forked from ComplianceAsCode/content
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathproduct-make.include
196 lines (164 loc) · 9.44 KB
/
product-make.include
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
#
# product-make.include
#
# The common Makefile snippets used by other Makefiles in various product subfolders
#
# The snippets assume that the following variables are set by each product:
# * $(SHARED)
#
#
# Include project level information
include $(SHARED)/../VERSION
# Defaults for the global variables - directories
IN = input
OUT = output
BUILD = build
BUILD_REMEDIATIONS=$(BUILD)/remediations
TRANS = transforms
SHARED_OVAL = $(SHARED)/oval
SHARED_OVAL_5_11 = $(SHARED_OVAL)/oval_5.11
SHARED_BASH_REMEDIATIONS = $(BUILD)/shared/output/bash $(SHARED)/templates/static/bash # Currently we cannot build shared remediations only once
SHARED_ANSIBLE_REMEDIATIONS = $(BUILD)/shared/output/ansible $(SHARED)/templates/static/ansible # Currently we cannot build shared remediations only once
PRODUCT_BASH_REMEDIATIONS = templates/output/bash
PRODUCT_ANSIBLE_REMEDIATIONS = templates/output/ansible
STANDARD_OVAL_DIRS = $(SHARED_OVAL) $(IN)/oval
REFS = $(SHARED)/references
CONF = $(SHARED)/../config
UTILS = utils
DIST = dist
# Defaults for the global variables - others
ID = ssg
# Query environment - ask openscap if it can do OVAL 5.11
OVAL_5_11 := $(shell oscap --version | grep -q "OVAL Version: 5.11.*"; echo $$?)
# Query environment - ask openscap if it can generate guide from DataStream
OPENSCAP_1_1_OR_LATER := $(shell oscap --version | grep -q -E "OpenSCAP command line tool \(oscap\) 1\.[1-9]+[0-9]*\."; echo $$?)
# Query environment - ask openscap if it has SVG support in guides
OPENSCAP_SVG := $(shell $(SHARED)/$(UTILS)/oscap-svg-support.py; echo $$?)
# Query environment - check shellcheck
SHELLCHECK_AVAIL := $(shell which shellcheck >& /dev/null; echo $$?)
# Common build targets - include the SSG logo into the XCCDF header
$(OUT)/guide.xml: $(SHARED)/$(TRANS)/includelogo.xslt $(SHARED)/xccdf/shared_guide.xml
ifeq ($(OPENSCAP_SVG), 0)
xsltproc -o $(OUT)/guide.xml $(SHARED)/$(TRANS)/includelogo.xslt $(SHARED)/xccdf/shared_guide.xml
else
mkdir -p $(OUT)/
cp $(SHARED)/xccdf/shared_guide.xml $(OUT)/
endif
# Common build targets - compose single shorthand XCCDF guide from all the sources
guide_xslt_deps= $(wildcard $(IN)/auxiliary/*.xml) $(wildcard $(IN)/profiles/*.xml) $(wildcard $(IN)/xccdf/**/*.xml)
$(OUT)/shorthand.xml: $(OUT)/guide.xml $(IN)/guide.xslt $(guide_xslt_deps)
xsltproc --stringparam SHARED_RP "$(realpath $(SHARED))" -o $@ $(IN)/guide.xslt $(OUT)/guide.xml
xmllint --format --output $@ $@
# Create temporary $(SHARED)/$(OUT) folder to hold information like list of contributors or list of
# available remediation functions used by all SSG benchmarks
$(SHARED)/$(OUT):
mkdir -p $@
# Common build targets - convert shorthand format to an XCCDF stub
$(OUT)/xccdf-unlinked-unresolved.xml: $(OUT)/shorthand.xml $(TRANS)/shorthand2xccdf.xslt $(TRANS)/constants.xslt $(SHARED)/$(TRANS)/shared_constants.xslt
xsltproc --stringparam ssg_version "$(SSG_MAJOR_VERSION).$(SSG_MINOR_VERSION)" -o $@ $(TRANS)/shorthand2xccdf.xslt $<
# Common build targets - improve the XCCDF stub - first resolve
$(OUT)/xccdf-unlinked-empty-groups.xml: $(OUT)/xccdf-unlinked-unresolved.xml
