From 86ab1ed1e61978bb557d2008c96d19b5f20192ae Mon Sep 17 00:00:00 2001
From: Jacob Wang
Date: Mon, 31 Mar 2025 13:49:17 +0800
Subject: [PATCH 1/3] [BUG]update to scap-security-guide-0.1.76-1 to #IBXJIA update to scap-security-guide-0.1.76-1 for bugfix
Signed-off-by: Jacob Wang
---
 download | 2 +-
 fix_scap_delta_tailoring.patch | 63 +++++++++++++++++
 scap-security-guide.spec | 119 +++++++++++++--------------------
 3 files changed, 109 insertions(+), 75 deletions(-)
 create mode 100644 fix_scap_delta_tailoring.patch
diff --git a/download b/download
index a598ab4..215b538 100644
--- a/download
+++ b/download
@@ -1,3 +1,3 @@
 219c992603514558e5f6f3d29adaa534 scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
 8cf987028930d5baf17214fb65ad8b6b scap-security-guide-0.1.73-1.el7_9-rhel7.tar.bz2
-b7bb21df2f6ba01161b9068df5db3342 scap-security-guide-0.1.75.tar.bz2
+37bf2c082163d3e5236636302f5ff03c scap-security-guide-0.1.76.tar.bz2
diff --git a/fix_scap_delta_tailoring.patch b/fix_scap_delta_tailoring.patch
new file mode 100644
index 0000000..a146bbc
--- /dev/null
+++ b/fix_scap_delta_tailoring.patch
@@ -0,0 +1,63 @@
+From 452ee249e43dc3ce5d1f052ed528a084f5a3657f Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Tue, 25 Feb 2025 16:55:19 +0100
+Subject: create_delta_scap_tailoring: pass path to build_config.yml explicitly
+ when calling the script from cmake
+
+---
+ cmake/SSGCommon.cmake | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index 337067c215..170ae3d39f 100644
+--- a/cmake/SSGCommon.cmake
++++ b/cmake/SSGCommon.cmake
+@@ -658,7 +658,7 @@ macro(ssg_build_disa_delta PRODUCT PROFILE)
+ add_custom_command(
+ OUTPUT "${CMAKE_BINARY_DIR}/${PRODUCT}/tailoring/${PRODUCT}_${PROFILE}_delta_tailoring.xml"
+ COMMAND ${CMAKE_COMMAND} -E make_directory "${CMAKE_BINARY_DIR}/${PRODUCT}/tailoring"
+- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_scap_delta_tailoring.py" --root "${CMAKE_SOURCE_DIR}" --product "${PRODUCT}" --manual "${DISA_SCAP_REF}" --profile "${PROFILE}" --reference "stigid" --output "${CMAKE_BINARY_DIR}/${PRODUCT}/tailoring/${PRODUCT}_${PROFILE}_delta_tailoring.xml" --quiet --build-root ${CMAKE_BINARY_DIR} --resolved-rules-dir
++ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/create_scap_delta_tailoring.py" --root "${CMAKE_SOURCE_DIR}" --product "${PRODUCT}" --manual "${DISA_SCAP_REF}" --profile "${PROFILE}" --reference "stigid" --output "${CMAKE_BINARY_DIR}/${PRODUCT}/tailoring/${PRODUCT}_${PROFILE}_delta_tailoring.xml" --quiet --build-root ${CMAKE_BINARY_DIR} --resolved-rules-dir -c ${CMAKE_BINARY_DIR}/build_config.yml
+ DEPENDS "${PRODUCT}-content"
+ COMMENT "[${PRODUCT}-generate-ssg-delta] generating disa tailoring file"
+ )
+-- 
+2.48.1
+
+
+From 6def0e0e54497f32b8be6b1511fe98e324bc057d Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Tue, 25 Feb 2025 17:08:54 +0100
+Subject: create_scap_delta_tailoring: remove hardcoded build directory
+
+---
+ utils/create_scap_delta_tailoring.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/utils/create_scap_delta_tailoring.py b/utils/create_scap_delta_tailoring.py
+index ee85a57bc0..04ca197c5f 100755
+--- a/utils/create_scap_delta_tailoring.py
++++ b/utils/create_scap_delta_tailoring.py
+@@ -24,8 +24,8 @@ NS = {'scap': ssg.constants.datastream_namespace,
+ PROFILE = 'stig'
+
+
+-def get_profile(product, profile_name):
+- ds_root = ET.parse(os.path.join(SSG_ROOT, 'build', 'ssg-{product}-ds.xml'
++def get_profile(product, profile_name, build_root):
++ ds_root = ET.parse(os.path.join(build_root, 'ssg-{product}-ds.xml'
+ .format(product=product))).getroot()
+ profiles = ds_root.findall(
+ './/{{{scap}}}component/{{{xccdf}}}Benchmark/{{{xccdf}}}Profile'.format(
+@@ -177,7 +177,7 @@ def create_tailoring(args):
+ args.build_root)
+ needed_rules = filter_out_implemented_rules(known_rules, NS, benchmark_root)
+ needed_rule_names_set = set(rulename for ruleset in needed_rules.values() for rulename in ruleset)
+- profile_root = get_profile(args.product, args.profile)
++ profile_root = get_profile(args.product, args.profile, args.build_root)
+ selections = profile_root.findall('xccdf-1.2:select', NS)
+ tailoring_profile = setup_tailoring_profile(args.profile_id, profile_root)
+ for selection in selections:
+-- 
+2.48.1
+
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 5a67c45..82cf027 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -1,37 +1,35 @@ -%define anolis_release .0.1 # Base name of static rhel6 content tarball %global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6 # Base name of static rhel7 content tarball %global _static_rhel7_content %{name}-0.1.73-1.el7_9-rhel7 -# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds -%global _vpath_builddir build # global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly -Name: scap-security-guide -Version: 0.1.75 -Release: 1%{anolis_release}%{?dist} -Summary: Security guidance and baselines in SCAP formats -License: BSD-3-Clause -Group: Applications/System -URL: https://github.com/ComplianceAsCode/content/ -Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 +Name: scap-security-guide +Version: 0.1.76 +Release: 1%{?dist} +Summary: Security guidance and baselines in SCAP formats +License: BSD-3-Clause +Group: Applications/System +URL: https://github.com/ComplianceAsCode/content/ +Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 # Include tarball with last released rhel6 content -Source1: %{_static_rhel6_content}.tar.bz2 +Source1: %{_static_rhel6_content}.tar.bz2 # Include tarball with last released rhel7 content -Source2: %{_static_rhel7_content}.tar.bz2 - -BuildArch: noarch - -BuildRequires: libxslt -BuildRequires: openscap-scanner >= 1.2.5 -BuildRequires: cmake >= 2.8 -BuildRequires: python3-devel -BuildRequires: python%{python3_pkgversion} -BuildRequires: python%{python3_pkgversion}-jinja2 -BuildRequires: python%{python3_pkgversion}-PyYAML -Requires: xml-common, openscap-scanner >= 1.2.5 -Obsoletes: openscap-content < 0:0.9.13 -Provides: openscap-content +Source2: %{_static_rhel7_content}.tar.bz2 +Patch0: fix_scap_delta_tailoring.patch + +BuildArch: noarch + +BuildRequires: libxslt +BuildRequires: openscap-scanner >= 1.2.5 +BuildRequires: cmake 
>= 2.8 +BuildRequires: python3-devel +BuildRequires: python%{python3_pkgversion} +BuildRequires: python%{python3_pkgversion}-jinja2 +BuildRequires: python%{python3_pkgversion}-PyYAML +Requires: xml-common, openscap-scanner >= 1.2.5 +Obsoletes: openscap-content < 0:0.9.13 +Provides: openscap-content %description The scap-security-guide project provides a guide for configuration of the @@ -46,28 +44,20 @@ conforms to provided guideline. Refer to scap-security-guide(8) manual page for further information. %package doc -Summary: HTML formatted security guides generated from XCCDF benchmarks -Group: System Environment/Base -Requires: %{name} = %{version}-%{release} +Summary: HTML formatted security guides generated from XCCDF benchmarks +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} %description doc The %{name}-doc package contains HTML formatted documents containing hardening guidances that have been generated from XCCDF benchmarks present in %{name} package. -%package extra -Summary: Extra files package -Group: System Environment/Base -Requires: %{name} = %{version}-%{release} - -%description extra -The %{name}-extra package contains various situation guidebooks - %if ( %{defined rhel} && (! %{defined centos}) ) %package rule-playbooks -Summary: Ansible playbooks per each rule. -Group: System Environment/Base -Requires: %{name} = %{version}-%{release} +Summary: Ansible playbooks per each rule. +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} %description rule-playbooks The %{name}-rule-playbooks package contains individual ansible playbooks per rule. 
@@ -75,31 +65,25 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul %prep %setup -q -b1 -b2 +%patch -P 0 -p1 -%build -mkdir -p build -cd build -%cmake \ --DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \ --DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \ --DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \ --DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \ --DSSG_PRODUCT_JRE:BOOLEAN=TRUE \ --DSSG_PRODUCT_ANOLIS8:BOOLEAN=TRUE \ -%if %{defined centos} --DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \ -%else --DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \ +%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_PRODUCT_FIREFOX:BOOLEAN=true -DSSG_PRODUCT_JRE:BOOLEAN=TRUE +%define cmake_defines_specific %{nil} +%if 0%{?rhel} +%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON %endif --DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \ -%if ( %{defined rhel} && (! %{defined centos}) ) --DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \ +%if 0%{?centos} +%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON %endif -../ + +%build +mkdir -p %{_vpath_builddir} +cd %{_vpath_builddir} +%cmake -S .. %{cmake_defines_common} %{cmake_defines_specific} %cmake_build %install -cd build +cd %{_vpath_builddir} %cmake_install # Manually install pre-built rhel6 content 
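Review bot: `%build` and `%install` now run `cd %{_vpath_builddir}`, but the first hunk of this patch deletes the spec's own `%global _vpath_builddir build`, so the directory name depends on the build root's cmake macros providing it. If a target's macro set does not define it, rpm leaves the text unexpanded and the build runs in a directory literally named `%{_vpath_builddir}`; a guarded definition near the top, `%{!?_vpath_builddir:%global _vpath_builddir build}`, would keep the spec self-contained. The fallback `%define cmake_defines_specific %{nil}` also deserves a comment: when neither `rhel` nor `centos` is set, `-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE` is never passed, so the set of products built is whatever the cmake defaults are rather than an explicit list as before.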
@@ -118,11 +102,6 @@ ln -s ssg-rhel8-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-rhel8-ds ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefox-ds-1.2.xml %files -%exclude %{_datadir}/%{name}/ansible/rhel* -%exclude %{_datadir}/%{name}/bash/rhel* -%exclude %{_datadir}/%{name}/kickstart/ssg-rhel* -%exclude %{_datadir}/%{name}/tailoring/rhel* -%exclude %{_datadir}/xml/scap/ssg/content/ssg-rhel* %{_datadir}/xml/scap/ssg/content %{_datadir}/%{name}/kickstart %{_datadir}/%{name}/ansible @@ -140,13 +119,6 @@ ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefo %doc %{_docdir}/%{name}/guides/*.html %doc %{_docdir}/%{name}/tables/*.html -%files extra -%{_datadir}/%{name}/ansible/rhel* -%{_datadir}/%{name}/bash/rhel* -%{_datadir}/%{name}/kickstart/ssg-rhel* -%{_datadir}/%{name}/tailoring/rhel* -%{_datadir}/xml/scap/ssg/content/ssg-rhel* - %if ( %{defined rhel} && (! %{defined centos}) ) %files rule-playbooks %defattr(-,root,root,-) @@ -154,9 +126,8 @@ ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefo %endif %changelog -* Tue Dec 10 2024 Chang Gao - 0.1.75-1.0.1 -- Add extra package -- Add product for Anolis8 (#9770)(Yuqing) +* Tue Feb 25 2025 Vojtech Polasek - 0.1.76-1 +- rebase scap-security-guide to the latest upstream version 0.1.76 (RHEL-74241) * Fri Nov 15 2024 Matthew Burket - 0.1.75-1 - Rebase scap-security-guide to the latest upstream version (RHEL-66153) -- Gitee From edc16b7f5819ac8f7df5442b012a12dd0b3ac991 Mon Sep 17 00:00:00 2001 From: "taifu.gc" Date: Thu, 10 Nov 2022 02:22:35 +0800 Subject: [PATCH 2/3] Add extra package --- scap-security-guide.spec | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 82cf027..d545e7f 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec 
@@ -1,3 +1,4 @@ +%define anolis_release .0.1 # Base name of static rhel6 content tarball %global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6 # Base name of static rhel7 content tarball @@ -6,7 +7,7 @@ Name: scap-security-guide Version: 0.1.76 -Release: 1%{?dist} +Release: 1%{anolis_release}%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause Group: Applications/System @@ -53,6 +54,14 @@ The %{name}-doc package contains HTML formatted documents containing hardening guidances that have been generated from XCCDF benchmarks present in %{name} package. +%package extra +Summary: Extra files package +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} + +%description extra +The %{name}-extra package contains various situation guidebooks + %if ( %{defined rhel} && (! %{defined centos}) ) %package rule-playbooks Summary: Ansible playbooks per each rule. @@ -102,6 +111,11 @@ ln -s ssg-rhel8-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-rhel8-ds ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefox-ds-1.2.xml %files +%exclude %{_datadir}/%{name}/ansible/rhel* +%exclude %{_datadir}/%{name}/bash/rhel* +%exclude %{_datadir}/%{name}/kickstart/ssg-rhel* +%exclude %{_datadir}/%{name}/tailoring/rhel* +%exclude %{_datadir}/xml/scap/ssg/content/ssg-rhel* %{_datadir}/xml/scap/ssg/content %{_datadir}/%{name}/kickstart %{_datadir}/%{name}/ansible @@ -119,6 +133,13 @@ ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefo %doc %{_docdir}/%{name}/guides/*.html %doc %{_docdir}/%{name}/tables/*.html +%files extra +%{_datadir}/%{name}/ansible/rhel* +%{_datadir}/%{name}/bash/rhel* +%{_datadir}/%{name}/kickstart/ssg-rhel* +%{_datadir}/%{name}/tailoring/rhel* +%{_datadir}/xml/scap/ssg/content/ssg-rhel* + %if ( %{defined rhel} && (! %{defined centos}) ) %files rule-playbooks %defattr(-,root,root,-) 
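Review bot: The `%description extra` text, "contains various situation guidebooks", does not say what the subpackage ships. Going by the `%files extra` list it is everything matching `rhel*` / `ssg-rhel*` under ansible, bash, kickstart, tailoring and the SCAP content directory, which the main package now `%exclude`s. Someone who installs only `scap-security-guide` to scan against a RHEL profile cannot tell from the description that the datastreams moved. A wording along the lines of `The %{name}-extra package contains the RHEL content (datastreams, kickstarts, remediation scripts and tailoring files) split out of the main package.` would say so, once checked against what the build actually installs.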
@@ -126,6 +147,9 @@ ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefo %endif %changelog +* Mon Mar 31 2025 Chang Gao - 0.1.76-1.0.1 +- Add extra package + * Tue Feb 25 2025 Vojtech Polasek - 0.1.76-1 - rebase scap-security-guide to the latest upstream version 0.1.76 (RHEL-74241) -- Gitee From e4ae5b3a5b65a4970163e4faeb480c69271f4217 Mon Sep 17 00:00:00 2001 From: qhw01063182 Date: Thu, 23 Feb 2023 16:49:16 +0800 Subject: [PATCH 3/3] Add product for Anolis8 Signed-off-by: qhw01063182 --- scap-security-guide.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scap-security-guide.spec b/scap-security-guide.spec index d545e7f..b7477ba 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -83,6 +83,9 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul %endif %if 0%{?centos} %define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON +%if 0%{?anolis} +%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_PRODUCT_ANOLIS%{anolis}:BOOLEAN=TRUE -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON +%endif %endif %build @@ -149,6 +152,7 @@ ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefo %changelog * Mon Mar 31 2025 Chang Gao - 0.1.76-1.0.1 - Add extra package +- Add product for Anolis8 (#9770)(Yuqing) * Tue Feb 25 2025 Vojtech Polasek - 0.1.76-1 - rebase scap-security-guide to the latest upstream version 0.1.76 (RHEL-74241) -- Gitee
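Review bot: The `%if 0%{?anolis}` block added in the `@@ -83,6 +83,9 @@` hunk sits inside `%if 0%{?centos}`, so the Anolis defines apply only when both macros are set, and it selects the RHEL product with `%{rhel}` while the enclosing branch uses `%{centos}`. It also passes `-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON`, yet the `rule-playbooks` subpackage is guarded elsewhere in the spec by `%{defined rhel} && (! %{defined centos})`, which cannot be true in this branch; whether the generated per-rule playbooks end up in the main package or unpackaged depends on parts of the spec outside the hunk. If Anolis is meant to be handled on its own, a sibling conditional after the centos `%endif`, for example `%if 0%{?anolis} && 0%{?rhel}`, would make the precedence explicit and stop `%{rhel}` from being passed through unexpanded. A one-line comment stating which macros an Anolis build root is expected to define would help the next maintainer.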