From 647bb4589814bc9bdc6cf7ac6ab2a1d303636516 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jun 19 2021 04:26:38 +0000
Subject: import scap-security-guide-0.1.56-2.el8

---

diff --git a/SOURCES/scap-security-guide-0.1.57-ansible-playbooks-per-rule-PR_7039.patch b/SOURCES/scap-security-guide-0.1.57-ansible-playbooks-per-rule-PR_7039.patch
new file mode 100644
index 0000000..9a1a330
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.57-ansible-playbooks-per-rule-PR_7039.patch
@@ -0,0 +1,76 @@
+commit c58a2b0af3c8094446df1850cb1c943d51b2ec5f
+Author: Gabriel Becker
+Date: Tue Jun 8 13:40:28 2021 +0200
+
+ Add option to enable installation of individual ansible playbooks per rule.
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 6995944..bd317c0 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -46,6 +46,7 @@ option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck vali
+ option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE)
+ option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the SVG SCAP Security Guide logo." TRUE)
+ option(SSG_SEPARATE_SCAP_FILES_ENABLED "If enabled, separate SCAP files (OVAL, XCCDF, CPE dict, ...) will be installed alongside the source data-streams" TRUE)
++option(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED "If enabled, Ansible Playbooks for each rule will be built and installed." FALSE)
+ option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
+ option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
+ set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
+@@ -231,6 +232,7 @@ message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENA
+ message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}")
+ message(STATUS "SVG logo in XCCDFs: ${SSG_SVG_IN_XCCDF_ENABLED}")
+ message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}")
++message(STATUS "Ansible Playbooks Per Rule: ${SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED}")
+ if (SSG_JINJA2_CACHE_ENABLED)
+ message(STATUS "jinja2 cache: enabled")
+ message(STATUS "jinja2 cache dir: ${SSG_JINJA2_CACHE_DIR}")
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index b487a0b..b7db7fd 100644
+--- a/cmake/SSGCommon.cmake
++++ b/cmake/SSGCommon.cmake
+@@ -746,8 +746,12 @@ macro(ssg_build_product PRODUCT)
+ ssg_build_xccdf_unlinked(${PRODUCT})
+ ssg_build_ocil_unlinked(${PRODUCT})
+ ssg_build_remediations(${PRODUCT})
+- if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
++ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}" AND SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
+ ssg_build_ansible_playbooks(${PRODUCT})
++ add_dependencies(
++ ${PRODUCT}-content
++ generate-${PRODUCT}-ansible-playbooks
++ )
+ endif()
+ ssg_build_xccdf_with_remediations(${PRODUCT})
+ ssg_build_oval_unlinked(${PRODUCT})
+@@ -778,10 +782,6 @@ macro(ssg_build_product PRODUCT)
+ add_dependencies(zipfile "generate-ssg-${PRODUCT}-ds.xml")
+
+ if ("${PRODUCT_ANSIBLE_REMEDIATION_ENABLED}")
+- add_dependencies(
+- ${PRODUCT}-content
+- generate-${PRODUCT}-ansible-playbooks
+- )
+ ssg_build_profile_playbooks(${PRODUCT})
+ add_custom_target(
+ ${PRODUCT}-profile-playbooks
+@@ -885,6 +885,20 @@ macro(ssg_build_product PRODUCT)
+ endif()
+ "
+ )
++ if(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED)
++ install(
++ CODE "
++ file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*\") \n
++ if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks)
++ file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\"
++ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
++ else()
++ file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}\"
++ TYPE FILE FILES \${PLAYBOOK_PER_RULE_FILES})
++ endif()
++ "
++ )
++ endif()
+
+ # grab all the kickstarts (if any) and install them
+ file(GLOB KICKSTART_FILES "${CMAKE_CURRENT_SOURCE_DIR}/kickstart/ssg-${PRODUCT}-*-ks.cfg")
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index 3168f54..ec82c63 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -3,7 +3,7 @@
 Name: scap-security-guide
 Version: 0.1.56
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Security guidance and baselines in SCAP formats
 Group: Applications/System
 License: BSD
@@ -16,6 +16,7 @@ Patch0: disable-not-in-good-shape-profiles.patch
 Patch1: scap-security-guide-0.1.57-select_seboolean_rules_for_ANSSI-PR_6988.patch
 Patch2: scap-security-guide-0.1.57-add_rule_sudo_add_passwd_timeout-PR_6984.patch
 Patch3: scap-security-guide-0.1.57-update_ANSSI_profiles_metadata-PR_6997.patch
+Patch4: scap-security-guide-0.1.57-ansible-playbooks-per-rule-PR_7039.patch
 BuildArch: noarch
@@ -48,12 +49,23 @@ The %{name}-doc package contains HTML formatted documents containing
 hardening guidances that have been generated from XCCDF benchmarks
 present in %{name} package.
+%if %{defined rhel}
+%package rule-playbooks
+Summary: Ansible playbooks per each rule.
+Group: System Environment/Base
+Requires: %{name} = %{version}-%{release}
+
+%description rule-playbooks
+The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
+%endif
+
 %prep
 %setup -q -b 1
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 mkdir build
 %build
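Review bot: The new install(CODE) block globs `${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*`, so everything that happens to be in that build directory at install time is shipped under `rule_playbooks/${PRODUCT}`, not just the generated playbooks, and a subdirectory matched by the glob would be handed to a `TYPE FILE` install; narrowing it to `file(GLOB PLAYBOOK_PER_RULE_FILES \"${CMAKE_BINARY_DIR}/${PRODUCT}/playbooks/*.yml\")` keeps stray or partial artifacts out of the package. `${SSG_ANSIBLE_ROLE_INSTALL_DIR}` is expanded unquoted in the `if(NOT IS_ABSOLUTE ...)` test, which misbehaves on a path containing spaces or semicolons; this looks like it mirrors the preceding install(CODE) block, so it is a pre-existing pattern rather than new exposure, but quoting it here costs nothing. In the first SSGCommon.cmake hunk the `add_dependencies(${PRODUCT}-content generate-${PRODUCT}-ansible-playbooks)` edge now exists only when the new option is on, while `ssg_build_profile_playbooks` in the second hunk still runs whenever ansible remediation is enabled; if the profile playbooks consume the per-rule output (not visible here), that build ordering is lost for default builds. The enclosing `ssg_build_product` macro starts and ends outside these hunks.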
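Review bot: `Summary: Ansible playbooks per each rule.` ends with a period, which rpmlint flags as summary-ended-with-dot, and "per each" reads awkwardly; `Summary: Ansible playbooks for individual rules` fixes both. The subpackage declaration is otherwise consistent: it requires the exact main-package `%{version}-%{release}` and is guarded by the same `%if %{defined rhel}` used for the build flag and `%files` section.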
@@ -69,7 +81,11 @@ cd build
 %else
 -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
 %endif
--DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../
+-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
+%if %{defined rhel}
+-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
+%endif
+../
 %make_build
 %install
@@ -90,12 +106,24 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %doc %{_docdir}/%{name}/LICENSE
 %doc %{_docdir}/%{name}/README.md
 %doc %{_docdir}/%{name}/Contributors.md
+%if %{defined rhel}
+%exclude %{_datadir}/%{name}/ansible/rule_playbooks
+%endif
 %files doc
 %doc %{_docdir}/%{name}/guides/*.html
 %doc %{_docdir}/%{name}/tables/*.html
+%if %{defined rhel}
+%files rule-playbooks
+%defattr(-,root,root,-)
+%{_datadir}/%{name}/ansible/rule_playbooks
+%endif
+
 %changelog
+* Tue Jun 8 2021 Gabriel Becker - 0.1.56-2
+- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)
+
 * Tue Jun 01 2021 Watson Sato - 0.1.56-1
 - Update to the latest upstream release (RHBZ#1966577)
 - Add ANSSI High Profile (RHBZ#1955183)