus-client module (optional): ${PY_PROMETHEUS_CLIENT}")
-message(STATUS "python compliance-trestle module (optional): ${PY_TRESTLE}")
-message(STATUS "python github (PyGitHub) module (optional): ${PY_GITHUB}")
+message(STATUS "python pytest_cov module (optional): ${PY_PYTEST_COV}")
+message(STATUS "python pytest module (optional): ${PY_PYTEST}")
+message(STATUS "python requests module (optional): ${PY_REQUESTS}")
+message(STATUS "python sphinx module (optional): ${PY_SPHINX}")
+message(STATUS "python sphinxcontrib.autojinja module (optional): ${PY_SPHINXCONTRIB.AUTOJINJA}")
+message(STATUS "python sphinx_rtd_theme module (optional): ${PY_SPHINX_RTD_THEME}")
message(STATUS " ")
+message(STATUS "System Tools:")
+# Required System Tools
+message(STATUS "oscap: ${OPENSCAP_OSCAP_EXECUTABLE} (version: ${OSCAP_VERSION})")
+message(STATUS "sed: ${SED_EXECUTABLE}")
+message(STATUS "xsltproc: ${XSLTPROC_EXECUTABLE}")
+message(STATUS "xmllint: ${XMLLINT_EXECUTABLE}")
+# Optional System Tools
+message(STATUS "ansible-lint module (optional): ${ANSIBLE_LINT_EXECUTABLE}")
+message(STATUS "ansible-playbook module (optional): ${ANSIBLE_PLAYBOOK_EXECUTABLE}")
+message(STATUS "BATS framework (optional): ${BATS_EXECUTABLE}")
+message(STATUS "grep (optional): ${GREP_EXECUTABLE}")
+message(STATUS "shellcheck (optional): ${SHELLCHECK_EXECUTABLE}")
+message(STATUS "linkchecker (optional): ${LINKCHECKER_EXECUTABLE}")
+message(STATUS "yamllint module (optional): ${YAMLLINT_EXECUTABLE}")
+message(STATUS " ")
+message(STATUS "CMake Settings:")
+message(STATUS "build type: ${CMAKE_BUILD_TYPE}")
+message(STATUS "generator: ${CMAKE_GENERATOR}")
+message(STATUS "source directory: ${CMAKE_SOURCE_DIR}")
+message(STATUS "build directory: ${CMAKE_BINARY_DIR}")
+message(STATUS "Logging: ${SSG_LOG}")
+
+message(STATUS " ")
message(STATUS "Build options:")
message(STATUS "SSG vendor string: ${SSG_VENDOR}")
message(STATUS "Target OVAL version: ${SSG_TARGET_OVAL_VERSION}")
-message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED}")
-message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}")
-message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}")
message(STATUS "Ansible Playbooks: ${SSG_ANSIBLE_PLAYBOOKS_ENABLED}")
message(STATUS "Ansible Playbooks Per Rule: ${SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED}")
message(STATUS "Bash scripts: ${SSG_BASH_SCRIPTS_ENABLED}")
-message(STATUS "Thin data streams: ${SSG_THIN_DS}")
+message(STATUS "STIG Delta Taloring files: ${SSG_BUILD_DISA_DELTA_FILES}")
if(SSG_JINJA2_CACHE_ENABLED)
message(STATUS "jinja2 cache: enabled")
message(STATUS "jinja2 cache dir: ${SSG_JINJA2_CACHE_DIR}")
else()
message(STATUS "jinja2 cache: disabled")
endif()
-message(STATUS "STIG Delta Taloring files: ${SSG_BUILD_DISA_DELTA_FILES}")
-message(STATUS "Build SCE Content: " ${SSG_SCE_ENABLED})
+message(STATUS "Build SCE Content: ${SSG_SCE_ENABLED}")
+message(STATUS "Build SRG XLSX Export: ${SSG_SRG_XLSX_EXPORT}")
+message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}")
+message(STATUS "Thin data streams: ${SSG_THIN_DS}")
+
+message(STATUS " ")
+message(STATUS "Validation options:")
+message(STATUS "BATS tests: ${SSG_BATS_TESTS_ENABLED}")
+message(STATUS "Link Checker validation: ${SSG_LINKCHECKER_VALIDATION_ENABLED}")
+message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED}")
+message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}")
message(STATUS "SCAPVal 1.3 Enabled: ${ENABLE_SCAPVAL13}")
if(ENABLE_SCAPVAL13)
message(STATUS "SCAPVAL Path: ${SCAPVAL_PATH}")
if(NOT SCAPVAL_PATH)
message(SEND_ERROR "Path to SCAPVal was not specified.")
endif()
-
find_program(JAVA_EXECUTABLE NAMES java)
message(STATUS "java: ${JAVA_EXECUTABLE}")
if(NOT JAVA_EXECUTABLE)
message(SEND_ERROR "java is required for SCAPVal!")
