Hi, Thank you for your excellent write-up. I think this new structure is a big step forward and definitely makes contributing to SSG easier.
Kudos! Jan Černý Security Technologies | Red Hat, Inc. ----- Original Message ----- > From: "Alexander Scheel" <asch...@redhat.com> > To: "Open-scap-list" <open-scap-list@redhat.com> > Sent: Friday, August 24, 2018 8:03:04 PM > Subject: [Open-scap] New Structure for Content - Rule Directories in SCAP > Security Guide > > Hello everyone! > > > This is part two of my end of internship mailing list posts. For part > one and an introduction, see the earlier post, subject “Guide Mergers > and Simplifications in SCAP Security Guide": > https://www.redhat.com/archives/open-scap-list/2018-August/msg00007.html > > Another recent, major change was a complete reorganization of the content. > We switched to a new rule directory format that should help simplify the > contribution process. In the past, a rule was a completely separate entity > from the check and fix content it described. This was apparent in the > directory structure. For example, under the old system: > > debian8/guide/services/ssh/ssh_server/sshd_set_keepalive.rule > rhel6/fixes/bash/sshd_set_keepalive.sh > rhel6/guide/services/ssh/ssh_server/sshd_set_keepalive.rule > rhel7/fixes/bash/sshd_set_keepalive.sh > shared/checks/oval/sshd_set_keepalive.xml > shared/fixes/ansible/sshd_set_keepalive.yml > shared/fixes/bash/sshd_set_keepalive.sh > shared/guide/services/ssh/ssh_server/sshd_set_keepalive.rule > ubuntu1404/guide/services/ssh/ssh_server/sshd_set_keepalive.rule > ubuntu1604/guide/services/ssh/ssh_server/sshd_set_keepalive.rule > > By making a rule a directory instead of just a YAML file (after merging all > of the rules to the shared `linux_os/guide` directory), we can group all > of the fix and check content in the same location. The same rule now looks > like: > > linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml > > linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml > linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh > linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml > > When looking for compliance content, there is now only one directory which > contains all this information. This will help everyone find the correct > directory for a rule, improve maintainability, and extensibility. As an > overview, a rule directory contains a rule.yml file (previously called > rule_id.rule and with the same information) and five subdirectories: > > - oval/ (.xml extension) > - ansible/ (.yml extension) > - anaconda/ (.anaconda extension) > - bash/ (.sh extension) > - puppet/ (.pp extension) > > Inside each of these subdirectories, files named “shared.ext” will be > included > in all products, whereas files named with “product.ext” will be included in > only that product. This lets us see at a glance what content can be included > in the build, and eventually enhance our build tests to see if content which > could have been in a product is not. > > For more information, see the rule directory section of the developer > documentation: > https://github.com/OpenSCAP/scap-security-guide/blob/master/docs/manual/developer_guide.adoc#812-rule-directories > > Note that old rule files and the old locations for content is still > supported by the build system, so if your patches apply against master > (and/or a are in a separate product), this will not affect them. These > changes > were introduced in the following PRs: > > - Build system support: > https://github.com/OpenSCAP/scap-security-guide/pull/3188 > - Move all existing rules: > https://github.com/OpenSCAP/scap-security-guide/pull/3178 > - Several other PRs adding tests, documentation which are referenced from > the above two. > > However, if you have any patches that include new products into our build > system and wish to convert your changes to this new system, feel free to > modify and use the `utils/move_rules.py` utility. If you have questions, > feel free to reach out to us. > > > We also introduced a new set of utilities for analyzing the source > content. These are be located under `utils/rule_dir*.py`. For more > information on these utilities and other utilities in the build system, > check out the relevant PRs and the developer documentation (linked above): > > - Utilities: https://github.com/OpenSCAP/scap-security-guide/pull/3193 > > Thanks for reading! As always, if you have any questions, feel free to > reply to the mailing list, open issues, or find us on the #openscap > channel on Freenode. > > > > Until next time, > > Alex Scheel > > Freenode: cipherboy in #openscap > GitHub: https://github.com/cipherboy > > _______________________________________________ > Open-scap-list mailing list > Open-scap-list@redhat.com > https://www.redhat.com/mailman/listinfo/open-scap-list _______________________________________________ Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list
