add openEuler ssg project framework

init-openEuler-ssg-project.patch

@@ -0,0 +1,315 @@
+From be290f3b8fc4a9d91925a43a56cb37c3ae27cc07 Mon Sep 17 00:00:00 2001
+From: "steven.y.gui" <steven_ygui@163.com>
+Date: Tue, 9 May 2023 10:50:52 +0800
+Subject: [PATCH] init openEuler ssg project
+
+---
+ CMakeLists.txt                                |  5 ++++
+ .../telnet/package_telnet_removed/rule.yml    |  4 +--
+ openeuler2203/CMakeLists.txt                  |  6 ++++
+ .../cpe/openeuler2203-cpe-dictionary.xml      | 10 +++++++
+ openeuler2203/product.yml                     | 11 ++++++++
+ openeuler2203/profiles/standard.profile       | 11 ++++++++
+ openeuler2203/transforms/constants.xslt       | 15 ++++++++++
+ openeuler2203/transforms/shorthand2xccdf.xslt |  8 ++++++
+ .../xccdf2table-profilecisrefs.xslt           |  9 ++++++
+ .../checks/oval/installed_OS_is_openeuler.xml | 27 ++++++++++++++++++
+ .../oval/installed_OS_is_openeuler2203.xml    | 28 +++++++++++++++++++
+ ssg/constants.py                              |  9 +++++-
+ 12 files changed, 140 insertions(+), 3 deletions(-)
+ create mode 100644 openeuler2203/CMakeLists.txt
+ create mode 100644 openeuler2203/cpe/openeuler2203-cpe-dictionary.xml
+ create mode 100644 openeuler2203/product.yml
+ create mode 100644 openeuler2203/profiles/standard.profile
+ create mode 100644 openeuler2203/transforms/constants.xslt
+ create mode 100644 openeuler2203/transforms/shorthand2xccdf.xslt
+ create mode 100644 openeuler2203/transforms/xccdf2table-profilecisrefs.xslt
+ create mode 100644 shared/checks/oval/installed_OS_is_openeuler.xml
+ create mode 100644 shared/checks/oval/installed_OS_is_openeuler2203.xml
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 82488f7..e594299 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -74,6 +74,7 @@ option(SSG_PRODUCT_OCP3 "If enabled, the OCP3 SCAP content will be built" ${SSG_
+ option(SSG_PRODUCT_OCP4 "If enabled, the OCP4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_OL7 "If enabled, the Oracle Linux 7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_OL8 "If enabled, the Oracle Linux 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
++option(SSG_PRODUCT_OPENEULER2203 "If enabled, the openEuler 22.03 LTS SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_RHEL6 "If enabled, the RHEL6 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+@@ -242,6 +243,7 @@ message(STATUS "OCP3: ${SSG_PRODUCT_OCP3}")
+ message(STATUS "OCP4: ${SSG_PRODUCT_OCP4}")
+ message(STATUS "Oracle Linux 7: ${SSG_PRODUCT_OL7}")
+ message(STATUS "Oracle Linux 8: ${SSG_PRODUCT_OL8}")
++message(STATUS "openEuler 22.03 LTS: ${SSG_PRODUCT_OPENEULER2203}")
+ message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}")
+ message(STATUS "RHEL 6: ${SSG_PRODUCT_RHEL6}")
+ message(STATUS "RHEL 7: ${SSG_PRODUCT_RHEL7}")
+@@ -329,6 +331,9 @@ endif()
+ if (SSG_PRODUCT_OL8)
+     add_subdirectory("ol8")
+ endif()
++if (SSG_PRODUCT_OPENEULER2203)
++    add_subdirectory("openeuler2203")
++endif()
+ if (SSG_PRODUCT_OPENSUSE)
+     add_subdirectory("opensuse")
+ endif()
+diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
+index 28cbf10..b3e3f2d 100644
+--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
++++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: ol7,ol8,openeuler2203,rhel6,rhel7,rhel8,rhv4
+ 
+ title: 'Remove telnet Clients'
+ 
+@@ -14,7 +14,7 @@ rationale: |-
+     to steal credentials. The <tt>ssh</tt> package provides an
+     encrypted session and stronger security and is included in {{{ full_name }}}.
