openscap/openscap.spec

#
# spec file for package openscap
#
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define sover 25
%define with_bindings 0
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openscap
Version: 1.3.6
Release: 0
Summary: A Set of Libraries for Integration with SCAP
License: LGPL-2.1-or-later
Group: Development/Tools/Other
URL: https://www.open-scap.org/
Source: https://github.com/OpenSCAP/openscap/archive/%{version}.tar.gz
Source1: openscap-rpmlintrc
Source2: sysconfig.oscap-scan
# SUSE specific profile, based on yast2-security checks.
# Generated from http://gitorious.org/test-suite/scap
Source3: scap-yast2sec-xccdf.xml
Source4: scap-yast2sec-oval.xml
Source5: oscap-scan.service
Source6: oscap-scan.sh
Patch1: openscap-opensuse-cpe.patch
Patch2: openscap-suse-cpe.patch
Patch3: openscap-docker-add-suse.patch
%if 0%{?suse_version} != 1599
Patch4: oscap-remediate.service.in.patch
%endif
BuildRequires: asciidoc
# Use package name cause of "have choice for perl(XML::Parser): brp-check-suse perl-XML-Parser"
BuildRequires: cmake
BuildRequires: dbus-1-devel
BuildRequires: doxygen
BuildRequires: gcc-c++
%if 0%{?suse_version} < 1550
BuildRequires: gconf2-devel
%endif
BuildRequires: libacl-devel
BuildRequires: libattr-devel
BuildRequires: libblkid-devel
BuildRequires: libbz2-devel
BuildRequires: libcap-devel
BuildRequires: libcurl-devel
BuildRequires: libgcrypt-devel
BuildRequires: libselinux-devel
BuildRequires: libtool
BuildRequires: libxml2-devel
BuildRequires: libxslt-devel
BuildRequires: libyaml-devel
BuildRequires: lua
BuildRequires: openldap2-devel
BuildRequires: pcre-devel
BuildRequires: perl-XML-Parser
BuildRequires: perl-XML-XPath
BuildRequires: pkgconfig
BuildRequires: procps
BuildRequires: procps-devel
BuildRequires: python3-devel
BuildRequires: rpm-devel
BuildRequires: sendmail
BuildRequires: swig
BuildRequires: systemd-rpm-macros
BuildRequires: unixODBC-devel
BuildRequires: xmlsec1-devel
BuildRequires: xmlsec1-openssl-devel
BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(gobject-2.0)
# remove extra packages from version 1.2.9 and older
Obsoletes: openscap-engine-sce < %{version}
Obsoletes: openscap-extra-probes < %{version}
# Next few lines are needed for unit tests, they expect /etc/os-release to exist
%if !0%{?is_opensuse} && 0%{?sle_version} < 130000
BuildRequires: sles-release
%else
BuildRequires: distribution-release
%endif
%description
OpenSCAP is a set of open source libraries providing an easier path for
integration of the SCAP line of standards.
SCAP is a line of standards managed by NIST with the goal of providing
a standard language for the expression of Computer Network Defense
related information.
More information about SCAP can be found at nvd.nist.gov.
%package devel
Summary: Development Files for OpenSCAP
Group: Development/Libraries/C and C++
Requires: %{name} = %{version}-%{release}
Requires: libopenscap%{sover} = %{version}
%description devel
This package contains the development files (mainly C header files) for the
OpenSCAP C library.
%package docker
Summary: Docker plugin for OpenSCAP
Group: System/Libraries
%description docker
This package contains the Docker support for OpenSCAP.
%if 0%{?with_bindings}
%package -n python-openscap
Summary: OpenSCAP Python Library
Group: Development/Libraries/Python
Requires: %{name} = %{version}-%{release}
Provides: openscap-python = %{version}-%{release}
%description -n python-openscap
The OpenSCAP Python Library for easy integration with SCAP.
%package -n perl-openscap
Summary: OpenSCAP Perl Library
Group: Development/Libraries/Perl
Requires: %{name} = %{version}-%{release}
Requires: perl = %{perl_version}
Provides: openscap-perl = %{version}-%{release}
%description -n perl-openscap
The OpenSCAP Perl Library for easy integration with SCAP.
%endif
%package -n libopenscap%{sover}
Summary: OpenSCAP C Library
Group: System/Libraries
%description -n libopenscap%{sover}
The OpenSCAP C Library for easy integration with SCAP.
%package utils
Summary: OpenSCAP utilities
Group: System/Monitoring
Requires: %{name} = %{version}-%{release}
# FIXME: use proper Requires(pre/post/preun/...)
PreReq: %fillup_prereq
%systemd_requires
%description utils
The %{name}-utils package contains various utilities based on the %{name} library.
%package content
Summary: SCAP content
Group: System/Monitoring
Requires: %{name} = %{version}-%{release}
%description content
SCAP content for Fedora delivered by the Open-SCAP project.
%package -n libopenscap_sce%{sover}
Summary: Script Checking Engine Library for OpenSCAP
Group: System/Libraries
%description -n libopenscap_sce%{sover}
This package contains the Script Checking Engine Library (SCE) for OpenSCAP.
