Add option to enable installation of individual ansible playbooks per rule

[ggbecker]

Description:

• Add option to enable installation of individual ansible tasks per rule.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[jan-cerny]

What about guarding the call of the ssg_build_ansible_playbooks macro by this option?

[ggbecker]

it makes sense

[ggbecker]

can you please check if this is what you had in mind? 1ec2353

[jan-cerny]

In fact, these files are Ansible Playbooks, so using the term "tasks" is misleading.

[ggbecker]

I understand that... but how should I call them since SSG_ANSIBLE_PLAYBOOKS_ENABLED is already being used?

maybe SSG_ANSIBLE_INDIVIDUAL_PLAYBOOKS_ENABLED or SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED?

[ggbecker]

I've changed to SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED, see: 81f9051#diff-1e7de1ae2d059d21e1dd75d5812d5a34b0222cef273b7c3a2af62eb747f9d20aR51

[jan-cerny]

In fact, these files are Ansible Playbooks and you also have used the misleading word "tasks" for it before so I think using the term "role" for them increases confusion.

[ggbecker]

that's correct... it was a copy paste problem

[ggbecker]

I have also changed the folder's name that holds all the ansible playbooks from tasks to playbooks. So files will be installed to ansible/playbooks/

[JAORMX]

/retest

[jan-cerny]

I'm sorry, I had a comment but I apparently didn't submit it or I misclicked. My comment was that the ${SSG_ANSIBLE_ROLE_INSTALL_DIR} is already used to install profile playbooks. But the downstream Linux distributions will want to place the rule playbooks to a different subpackage than the profile playbooks. Therefore I think it might be better to put the rule playbooks to a different directory than ${SSG_ANSIBLE_ROLE_INSTALL_DIR}. What is your opinion on that?

[ggbecker]

I understand your concern, but it would feel really strange to have ansible playbooks on a different folder than {SSG_ANSIBLE_ROLE_INSTALL_DIR} (which is usually scap-security-guide/ansible). That's why a created a subfolder called playbooks where this files would be installed. I guess the fact that downstream Linux distributions will use these files on a different subpackage doesn't necessarily mean we have to install these files on a different top-level directory.

[jan-cerny]

but it would feel really strange to have ansible playbooks on a different folder than {SSG_ANSIBLE_ROLE_INSTALL_DIR}

It depends, something like /usr/share/scap-security-guide/rule_ansible_playbooks/ could work.

I guess the fact that downstream Linux distributions will use these files on a different subpackage doesn't necessarily mean we have to install these files on a different top-level directory.

That's correct, it's certainly possible to pick the right items for the (sub)packages in spec file.

I mean I think it's fine in the current form, I was curious if we could come up with something possibly better or not.

[yuumasato]

As the profile playbooks installed in ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/ are actually playbooks (not roles), how about installing the rule playbooks in ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}?

[ggbecker]

I agree that the naming is a bit confusing here. I guess it's better to have explicit than some hidden meaning. I'll update it accordingly. Thanks

[jan-cerny]

/retest

[yuumasato]

Just running cmake I get the following warning for each product:

CMake Warning (dev) at cmake/SSGCommon.cmake:804 (add_dependencies):          
  Policy CMP0046 is not set: Error on non-existent dependency in                                                                                             
  add_dependencies.  Run "cmake --help-policy CMP0046" for policy details.    
  Use the cmake_policy command to set the policy and suppress this warning.

  The dependency target "generate-chromium-ansible-playbooks" of target
  "chromium-content" does not exist.
Call Stack (most recent call first):
  chromium/CMakeLists.txt:6 (ssg_build_product)
This warning is for project developers.  Use -Wno-dev to suppress it.

The problem is that SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED being false by default, disables ssg_build_ansible_playbooks(${PRODUCT}) which would add the custom_target generate-${PRODUCT}-ansible-playbooks.

[ggbecker]

Just running cmake I get the following warning for each product:

CMake Warning (dev) at cmake/SSGCommon.cmake:804 (add_dependencies):          
  Policy CMP0046 is not set: Error on non-existent dependency in                                                                                             
  add_dependencies.  Run "cmake --help-policy CMP0046" for policy details.    
  Use the cmake_policy command to set the policy and suppress this warning.