+ 
+-severity: low
++severity: high
+ 
+ identifiers:
+     cce@rhel6: 27428-2
+diff --git a/openeuler2203/CMakeLists.txt b/openeuler2203/CMakeLists.txt
+new file mode 100644
+index 0000000..da8fe4b
+--- /dev/null
++++ b/openeuler2203/CMakeLists.txt
+@@ -0,0 +1,6 @@
++# Sometimes our users will try to do: "cd openeuler2203; cmake ." That needs to error in a nice way.
++if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
++    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the developer_guide.adoc for more details!")
++endif()
++
++ssg_build_product("openeuler2203")
+diff --git a/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml b/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml
+new file mode 100644
+index 0000000..986a804
+--- /dev/null
++++ b/openeuler2203/cpe/openeuler2203-cpe-dictionary.xml
+@@ -0,0 +1,10 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
++          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
++          xsi:schemaLocation="http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
++      <cpe-item name="cpe:/o:openEuler:openEuler:22.03LTS:ga:server">
++            <title xml:lang="en-us">openEuler 22.03 LTS</title>
++            <!-- the check references an OVAL file that contains an inventory definition -->
++            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_OS_is_openeuler2203</check>
++      </cpe-item>
++</cpe-list>
+diff --git a/openeuler2203/product.yml b/openeuler2203/product.yml
+new file mode 100644
+index 0000000..864a057
+--- /dev/null
++++ b/openeuler2203/product.yml
+@@ -0,0 +1,11 @@
++product: openeuler2203
++full_name: openEuler 22.03 LTS
++type: platform
++
++benchmark_root: "../linux_os/guide"
++
++profiles_root: "./profiles"
++
++pkg_manager: "dnf"
++
++init_system: "systemd"
+diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile
+new file mode 100644
+index 0000000..6fd9707
+--- /dev/null
++++ b/openeuler2203/profiles/standard.profile
+@@ -0,0 +1,11 @@
++documentation_complete: true
++
++title: 'Standard System Security Profile for openEuler 22.03 LTS'
++
++description: |-
++    This profile contains rules to ensure standard security baseline
++    of an openEuler system. Regardless of your system's workload
++    all of these checks should pass.
++
++selections:
++    - package_telnet_removed
+diff --git a/openeuler2203/transforms/constants.xslt b/openeuler2203/transforms/constants.xslt
+new file mode 100644
+index 0000000..a168e75
+--- /dev/null
++++ b/openeuler2203/transforms/constants.xslt
+@@ -0,0 +1,15 @@
++<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
++
++<xsl:include href="../../shared/transforms/shared_constants.xslt"/>
++
++<xsl:variable name="product_long_name">openEuler 22.03 LTS</xsl:variable>
++<xsl:variable name="product_short_name">openEuler 22.03</xsl:variable>
++<xsl:variable name="product_stig_id_name">empty</xsl:variable>
++<xsl:variable name="product_guide_id_name">OPENEULER_2203_LTS</xsl:variable>
++<xsl:variable name="prod_type">openeuler2203</xsl:variable>
++
++<xsl:variable name="cisuri">empty</xsl:variable>
++<xsl:variable name="disa-stigs-uri" select="$disa-stigs-os-unix-linux-uri"/>
++<xsl:variable name="os-stigid-concat" />
++
++</xsl:stylesheet>
+diff --git a/openeuler2203/transforms/shorthand2xccdf.xslt b/openeuler2203/transforms/shorthand2xccdf.xslt
+new file mode 100644
+index 0000000..e017cf6
+--- /dev/null
