

No commits in common. "2efbf43a27dbaf28978db4c97de4a5172bc855af" and "114ad77f87bba53794ac143f7cac922ddf13c6a9" have entirely different histories.

11 changed files with 324 additions and 8511 deletions



@ -1,451 +0,0 @@
From a67afa8ba2bd385c1c645972fb7a2340d9d6f5bb Mon Sep 17 00:00:00 2001
From: "steven.y.gui" <steven_ygui@163.com>
Date: Mon, 19 Feb 2024 18:59:26 +0800
Subject: [PATCH] add openeuler support
---
CMakeLists.txt | 10 ++++++
controls/std_openeuler.yml | 34 +++++++++++++++++++
.../services/ftp/package_ftp_removed/rule.yml | 2 +-
.../package_telnet-server_removed/rule.yml | 2 +-
.../telnet/package_telnet_removed/rule.yml | 2 +-
.../tftp/package_tftp-server_removed/rule.yml | 2 +-
.../tftp/package_tftp_removed/rule.yml | 2 +-
products/openeuler2203/CMakeLists.txt | 6 ++++
products/openeuler2203/product.yml | 29 ++++++++++++++++
.../openeuler2203/profiles/standard.profile | 14 ++++++++
.../openeuler2203/transforms/constants.xslt | 9 +++++
products/openeuler2403/CMakeLists.txt | 6 ++++
products/openeuler2403/product.yml | 19 +++++++++++
.../openeuler2403/profiles/standard.profile | 14 ++++++++
.../openeuler2403/transforms/constants.xslt | 9 +++++
.../oval/installed_OS_is_openeuler2203.xml | 26 ++++++++++++++
.../oval/installed_OS_is_openeuler2403.xml | 26 ++++++++++++++
.../oval/sysctl_kernel_ipv6_disable.xml | 1 +
ssg/constants.py | 6 ++++
19 files changed, 214 insertions(+), 5 deletions(-)
create mode 100644 controls/std_openeuler.yml
create mode 100644 products/openeuler2203/CMakeLists.txt
create mode 100644 products/openeuler2203/product.yml
create mode 100644 products/openeuler2203/profiles/standard.profile
create mode 100644 products/openeuler2203/transforms/constants.xslt
create mode 100644 products/openeuler2403/CMakeLists.txt
create mode 100644 products/openeuler2403/product.yml
create mode 100644 products/openeuler2403/profiles/standard.profile
create mode 100644 products/openeuler2403/transforms/constants.xslt
create mode 100644 shared/checks/oval/installed_OS_is_openeuler2203.xml
create mode 100644 shared/checks/oval/installed_OS_is_openeuler2403.xml
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 7d1cffd..d911d05 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -83,6 +83,8 @@ option(SSG_PRODUCT_RHCOS4 "If enabled, the RHCOS4 SCAP content will be built" ${
option(SSG_PRODUCT_OL7 "If enabled, the Oracle Linux 7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_OL8 "If enabled, the Oracle Linux 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_OL9 "If enabled, the Oracle Linux 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_OPENEULER2203 "If enabled, the openEuler 22.03 LTS content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_OPENEULER2403 "If enabled, the openEuler 24.03 LTS content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_RHEL8 "If enabled, the RHEL8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -277,6 +279,8 @@ message(STATUS "RHCOS4: ${SSG_PRODUCT_RHCOS4}")
message(STATUS "Oracle Linux 7: ${SSG_PRODUCT_OL7}")
message(STATUS "Oracle Linux 8: ${SSG_PRODUCT_OL8}")
message(STATUS "Oracle Linux 9: ${SSG_PRODUCT_OL9}")
+message(STATUS "openEuler 22.03 LTS: ${SSG_PRODUCT_OPENEULER2203}")
+message(STATUS "openEuler 24.03 LTS: ${SSG_PRODUCT_OPENEULER2403}")
message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}")
message(STATUS "RHEL 7: ${SSG_PRODUCT_RHEL7}")
message(STATUS "RHEL 8: ${SSG_PRODUCT_RHEL8}")
@@ -374,6 +378,12 @@ endif()
if (SSG_PRODUCT_OL9)
add_subdirectory("products/ol9" "ol9")
endif()
+if (SSG_PRODUCT_OPENEULER2203)
+ add_subdirectory("products/openeuler2203" "openeuler2203")
+endif()
+if (SSG_PRODUCT_OPENEULER2403)
+ add_subdirectory("products/openeuler2403" "openeuler2403")
+endif()
if (SSG_PRODUCT_OPENSUSE)
add_subdirectory("products/opensuse" "opensuse")
endif()
diff --git a/controls/std_openeuler.yml b/controls/std_openeuler.yml
new file mode 100644
index 0000000..5599b04
--- /dev/null
+++ b/controls/std_openeuler.yml
@@ -0,0 +1,34 @@
+---
+policy: 'Standard Benchmark for openEuler'
+title: 'Standard Benchmark for openEuler'
+id: std_openeuler
+version: '1.0'
+levels:
+ - id: base
+
+controls:
+ - id: 1.2.1_ftp_not_installed
+ title: Ensure FTP is not installed
+ levels:
+ - base
+ status: automated
+ rules:
+ - package_ftp_removed
+
+ - id: 1.2.2_tftp_server_not_installed
+ title: Ensure TFTP Server is not installed
+ levels:
+ - base
+ status: automated
+ rules:
+ - package_tftp_removed
+ - package_tftp-server_removed
+
+ - id: 1.2.3_telnet_server_not_installed
+ title: Ensure Telnet Server is not installed
+ levels:
+ - base
+ status: automated
+ rules:
+ - package_telnet_removed
+ - package_telnet-server_removed
diff --git a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
index 1129ce7..ea1c772 100644
--- a/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
+++ b/linux_os/guide/services/ftp/package_ftp_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel9
+prodtype: openeuler2203,openeuler2403,rhel9
title: 'Remove ftp Package'
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
index 6b59559..26848b4 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Uninstall telnet-server Package'
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
index 2571d50..8c77862 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
title: 'Remove telnet Clients'
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
index 93fd712..60c05ed 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Uninstall tftp-server Package'
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
index 35e0a2f..6c078d3 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: fedora,ol7,ol8,ol9,openeuler2203,openeuler2403,rhel7,rhel8,rhel9,sle12,sle15
title: 'Remove tftp Daemon'
diff --git a/products/openeuler2203/CMakeLists.txt b/products/openeuler2203/CMakeLists.txt
new file mode 100644
index 0000000..258e195
--- /dev/null
+++ b/products/openeuler2203/CMakeLists.txt
@@ -0,0 +1,6 @@
+# Sometimes our users will try to do: "cd openeuler; cmake ." That needs to error in a nice way.
+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+ssg_build_product("openeuler2203")
diff --git a/products/openeuler2203/product.yml b/products/openeuler2203/product.yml
new file mode 100644
index 0000000..89e9f8b
--- /dev/null
+++ b/products/openeuler2203/product.yml
@@ -0,0 +1,29 @@
+product: openeuler2203
+full_name: openEuler 2203
+type: platform
+
+benchmark_id: OPENEULER2203
+benchmark_root: "../../linux_os/guide"
+
+profiles_root: "./profiles"
+
+pkg_manager: "dnf"
+
+init_system: "systemd"
+
+cpes_root: "../../shared/applicability"
+cpes:
+ - openeuler2203lts:
+ name: "cpe:/o:openEuler:openEuler:22.03LTS:ga:server"
+ title: "openEuler 22.03 LTS"
+ check_id: installed_OS_is_openeuler2203
+
+ - openeuler2203lts-sp1:
+ name: "cpe:/o:openEuler:openEuler:22.03LTS_SP1:ga:server"
+ title: "openEuler 22.03 LTS SP1"
+ check_id: installed_OS_is_openeuler2203
+
+ - openeuler2203lts-sp2:
+ name: "cpe:/o:openEuler:openEuler:22.03LTS_SP2:ga:server"
+ title: "openEuler 22.03 LTS SP2"
+ check_id: installed_OS_is_openeuler2203
diff --git a/products/openeuler2203/profiles/standard.profile b/products/openeuler2203/profiles/standard.profile
new file mode 100644
index 0000000..8a7ae9c
--- /dev/null
+++ b/products/openeuler2203/profiles/standard.profile
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0
+
+title: 'Standard System Security Profile for openEuler 22.03 LTS'
+
+description: |-
+ This profile contains rules to ensure standard security baseline
+ of an openEuler system. Regardless of your system's workload
+ all of these checks should pass.
+
+selections:
+ - std_openeuler:all:base
diff --git a/products/openeuler2203/transforms/constants.xslt b/products/openeuler2203/transforms/constants.xslt
new file mode 100644
index 0000000..666c119
--- /dev/null
+++ b/products/openeuler2203/transforms/constants.xslt
@@ -0,0 +1,9 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">openEuler2203</xsl:variable>
+<xsl:variable name="product_short_name">openEuler2203</xsl:variable>
+<xsl:variable name="prod_type">openeuler2203</xsl:variable>
+
+</xsl:stylesheet>
diff --git a/products/openeuler2403/CMakeLists.txt b/products/openeuler2403/CMakeLists.txt
new file mode 100644
index 0000000..4f7da6b
--- /dev/null
+++ b/products/openeuler2403/CMakeLists.txt
@@ -0,0 +1,6 @@
+# Sometimes our users will try to do: "cd openeuler; cmake ." That needs to error in a nice way.
+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+ssg_build_product("openeuler2403")
diff --git a/products/openeuler2403/product.yml b/products/openeuler2403/product.yml
new file mode 100644
index 0000000..c27aaa8
--- /dev/null
+++ b/products/openeuler2403/product.yml
@@ -0,0 +1,19 @@
+product: openeuler2403
+full_name: openEuler2403
+type: platform
+
+benchmark_id: OPENEULER2403
+benchmark_root: "../../linux_os/guide"
+
+profiles_root: "./profiles"
+
+pkg_manager: "dnf"
+
+init_system: "systemd"
+
+cpes_root: "../../shared/applicability"
+cpes:
+ - openeuler2403:
+ name: "cpe:/o:openEuler:openEuler:24.03LTS:ga:server"
+ title: "openEuler 24.03 LTS"
+ check_id: installed_OS_is_openeuler2403
diff --git a/products/openeuler2403/profiles/standard.profile b/products/openeuler2403/profiles/standard.profile
new file mode 100644
index 0000000..e4e9450
--- /dev/null
+++ b/products/openeuler2403/profiles/standard.profile
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0
+
+title: 'Standard System Security Profile for openEuler'
+
+description: |-
+ This profile contains rules to ensure standard security baseline
+ of all openEuler systems. Regardless of your system's workload
+ all of these checks should pass.
+
+selections:
+ - std_openeuler:all:base
diff --git a/products/openeuler2403/transforms/constants.xslt b/products/openeuler2403/transforms/constants.xslt
new file mode 100644
index 0000000..60286a9
--- /dev/null
+++ b/products/openeuler2403/transforms/constants.xslt
@@ -0,0 +1,9 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">openEuler2403</xsl:variable>
+<xsl:variable name="product_short_name">openEuler2403</xsl:variable>
+<xsl:variable name="prod_type">openeuler2403</xsl:variable>
+
+</xsl:stylesheet>
diff --git a/shared/checks/oval/installed_OS_is_openeuler2203.xml b/shared/checks/oval/installed_OS_is_openeuler2203.xml
new file mode 100644
index 0000000..6a1ce97
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_openeuler2203.xml
@@ -0,0 +1,26 @@
+<def-group>
+ <definition class="inventory" id="installed_OS_is_openeuler2203" version="1">
+ <metadata>
+ <title>openEuler 22.03 LTS</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>The operating system installed on the system is openEuler 22.03 LTS.</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion comment="openEuler 22.03 LTS is installed" test_ref="test_openeuler2203_installed" />
+ </criteria>
+ </definition>
+
+ <linux:rpminfo_test check="all" check_existence="all_exist" comment="openEuler 22.03 LTS is installed" id="test_openeuler2203_installed" version="1">
+ <linux:object object_ref="obj_openeuler2203_installed" />
+ <linux:state state_ref="state_openeuler2203_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_state id="state_openeuler2203_installed" version="1">
+ <linux:version operation="pattern match">^22\.03.*$</linux:version>
+ </linux:rpminfo_state>
+ <linux:rpminfo_object id="obj_openeuler2203_installed" version="1">
+ <linux:name>openEuler-release</linux:name>
+ </linux:rpminfo_object>
+
+</def-group>
diff --git a/shared/checks/oval/installed_OS_is_openeuler2403.xml b/shared/checks/oval/installed_OS_is_openeuler2403.xml
new file mode 100644
index 0000000..31c6084
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_openeuler2403.xml
@@ -0,0 +1,26 @@
+<def-group>
+ <definition class="inventory" id="installed_OS_is_openeuler2403" version="1">
+ <metadata>
+ <title>openEuler</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>The operating system installed on the system is openEuler 24.03 LTS</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion comment="openEuler 24.03 LTS is installed" test_ref="test_openeuler2403_installed" />
+ </criteria>
+ </definition>
+
+ <linux:rpminfo_test check="all" check_existence="all_exist" comment="openEuler 24.03 LTS is installed" id="test_openeuler2403_installed" version="1">
+ <linux:object object_ref="obj_openeuler2403_installed" />
+ <linux:state state_ref="state_openeuler2403_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_state id="state_openeuler2403_installed" version="1">
+ <linux:version operation="pattern match">^24\.03.*$</linux:version>
+ </linux:rpminfo_state>
+ <linux:rpminfo_object id="obj_openeuler2403_installed" version="1">
+ <linux:name>openEuler-release</linux:name>
+ </linux:rpminfo_object>
+
+</def-group>
diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
index affb977..593ecda 100644
--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
@@ -8,6 +8,7 @@
<platform>multi_platform_debian</platform>
<platform>multi_platform_example</platform>
<platform>multi_platform_fedora</platform>
+ <platform>multi_platform_openeuler</platform>
<platform>multi_platform_opensuse</platform>
<platform>multi_platform_ol</platform>
<platform>multi_platform_rhcos</platform>
diff --git a/ssg/constants.py b/ssg/constants.py
index f66ba00..ff5bb02 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -50,6 +50,7 @@ product_directories = [
'ocp4',
'rhcos4',
'ol7', 'ol8', 'ol9',
+ 'openeuler2203', 'openeuler2403',
'opensuse',
'rhel7', 'rhel8', 'rhel9',
'rhv4',
@@ -207,6 +208,8 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
"Oracle Linux 7": "ol7",
"Oracle Linux 8": "ol8",
"Oracle Linux 9": "ol9",
+ "openEuler 2203": "openeuler2203",
+ "openEuler 2403": "openeuler2403",
"openSUSE": "opensuse",
"Red Hat Enterprise Linux 7": "rhel7",
"Red Hat Enterprise Linux 8": "rhel8",
@@ -266,6 +269,7 @@ REFERENCES = dict(
MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
+ "openeuler",
"opensuse", "sle", "ol", "ocp", "rhcos",
"example", "eks", "alinux", "uos", "anolis"]
@@ -276,6 +280,7 @@ MULTI_PLATFORM_MAPPING = {
"multi_platform_example": ["example"],
"multi_platform_eks": ["eks"],
"multi_platform_fedora": ["fedora"],
+ "multi_platform_openeuler": ["openeuler2203", "openeuler2403"],
"multi_platform_opensuse": ["opensuse"],
"multi_platform_ol": ["ol7", "ol8", "ol9"],
"multi_platform_ocp": ["ocp4"],
@@ -447,6 +452,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
'uos': 'UnionTech OS Server',
'eap': 'JBoss Enterprise Application Platform',
'fuse': 'JBoss Fuse',
+ 'openeuler': 'openEuler',
'opensuse': 'openSUSE',
'sle': 'SUSE Linux Enterprise',
'example': 'Example',
--
2.21.0.windows.1


@ -0,0 +1,55 @@
From b0adc1d53780def4a95e310b6d26bb91ee97177e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 8 Jun 2020 13:27:41 +0200
Subject: [PATCH] fix deprecated getiterator function
Signed-off-by: HuaxinLu <luhuaxin1@huawei.com>
---
ssg/build_cpe.py | 6 +++---
ssg/id_translate.py | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/ssg/build_cpe.py b/ssg/build_cpe.py
index 2e5d24a5da..8c046777a5 100644
--- a/ssg/build_cpe.py
+++ b/ssg/build_cpe.py
@@ -17,7 +17,7 @@ def extract_subelement(objects, sub_elem_type):
"""
for obj in objects:
- for subelement in obj.getiterator():
+ for subelement in obj.iter():
if subelement.get(sub_elem_type):
sub_element = subelement.get(sub_elem_type)
return sub_element
@@ -44,12 +44,12 @@ def extract_referred_nodes(tree_with_refs, tree_with_ids, attrname):
reflist = []
elementlist = []
- for element in tree_with_refs.getiterator():
+ for element in tree_with_refs.iter():
value = element.get(attrname)
if value is not None:
reflist.append(value)
- for element in tree_with_ids.getiterator():
+ for element in tree_with_ids.iter():
if element.get("id") in reflist:
elementlist.append(element)
diff --git a/ssg/id_translate.py b/ssg/id_translate.py
index 72b07be181..ba92259049 100644
--- a/ssg/id_translate.py
+++ b/ssg/id_translate.py
@@ -64,7 +64,7 @@ class IDTranslator(object):
)
def translate(self, tree, store_defname=False):
- for element in tree.getiterator():
+ for element in tree.iter():
idname = element.get("id")
if idname:
# store the old name if requested (for OVAL definitions)
--
2.30.0


@ -0,0 +1,40 @@
From e435bf2dc59d652710104a1c59332e410b12bb64 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 8 Jun 2020 12:33:48 +0200
Subject: [PATCH] fix deprecated instance of element.getchildren
Signed-off-by: HuaxinLu <luhuaxin1@huawei.com>
---
ssg/build_remediations.py | 2 +-
ssg/build_stig.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index fdde0f268a..c18d6bd549 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -735,7 +735,7 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
# First concat output form of modified fix text (including text appended
# to all children of the fix)
modfix = [fix.text]
- for child in fix.getchildren():
+ for child in list(fix):
if child is not None and child.text is not None:
modfix.append(child.text)
modfixtext = "".join(modfix)
diff --git a/ssg/build_stig.py b/ssg/build_stig.py
index 528285f3d1..6122981fcb 100644
--- a/ssg/build_stig.py
+++ b/ssg/build_stig.py
@@ -38,7 +38,7 @@ def add_references(reference, destination):
for ref in refs:
if (ref.get('href').startswith(stig_refs) and
ref.text in dictionary):
- index = rule.getchildren().index(ref)
+ index = list(rule).index(ref)
new_ref = ET.Element(
'{%s}reference' % XCCDF11_NS, {'href': stig_ns})
new_ref.text = dictionary[ref.text]
--
2.30.0


@ -0,0 +1,124 @@
From 435ad2a81f4d56da42a2b24cad9e0e04d0523fd4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 9 Jun 2020 18:55:42 +0200
Subject: [PATCH] fix for older python versions lacking .iter method
Signed-off-by: HuaxinLu <luhuaxin1@huawei.com>
---
build-scripts/verify_references.py | 8 +++++-
.../pcidss/transform_benchmark_to_pcidss.py | 8 +++++-
ssg/build_cpe.py | 28 +++++++++++++++++--
ssg/id_translate.py | 9 +++++-
4 files changed, 47 insertions(+), 6 deletions(-)
diff --git a/build-scripts/verify_references.py b/build-scripts/verify_references.py
index 95d387f46f..003aa4c48c 100755
--- a/build-scripts/verify_references.py
+++ b/build-scripts/verify_references.py
@@ -179,7 +179,13 @@ def main():
check_content_refs = xccdftree.findall(".//{%s}check-content-ref"
% xccdf_ns)
- xccdf_parent_map = dict((c, p) for p in xccdftree.iter() for c in p)
+ # decide on usage of .iter or .getiterator method of elementtree class.
+ # getiterator is deprecated in Python 3.9, but iter is not available in
+ # older versions
+ if getattr(xccdftree, 'iter', None) == None:
+ xccdf_parent_map = dict((c, p) for p in xccdftree.getiterator() for c in p)
+ else:
+ xccdf_parent_map = dict((c, p) for p in xccdftree.iter() for c in p)
# now we can actually do the verification work here
if options.rules_with_invalid_checks or options.all_checks:
for check_content_ref in check_content_refs:
diff --git a/shared/transforms/pcidss/transform_benchmark_to_pcidss.py b/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
index c94b12c45c..05df5a9889 100755
--- a/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
+++ b/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
@@ -111,7 +111,13 @@ def main():
benchmark.findall(".//{%s}Value" % (XCCDF_NAMESPACE)):
values.append(value)
- parent_map = dict((c, p) for p in benchmark.iter() for c in p)
+ # decide on usage of .iter or .getiterator method of elementtree class.
+ # getiterator is deprecated in Python 3.9, but iter is not available in
+ # older versions
+ if getattr(benchmark, "iter", None) == None:
+ parent_map = dict((c, p) for p in benchmark.getiterator() for c in p)
+ else:
+ parent_map = dict((c, p) for p in benchmark.iter() for c in p)
for rule in \
benchmark.findall(".//{%s}Rule" % (XCCDF_NAMESPACE)):
parent_map[rule].remove(rule)
diff --git a/ssg/build_cpe.py b/ssg/build_cpe.py
index 8c046777a5..26f182395e 100644
--- a/ssg/build_cpe.py
+++ b/ssg/build_cpe.py
@@ -17,7 +17,14 @@ def extract_subelement(objects, sub_elem_type):
"""
for obj in objects:
- for subelement in obj.iter():
+ # decide on usage of .iter or .getiterator method of elementtree class.
+ # getiterator is deprecated in Python 3.9, but iter is not available in
+ # older versions
+ if getattr(obj, "iter", None) == None:
+ obj_iterator = obj.getiterator()
+ else:
+ obj_iterator = obj.iter()
+ for subelement in obj_iterator:
if subelement.get(sub_elem_type):
sub_element = subelement.get(sub_elem_type)
return sub_element
@@ -44,12 +51,27 @@ def extract_referred_nodes(tree_with_refs, tree_with_ids, attrname):
reflist = []
elementlist = []
- for element in tree_with_refs.iter():
+
+ # decide on usage of .iter or .getiterator method of elementtree class.
+ # getiterator is deprecated in Python 3.9, but iter is not available in
+ # older versions
+ if getattr(tree_with_refs, "iter", None) == None:
+ tree_with_refs_iterator = tree_with_refs.getiterator()
+ else:
+ tree_with_refs_iterator = tree_with_refs.iter()
+ for element in tree_with_refs_iterator:
value = element.get(attrname)
if value is not None:
reflist.append(value)
- for element in tree_with_ids.iter():
+ # decide on usage of .iter or .getiterator method of elementtree class.
+ # getiterator is deprecated in Python 3.9, but iter is not available in
+ # older versions
+ if getattr(tree_with_ids, "iter", None) == None:
+ tree_with_ids_iterator = tree_with_ids.getiterator()
+ else:
+ tree_with_ids_iterator = tree_with_ids.iter()
+ for element in tree_with_ids_iterator:
if element.get("id") in reflist:
elementlist.append(element)
diff --git a/ssg/id_translate.py b/ssg/id_translate.py
index ba92259049..520c47fbfd 100644
--- a/ssg/id_translate.py
+++ b/ssg/id_translate.py
@@ -64,7 +64,14 @@ class IDTranslator(object):
)
def translate(self, tree, store_defname=False):
- for element in tree.iter():
+ # decide on usage of .iter or .getiterator method of elementtree class.
+ # getiterator is deprecated in Python 3.9, but iter is not available in
+ # older versions
+ if getattr(tree, "iter", None) == None:
+ tree_iterator = tree.getiterator()
+ else:
+ tree_iterator = tree.iter()
+ for element in tree_iterator:
idname = element.get("id")
if idname:
# store the old name if requested (for OVAL definitions)
--
2.30.0
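Review bot: The guard `if getattr(xccdftree, 'iter', None) == None:` in the verify_references.py hunk, and its four copies in transform_benchmark_to_pcidss.py, build_cpe.py and id_translate.py, compares against None with `==`; the idiomatic form is `if not hasattr(xccdftree, 'iter'):` (or at least `is None`), which also avoids invoking a custom `__eq__` on whatever `getattr` returns. The same seven-line decision block is pasted five times across four files; if this backport is maintained locally rather than carried verbatim from upstream, a single helper in ssg/xml.py such as `def iter_elements(node): return node.iter() if hasattr(node, 'iter') else node.getiterator()` would keep the compatibility choice in one place and make the eventual removal of the `getiterator` path a one-line change. Every hunk here is cut from the middle of its enclosing function, so the surrounding control flow is not visible in this section.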


@ -0,0 +1,43 @@
From 27dc7ecafe8ab5c2e0bbbb2fcdc399bece5c250e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 8 Jun 2020 12:02:16 +0200
Subject: [PATCH] fix python imports of ElementTree
Signed-off-by: HuaxinLu <luhuaxin1@huawei.com>
---
shared/transforms/pcidss/transform_benchmark_to_pcidss.py | 5 ++++-
ssg/xml.py | 2 +-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/shared/transforms/pcidss/transform_benchmark_to_pcidss.py b/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
index 3023e0435f..0ceaf727d3 100755
--- a/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
+++ b/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
@@ -20,7 +20,10 @@
# Martin Preisler <mpreisle@redhat.com>
import logging
-from xml.etree import cElementTree as ElementTree
+try:
+ from xml.etree import cElementTree as ElementTree
+except ImportError:
+ from xml.etree import ElementTree as ElementTree
import json
import sys
import os
diff --git a/ssg/xml.py b/ssg/xml.py
index 736875a9d2..71c1381c23 100644
--- a/ssg/xml.py
+++ b/ssg/xml.py
@@ -9,7 +9,7 @@ from .constants import xml_version, oval_header, timestamp, PREFIX_TO_NS
try:
from xml.etree import cElementTree as ElementTree
except ImportError:
- import cElementTree as ElementTree
+ from xml.etree import ElementTree as ElementTree
def oval_generated_header(product_name, schema_version, ssg_version):
--
2.30.0
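Review bot: The fallback `from xml.etree import ElementTree as ElementTree` in both hunks aliases a name to itself; `from xml.etree import ElementTree` is equivalent and reads cleaner. A one-line comment above each `try:` would tell the next packager why the import is guarded, since neither hunk says so, e.g. `# xml.etree.cElementTree was removed in Python 3.9; the pure-Python module is API-compatible`.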


@ -0,0 +1,54 @@
From a0da16c5eeb9a7414f7f2a37a6b270c8d04b2ddf Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 8 Jun 2020 14:01:55 +0200
Subject: [PATCH] fix remaining getchildren and getiterator functions
Signed-off-by: HuaxinLu <luhuaxin1@huawei.com>
---
build-scripts/sds_move_ocil_to_checks.py | 2 +-
build-scripts/verify_references.py | 2 +-
shared/transforms/pcidss/transform_benchmark_to_pcidss.py | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/build-scripts/sds_move_ocil_to_checks.py b/build-scripts/sds_move_ocil_to_checks.py
index 5f5139659e..64dc19084d 100755
--- a/build-scripts/sds_move_ocil_to_checks.py
+++ b/build-scripts/sds_move_ocil_to_checks.py
@@ -106,7 +106,7 @@ def move_ocil_content_from_ds_extended_component_to_ds_component(datastreamtree,
timestamp = extendedcomp.get('timestamp')
# Get children elements of <ds:extended-component> containing OCIL content
- extchildren = extendedcomp.getchildren()
+ extchildren = list(extendedcomp)
# There should be just one OCIL subcomponent in <ds:extended-component>
if len(extchildren) != 1:
sys.stderr.write("ds:extended-component contains more than one element!"
diff --git a/build-scripts/verify_references.py b/build-scripts/verify_references.py
index 69b3e2d1f7..95d387f46f 100755
--- a/build-scripts/verify_references.py
+++ b/build-scripts/verify_references.py
@@ -179,7 +179,7 @@ def main():
check_content_refs = xccdftree.findall(".//{%s}check-content-ref"
% xccdf_ns)
- xccdf_parent_map = dict((c, p) for p in xccdftree.getiterator() for c in p)
+ xccdf_parent_map = dict((c, p) for p in xccdftree.iter() for c in p)
# now we can actually do the verification work here
if options.rules_with_invalid_checks or options.all_checks:
for check_content_ref in check_content_refs:
diff --git a/shared/transforms/pcidss/transform_benchmark_to_pcidss.py b/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
index 0ceaf727d3..c94b12c45c 100755
--- a/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
+++ b/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
@@ -111,7 +111,7 @@ def main():
benchmark.findall(".//{%s}Value" % (XCCDF_NAMESPACE)):
values.append(value)
- parent_map = dict((c, p) for p in benchmark.getiterator() for c in p)
+ parent_map = dict((c, p) for p in benchmark.iter() for c in p)
for rule in \
benchmark.findall(".//{%s}Rule" % (XCCDF_NAMESPACE)):
parent_map[rule].remove(rule)
--
2.30.0


Binary file not shown.

Binary file not shown.


@ -1,14 +1,16 @@
Name: scap-security-guide
Version: 0.1.68
Release: 4
Version: 0.1.49
Release: 2
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
Patch0001: add-openeuler-support.patch
Patch0002: add-openeuler-control-rules.patch
Patch0003: optimize-rules-for-openEuler.patch
Patch0001:backport-fix-python-imports-of-ElementTree.patch
Patch0002:backport-fix-deprecated-instance-of-element.getchildren.patch
Patch0003:backport-fix-deprecated-getiterator-function.patch
Patch0004:backport-fix-remaining-getchildren-and-getiterator-functions.patch
Patch0005:backport-fix-for-older-python-versions-lacking-.iter-method.patch
BuildArch: noarch
BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML
@ -41,7 +43,7 @@ mkdir build
%build
cd build
%cmake -DSSG_SCE_ENABLED=ON ../
%cmake ../
%make_build
%install
@ -52,7 +54,6 @@ cd build
%{_datadir}/xml/scap/ssg/content
%{_datadir}/%{name}/kickstart
%{_datadir}/%{name}/ansible
%{_datadir}/%{name}/tailoring
%{_datadir}/%{name}/bash
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
%doc %{_docdir}/%{name}/LICENSE
@ -64,21 +65,6 @@ cd build
%doc %{_docdir}/%{name}/tables/*.html
%changelog
* Sat Feb 24 2024 wangqingsan <wangqingsan@huawei.com> - 0.1.68-4
- optimiz rules for openEuler
* Mon Feb 19 2024 steven <steven_ygui@163.com> - 0.1.68-3
- add openEuler 2403 LTS supporting and remove openEuler general version supporting
* Mon Oct 9 2023 steven <steven_ygui@163.com> - 0.1.68-2
- add openeuler supporting and add 100+ control rules
* Tue Jul 18 2023 xu_ping <707078654@qq.com> - 0.1.68-1
- Upgrade to 0.1.68
* Fri Dec 30 2022 xuxinyu <xuxinyu@xfusion.com> - 0.1.49-3
- Fix test scenarios for OSPP profile
* Sat Feb 26 2022 HuaxinLu <luhuaxin1@huawei.com> - 0.1.49-2
- fix for python upgrade
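Review bot: The five `Patch000N:backport-…` tags in the preamble hunk have no space after the tag colon, while every other tag in the same hunk (`Source0: …`, `BuildArch: …`) does; rpmbuild accepts both forms, but the file should stay consistent, e.g. `Patch0001: backport-fix-python-imports-of-ElementTree.patch`. The rendering has dropped the +/- markers, so which side of each pair is the new one is inferred only from the Version/Release that pairs with each patch list (0.1.49-2 with the backport patches, 0.1.68-4 with the openEuler patches); if that reading is wrong the note applies to the other side. In the `%build` hunk the two `%cmake` lines differ only by `-DSSG_SCE_ENABLED=ON`, which controls whether Script Check Engine content is built into the shipped datastreams; whichever side is kept, the corresponding changelog entry should record that choice, as none of the visible entries mention it.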