rpms / scap-security-guide

Clone
Source Code
GIT

Files

  1.   fe0dde01a42673c3eda1933c38a8f78dbff6c1de
  2.   SOURCES
  3.   scap-security-guide-0.1.53-introduce_package_platform_name_overrides-PR_6047.patch
Blob Blame History Raw 
From 7c0b04c157374e9251360d1d5e12a9e00dd4375e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 4 Sep 2020 09:50:54 +0200
Subject: [PATCH 1/3] Introduce platform_package_overrides

Introduce a mapping of CPE package platform name to a package name.

Each linux distro or version may have its specific name for a package,
this mapping allows a product to override the package name of a
platorm.

By default, it assumes that the package name will be the same as the
platform name.
---
 rhel8/product.yml         | 7 +++++++
 ssg/build_remediations.py | 3 +++
 2 files changed, 10 insertions(+)

diff --git a/rhel8/product.yml b/rhel8/product.yml
index 6cdc51919e..6b5b4e2748 100644
--- a/rhel8/product.yml
+++ b/rhel8/product.yml
@@ -18,3 +18,10 @@ aux_pkg_version: "d4082792"
 
 release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
 auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+  grub2: "grub2-pc"
+  login_defs: "shadow-utils"
+  sssd: "sssd-common"
+  zipl: "s390x-utils"
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index 866450dd8c..ccbdf9fc1f 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -389,6 +389,9 @@ def update_when_from_rule(self, to_update):
                 if "package_facts" in to_update:
                     continue
 
+                if platform in self.local_env_yaml["platform_package_overrides"]:
+                    platform = self.local_env_yaml["platform_package_overrides"].get(platform)
+
                 additional_when.append('"' + platform + '" in ansible_facts.packages')
                 # After adding the conditional, we need to make sure package_facts are collected.
                 # This is done via inject_package_facts_task()

From 10dc62084cf8e38be9189b527c3b99b545826091 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 4 Sep 2020 14:42:57 +0200
Subject: [PATCH 2/3] Move platform to cpe mappings to ssg/constants

---
 rhel8/product.yml | 6 ------
 ssg/constants.py  | 8 ++++++++
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/rhel8/product.yml b/rhel8/product.yml
index 6b5b4e2748..d839b23231 100644
--- a/rhel8/product.yml
+++ b/rhel8/product.yml
@@ -19,9 +19,3 @@ aux_pkg_version: "d4082792"
 release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
 auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
 
-# Mapping of CPE platform to package
-platform_package_overrides:
-  grub2: "grub2-pc"
-  login_defs: "shadow-utils"
-  sssd: "sssd-common"
-  zipl: "s390x-utils"
diff --git a/ssg/constants.py b/ssg/constants.py
index 3f9d7d37ce..7e9678241c 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -501,6 +501,14 @@
     "zipl": "cpe:/a:zipl",
 }
 
+# Default platform to package mapping
+XCCDF_PLATFORM_TO_PACKAGE = {
+  "grub2": "grub2-pc",
+  "login_defs": "login",
+  "sssd": "sssd-common",
+  "zipl": "s390x-utils",
+}
+
 # _version_name_map = {
 MAKEFILE_ID_TO_PRODUCT_MAP = {
     'chromium': 'Google Chromium Browser',

From feb012f06adae989138be15431020f2c174becc4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 4 Sep 2020 14:47:29 +0200
Subject: [PATCH 3/3] Allow override of default platform package mapping

With default platform to package mappings defined, we need to allow a
product to override it if needed.
---
 rhcos4/product.yml  | 4 ++++
 rhel6/product.yml   | 4 ++++
 rhel7/product.yml   | 4 ++++
 rhel8/product.yml   | 3 +++
 rhosp10/product.yml | 3 +++
 rhosp13/product.yml | 4 ++++
 rhv4/product.yml    | 4 ++++
 ssg/yaml.py         | 6 +++++-
 8 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/rhcos4/product.yml b/rhcos4/product.yml
index 7d51222952..71f0ae2758 100644
--- a/rhcos4/product.yml
+++ b/rhcos4/product.yml
@@ -9,3 +9,7 @@ profiles_root: "./profiles"
 pkg_system: "rpm"
 
 init_system: "systemd"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+  login_defs: "shadow-utils"
diff --git a/rhel6/product.yml b/rhel6/product.yml
index cc8fa4f8ed..eab9b80c47 100644
--- a/rhel6/product.yml
+++ b/rhel6/product.yml
@@ -20,3 +20,7 @@ aux_pkg_version: "2fa658e0"
 
 release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
 auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+  login_defs: "shadow-utils"
diff --git a/rhel7/product.yml b/rhel7/product.yml
index f03c928b8f..3ff996b8cc 100644
--- a/rhel7/product.yml
+++ b/rhel7/product.yml
@@ -18,3 +18,7 @@ aux_pkg_version: "2fa658e0"
 
 release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
 auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+  login_defs: "shadow-utils"
diff --git a/rhel8/product.yml b/rhel8/product.yml
index d839b23231..f3aa59faec 100644
--- a/rhel8/product.yml
+++ b/rhel8/product.yml
@@ -19,3 +19,6 @@ aux_pkg_version: "d4082792"
 release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
 auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
 
+# Mapping of CPE platform to package
+platform_package_overrides:
+  login_defs: "shadow-utils"
diff --git a/rhosp10/product.yml b/rhosp10/product.yml
index 51d0a932a5..af42ca998d 100644
--- a/rhosp10/product.yml
+++ b/rhosp10/product.yml
@@ -10,3 +10,6 @@ pkg_manager: "yum"
 
 init_system: "systemd"
 
+# Mapping of CPE platform to package
+platform_package_overrides:
+  login_defs: "shadow-utils"
diff --git a/rhosp13/product.yml b/rhosp13/product.yml
index 5e849ff609..ba42a31cd7 100644
--- a/rhosp13/product.yml
+++ b/rhosp13/product.yml
@@ -9,3 +9,7 @@ profiles_root: "./profiles"
 pkg_manager: "yum"
 
 init_system: "systemd"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+  login_defs: "shadow-utils"
diff --git a/rhv4/product.yml b/rhv4/product.yml
index 10a2eda079..a61bf1588d 100644
--- a/rhv4/product.yml
+++ b/rhv4/product.yml
@@ -18,3 +18,7 @@ aux_pkg_version: "d4082792"
 
 release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
 auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+  login_defs: "shadow-utils"
diff --git a/ssg/yaml.py b/ssg/yaml.py
index cefbba374c..22cf5bad66 100644
--- a/ssg/yaml.py
+++ b/ssg/yaml.py
@@ -10,7 +10,8 @@
 
 from .jinja import load_macros, process_file
 from .constants import (PKG_MANAGER_TO_SYSTEM,
-                        PKG_MANAGER_TO_CONFIG_FILE)
+                        PKG_MANAGER_TO_CONFIG_FILE,
+                        XCCDF_PLATFORM_TO_PACKAGE)
 from .constants import DEFAULT_UID_MIN
 
 try:
@@ -138,6 +139,9 @@ def open_raw(yaml_file):
 
 def open_environment(build_config_yaml, product_yaml):
     contents = open_raw(build_config_yaml)
+    # Load common platform package mappings,
+    # any specific mapping in product_yaml will override the default
+    contents["platform_package_overrides"] = XCCDF_PLATFORM_TO_PACKAGE
     contents.update(open_raw(product_yaml))
     contents.update(_get_implied_properties(contents))
     return contents

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation