Allow conditional building of SCE content

Introduces the SSG_SCE_ENABLED variable (defaulting to false) to
enable/disable SCE content generation. Note that an empty metadata.json
will still be generated, but no SCE content will be generated.

Signed-off-by: Alexander Scheel <[email protected]>

Author: cipherboy

CMakeLists.txt

@@ -52,6 +52,7 @@ option(SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED "If enabled, Ansible Playbooks for
 option(SSG_BASH_SCRIPTS_ENABLED "If enabled, Bash remediation scripts for each profile will be built and installed." TRUE)
 option(SSG_JINJA2_CACHE_ENABLED "If enabled, the jinja2 templating files will be cached into bytecode. Also see SSG_JINJA2_CACHE_DIR." TRUE)
 option(SSG_BATS_TESTS_ENABLED "If enabled, bats will be used to run unit-tests of bash remediations." TRUE)
+option(SSG_SCE_ENABLED "If enabled, additional SCE audit content will be enabled alongside OVAL-based auditing." FALSE)
 set(SSG_JINJA2_CACHE_DIR "${CMAKE_BINARY_DIR}/jinja2_cache" CACHE PATH "Where the jinja2 cached bytecode should be stored. This speeds up builds at the expense of disk space. You can use one location for multiple SSG builds for performance improvements.")
 
 # SSG_PRODUCT_DEFAULT modifies the behavior of all other options. Products

build_config.yml.in

@@ -7,3 +7,5 @@ target_oval_version_str: "@SSG_TARGET_OVAL_VERSION@"
 
 jinja2_cache_enabled: @SSG_JINJA2_CACHE_ENABLED_BOOL@
 jinja2_cache_dir: "@SSG_JINJA2_CACHE_DIR@"
+
+sce_enabled: "@SSG_SCE_ENABLED@"

cmake/SSGCommon.cmake

@@ -393,19 +393,31 @@ macro(ssg_build_sce PRODUCT)
     # in the combine paths below.
     set(SCE_COMBINE_PATHS "${SSG_SHARED}/checks/sce" "${CMAKE_CURRENT_SOURCE_DIR}/checks/sce")
 
-    # Unlike build_oval_unlinked, we don't depend on templated content yet.
-    #
-    # This is for two reasons:
-    # 1. Support for templated SCE isn't yet implemented.
-    # 2. Generating YAML->Shorthand (in ssg_build_shorthand_xml) relies on
-    #    our data, so we need it to occur earlier. However, templating depends
-    #    the Shorthand, so we'd have a dependency circle.
-    add_custom_command(
-        OUTPUT "${BUILD_CHECKS_DIR}/sce/metadata.json"
-        COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_sce.py" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" --output "${BUILD_CHECKS_DIR}/sce" ${SCE_COMBINE_PATHS}
-        DEPENDS "${SSG_BUILD_SCRIPTS}/build_sce.py"
-        COMMENT "[${PRODUCT}-content] generating sce/metadata.json"
-    )
+    if (SSG_SCE_ENABLED)
+        # Unlike build_oval_unlinked, we don't depend on templated content yet.
+        #
+        # This is for two reasons:
+        # 1. Support for templated SCE isn't yet implemented.
+        # 2. Generating YAML->Shorthand (in ssg_build_shorthand_xml) relies on
+        #    our data, so we need it to occur earlier. However, templating depends
+        #    the Shorthand, so we'd have a dependency circle.
+        add_custom_command(
+            OUTPUT "${BUILD_CHECKS_DIR}/sce/metadata.json"
+            COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${SSG_BUILD_SCRIPTS}/build_sce.py" --build-config-yaml "${CMAKE_BINARY_DIR}/build_config.yml" --product-yaml "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" --output "${BUILD_CHECKS_DIR}/sce" ${SCE_COMBINE_PATHS}
+            DEPENDS "${SSG_BUILD_SCRIPTS}/build_sce.py"
+            COMMENT "[${PRODUCT}-content] generating sce/metadata.json"
+        )
+    else()
+        # Here we fake generating SCE metadata by creating an empty file.
+        # Because every other step reads data from this metadata file, if
+        # it is empty, no SCE content will actually be generated.
+        add_custom_command(
+            OUTPUT "${BUILD_CHECKS_DIR}/sce/metadata.json"
+            COMMAND ${CMAKE_COMMAND} -E make_directory "${BUILD_CHECKS_DIR}/sce"
+            COMMAND ${CMAKE_COMMAND} -E touch "${BUILD_CHECKS_DIR}/sce/metadata.json"
+            COMMENT "[${PRODUCT}-content] generating sce/metadata.json"
+        )
+    endif()
     add_custom_target(
         generate-internal-${PRODUCT}-sce-metadata.json
         DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/checks/sce/metadata.json"
@@ -920,8 +932,10 @@ macro(ssg_build_product PRODUCT)
             DESTINATION "${SSG_CONTENT_INSTALL_DIR}")
     endif()
 
-    install(DIRECTORY "${CMAKE_BINARY_DIR}/${PRODUCT}/checks/sce/"
-        DESTINATION "${SSG_CONTENT_INSTALL_DIR}/${PRODUCT}/checks/sce")
+    if (SSG_SCE_ENABLED)
+        install(DIRECTORY "${CMAKE_BINARY_DIR}/${PRODUCT}/checks/sce/"
+            DESTINATION "${SSG_CONTENT_INSTALL_DIR}/${PRODUCT}/checks/sce")
+    endif()
 
     install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml"
         DESTINATION "${SSG_CONTENT_INSTALL_DIR}")

ssg/build_yaml.py

@@ -1594,7 +1594,7 @@ def __init__(self, profiles_dir, bash_remediation_fns, env_yaml,
             os.mkdir(resolved_rules_dir)
 
         self.sce_metadata = None
-        if sce_metadata_path:
+        if sce_metadata_path and os.path.getsize(sce_metadata_path):
             self.sce_metadata = json.load(open(sce_metadata_path, 'r'))
 
     def _process_values(self):