Issue generating new content #6398

Closed
Chalmiller opened this issue Nov 19, 2020 · 13 comments

@Chalmiller

Description of problem:

I am attempting to generate a custom policy for CentOS7 following the guide. Given that the CentOS-7 CIS benchmarks are very limited compared to the RHEL7 benchmarks, I would like to just use the RHEL7 CIS benchmarks to generate my profile content. Is there a way to do so following the guide's example, or should I just use the SCAP workbench to do so? My main reason for not already doing so is that down the line I will need to incorporate custom rules into my profile.

@ggbecker (Member)

Maybe you can start by reading the discussion in this issue: #6337

Basically CentOS is a derivative product from RHEL and you need to work with RHEL content if you want to introduce new content for CentOS.

In the build_product script there is an option `--derivatives` that should enable the build of CentOS content.

@Chalmiller (Author)

Thank you @ggbecker! I just generated my profile with your advice and it ran successfully. Do you have any advice on how I could potentially modify the guide and report to reflect it being a CentOS instance? If there isn't a built-in method for doing so, I'll just automate that on my end.

@ggbecker (Member)

> Thank you @ggbecker! I just generated my profile with your advice and it ran successfully. Do you have any advice on how I could potentially modify the guide and report to reflect it being a CentOS instance? If there isn't a built-in method for doing so, I'll just automate that on my end.

I don't really understand what kind of modifications you want to do. Maybe you can add some examples to illustrate.

These files are responsible for handling these derivative products. You can take a look:

https://github.com/ComplianceAsCode/content/blob/master/build-scripts/enable_derivatives.py

https://github.com/ComplianceAsCode/content/blob/master/ssg/build_derivatives.py

@Chalmiller (Author)

Thanks @ggbecker! I'll take a look at those scripts. I have another semi-related issue with adding Ubuntu 20.04. I am adding an Ubuntu 20.04 product at the moment following the directions specified here and am running into this issue when specifying rules within my profile:

`ValueError: Rule 'kernel_module_cramfs_disabled' was not found in the benchmark. Please remove rule 'kernel_module_cramfs_disabled' from profile 'standard' before proceeding.`

Where are the benchmarks defined and is there a way to manually specify which benchmarks are used? I ran into this same issue while trying to manually add in the CentOS7 previously, following the guide, item for item.

@ggbecker (Member) commented Nov 23, 2020

The rule is probably missing the prodtype value ubuntu2004 from: https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml#L3

This property will say in which benchmark the rule will get into.

We even have a utility to modify this parameter across multiple files. I think you can even try using the matching option the tool provides to match everything from ubuntu1804 so every rule from this product will be applicable to ubuntu2004, which is most likely what it will be in reality.

https://complianceascode.readthedocs.io/en/latest/manual/developer/06_contributing_with_content.html?highlight=prodtype#utils-mod-prodtype-py
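Added example (not ComplianceAsCode's own code) tying the two comments above together: the "was not found in the benchmark" error is raised for a profile selection whose rule does not list the product in its `prodtype` line, and adding the product to every rule that already lists a sibling product (the idea behind the matching option of utils/mod_prodtype.py, reimplemented here rather than copied) makes those rules land in the benchmark. The two rule.yml texts are constructed; only their `prodtype` lines matter.

```python
import re

# Constructed sample rule.yml contents (only the lines that matter here).
RULES = {
    "kernel_module_cramfs_disabled": (
        "documentation_complete: true\n"
        "prodtype: fedora,rhel7,rhel8,ubuntu1804\n"
        "title: 'Disable Mounting of cramfs'\n"
    ),
    "package_telnetd_removed": (
        "documentation_complete: true\n"
        "prodtype: rhel7,rhel8,ubuntu1804,ubuntu2004\n"
        "title: 'Uninstall telnet-server Package'\n"
    ),
}

PRODTYPE_RE = re.compile(r"^prodtype:[ \t]*(.*)$", re.MULTILINE)


def prodtypes(rule_text):
    """Products a rule.yml declares on its prodtype line (empty if none)."""
    m = PRODTYPE_RE.search(rule_text)
    return {p.strip() for p in m.group(1).split(",") if p.strip()} if m else set()


def missing_from_benchmark(product, selected, rules):
    """Selected rule ids that would not be in `product`'s benchmark: these are
    exactly the ones the build rejects with 'was not found in the benchmark'."""
    return sorted(r for r in selected if product not in prodtypes(rules.get(r, "")))


def add_prodtype(rule_text, match, new):
    """Add `new` to the prodtype line when `match` is already listed (the idea
    behind the matching option of utils/mod_prodtype.py; not that tool's code)."""
    prods = prodtypes(rule_text)
    if match not in prods or new in prods:
        return rule_text
    prods.add(new)
    return PRODTYPE_RE.sub("prodtype: " + ",".join(sorted(prods)), rule_text, count=1)


if __name__ == "__main__":
    profile = ["kernel_module_cramfs_disabled", "package_telnetd_removed"]
    print(missing_from_benchmark("ubuntu2004", profile, RULES))
    fixed = {k: add_prodtype(v, "ubuntu1804", "ubuntu2004") for k, v in RULES.items()}
    print(missing_from_benchmark("ubuntu2004", profile, fixed))
```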

@Caligatio (Contributor)

@Chalmiller As an FYI, I'm actively working on getting a CIS Level 1 Profile working for Ubuntu 20.04 (this is my fork and I broke out all the relevant rules in the profile) and would welcome any help porting/confirming tests.

I am by no means trying to declare dibs on Ubuntu 20.04 but I'd hate for us to be duplicating work. I've debated about opening a WIP PR here but I didn't know when it would be appropriate given there's still a lot of work to do.

@redhatrises (Contributor)

> @Chalmiller As an FYI, I'm actively working on getting a CIS Level 1 Profile working for Ubuntu 20.04 (this is my fork and I broke out all the relevant rules in the profile) and would welcome any help porting/confirming tests.
>
> I am by no means trying to declare dibs on Ubuntu 20.04 but I'd hate for us to be duplicating work. I've debated about opening a WIP PR here but I didn't know when it would be appropriate given there's still a lot of work to do.

I don't see why not? WIP PRs are better than looking at other branches.

@Caligatio (Contributor)

@redhatrises Fair enough, WIP PR started as #6416

@Chalmiller (Author) commented Dec 1, 2020

Awesome, thank you @Caligatio! I'll take a look and utilize what you have in place.

@ggbecker @redhatrises @Caligatio Thank you so much! I got the CentOS7 profile running and everything looks great. I've since moved on to CentOS8 using ./build_product rhel8 --derivatives but am running into some issues:

1. All of the checks are returning `notapplicable` as their result, e.g. `Title Disable Network File System (nfs) Rule xccdf_org.ssgproject.content_rule_service_nfs_disabled Ident CCE-82762-6 Result notapplicable`
   Is there a specific place I need to specify that the rules used in the profile should in fact apply to CentOS as well?
2. Is there a guide for adding the CPEs within the `product.yml` file? I am currently bypassing them with a blank list, but I'd like to implement all products appropriately.

@ggbecker (Member) commented Dec 2, 2020

> Awesome, thank you @Caligatio! I'll take a look and utilize what you have in place.
>
> @ggbecker Thank you so much! I got the CentOS7 profile running and everything looks great. I've since moved on to CentOS8 using `./build_product rhel8 --derivatives` but am running into some issues:
>
> 1. All of the checks are returning `notapplicable` as their result, e.g `Title   Disable Network File System (nfs) Rule    xccdf_org.ssgproject.content_rule_service_nfs_disabled Ident   CCE-82762-6 Result  notapplicable`
>    Is there a specific place I need to specify that the rules used in the profile should in fact apply to CentOS as well?

There is an issue with the CPEs for derivative products that should be fixed by #6447. I believe after that gets merged it will solve your issue. You may even try the changes from that pull request.

> 2. Is there a guide for adding the CPEs within the `product.yml` file? I am currently bypassing them with a blank list, but I'd like to implement all products appropriately.

The way we introduce CPEs to the project got changed a bit recently. Here is the documentation: https://complianceascode.readthedocs.io/en/latest/manual/developer/06_contributing_with_content.html?highlight=cpe#applicability-by-cpe and you can also get inspired by the pull request that introduced the new way of adding CPEs: #6304
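Added example (not the project's enable_derivatives.py or build_derivatives.py) of why every check on the CentOS 8 box came back `notapplicable` and what enabling a derivative has to change: an XCCDF rule carrying a `<platform>` reference is evaluated only when one of the host's CPEs matches it, so RHEL-only platform references produce `notapplicable` on CentOS until the CentOS CPE is added beside them. The benchmark fragment is constructed; the CPE names for RHEL 8 and CentOS 8 are the standard ones, and the evaluation is simplified to rule-level platforms only.

```python
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed benchmark fragment: one rule, restricted to the RHEL 8 platform.
BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <Rule id="xccdf_org.ssgproject.content_rule_service_nfs_disabled">
    <platform idref="cpe:/o:redhat:enterprise_linux:8"/>
  </Rule>
</Benchmark>"""

# Base product CPE -> derivative CPE that must be accepted as well.
DERIVATIVES = {"cpe:/o:redhat:enterprise_linux:8": "cpe:/o:centos:centos:8"}


def load(text=BENCHMARK):
    return ET.fromstring(text)

def rule_platforms(root, rule_id):
    """CPE idrefs a rule is restricted to (empty list: no restriction)."""
    for rule in root.iter(NS + "Rule"):
        if rule.get("id") == rule_id:
            return [p.get("idref") for p in rule.findall(NS + "platform")]
    return []

def result_for(root, rule_id, host_cpes, check_passed=True):
    """Simplified XCCDF evaluation: a platform mismatch is reported as
    notapplicable before the rule's check is even considered."""
    plats = rule_platforms(root, rule_id)
    if plats and not set(plats) & set(host_cpes):
        return "notapplicable"
    return "pass" if check_passed else "fail"

def enable_derivatives(root, mapping):
    """Add the derivative CPE beside each base-product platform reference;
    returns how many references were added (0 when already present)."""
    added = 0
    for rule in root.iter(NS + "Rule"):
        have = rule_platforms(root, rule.get("id"))
        for base, new in mapping.items():
            if base in have and new not in have:
                ET.SubElement(rule, NS + "platform", idref=new)
                have.append(new)
                added += 1
    return added


if __name__ == "__main__":
    root, rid = load(), "xccdf_org.ssgproject.content_rule_service_nfs_disabled"
    print(result_for(root, rid, ["cpe:/o:centos:centos:8"]))  # notapplicable
    enable_derivatives(root, DERIVATIVES)
    print(result_for(root, rid, ["cpe:/o:centos:centos:8"]))  # pass
```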

@Chalmiller (Author) commented Dec 3, 2020

Awesome, I'll take a look at the pull request now.

As an aside, do you happen to know if an Amazon Linux product is in the works? I've tried adding one following the guide listed in my initial post here, but I'm getting this runtime error `RuntimeError: Unknown product name: amzn2` from build_templated_content.py

Here is the full stack trace:

Traceback (most recent call last):
  File "/home/ec2-user/ComplianceAsCode/content/build-scripts/build_templated_content.py", line 56, in <module>
    builder.build()
  File "/home/ec2-user/ComplianceAsCode/content/ssg/templates.py", line 547, in build
    self.build_all_rules()
  File "/home/ec2-user/ComplianceAsCode/content/ssg/templates.py", line 534, in build_all_rules
    rule.id_, rule.title, rule.template, langs_to_generate)
  File "/home/ec2-user/ComplianceAsCode/content/ssg/templates.py", line 508, in build_rule
    rule_id, template_name, template_vars, lang, local_env_yaml)
  File "/home/ec2-user/ComplianceAsCode/content/ssg/templates.py", line 450, in build_lang
    template_file_path, jinja_dict)
  File "/home/ec2-user/ComplianceAsCode/content/ssg/jinja.py", line 174, in process_file_with_macros
    return process_file(filepath, substitutions_dict)
  File "/home/ec2-user/ComplianceAsCode/content/ssg/jinja.py", line 130, in process_file
    return template.render(substitutions_dict)
  File "/usr/lib/python2.7/site-packages/jinja2/environment.py", line 969, in render
    return self.environment.handle_exception(exc_info, True)
  File "/usr/lib/python2.7/site-packages/jinja2/environment.py", line 742, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/home/ec2-user/ComplianceAsCode/content/shared/templates/template_OVAL_service_enabled", line 8, in top-level template code
    {{{ oval_metadata("The " + SERVICENAME + " service should be enabled if possible.") }}}
  File "/home/ec2-user/ComplianceAsCode/content/shared/macros-oval.jinja", line 608, in template
    {{{ oval_affected(products) | indent -}}}
  File "/home/ec2-user/ComplianceAsCode/content/shared/macros-highlevel.jinja", line 183, in template
    {{{ prodtype_to_platform(products)|indent(2) }}}
  File "/home/ec2-user/ComplianceAsCode/content/ssg/utils.py", line 74, in prodtype_to_platform
    return name_to_platform(prodtype_to_name(prods))
  File "/home/ec2-user/ComplianceAsCode/content/ssg/utils.py", line 55, in prodtype_to_name
    raise RuntimeError("Unknown product name: %s" % prod)
RuntimeError: Unknown product name: amzn2
make[2]: *** [amzn2/templated-content-amzn2] Error 1
make[1]: *** [amzn2/CMakeFiles/generate-internal-templated-content-amzn2.dir/all] Error 2
make: *** [all] Error 2

`sys.platform` returns `linux2` so I'm assuming that is the conflict. Looking at the ssg-amzn2-ds.xml from openscap-security-guide, the product name amzn2 seems to be correct, but the platform is indicated as Amazon Linux 2.

@ggbecker Would you mind double checking me on whether I am specifying these environment variables correctly?

export SHORTNAME="A"
export NAME="amzn"
export CAMEL_CASE_NAME="Amazon Linux"
export VERSION="2"
export CAPITAL_NAME="AMZN"

@ggbecker (Member) commented Dec 3, 2020

> Awesome, I'll take a look at the pull request now.
>
> As an aside, do you happen to know if an Amazon Linux product is in the works? I've tried adding one following the guide listed in my initial post here, but I'm getting this runtime error `RuntimeError: Unknown product name: amzn2` from build_templated_content.py


> `sys.platform` returns `linux2` so I'm assuming that is the conflict. Looking at the ssg-amzn2-ds.xml from openscap-security-guide, the product name amzn2 seems to be correct, but the platform is indicated as Amazon Linux 2.
>
> @ggbecker Would you mind double checking me on whether I am specifying these environment variables correctly?
>
> export SHORTNAME="A"
> export NAME="amzn"
> export CAMEL_CASE_NAME="Amazon Linux"
> export VERSION="2"
> export CAPITAL_NAME="AMZN"

I don't know exactly what the error is, and I realized that the instructions in example/README.md are a bit outdated because of the new way of defining CPEs. I have tested the instructions again and created the amzn2 product and it's now compiling just fine. Take a look: ggbecker@9e0d0e2. You can use these changes to compare with yours or just pick the commit instead. Please be aware that you still have to modify shared/checks/oval/installed_OS_is_amzn2.xml to properly detect Amazon Linux systems; what is there is basically a placeholder.

@ggbecker (Member)

Maybe you are still interested in contributing a new Amazon Linux product to the project. This is a very fresh PR that introduced a new product and can be used as a template: #10548

I'm closing this ticket for now due to inactivity.

@ggbecker closed this as not planned (won't fix, can't repro, duplicate, stale) on Aug 24, 2023