Issue13

ComplianceAsCode/README.md

@@ -0,0 +1,38 @@
+# ComplianceAsCode content
+
+## What is this?
+
+This is a content directory for Rocky Linux 8, and several tools for adding rocky8 content as new product for CimplianceAsCode. 
+
+## What is ComplianceAsCode?
+
+ComplianceAsCode is upstream for OSS SCAP contents [https://github.com/ComplianceAsCode](https://github.com/ComplianceAsCode). 
+ComplianceAsCode content(old name "SCAP content") is including XML files, YAML, and so on for creating SCAP contents such as XCCDF or fixing scritp as BASH, Ansible.
+
+## How to develop ComplianceAsCode content?
+
+See [ComplianceAsCode Developer Guide](https://github.com/ComplianceAsCode/content/blob/master/docs/manual/developer_guide.adoc) in upsteam.
+
+## Structure
+
+Directories as follows
+* content/rocky8 (it is including definition for rocky8 contents)
+* content/shared/checks/oval/installed_OS_is_rocky8.xml (this is working for building OS check contents in XCCDF)
+* tools/ (it is including tool for supporting Rocky8 in ComplianceAsCode content.
+
+## How to use
+
+1. Git clone ComplianceAsCode content from (Official GitHub)[https://github.com/ComplianceAsCode/content] to your working directory(ex. work).
+2. cd work/content
+3. copy content_for_supporting_rocky8 directory from this repo under work/content. (Such as work/content/content_for_supporting_rocky8)
+4. run ./content_for_supporting_rocky8/tools/add_product_rocky8.sh
+
+Then you'll be ready to compile Rocky8 contents.
+
+## How to build rocky8 contents
+
+1. cd to content/build (such as work/content/build)
+2. run "cmake .."
+3. run "make -j4 rocky8" 
+
+Then you'll see several xml contents under build directory.

ComplianceAsCode/content_for_supporting_rocky8/README.md

@@ -0,0 +1,25 @@
+# Rocky8 files and tools
+These are files for supporting Rocky8 for ComplianceAsCode content. 'Files' directory contain files for modifying ComplianceAsCode [content](https://github.com/ComplianceAsCode/content). 'Tools' directory contain script for modifying ComplianceAsCode content to support Rocky8.
+
+## Rocky8 product information.
+Just for now, we use following Name/Values as Rocky8 product informtation(content/rocky8/product.yml)
+
+1. fingerprints vaules. For Redhat, we can check it on [https://access.redhat.com/security/team/key](https://access.redhat.com/security/team/key)
+```pkg_release: "PKG_RELASE"
+ pkg_version: "PKG_VERSION"
+ aux_pkg_release: "AUX_PKG_RELEASE"
+ aux_pkg_version: "AUX_PKG_VERSION"
+
+ release_key_fingerprint: "RELEASE_KEY_FINGERPRINT"
+ auxiliary_key_fingerprint: "AUXILIARY_KEY_FINGERPRINT"
+```
+
+2. OVAL Feed URL. If we will use completely same as RHEL8 OVAL, we might not be need to change it.
+```
+oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml"
+```
+
+3. CPE. CPE name is in /etc/os-release and /etc/system-release-cpe.
+```
+name: "cpe:/o:rocky:rocky_linux:8"
+```

ComplianceAsCode/content_for_supporting_rocky8/files/diff_content_for_supporting_rocky8

