Allow conditional building of SCE content

Introduces the SSG_SCE_ENABLED variable (defaulting to false) to enable/disable SCE content generation. Note that an empty metadata.json will still be generated, but no SCE content will be generated. Signed-off-by: Alexander Scheel <[email protected]>
mrkanon · Jul 29, 2021 · dc6d9a7 · dc6d9a7
1 parent 7dbd76d
commit dc6d9a7
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 16 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -52,6 +52,7 @@ option(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED "If enabled, Ansible Playbooks for
 option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE)
 option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
 option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
+option(SSG_SCE_ENABLED "If enabled, additional SCE audit content will be enabled alongside OVAL-based auditing." FALSE)
 set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
 
 # SSG_PRODUCT_DEFAULT modifies the behavior of all other options. Products

diff --git a/build_config.yml.in b/build_config.yml.in
@@ -7,3 +7,5 @@ target_oval_version_str: "@SSG_TARGET_OVAL_VERSION@"
 
 jinja2_cache_enabled: @SSG_JINJA2_CACHE_ENABLED_BOOL@
 jinja2_cache_dir: "@SSG_JINJA2_CACHE_DIR@"
+
+sce_enabled: "@SSG_SCE_ENABLED@"
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
@@ -393,19 +393,31 @@ macro(ssg_build_sce PRODUCT)
     # in the combine paths below.
     set(SCE_COMBINE_PATHS "${SSG_SHARED}/checks/sce" "${CMAKE_CURRENT_SOURCE_DIR}/checks/sce")
 
-    # Unlike build_oval_unlinked, we don't depend on templated content yet.
-    #
-    # This is for two reasons:
-    # 1. Support for templated SCE isn't yet implemented.
-    # 2. Generating YAML->Shorthand (in ssg_build_shorthand_xml) relies on
-    #    our data, so we need it to occur earlier. However, templating depends
-    #    the Shorthand, so we'd have a dependency circle.
-    add_custom_command(
-        OUTPUT "${BUILD_CHECKS_DIR}/sce/metadata.json"
-        COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_sce.py" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" --output "${BUILD_CHECKS_DIR}/sce" ${SCE_COMBINE_PATHS}
-        DEPENDS "${SSG_BUILD_SCRIPTS}/build_sce.py"
-        COMMENT "[${PRODUCT}-content] generating sce/metadata.json"
-    )
+    if (SSG_SCE_ENABLED)
+        # Unlike build_oval_unlinked, we don't depend on templated content yet.
+        #
+        # This is for two reasons:
+        # 1. Support for templated SCE isn't yet implemented.
+        # 2. Generating YAML->Shorthand (in ssg_build_shorthand_xml) relies on
+        #    our data, so we need it to occur earlier. However, templating depends
+        #    the Shorthand, so we'd have a dependency circle.
+        add_custom_command(
+            OUTPUT "${BUILD_CHECKS_DIR}/sce/metadata.json"
+            COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_sce.py" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" --output "${BUILD_CHECKS_DIR}/sce" ${SCE_COMBINE_PATHS}
+            DEPENDS "${SSG_BUILD_SCRIPTS}/build_sce.py"
+            COMMENT "[${PRODUCT}-content] generating sce/metadata.json"
+        )
+    else()
+        # Here we fake generating SCE metadata by creating an empty file.
+        # Because every other step reads data from this metadata file, if
+        # it is empty, no SCE content will actually be generated.
+        add_custom_command(
+            OUTPUT "${BUILD_CHECKS_DIR}/sce/metadata.json"
+            COMMAND ${CMAKE_COMMAND} -E make_directory "${BUILD_CHECKS_DIR}/sce"
+            COMMAND ${CMAKE_COMMAND} -E touch "${BUILD_CHECKS_DIR}/sce/metadata.json"
+            COMMENT "[${PRODUCT}-content] generating sce/metadata.json"
+        )
+    endif()
     add_custom_target(
         generate-internal-${PRODUCT}-sce-metadata.json
         DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/checks/sce/metadata.json"
@@ -920,8 +932,10 @@ macro(ssg_build_product PRODUCT)
             DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
     endif()
 
-    install(DIRECTORY "${CMAKE_BINARY_DIR}/${PRODUCT}/checks/sce/"
-        DESTINATION "${SSG_CONTENT_INSTALL_DIR}/${PRODUCT}/checks/sce")
+    if (SSG_SCE_ENABLED)
+        install(DIRECTORY "${CMAKE_BINARY_DIR}/${PRODUCT}/checks/sce/"
+            DESTINATION "${SSG_CONTENT_INSTALL_DIR}/${PRODUCT}/checks/sce")
+    endif()
 
     install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
         DESTINATION "${SSG_CONTENT_INSTALL_DIR}")

diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
@@ -1594,7 +1594,7 @@ def __init__(self, profiles_dir, bash_remediation_fns, env_yaml,
             os.mkdir(resolved_rules_dir)
 
         self.sce_metadata = None
-        if sce_metadata_path:
+        if sce_metadata_path and os.path.getsize(sce_metadata_path):
             self.sce_metadata = json.load(open(sce_metadata_path, 'r'))
 
     def _process_values(self):
Original file line number	Diff line number	Diff line change
Expand Up		@@ -7,3 +7,5 @@ target_oval_version_str: "@SSG_TARGET_OVAL_VERSION@"

		jinja2_cache_enabled: @SSG_JINJA2_CACHE_ENABLED_BOOL@
		jinja2_cache_dir: "@SSG_JINJA2_CACHE_DIR@"

		sce_enabled: "@SSG_SCE_ENABLED@"