Hello everyone!
This is part two of my end-of-internship mailing list posts. For part one and an introduction, see the earlier post, subject “Guide Mergers and Simplifications in SCAP Security Guide”: https://www.redhat.com/archives/open-scap-list/2018-August/msg00007.html

Another recent, major change was a complete reorganization of the content. We switched to a new rule directory format that should help simplify the contribution process. In the past, a rule was a completely separate entity from the check and fix content it described. This was apparent in the directory structure. For example, under the old system:

    debian8/guide/services/ssh/ssh_server/sshd_set_keepalive.rule
    rhel6/fixes/bash/sshd_set_keepalive.sh
    rhel6/guide/services/ssh/ssh_server/sshd_set_keepalive.rule
    rhel7/fixes/bash/sshd_set_keepalive.sh
    shared/checks/oval/sshd_set_keepalive.xml
    shared/fixes/ansible/sshd_set_keepalive.yml
    shared/fixes/bash/sshd_set_keepalive.sh
    shared/guide/services/ssh/ssh_server/sshd_set_keepalive.rule
    ubuntu1404/guide/services/ssh/ssh_server/sshd_set_keepalive.rule
    ubuntu1604/guide/services/ssh/ssh_server/sshd_set_keepalive.rule

By making a rule a directory instead of just a YAML file (after merging all of the rules into the shared `linux_os/guide` directory), we can group all of the fix and check content in the same location. The same rule now looks like:

    linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
    linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml
    linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh
    linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml

When looking for compliance content, there is now only one directory which contains all this information. This will help everyone find the correct directory for a rule and improve maintainability and extensibility.
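As an added illustration (not part of the original post, and not one of the project's own `utils/` scripts), the following Python builds a constructed sample rule directory in the new layout and resolves which check and fix files a given product would pick up, treating a `<product>.<ext>` file as overriding `shared.<ext>` for that product (that precedence is an assumption here). It also lists the content types for which a product gets nothing, which is the kind of gap a build test could flag.

```python
import os
import tempfile

# Content subdirectories of a rule directory and the extension each one uses.
CONTENT_DIRS = {"oval": "xml", "ansible": "yml", "anaconda": "anaconda",
                "bash": "sh", "puppet": "pp"}

# Constructed sample: an sshd_set_keepalive-style rule directory in the new layout.
SAMPLE_FILES = {
    "rule.yml": "title: Set SSH Client Alive Count Max (constructed)\n",
    "oval/shared.xml": "<!-- constructed OVAL check -->\n",
    "ansible/shared.yml": "# constructed Ansible fix\n",
    "bash/shared.sh": "# constructed bash fix for every product\n",
    "bash/rhel7.sh": "# constructed bash fix only for rhel7\n",
}


def make_sample_rule_dir():
    """Write the constructed sample tree into a temporary directory; return its path."""
    root = tempfile.mkdtemp(prefix="sshd_set_keepalive_")
    for rel_path, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


def resolve_rule_content(rule_dir, product):
    """Map each content type to the file the given product would receive.

    shared.<ext> applies to every product; <product>.<ext> applies only to that
    product. Assumption made here: a product-specific file wins over shared.
    """
    if not os.path.isfile(os.path.join(rule_dir, "rule.yml")):
        raise ValueError("%s is not a rule directory (no rule.yml)" % rule_dir)
    chosen = {}
    for subdir, ext in CONTENT_DIRS.items():
        for name in ("%s.%s" % (product, ext), "shared.%s" % ext):
            path = os.path.join(rule_dir, subdir, name)
            if os.path.isfile(path):
                chosen[subdir] = path
                break
    return chosen


def missing_content(rule_dir, product):
    """Content types for which the product gets no file at all."""
    return sorted(set(CONTENT_DIRS) - set(resolve_rule_content(rule_dir, product)))


if __name__ == "__main__":
    root = make_sample_rule_dir()
    for product in ("rhel6", "rhel7"):
        print(product, resolve_rule_content(root, product), missing_content(root, product))
```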
As an overview, a rule directory contains a rule.yml file (previously called rule_id.rule, with the same information) and five subdirectories:

- oval/ (.xml extension)
- ansible/ (.yml extension)
- anaconda/ (.anaconda extension)
- bash/ (.sh extension)
- puppet/ (.pp extension)

Inside each of these subdirectories, files named “shared.ext” will be included in all products, whereas files named “product.ext” will be included in only that product. This lets us see at a glance what content can be included in the build, and eventually enhance our build tests to detect content that could have been included in a product but was not. For more information, see the rule directory section of the developer documentation: https://github.com/OpenSCAP/scap-security-guide/blob/master/docs/manual/developer_guide.adoc#812-rule-directories

Note that old rule files and the old locations for content are still supported by the build system, so if your patches apply against master (and/or are in a separate product), this will not affect them. These changes were introduced in the following PRs:

- Build system support: https://github.com/OpenSCAP/scap-security-guide/pull/3188
- Move all existing rules: https://github.com/OpenSCAP/scap-security-guide/pull/3178
- Several other PRs adding tests and documentation, which are referenced from the above two.

However, if you have any patches that add new products to our build system and wish to convert your changes to this new layout, feel free to modify and use the `utils/move_rules.py` utility. If you have questions, feel free to reach out to us.

We also introduced a new set of utilities for analyzing the source content. These are located under `utils/rule_dir*.py`. For more information on these utilities and other utilities in the build system, check out the relevant PRs and the developer documentation (linked above):

- Utilities: https://github.com/OpenSCAP/scap-security-guide/pull/3193

Thanks for reading!
As always, if you have any questions, feel free to reply to the mailing list, open issues, or find us on the #openscap channel on Freenode.

Until next time,
Alex Scheel
Freenode: cipherboy in #openscap
GitHub: https://github.com/cipherboy