@@ -0,0 +1,109 @@
+diff -Nru content.org/CMakeLists.txt content/CMakeLists.txt
+--- content.org/CMakeLists.txt	2021-05-03 07:27:49.961754374 +0900
++++ content/CMakeLists.txt	2021-05-03 07:29:29.739430343 +0900
+@@ -88,6 +88,7 @@
+ option(SSG_PRODUCT_VSEL "If enabled, the McAfee VSEL SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_WRLINUX8 "If enabled, the WRLinux8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_WRLINUX1019 "If enabled, the WRLinux1019 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
++option(SSG_PRODUCT_ROCKY8 "If enabled, the ROCKY8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+
+ option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
+ option(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED "If enabled, Scientific Linux derivative content will be built from the RHEL content" TRUE)
+@@ -277,6 +278,7 @@
+ message(STATUS "McAfee VSEL: ${SSG_PRODUCT_VSEL}")
+ message(STATUS "WRLinux 8: ${SSG_PRODUCT_WRLINUX8}")
+ message(STATUS "WRLinux 1019: ${SSG_PRODUCT_WRLINUX1019}")
++message(STATUS "ROCKY 8: ${SSG_PRODUCT_ROCKY8}")
+
+
+
+@@ -399,6 +401,10 @@
+ if (SSG_PRODUCT_WRLINUX1019)
+     add_subdirectory("wrlinux1019")
+ endif()
++if (SSG_PRODUCT_ROCKY8)
++    add_subdirectory("rocky8")
++endif()
++
+
+ # ZIP only contains source datastreams and kickstarts, people who
+ # want sources to build from should get the tarball instead.
+diff -Nru content.org/build_product content/build_product
+--- content.org/build_product	2021-05-03 07:27:50.029755540 +0900
++++ content/build_product	2021-05-03 07:29:29.739430343 +0900
+@@ -295,6 +295,7 @@
+ 	VSEL
+ 	WRLINUX8
+ 	WRLINUX1019
++	ROCKY8
+ )
+
+ DEFAULT_OVAL_MAJOR_VERSION=5
+diff -Nru content.org/shared/checks/oval/install_mcafee_hbss.xml content/shared/checks/oval/install_mcafee_hbss.xml
+--- content.org/shared/checks/oval/install_mcafee_hbss.xml	2021-05-03 07:27:50.321760545 +0900
++++ content/shared/checks/oval/install_mcafee_hbss.xml	2021-05-03 07:29:57.423884084 +0900
+@@ -14,6 +14,7 @@
+ 	<platform>multi_platform_sle</platform>
+ 	<platform>multi_platform_ubuntu</platform>
+ 	<platform>multi_platform_wrlinux</platform>
++	<platform>multi_platform_rocky</platform>
+       </affected>
+       <description>McAfee Host-Based Intrusion Detection Software (HBSS) software
+       should be installed.</description>
+diff -Nru content.org/shared/checks/oval/sysctl_kernel_ipv6_disable.xml content/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+--- content.org/shared/checks/oval/sysctl_kernel_ipv6_disable.xml	2021-05-03 07:27:50.325760613 +0900
++++ content/shared/checks/oval/sysctl_kernel_ipv6_disable.xml	2021-05-03 07:30:19.808247714 +0900
+@@ -14,6 +14,7 @@
+ 	<platform>multi_platform_sle</platform>
+ 	<platform>multi_platform_ubuntu</platform>
+ 	<platform>multi_platform_wrlinux</platform>
++	<platform>multi_platform_rocky</platform>
+       </affected>
+       <description>Disables IPv6 for all network interfaces.</description>
+     </metadata>
+diff -Nru content.org/ssg/constants.py content/ssg/constants.py
+--- content.org/ssg/constants.py	2021-05-03 07:27:50.369761368 +0900
++++ content/ssg/constants.py	2021-05-03 07:29:29.739430343 +0900
+@@ -24,7 +24,8 @@
+     'sle12', 'sle15',
+     'ubuntu1604', 'ubuntu1804', 'ubuntu2004',
+     'vsel',
+-    'wrlinux8', 'wrlinux1019'
++    'wrlinux8', 'wrlinux1019',
++    'rocky8'
+ ]
+
+ JINJA_MACROS_BASE_DEFINITIONS = os.path.join(os.path.dirname(os.path.dirname(
+@@ -177,6 +178,7 @@
+     "Ubuntu 20.04": "ubuntu2004",
+     "WRLinux 8": "wrlinux8",
+     "WRLinux 1019": "wrlinux1019",
++    "Rocky Linux 8": "rocky8",
+ }
+
+
+@@ -191,7 +193,7 @@
+ }
+
+ MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhosp", "rhv", "debian", "ubuntu",
+-                       "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "example"]
++                       "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "rocky", "example"]
+
+ MULTI_PLATFORM_MAPPING = {
+     "multi_platform_debian": ["debian9", "debian10"],
+@@ -207,6 +209,7 @@
+     "multi_platform_sle": ["sle12", "sle15"],
+     "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004"],
+     "multi_platform_wrlinux": ["wrlinux8", "wrlinux1019"],
++    "multi_platform_wrlinux": ["rocky8"],
+ }
+
+ RHEL_CENTOS_CPE_MAPPING = {
+@@ -372,6 +375,7 @@
+     'ol': 'Oracle Linux',
+     'ocp': 'Red Hat OpenShift Container Platform',
+     'rhcos': 'Red Hat Enterprise Linux CoreOS',
++    'rocky': 'Rocky Linux',
+ }
+
+