oscap xccdf resolve -o $@ $<
# Common build targets - improve the XCCDF stub - second resolve
$(OUT)/xccdf-unlinked-empty-groups-unselected.xml: $(OUT)/xccdf-unlinked-empty-groups.xml $(SHARED)/$(UTILS)/unselect-empty-xccdf-groups.py
$(SHARED)/$(UTILS)/unselect-empty-xccdf-groups.py --input $< --output $@
# Common build targets - improve the XCCDF stub - third resolve
$(OUT)/xccdf-unlinked-resolved.xml: $(OUT)/xccdf-unlinked-empty-groups-unselected.xml
oscap xccdf resolve -o $@ $<
# Common build targets - create OCIL questionnaire stub for further processing
$(OUT)/ocil-unlinked.xml: $(OUT)/xccdf-unlinked-resolved.xml $(SHARED)/$(TRANS)/xccdf-create-ocil.xslt
xsltproc -o $@ $(SHARED)/$(TRANS)/xccdf-create-ocil.xslt $<
xmllint --format --output $(OUT)/unlinked-$(PROD)-ocil.xml $@
# Common build targets - an XCCDF witch OCIL checks in the form of official OCIL-2.0 syntax
$(OUT)/xccdf-unlinked-ocilrefs.xml: $(OUT)/xccdf-unlinked-resolved.xml $(OUT)/ocil-unlinked.xml $(SHARED)/$(TRANS)/xccdf-ocilcheck2ref.xslt $(SHARED)/$(TRANS)/shared_constants.xslt
xsltproc -stringparam product "$(PROD)" -o $@ $(SHARED)/$(TRANS)/xccdf-ocilcheck2ref.xslt $<
$(PRODUCT_BASH_REMEDIATIONS):
if [ -f templates/Makefile ]; \
then \
$(MAKE) -C templates bash; \
else \
mkdir -p templates/output/bash; \
fi
$(PRODUCT_ANSIBLE_REMEDIATIONS):
# todo: Create ansible target everywhere
if grep -q '^ansible:' templates/Makefile 2> /dev/null ; \
then \
$(MAKE) -C templates ansible; \
else \
mkdir -p templates/output/ansible; \
mkdir -p templates/static/ansible; \
fi
$(BUILD)/shared/output/bash:
$(MAKE) -C $(SHARED)/templates/ PREFIX_DIR=$(abspath $(BUILD)/shared) bash
$(BUILD)/shared/output/ansible:
$(MAKE) -C $(SHARED)/templates/ PREFIX_DIR=$(abspath $(BUILD)/shared) ansible
templates/static/bash:
mkdir -p $@
templates/static/ansible:
mkdir -p $@
# Common build targets - a catalogue of XCCDF remediations
product_bash_remediations_deps=$(wildcard templates/static/bash/*.sh)
shared_bash_remediations_deps= $(wildcard $(SHARED_BASH_REMEDIATIONS)/*.sh)
bash_remediations_deps= $(product_bash_remediations_deps) $(shared_bash_remediations_deps)
$(OUT)/bash-remediations.xml: $(SHARED)/$(TRANS)/combineremediations.py $(bash_remediations_deps) $(PRODUCT_BASH_REMEDIATIONS) $(BUILD)/shared/output/bash templates/static/bash
$(SHARED)/$(TRANS)/combineremediations.py $(PROD) bash $(SHARED_BASH_REMEDIATIONS) $(PRODUCT_BASH_REMEDIATIONS) templates/static/bash $(OUT)/bash-remediations.xml
# Common build targets - a catalogue of XCCDF remediations
product_ansible_remediations_deps=$(wildcard templates/static/ansible/*.sh)
shared_ansible_remediations_deps= $(wildcard $(SHARED_ANSIBLE_REMEDIATIONS)/*.sh)
ansible_remediations_deps= $(product_ansible_remediations_deps) $(shared_ansible_remediations_deps)
$(OUT)/ansible-remediations.xml: $(SHARED)/$(TRANS)/combineremediations.py $(ansible_remediations_deps) $(PRODUCT_ANSIBLE_REMEDIATIONS) $(BUILD)/shared/output/ansible templates/static/ansible
$(SHARED)/$(TRANS)/combineremediations.py $(PROD) ansible $(SHARED_ANSIBLE_REMEDIATIONS) $(PRODUCT_ANSIBLE_REMEDIATIONS) templates/static/ansible $(OUT)/ansible-remediations.xml