endif()
-
endif()
-message(STATUS " ")
+message(STATUS "Force validate everything: ${FORCE_VALIDATE_EVERYTHING}")
+message(STATUS " ")
message(STATUS "Products:")
message(STATUS "Alibaba Cloud Linux 2: ${SSG_PRODUCT_ALINUX2}")
message(STATUS "Alibaba Cloud Linux 3: ${SSG_PRODUCT_ALINUX3}")
@@ -337,7 +345,6 @@ message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}")
message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}")
message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}")
message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OPENEMBEDDED}")
-
message(STATUS " ")
# Remove this option when we would like to run ansible-lint and yamllint against our playbooks by
From 174a46eb72d31b8322655da996deaedd30dee602 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Tue, 21 May 2024 11:44:13 +0200
Subject: [PATCH 11/13] Fix ordering issues
Thanks @jan-cerny for the hints.
---
CMakeLists.txt | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5337de51aae..3dc1ad56895 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -25,13 +25,10 @@ list(APPEND CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake")
# This is set to silence GNUInstallDirs warning about no language being used with cmake.
set(CMAKE_INSTALL_LIBDIR "/nowhere")
include(GNUInstallDirs)
-include(CPack)
include(CMakeDependentOption)
include(FindPythonModule)
include(SSGCommon)
-cmake_dependent_option(ENABLE_PYTHON_COVERAGE "Enable Python tests with coverage support" ON "PY_PYTEST_COV" OFF)
-
# Define Version values
set(SSG_MAJOR_VERSION 0)
set(SSG_MINOR_VERSION 1)
@@ -162,6 +159,7 @@ find_python_module(pandas)
find_python_module(pcre2)
find_python_module(pytest)
find_python_module(pytest_cov)
+cmake_dependent_option(ENABLE_PYTHON_COVERAGE "Enable Python tests with coverage support" ON "PY_PYTEST_COV" OFF)
# sphinx documentation requirements
find_python_module(myst_parser)
@@ -538,3 +536,4 @@ set(CPACK_RPM_FILE_NAME "%{name}-%{version}-%{release}.rpm")
set(CPACK_PACKAGE_FILE_NAME "scap-security-guide-${SSG_VERSION}")
set(CPACK_PACKAGE_CHECKSUM SHA512)
set(CPACK_GENERATOR "RPM;DEB")
+include(CPack)
From 0056b9dd13dba32a37a628db0dc24493b344fb0a Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Thu, 23 May 2024 12:21:35 +0200
Subject: [PATCH 12/13] Move find_python_modules calls after find_program
---
CMakeLists.txt | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3dc1ad56895..24e47b02902 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -144,6 +144,19 @@ endif()
find_package(PythonInterp REQUIRED)
find_package(OpenSCAP REQUIRED)
+find_program(ANSIBLE_LINT_EXECUTABLE NAMES ansible-lint)
+find_program(ANSIBLE_PLAYBOOK_EXECUTABLE NAMES ansible-playbook)
+find_program(BATS_EXECUTABLE NAMES bats)
+find_program(GIT_EXECUTABLE NAMES git)
+find_program(GREP_EXECUTABLE NAMES grep)
+find_program(LINKCHECKER_EXECUTABLE NAMES linkchecker)
+find_program(PYTHON3_EXECUTABLE NAMES python3)
+find_program(SED_EXECUTABLE NAMES sed REQUIRED)
+find_program(SHELLCHECK_EXECUTABLE NAMES shellcheck)
+find_program(XMLLINT_EXECUTABLE NAMES xmllint REQUIRED)
+find_program(XSLTPROC_EXECUTABLE NAMES xsltproc REQUIRED)
+find_program(YAMLLINT_EXECUTABLE NAMES yamllint)
+
message(STATUS "")
message(STATUS "Find Python Modules:")
set(Python_ADDITIONAL_VERSIONS 3 2)
@@ -179,19 +192,6 @@ find_python_module(prometheus_client)
find_python_module(requests)
find_python_module(trestle)
-find_program(ANSIBLE_LINT_EXECUTABLE NAMES ansible-lint)
-find_program(ANSIBLE_PLAYBOOK_EXECUTABLE NAMES ansible-playbook)
-find_program(BATS_EXECUTABLE NAMES bats)
-find_program(GIT_EXECUTABLE NAMES git)
-find_program(GREP_EXECUTABLE NAMES grep)
-find_program(LINKCHECKER_EXECUTABLE NAMES linkchecker)
-find_program(PYTHON3_EXECUTABLE NAMES python3)
-find_program(SED_EXECUTABLE NAMES sed REQUIRED)
-find_program(SHELLCHECK_EXECUTABLE NAMES shellcheck)
-find_program(XMLLINT_EXECUTABLE NAMES xmllint REQUIRED)
-find_program(XSLTPROC_EXECUTABLE NAMES xsltproc REQUIRED)
-find_program(YAMLLINT_EXECUTABLE NAMES yamllint)
-
if(NOT SSG_TARGET_OVAL_VERSION VERSION_EQUAL "5.11")
message(WARNING "You are targeting OVAL version ${SSG_TARGET_OVAL_VERSION}. In SSG we support/test 5.11 only!")