ComplianceAsCode/content_for_supporting_rocky8/files/installed_OS_is_rocky8.xml

@@ -0,0 +1,47 @@
+<def-group>
+  <definition class="inventory"
+  id="installed_OS_is_rocky8" version="1">
+    <metadata>
+      <title>Rocky Linux 8</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <reference ref_id="cpe:/o:rocky:rocky_linux:8"
+      source="CPE" />
+      <description>The operating system installed on the system is
+      Rocky Linux 8</description>
+    </metadata>
+    <criteria operator="AND">
+      <extend_definition comment="Installed OS is part of the Unix family"
+      definition_ref="installed_OS_is_part_of_Unix_family" />
+      <criterion comment="OS is Rocky Linux" test_ref="test_rocky8_name" />
+      <criterion comment="OS version is 8" test_ref="test_rocky8_version" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check os-release ID" id="test_rocky8_name" version="1">
+    <ind:object object_ref="obj_name_rocky8" />
+    <ind:state state_ref="state_name_rocky8" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_name_rocky8" version="1" comment="Check os-release ID">
+    <ind:filepath>/etc/os-release</ind:filepath>
+    <ind:pattern operation="pattern match">^ID=&quot;(\w+)&quot;$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_name_rocky8" version="1">
+    <ind:subexpression>rocky</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+  <ind:textfilecontent54_test check="all" comment="Check os-release VERSION_ID" id="test_rocky8_version" version="1">
+    <ind:object object_ref="obj_version_rocky8" />
+    <ind:state state_ref="state_version_rocky8" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_version_rocky8" version="1" comment="Check os-release VERSION_ID">
+    <ind:filepath>/etc/os-release</ind:filepath>
+    <ind:pattern operation="pattern match">^VERSION_ID=&quot;(\d)&quot;$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_version_rocky8" version="1">
+    <ind:subexpression>8</ind:subexpression>
+  </ind:textfilecontent54_state>
+</def-group>

ComplianceAsCode/content_for_supporting_rocky8/files/rocky8/CMakeLists.txt

@@ -0,0 +1,36 @@
+# Sometimes our users will try to do: "cd rocky8; cmake ." That needs to error in a nice way.
+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "rocky8")
+set(DISA_SRG_TYPE "os")
+
+ssg_build_product(${PRODUCT})
+
+ssg_build_html_table_by_ref(${PRODUCT} "nist")
+ssg_build_html_table_by_ref(${PRODUCT} "cui")
+ssg_build_html_table_by_ref(${PRODUCT} "cis")
+ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
+ssg_build_html_table_by_ref(${PRODUCT} "anssi")
+
+ssg_build_html_nistrefs_table(${PRODUCT} "standard")
+ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
+ssg_build_html_nistrefs_table(${PRODUCT} "stig")
+
+ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
+ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
+ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
+ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
+
+ssg_build_html_cce_table(${PRODUCT})
+
+ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
+
+ssg_build_html_stig_tables(${PRODUCT} "stig")
+
+#ssg_build_html_stig_tables(${PRODUCT} "ospp")
+
+#if (SSG_CENTOS_DERIVATIVES_ENABLED)
+#    ssg_build_derivative_product(${PRODUCT} "centos" "centos8")
+#endif()