++++ b/openeuler2203/transforms/shorthand2xccdf.xslt
+@@ -0,0 +1,8 @@
++<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
++
++<xsl:import href="../../shared/transforms/shared_shorthand2xccdf.xslt"/>
++
++<xsl:include href="constants.xslt"/>
++<xsl:param name="ssg_version">unknown</xsl:param>
++
++</xsl:stylesheet>
+diff --git a/openeuler2203/transforms/xccdf2table-profilecisrefs.xslt b/openeuler2203/transforms/xccdf2table-profilecisrefs.xslt
+new file mode 100644
+index 0000000..92cbdf9
+--- /dev/null
++++ b/openeuler2203/transforms/xccdf2table-profilecisrefs.xslt
+@@ -0,0 +1,9 @@
++<?xml version="1.0" encoding="utf-8" standalone="yes"?>
++<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
++
++<xsl:import href="../../shared/transforms/shared_xccdf2table-profilecisrefs.xslt"/>
++
++<xsl:include href="constants.xslt"/>
++<xsl:include href="table-style.xslt"/>
++
++</xsl:stylesheet>
+diff --git a/shared/checks/oval/installed_OS_is_openeuler.xml b/shared/checks/oval/installed_OS_is_openeuler.xml
+new file mode 100644
+index 0000000..f356806
+--- /dev/null
++++ b/shared/checks/oval/installed_OS_is_openeuler.xml
+@@ -0,0 +1,27 @@
++<def-group>
++  <definition class="inventory" id="installed_OS_is_openeuler" version="1">
++    <metadata>
++      <title>openEuler</title>
++      <affected family="unix">
++        <platform>multi_platform_all</platform>
++      </affected>
++      <description>The operating system installed on the system is openEuler.</description>
++    </metadata>
++    <criteria operator="AND">
++      <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
++      <criterion comment="openEuler is installed" test_ref="test_openeuler_installed" />
++    </criteria>
++  </definition>
++
++  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="openEuler is installed" id="test_openeuler_installed" version="1">
++    <linux:object object_ref="obj_openeuler_installed" />
++    <linux:state state_ref="state_openeuler_installed" />
++  </linux:rpminfo_test>
++  <linux:rpminfo_state id="state_openeuler_installed" version="1">
++    <linux:name operation="pattern match">openEuler-release</linux:name>
++  </linux:rpminfo_state>
++  <linux:rpminfo_object id="obj_openeuler_installed" version="1">
++    <linux:name>openEuler-release</linux:name>
++  </linux:rpminfo_object>
++
++</def-group>
+diff --git a/shared/checks/oval/installed_OS_is_openeuler2203.xml b/shared/checks/oval/installed_OS_is_openeuler2203.xml
+new file mode 100644
+index 0000000..d819ab6
+--- /dev/null
++++ b/shared/checks/oval/installed_OS_is_openeuler2203.xml
+@@ -0,0 +1,28 @@
++<def-group>
++  <definition class="inventory" id="installed_OS_is_openeuler2203" version="1">
++    <metadata>
++      <title>openEuler 22.03 LTS</title>
++      <affected family="unix">
++        <platform>multi_platform_all</platform>
++      </affected>
++      <reference ref_id="cpe:/o:openEuler:openEuler:22.03LTS:ga:server" source="CPE" />
++      <description>The operating system installed on the system is openEuler 22.03 LTS.</description>
++    </metadata>
++    <criteria operator="AND">
++      <extend_definition comment="openEuler is installed" definition_ref="installed_OS_is_openeuler" />
++      <criterion comment="openEuler 22.03 LTS is installed" test_ref="test_openeuler2203_installed" />
++    </criteria>
++  </definition>
++
++  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="openEuler 22.03 LTS is installed" id="test_openeuler2203_installed" version="1">
