Thank you for your excellent write-up. I think this new structure
is a big step forward and definitely makes contributing to SSG easier.


Jan Černý
Security Technologies | Red Hat, Inc.

----- Original Message -----
> From: "Alexander Scheel" <asch...@redhat.com>
> To: "Open-scap-list" <open-scap-list@redhat.com>
> Sent: Friday, August 24, 2018 8:03:04 PM
> Subject: [Open-scap] New Structure for Content - Rule Directories in SCAP     
> Security Guide
> Hello everyone!
> This is part two of my end of internship mailing list posts. For part
> one and an introduction, see the earlier post, subject “Guide Mergers
> and Simplifications in SCAP Security Guide":
> https://www.redhat.com/archives/open-scap-list/2018-August/msg00007.html
> Another recent, major change was a complete reorganization of the content.
> We switched to a new rule directory format that should help simplify the
> contribution process. In the past, a rule was a completely separate entity
> from the check and fix content it described. This was apparent in the
> directory structure. For example, under the old system:
>     debian8/guide/services/ssh/ssh_server/sshd_set_keepalive.rule
>     rhel6/fixes/bash/sshd_set_keepalive.sh
>     rhel6/guide/services/ssh/ssh_server/sshd_set_keepalive.rule
>     rhel7/fixes/bash/sshd_set_keepalive.sh
>     shared/checks/oval/sshd_set_keepalive.xml
>     shared/fixes/ansible/sshd_set_keepalive.yml
>     shared/fixes/bash/sshd_set_keepalive.sh
>     shared/guide/services/ssh/ssh_server/sshd_set_keepalive.rule
>     ubuntu1404/guide/services/ssh/ssh_server/sshd_set_keepalive.rule
>     ubuntu1604/guide/services/ssh/ssh_server/sshd_set_keepalive.rule
> By making a rule a directory instead of just a YAML file (after merging all
> of the rules to the shared `linux_os/guide` directory), we can group all
> of the fix and check content in the same location. The same rule now looks
> like:
>     linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
> linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml
>     linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh
>     linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
> When looking for compliance content, there is now only one directory which
> contains all this information. This will help everyone find the correct
> directory for a rule, improve maintainability, and extensibility. As an
> overview, a rule directory contains a rule.yml file (previously called
> rule_id.rule and with the same information) and five subdirectories:
>     - oval/ (.xml extension)
>     - ansible/ (.yml extension)
>     - anaconda/ (.anaconda extension)
>     - bash/ (.sh extension)
>     - puppet/ (.pp extension)
> Inside each of these subdirectories, files named “shared.ext” will be
> included
> in all products, whereas files named with “product.ext” will be included in
> only that product. This lets us see at a glance what content can be included
> in the build, and eventually enhance our build tests to see if content which
> could have been in a product is not.
> For more information, see the rule directory section of the developer
> documentation:
> https://github.com/OpenSCAP/scap-security-guide/blob/master/docs/manual/developer_guide.adoc#812-rule-directories
> Note that old rule files and the old locations for content is still
> supported by the build system, so if your patches apply against master
> (and/or a are in a separate product), this will not affect them. These
> changes
> were introduced in the following PRs:
>   - Build system support:
>   https://github.com/OpenSCAP/scap-security-guide/pull/3188
>   - Move all existing rules:
>   https://github.com/OpenSCAP/scap-security-guide/pull/3178
>   - Several other PRs adding tests, documentation which are referenced from
>   the above two.
> However, if you have any patches that include new products into our build
> system and wish to convert your changes to this new system, feel free to
> modify and use the `utils/move_rules.py` utility. If you have questions,
> feel free to reach out to us.
> We also introduced a new set of utilities for analyzing the source
> content. These are be located under `utils/rule_dir*.py`. For more
> information on these utilities and other utilities in the build system,
> check out the relevant PRs and the developer documentation (linked above):
>   - Utilities: https://github.com/OpenSCAP/scap-security-guide/pull/3193
> Thanks for reading! As always, if you have any questions, feel free to
> reply to the mailing list, open issues, or find us on the #openscap
> channel on Freenode.
> Until next time,
> Alex Scheel
> Freenode: cipherboy in #openscap
> GitHub: https://github.com/cipherboy
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list

Open-scap-list mailing list

Reply via email to