  The dependency target "generate-chromium-ansible-playbooks" of target
  "chromium-content" does not exist.
Call Stack (most recent call first):
  chromium/CMakeLists.txt:6 (ssg_build_product)
This warning is for project developers.  Use -Wno-dev to suppress it.

The problem is that SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED being false by default, disables ssg_build_ansible_playbooks(${PRODUCT}) which would add the custom_target generate-${PRODUCT}-ansible-playbooks.

That's why I had initially an OR logic expression in the condition for ssg_build_ansible_playbooks call... I guess I'll have to reevaluate some things. Thanks for noticing that.

[yuumasato]

That's why I had initially an OR logic expression in the condition for ssg_build_ansible_playbooks call... I guess I'll have to reevaluate some things. Thanks for noticing that.

I think the AND makes sense. A solution could be to declare the custom target directly in the ssg_build_product macro, like in:

content/cmake/SSGCommon.cmake

Line 755 in a705438

add_custom_target(${PRODUCT}-content)

[ggbecker]

That's why I had initially an OR logic expression in the condition for ssg_build_ansible_playbooks call... I guess I'll have to reevaluate some things. Thanks for noticing that.

I think the AND makes sense. A solution could be to declare the custom target directly in the ssg_build_product macro, like in:

content/cmake/SSGCommon.cmake

Line 755 in a705438

add_custom_target(${PRODUCT}-content)

hopefully that's what you had in mind :) f7bb68f

[yuumasato]

hopefully that's what you had in mind :) f7bb68f

Almost there, see my comments.

[ggbecker]

hopefully that's what you had in mind :) f7bb68f

Almost there, see my comments.

Okay, done in 141dce8 (amended commit)

[yuumasato]

hopefully that's what you had in mind :) f7bb68f

Almost there, see my comments.

Okay, done in 141dce8 (amended commit)

Now I get warnings when doing this, :(
cmake -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOLEAN=ON ../

@ggbecker I apologize, my suggestion doesn't work as expected. add_dependencies() only works on targets, not files.

I think you'll need to have a better look on why this dependency is added here:

content/cmake/SSGCommon.cmake

Lines 805 to 808 in 141dce8

	add_dependencies(
	${PRODUCT}-content
	generate-${PRODUCT}-ansible-playbooks
	)

To me it looks like it should be moved closer to where it is defined.

[ggbecker]

hopefully that's what you had in mind :) f7bb68f

Almost there, see my comments.

Okay, done in 141dce8 (amended commit)

Now I get warnings when doing this, :(
cmake -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOLEAN=ON ../

@ggbecker I apologize, my suggestion doesn't work as expected. add_dependencies() only works on targets, not files.

I think you'll need to have a better look on why this dependency is added here:

content/cmake/SSGCommon.cmake

Lines 805 to 808 in 141dce8

	add_dependencies(
	${PRODUCT}-content
	generate-${PRODUCT}-ansible-playbooks
	)

To me it looks like it should be moved closer to where it is defined.

I brought the dependency definition closer to the target definition. That might fix the issue, although I'm not entirely sure if this would cause any undesired side effect. See: 02df119

[yuumasato]

@ggbecker The rule playbooks were not being built with 02df119.
I made a PR to your branch.
It would also be good to squash the last few commits to clean up a bit this back and forth with the target and dependencies.

[ggbecker]

@ggbecker The rule playbooks were not being built with 02df119.
I made a PR to your branch.

Thank you very much.

It would also be good to squash the last few commits to clean up a bit this back and forth with the target and dependencies.

I definitely will :D

[yuumasato]

LGTM, I just have one comment about the install path of rule playbooks.

[yuumasato]

As the profile playbooks installed in ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/ are actually playbooks (not roles), how about installing the rule playbooks in ${SSG_ANSIBLE_ROLE_INSTALL_DIR}/rule_playbooks/${PRODUCT}?

[ggbecker]

LGTM, I just have one comment about the install path of rule playbooks.

I have updated the installing directory.

[yuumasato]

@JAORMX Hey man, I see a a lot of "didn't match expected results" in the rhcos e2e, are these somehow expected?
I don't see how changes in this PR would cause it.
The expected result for the audit_rules_etc_group_open rule didn't match. Expected 'PASS', Got 'FAIL'

[yuumasato]

/retest

[yuumasato]

Test results look good now, :)