++    <linux:object object_ref="obj_openeuler2203_installed" />
++    <linux:state state_ref="state_openeuler2203_installed" />
++  </linux:rpminfo_test>
++  <linux:rpminfo_state id="state_openeuler2203_installed" version="1">
++    <linux:version operation="pattern match">^22\.03.*$</linux:version>
++  </linux:rpminfo_state>
++  <linux:rpminfo_object id="obj_openeuler2203_installed" version="1">
++    <linux:name>openEuler-release</linux:name>
++  </linux:rpminfo_object>
++
++</def-group>
+diff --git a/ssg/constants.py b/ssg/constants.py
+index 813e529..401c60d 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -15,6 +15,7 @@ product_directories = [
+     'jre',
+     'ocp3', 'ocp4',
+     'ol7', 'ol8',
++    'openeuler2203',
+     'opensuse',
+     'rhel6', 'rhel7', 'rhel8',
+     'rhosp10', 'rhosp13',
+@@ -119,6 +120,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
+     "Red Hat OpenShift Container Platform 4": "ocp4",
+     "Oracle Linux 7": "ol7",
+     "Oracle Linux 8": "ol8",
++    "openEuler 22.03 LTS": "openeuler2203",
+     "openSUSE": "opensuse",
+     "Red Hat Enterprise Linux 6": "rhel6",
+     "Red Hat Enterprise Linux 7": "rhel7",
+@@ -220,6 +222,9 @@ PRODUCT_TO_CPE_MAPPING = {
+     "ol8": [
+         "cpe:/o:oracle:linux:8",
+     ],
++    "openeuler2203": [
++        "cpe:/o:openEuler:openEuler:22.03LTS:ga:server",
++    ],
+     "opensuse": [
+         "cpe:/o:opensuse:leap:42.1",
+         "cpe:/o:opensuse:leap:42.2",
+@@ -290,12 +295,13 @@ REF_PREFIX_MAP = {
+ }
+ 
+ MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhosp", "rhv", "debian", "ubuntu",
+-                       "wrlinux", "opensuse", "sle", "ol", "ocp", "example"]
++                       "wrlinux", "openeuler","opensuse", "sle", "ol", "ocp", "example"]
+ 
+ MULTI_PLATFORM_MAPPING = {
+     "multi_platform_debian": ["debian8", "debian9", "debian10"],
+     "multi_platform_example": ["example"],
+     "multi_platform_fedora": ["fedora"],
++    "multi_platform_openeuler": ["openeuler2203"],
+     "multi_platform_opensuse": ["opensuse"],
+     "multi_platform_ol": ["ol7", "ol8"],
+     "multi_platform_ocp": ["ocp3", "ocp4"],
+@@ -462,6 +468,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
+     'ubuntu': 'Ubuntu',
+     'eap': 'JBoss Enterprise Application Platform',
+     'fuse': 'JBoss Fuse',
++    'openeuler': 'openEuler',
+     'opensuse': 'openSUSE',
+     'sle': 'SUSE Linux Enterprise',
+     'wrlinux': 'WRLinux',
+-- 
+2.21.0.windows.1
+

scap-security-guide.spec

@@ -1,6 +1,6 @@
 Name:		scap-security-guide
 Version:	0.1.49
-Release:	2
+Release:	3
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
@@ -11,6 +11,7 @@ Patch0002:backport-fix-deprecated-instance-of-element.getchildren.patch
 Patch0003:backport-fix-deprecated-getiterator-function.patch
 Patch0004:backport-fix-remaining-getchildren-and-getiterator-functions.patch
 Patch0005:backport-fix-for-older-python-versions-lacking-.iter-method.patch
+Patch0006:init-openEuler-ssg-project.patch
 
 BuildArch:	noarch
 BuildRequires: 	libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML
@@ -65,6 +66,9 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 
 %changelog
+* Tue May 9 2023 steven <steven_ygui@163.com> - 0.1.49-3
+- add openEuler project into ssg
+
 * Sat Feb 26 2022 HuaxinLu <luhuaxin1@huawei.com> - 0.1.49-2
 - fix for python upgrade