On 9/13/13 1:31 AM, Jan Lieskovsky wrote:
0001-Add-Makefile-main-README-and-scap-security-guide.spe.patch
From a961756728efa0ab3e67a031c07ca308da3a73fa Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky<jlieskov(a)redhat.com>
Date: Thu, 12 Sep 2013 17:16:18 +0200
Subject: [PATCH 1/8] Add Makefile, main README, and scap-security-guide.spec
file, that will be used for building Fedora
scap-security-guide (source) RPM package.
Signed-off-by: Jan Lieskovsky<jlieskov(a)redhat.com>
---
FEDORA/Makefile | 58 +++++++++++++++++++++++++++++++++++++++++
FEDORA/README | 30 +++++++++++++++++++++
FEDORA/scap-security-guide.spec | 53 +++++++++++++++++++++++++++++++++++++
3 files changed, 141 insertions(+)
create mode 100644 FEDORA/Makefile
create mode 100644 FEDORA/README
create mode 100644 FEDORA/scap-security-guide.spec
diff --git a/FEDORA/Makefile b/FEDORA/Makefile
new file mode 100644
index 0000000..4c1cb5f
--- /dev/null
+++ b/FEDORA/Makefile
@@ -0,0 +1,58 @@
+IN = input
+OUT = output
+TRANS = transforms
+UTILS = utils
+DIST = dist
+
+ID = fedora-19
+
+all: shorthand2xccdf guide content dist
+
+shorthand-guide:
+ xsltproc -o $(OUT)/$(ID)-shorthand.xml $(IN)/guide.xslt $(IN)/guide.xml
+ xmllint --format --output $(OUT)/$(ID)-shorthand.xml $(OUT)/$(ID)-shorthand.xml
+
+shorthand2xccdf: shorthand-guide
+ xsltproc -o $(OUT)/unlinked-unresolved-fedora-xccdf.xml $(TRANS)/shorthand2xccdf.xslt
$(OUT)/$(ID)-shorthand.xml
+ oscap xccdf resolve -o $(OUT)/unlinked-fedora-xccdf.xml
$(OUT)/unlinked-unresolved-fedora-xccdf.xml
+
+checks:
+ xmlwf $(IN)/checks/*.xml
+ $(TRANS)/combinechecks.py $(IN)/checks > $(OUT)/unlinked-fedora-oval.xml
+ xmllint --format --output $(OUT)/unlinked-fedora-oval.xml
$(OUT)/unlinked-fedora-oval.xml
+
+guide: shorthand2xccdf
+# remove auxiliary Groups which are only for use in tables, and not guide output.
+# specifying a nonexistent profile, "allrules," to make oscap print all
Rules
+ xsltproc -o $(OUT)/unlinked-fedora-xccdf-guide.xml $(TRANS)/xccdf-removeaux.xslt
$(OUT)/unlinked-fedora-xccdf.xml
+ xsltproc -o $(OUT)/unlinked-notest-fedora-xccdf-guide.xml
$(TRANS)/xccdf-removetested.xslt $(OUT)/unlinked-fedora-xccdf.xml
+ oscap xccdf generate guide --profile allrules
$(OUT)/unlinked-notest-fedora-xccdf-guide.xml > $(OUT)/$(ID)-guide.html
+
+content: shorthand2xccdf guide checks
+ $(TRANS)/cpe_generate.py $(OUT)/unlinked-fedora-oval.xml
$(IN)/checks/platform/fedora-cpe-dictionary.xml $(ID)
+ $(TRANS)/relabelids.py unlinked-fedora-xccdf.xml $(ID)
+
+validate-xml:
+ oscap xccdf validate-xml $(OUT)/$(ID)-xccdf.xml
+ oscap oval validate-xml $(OUT)/$(ID)-oval.xml
+ oscap oval validate-xml $(OUT)/$(ID)-cpe-oval.xml
+
+validate: validate-xml
+ cd $(OUT); ../$(UTILS)/verify-references.py --rules-with-invalid-checks
--ovaldefs-unused $(ID)-xccdf.xml
+ oscap oval validate-xml --schematron $(OUT)/$(ID)-oval.xml
+
+# items in dist are expected for distribution in an rpm
+dist: guide content
+ mkdir -p $(DIST)/guide $(DIST)/content
+ cp $(OUT)/*-guide.html $(DIST)/guide
+ cp $(OUT)/$(ID)-xccdf.xml $(DIST)/content
+ cp $(OUT)/$(ID)-oval.xml $(DIST)/content
+ cp $(OUT)/$(ID)-cpe-dictionary.xml $(DIST)/content
+ cp $(OUT)/$(ID)-cpe-oval.xml $(DIST)/content
+
+eval-test:
+ oscap xccdf eval --profile test $(OUT)/$(ID)-xccdf.xml
+
+clean:
+ rm -f $(OUT)/*.xml $(OUT)/*.html $(OUT)/*.xhtml $(OUT)/*.pdf $(OUT)/*.spec
$(OUT)/*.tar $(OUT)/*.gz $(OUT)/*.ini $(OUT)/*.csv
+ rm -rf $(DIST)/content $(DIST)/guide
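Review bot: In the `validate` target, `cd $(OUT); ../$(UTILS)/verify-references.py ...` chains with `;`, so if the `cd` fails the script still runs, from the wrong directory; use `cd $(OUT) && ...` instead. In `content`, `relabelids.py` is given `unlinked-fedora-xccdf.xml` without the `$(OUT)/` prefix that every other recipe uses; either add the prefix or add a comment saying the script resolves the name against the output directory itself. None of the targets name a file they produce, and `dist` shares its name with the `DIST = dist` directory, so a `.PHONY:` line listing them would make the intent explicit.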
diff --git a/FEDORA/README b/FEDORA/README
new file mode 100644
index 0000000..c3c94db
--- /dev/null
+++ b/FEDORA/README
@@ -0,0 +1,30 @@
+Directory Structure of scap-security-guide
+------------------------------------------
+
+The input directory contains source files that generate SCAP content, such as
+XCCDF and OVAL. Since a single large XML file is an impractical format for
+multiple authors to collaborate on editing SCAP content, efforts are made to
+keep logically related guidance and checking content in individual files.
+
+The transforms directory contains resources that enable the files inside the
+input directory (or output directory) to be combined and reformatted into
+valid SCAP formats or human-readable formats.
+
+The output directory is used as a storage area for items generated by the files
+in the inputs directory. It should be empty in the repository, and built on
+users' individual systems (and rely on its .gitignore file to keep such files
+out). The output directory contains transitional output (which may only exist
+in order to be further transformed) as well as final output.
+
+The references directory should contain documents which are specified as
+references from within the SCAP content, or documents that are "seeds," viz.
+documents whose prose will be translated into SCAP formats, as well as other
+examples of SCAP content.
+
+The utils directory contains helper scripts and other items that are useful to
+developers but are not essential to producing the project's output.
+
+The dist directory contains final outputs, which could be shipped in an RPM for
+consumption by end-users. Updating the Makefile to copy an item from the
+outputs directory to the dist directory indicates that an item is considered a
+final output.
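Review bot: The directory names are inconsistent in the third and last paragraphs, which say "inputs directory" and "outputs directory" while the first two paragraphs and the Makefile (`IN = input`, `OUT = output`) use the singular; use `input` and `output` throughout so the text matches what is on disk. The references directory is described here, but the diffstat of this patch adds only the three files under FEDORA/, so it is worth a note on whether that directory arrives later in the series or lives one level up.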
diff --git a/FEDORA/scap-security-guide.spec b/FEDORA/scap-security-guide.spec
new file mode 100644
index 0000000..b4d47f8
--- /dev/null
+++ b/FEDORA/scap-security-guide.spec
@@ -0,0 +1,53 @@
+
+# IMPORTANT NOTE: This spec file is solely dedicated to make changes to the
+# Fedora's scap-security-guide package. If you want to apply changes against
+# the main RHEL-6 scap-security-guide RPM content, use scap-security-guide.spec
+# file one level up - in the main scap-security-guide directory (instead of
+# this one).
+
+Name: scap-security-guide
+Version: 0.1
+Release: 1.fc19
+Summary: Security guidance and baselines in SCAP formats
+Group: Applications/System
+License: Public Domain and GPLv2
Since most (all?) of the RHEL6 content is public domain, this may be
confusing. Should (begrudgingly) start adding per-file License headers
to identify which code snippets are public domain vs GPLv2?
IMO, to simplify the SSG relationship with government & gov-contractor
committers, *everything* should be public domain as they're unable to
assign any copyright as required by most open source licenses.
For the govies -- will the addition of GPLv2 to Fedora content affect
your ability to commit? What happens if you patch a GPLv2 file, but a
"single line change" must be public domain?
As we prepare for formal Red Hat packaging, I'd rather begin to address
the issue now.
+URL:
https://fedorahosted.org/scap-security-guide/
+Source0:
http://fedorapeople.org/~jlieskov/%{name}-%{version}.tar.gz
+BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+BuildArch: noarch
+BuildRequires: coreutils, libxslt, expat, python, openscap-utils >= 0.9.1,
python-lxml
+Requires: filesystem, openscap-utils >= 0.9.1
+
+%description
+The scap-security-guide project provides security configuration guidance in
+formats of the Security Content Automation Protocol (SCAP). It provides a
+catalog of practical hardening advice and links it to government requirements
+where applicable. The project bridges the gap between generalized policy
+requirements and specific implementation guidance.
+%prep
+%setup -q
+
+
+%build
+cd FEDORA && make dist
+
+
+%install
+rm -rf $RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT/usr/share/xml/scap/ssg/fedora/19
+
+# Add in core content (SCAP, guide)
+cp -r FEDORA/dist/* $RPM_BUILD_ROOT/usr/share/xml/scap/ssg/fedora/19
+
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+
+%files
+%defattr(-,root,root,-)
+/usr/share/xml/scap/ssg/fedora/19/*
+
+%changelog
+* Thu Sep 12 2013 Jan iankko Lieskovsky<jlieskov(a)redhat.com> 0.1-1
+- Initial Fedora SSG RPM.
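Review bot: The install path `/usr/share/xml/scap/ssg/fedora/19` is hard-coded in both `%install` and `%files`, and the `%files` glob `/usr/share/xml/scap/ssg/fedora/19/*` packages only the contents, leaving the `ssg/fedora/19` directories unowned; use `%{_datadir}/xml/scap/ssg/fedora/19` and list the directory itself (or add `%dir` entries for the parents this package creates). `Release: 1.fc19` pins the dist tag by hand, where `1%{?dist}` would let the same spec build on other releases. The `BuildRoot:` tag, the `%clean` section and the `rm -rf $RPM_BUILD_ROOT` at the top of `%install` are not needed on current Fedora and can be dropped, and `%prep` should be separated from the end of `%description` by a blank line.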
-- 1.7.11.7
--
Shawn Wells
Director, Innovation Programs
shawn(a)redhat.com | 443.534.0130
@shawndwells