endif()
From fd7d236508be6527bec53cd300732a92a43328d6 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Mon, 27 May 2024 16:34:19 +0200
Subject: [PATCH 13/13] Fix issue with python executable
The set(Python_ADDITIONAL_VERSIONS 3 2) line was accidentaly moved after
find_package(PythonInterp REQUIRED), impacting in the value of
PYTHON_EXECUTABLE variable. It was noticed in a CI test for CentOS
Stream8 where the "/usr/bin/python3" was still poiting to "/usr/bin/python3.6"
while "/usr/bin/python3.11" was already present and this impacted the
detection of installed Python modules.
Few other improvements in readability were made in this commit.
---
CMakeLists.txt | 52 ++++++++++++++++++++++++++------------------------
1 file changed, 27 insertions(+), 25 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 24e47b02902..11037cb8505 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -58,20 +58,6 @@ set(SSG_SHARED_REFS "${SSG_SHARED}/references")
set(SSG_SHARED_TRANSFORMS "${SSG_SHARED}/transforms")
set(SSG_UTILS_SCRIPTS "${CMAKE_SOURCE_DIR}/utils")
-if(SSG_JINJA2_CACHE_ENABLED)
- file(MAKE_DIRECTORY "${SSG_JINJA2_CACHE_DIR}")
- if(NOT EXISTS "${SSG_JINJA2_CACHE_DIR}")
- message(FATAL_ERROR "jinja2 cache dir was set to '${SSG_JINJA2_CACHE_DIR}'. This directory doesn't seem to exist and attempt to create it has failed.")
- endif()
- set(SSG_JINJA2_CACHE_ENABLED_BOOL "true")
-else()
- set(SSG_JINJA2_CACHE_ENABLED_BOOL "false")
-endif()
-
-message(STATUS "SCAP Security Guide ${SSG_VERSION}")
-message(STATUS "(see ${CMAKE_SOURCE_DIR}/docs/manual/developer_guide.adoc for build instructions)")
-message(STATUS "")
-
# Content Generation Opetions
option(SSG_ANSIBLE_PLAYBOOKS_ENABLED "If enabled, Ansible Playbooks for each profile will be built and installed." TRUE)
option(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED "If enabled, Ansible Playbooks for each rule will be built and installed." FALSE)
@@ -139,7 +125,11 @@ if("$ENV{PYTHONPATH}" STREQUAL "")
else()
set(ENV{PYTHONPATH} "${PROJECT_SOURCE_DIR}:$ENV{PYTHONPATH}")
endif()
+message(STATUS "PYTHONPATH: $ENV{PYTHONPATH}")
+# Setting Python_ADDITIONAL_VERSIONS before calling PythonInterp can influence the priority of
+# python executables in a scenario where multiple versions are present.
+set(Python_ADDITIONAL_VERSIONS 3 2)
# Required Packages
find_package(PythonInterp REQUIRED)
find_package(OpenSCAP REQUIRED)
@@ -150,7 +140,6 @@ find_program(BATS_EXECUTABLE NAMES bats)
find_program(GIT_EXECUTABLE NAMES git)
find_program(GREP_EXECUTABLE NAMES grep)
find_program(LINKCHECKER_EXECUTABLE NAMES linkchecker)
-find_program(PYTHON3_EXECUTABLE NAMES python3)
find_program(SED_EXECUTABLE NAMES sed REQUIRED)
find_program(SHELLCHECK_EXECUTABLE NAMES shellcheck)
find_program(XMLLINT_EXECUTABLE NAMES xmllint REQUIRED)
@@ -158,8 +147,11 @@ find_program(XSLTPROC_EXECUTABLE NAMES xsltproc REQUIRED)
find_program(YAMLLINT_EXECUTABLE NAMES yamllint)
message(STATUS "")
-message(STATUS "Find Python Modules:")
-set(Python_ADDITIONAL_VERSIONS 3 2)
+message(STATUS "SCAP Security Guide ${SSG_VERSION}")
+message(STATUS "(see ${CMAKE_SOURCE_DIR}/docs/manual/developer_guide.adoc for build instructions)")
+
+message(STATUS "")
+message(STATUS "Finding Python Modules:")
find_python_module(jinja2 REQUIRED)
find_python_module(yaml REQUIRED)
find_python_module(cmakelint)
@@ -219,10 +211,20 @@ if(NOT SSG_THIN_DS)
set(SSG_THIN_DS_RULE_ID "off")
endif()
+if(SSG_JINJA2_CACHE_ENABLED)
+ file(MAKE_DIRECTORY "${SSG_JINJA2_CACHE_DIR}")
+ if(NOT EXISTS "${SSG_JINJA2_CACHE_DIR}")
+ message(FATAL_ERROR "jinja2 cache dir was set to '${SSG_JINJA2_CACHE_DIR}'. This directory doesn't seem to exist and attempt to create it has failed.")