# Fallback definition of python_sitearch, evaluated with python3 (the build requires python3-devel)
%{!?python_sitearch: %global python_sitearch %(python3 -c "import sysconfig; print(sysconfig.get_path('platlib'))")}
%prep
%autosetup -p1
%build
%if 0%{?with_bindings}
%cmake -DENABLE_DOCS=TRUE -DCMAKE_SHARED_LINKER_FLAGS=""
%else
%cmake -DENABLE_DOCS=TRUE -DENABLE_PYTHON3=FALSE -DENABLE_PERL=FALSE -DCMAKE_SHARED_LINKER_FLAGS=""
%endif
%if 0%{?sle_version} > 150100 || 0%{?suse_version} == 1599
%cmake_build
%else
%make_jobs
%endif
%check
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{buildroot}/%{_libdir}
cd build
# Unit tests do not all succeed. While working on the 1.3 migration we
# submitted a few patches upstream, but there is still one unit test that
# always fails and 1-3 which fail occasionally, so ctest failures are ignored.
ctest %{?_smp_mflags} || :
cd ..
%install
%cmake_install
mkdir -p %{buildroot}/%{_fillupdir}
install -m 644 %{SOURCE2} %{buildroot}/%{_fillupdir}
mkdir -p %{buildroot}/%{_libexecdir}/openscap
mkdir -p %{buildroot}/%{_libdir}/openscap
install -m 644 %{SOURCE3} %{buildroot}/%{_datadir}/openscap
install -m 644 %{SOURCE4} %{buildroot}/%{_datadir}/openscap
# specific local scan during boot script
mkdir -p %{buildroot}/%{_unitdir}
install -m 644 %{SOURCE5} %{buildroot}/%{_unitdir}/oscap-scan.service
mkdir -p %{buildroot}/%{_bindir}
install -m 755 %{SOURCE6} %{buildroot}/%{_bindir}/oscap-scan
mkdir -p %{buildroot}/%{_sbindir}
ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcoscap-scan
mkdir -p %{buildroot}%{_datadir}/bash-completion/completions
mv %{buildroot}%{_sysconfdir}/bash_completion.d/* %{buildroot}%{_datadir}/bash-completion/completions/
# create symlinks to default content
ln -s %{_datadir}/openscap/scap-yast2sec-oval.xml %{buildroot}/%{_datadir}/openscap/scap-oval.xml
ln -s %{_datadir}/openscap/scap-yast2sec-xccdf.xml %{buildroot}/%{_datadir}/openscap/scap-xccdf.xml
# oscap-remediate should be in /usr/libexec but this is not well supported in
# older versions of the distro
%if 0%{?suse_version} != 1599
%if 0%{?sle_version} > 150200
mv %{buildroot}/%{_libexecdir}/oscap-remediate %{buildroot}/%{_bindir}
%else
# in older versions _libexecdir expands to /usr/lib, which does not help
mv %{buildroot}/%{_prefix}/libexec/oscap-remediate %{buildroot}/%{_bindir}
%endif
%endif
%post -n libopenscap%{sover} -p /sbin/ldconfig
%postun -n libopenscap%{sover} -p /sbin/ldconfig
%post -n libopenscap_sce%{sover} -p /sbin/ldconfig
%postun -n libopenscap_sce%{sover} -p /sbin/ldconfig
%post -n openscap-utils
%service_add_post oscap-scan.service oscap-remediate.service
%postun -n openscap-utils
%service_del_postun oscap-scan.service oscap-remediate.service
%pre -n openscap-utils
%service_add_pre oscap-scan.service oscap-remediate.service
%preun -n openscap-utils
%service_del_preun oscap-scan.service oscap-remediate.service
%files
%license COPYING
%doc AUTHORS NEWS
%dir %{_datadir}/openscap
%dir %{_datadir}/openscap/cpe
%dir %{_datadir}/openscap/schemas
%dir %{_datadir}/openscap/xsl
%{_datadir}/openscap/cpe/*
%{_datadir}/openscap/schemas/*
%{_datadir}/openscap/xsl/*
%files -n libopenscap%{sover}
%{_libdir}/libopenscap.so.%{sover}*
%files devel
%dir %{_datadir}/doc/openscap
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
%{_datadir}/doc/openscap/*
%{_includedir}/*
%files docker
%{python3_sitelib}/oscap_docker_python
%{_bindir}/oscap-docker
%if 0%{?with_bindings}
%files -n python-openscap
%{python_sitearch}/*
%files -n perl-openscap
%{perl_vendorlib}/openscap.pm
%{perl_vendorarch}/openscap_pm.so
%endif
%files utils
%{_fillupdir}/sysconfig.oscap-scan
%doc docs/oscap-scan.cron
%{_mandir}/man8/*
%{_unitdir}/oscap-scan.service
%{_bindir}/autotailor
%{_bindir}/oscap
%{_bindir}/oscap-vm
%{_bindir}/oscap-scan
%{_bindir}/oscap-ssh
%{_bindir}/oscap-chroot
%{_bindir}/scap-as-rpm
%{_bindir}/oscap-podman
%{_bindir}/oscap-run-sce-script
%{_sbindir}/rcoscap-scan
%{_datadir}/bash-completion/completions/*
%{_bindir}/oscap-remediate-offline
%{_prefix}/lib/systemd/system/oscap-remediate.service
%if 0%{?suse_version} != 1599
%{_bindir}/oscap-remediate
%else
%{_libexecdir}/oscap-remediate
%endif
%files content
%{_datadir}/openscap/scap*.xml
%files -n libopenscap_sce%{sover}
%{_libdir}/libopenscap_sce.so.*
%changelog