# Common build targets - an XCCDF with remediations but not linked to OVAL yet
# Prefer "$(OUT)/xccdf-unlinked-ocilrefs.xml" document below since it contains OCIL expanded to official OCIL-2.0 syntax
# Fixes: https://github.com/OpenSCAP/scap-security-guide/issues/1037
# Fixes: https://github.com/OpenSCAP/scap-security-guide/issues/1038
$(OUT)/xccdf-unlinked-withremediations.xml: $(OUT)/xccdf-unlinked-ocilrefs.xml $(OUT)/xccdf-unlinked-resolved.xml $(OUT)/bash-remediations.xml $(OUT)/ansible-remediations.xml $(SHARED)/$(TRANS)/xccdf-addremediations.xslt
xsltproc \
-stringparam bash_remediations "$(realpath $(OUT)/bash-remediations.xml)" \
-stringparam ansible_remediations "$(realpath $(OUT)/ansible-remediations.xml)" \
-o $@ $(SHARED)/$(TRANS)/xccdf-addremediations.xslt $(OUT)/xccdf-unlinked-ocilrefs.xml
xmllint --format --output $@ $@
# Common build targets - OVAL files
standard-oval-build:
# If openscap on the system supports OVAL-5.11 language version, include also OVAL-5.11 checks
# into final list of OVAL checks
ifeq ($(OVAL_5_11), 0)
# System supports OVAL-5.11 => propagate 'RUNTIME_OVAL_VERSION' variable into the environment
$(eval MOD_ENV := env RUNTIME_OVAL_VERSION='5.11')
$(eval STANDARD_OVAL_DIRS+=$(SHARED_OVAL_5_11) $(IN)/oval/oval_5.11)
endif
find $(OVAL_DIRS) -name "*.xml" | xargs xmlwf
$(MOD_ENV) $(SHARED)/$(TRANS)/combineovals.py $(CONF) $(PROD) $(STANDARD_OVAL_DIRS) > $(OUT)/unlinked-$(PROD)-oval.xml
xmllint --format --output $(OUT)/unlinked-$(PROD)-oval.xml $(OUT)/unlinked-$(PROD)-oval.xml
validate-bash:
ifeq ($(SHELLCHECK_AVAIL), 0)
shellcheck -s bash $(product_bash_remediations_deps)
else
@echo "Skipping ShellCheck analysis, ensure shellcheck executable is present in the PATH!"
endif
# Sanity check to verify if intended remediations got truly included into the benchmark being currently build
#
# In the case "$(OUT)/bash-remediations.xml" contains at least one "<fix rule" element and remediations got included
# properly, there needs to exist at least one "<fix system" element in the "xccdf-unlinked-withremediations.xml" file.
# If not "xsltproc" call in the $(OUT)/xccdf-unlinked-withremediations.xml target above didn't include the remediations
# (due to "warning: failed to load external entity" problem or some other error)
#
# Resign to continue building the benchmark in that case (since it would miss the remediations), print out an error
# message and exit with failure
#
$(OUT)/xccdf-unlinked-final.xml: $(OUT)/xccdf-unlinked-withremediations.xml $(OUT)/bash-remediations.xml
@if grep -q '<fix rule' "$(OUT)/bash-remediations.xml"; \
then \
# At least one "<fix rule" element is included in "$(OUT)/bash-remediations.xml" \
\
if ! grep -q '<fix system' "$(OUT)/xccdf-unlinked-withremediations.xml"; \
then \
# But "xccdf-unlinked-withremediations.xml" doesn't contain "<fix system" element \
\
echo -e "\n\tError: Can't locate remediation (\"<fix system\") elements in \"$(OUT)/xccdf-unlinked-withremediations.xml\". Exiting!\n"; \
exit 1; \
fi \
fi \
# Copy "$(OUT)/xccdf-unlinked-withremediations.xml" to "$(OUT)/xccdf-unlinked-final.xml" \
# (so subsequent targets can find the "$(OUT)/xccdf-unlinked-final.xml" prerequisite) \
cp "$(OUT)/xccdf-unlinked-withremediations.xml" "$(OUT)/xccdf-unlinked-final.xml"