+ endif()
+ set(SSG_JINJA2_CACHE_ENABLED_BOOL "true")
+else()
+ set(SSG_JINJA2_CACHE_ENABLED_BOOL "false")
+endif()
+
configure_file("${CMAKE_SOURCE_DIR}/build_config.yml.in" "${CMAKE_BINARY_DIR}/build_config.yml" @ONLY)
message(STATUS " ")
-message(STATUS "Python Tools and Modules:")
+message(STATUS "Summary of Python Tools and Modules:")
# Required Python Tools
message(STATUS "python: ${PYTHON_EXECUTABLE} (version: ${PYTHON_VERSION_STRING})")
message(STATUS "python yaml module: ${PY_YAML}")
@@ -246,7 +248,7 @@ message(STATUS "python sphinx module (optional): ${PY_SPHINX}")
message(STATUS "python sphinxcontrib.autojinja module (optional): ${PY_SPHINXCONTRIB.AUTOJINJA}")
message(STATUS "python sphinx_rtd_theme module (optional): ${PY_SPHINX_RTD_THEME}")
message(STATUS " ")
-message(STATUS "System Tools:")
+message(STATUS "Summary of System Tools:")
# Required System Tools
message(STATUS "oscap: ${OPENSCAP_OSCAP_EXECUTABLE} (version: ${OSCAP_VERSION})")
message(STATUS "sed: ${SED_EXECUTABLE}")
@@ -257,35 +259,35 @@ message(STATUS "ansible-lint module (optional): ${ANSIBLE_LINT_EXECUTABLE}")
message(STATUS "ansible-playbook module (optional): ${ANSIBLE_PLAYBOOK_EXECUTABLE}")
message(STATUS "BATS framework (optional): ${BATS_EXECUTABLE}")
message(STATUS "grep (optional): ${GREP_EXECUTABLE}")
-message(STATUS "shellcheck (optional): ${SHELLCHECK_EXECUTABLE}")
message(STATUS "linkchecker (optional): ${LINKCHECKER_EXECUTABLE}")
+message(STATUS "shellcheck (optional): ${SHELLCHECK_EXECUTABLE}")
message(STATUS "yamllint module (optional): ${YAMLLINT_EXECUTABLE}")
message(STATUS " ")
message(STATUS "CMake Settings:")
message(STATUS "build type: ${CMAKE_BUILD_TYPE}")
+message(STATUS "build directory: ${CMAKE_BINARY_DIR}")
message(STATUS "generator: ${CMAKE_GENERATOR}")
message(STATUS "source directory: ${CMAKE_SOURCE_DIR}")
-message(STATUS "build directory: ${CMAKE_BINARY_DIR}")
-message(STATUS "Logging: ${SSG_LOG}")
message(STATUS " ")
message(STATUS "Build options:")
message(STATUS "SSG vendor string: ${SSG_VENDOR}")
message(STATUS "Target OVAL version: ${SSG_TARGET_OVAL_VERSION}")
+message(STATUS "Logging: ${SSG_LOG}")
message(STATUS "Ansible Playbooks: ${SSG_ANSIBLE_PLAYBOOKS_ENABLED}")
message(STATUS "Ansible Playbooks Per Rule: ${SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED}")
message(STATUS "Bash scripts: ${SSG_BASH_SCRIPTS_ENABLED}")
-message(STATUS "STIG Delta Taloring files: ${SSG_BUILD_DISA_DELTA_FILES}")
+message(STATUS "Build SCE Content: ${SSG_SCE_ENABLED}")
+message(STATUS "Build SRG XLSX Export: ${SSG_SRG_XLSX_EXPORT}")
if(SSG_JINJA2_CACHE_ENABLED)
message(STATUS "jinja2 cache: enabled")
message(STATUS "jinja2 cache dir: ${SSG_JINJA2_CACHE_DIR}")
else()
message(STATUS "jinja2 cache: disabled")
endif()
-message(STATUS "Build SCE Content: ${SSG_SCE_ENABLED}")
-message(STATUS "Build SRG XLSX Export: ${SSG_SRG_XLSX_EXPORT}")
message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}")
+message(STATUS "STIG Delta Taloring files: ${SSG_BUILD_DISA_DELTA_FILES}")
message(STATUS "Thin data streams: ${SSG_THIN_DS}")
message(STATUS " ")