[Buildroot] [PATCH v3 4/5] package/compliance-as-code: new package
Alexis Lothoré
alexis.lothore at bootlin.com
Thu Oct 16 14:46:37 UTC 2025
Introduce the Compliance As Code package. This project provides data
files consumed by the openscap tool to evaluate a host's compliance
with security policies. The package depends on both host-openscap
(needed at build time to process the input files into usable files)
and openscap (needed on the target, where it uses the generated files
to evaluate the system configuration).
The project is based on cmake, but it also exposes a wrapper script
(build_product). The package uses the cmake build system, but exposes a
few Kconfig options to replicate some of the build_product options:
- BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY: replicates the -d
option, building only the datastream files instead of all the files
- BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS: allow selecting the
product(s) for which we want to generate policies files.
The default install target provided by the project expects a full build,
and so it will try to generate all the files for all the products when
executed (which cancels the benefit of being able to select only a
single or a few products), so the package defines a custom install
command.
Signed-off-by: Alexis Lothoré <alexis.lothore at bootlin.com>
---
Changes in v2:
- reword commit title
- add entry to DEVELOPERS file
- remove non-relevant KConfig deps
- add comment about depends in Config.in
- remove FOO_REDISTRIBUTE = NO
- fix datastream-only build configuration management
- update install target to use cp rather than rsync
---
DEVELOPERS | 1 +
package/Config.in | 1 +
package/compliance-as-code/Config.in | 33 +++++++++++++++++
package/compliance-as-code/compliance-as-code.hash | 4 +++
package/compliance-as-code/compliance-as-code.mk | 41 ++++++++++++++++++++++
5 files changed, 80 insertions(+)
diff --git a/DEVELOPERS b/DEVELOPERS
index 321cb876802e86a58e490cf59a2ebcb72b273ac8..c1d09019c3a705d45b028443aac508a6908a70f1 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -156,6 +156,7 @@ F: package/zabbix/
N: Alexis Lothoré <alexis.lothore at bootlin.com>
F: package/libxmlsec1/
F: package/openscap/
+F: package/compliance-as-code/
N: Alistair Francis <alistair at alistair23.me>
F: board/sifive/
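Review bot: The new `F: package/compliance-as-code/` line is appended after `F: package/openscap/`, but the F: entries under a developer block are kept sorted alphabetically, so it belongs before `F: package/libxmlsec1/` rather than at the end of the block. Moving it there keeps `get-developers` output and future additions consistent with the rest of the file.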
diff --git a/package/Config.in b/package/Config.in
index e78229ea172ad60903d53b3ea3c54a1fb8365913..d8e2b8029d25478d15f26ac55441c3e2b01e815c 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2335,6 +2335,7 @@ endif
endmenu
menu "Security"
+ source "package/compliance-as-code/Config.in"
source "package/libapparmor/Config.in"
source "package/libselinux/Config.in"
source "package/libsemanage/Config.in"
diff --git a/package/compliance-as-code/Config.in b/package/compliance-as-code/Config.in
new file mode 100644
index 0000000000000000000000000000000000000000..f791f0c88cad4cb2e9e2930a44295fd5a69a9364
--- /dev/null
+++ b/package/compliance-as-code/Config.in
@@ -0,0 +1,33 @@
+config BR2_PACKAGE_COMPLIANCE_AS_CODE
+ bool "compliance-as-code"
+ depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS # openscap
+ depends on !BR2_STATIC_LIBS # dlfcn.h
+ select BR2_PACKAGE_OPENSCAP
+ help
+ Generate and install the profiles used for
+ security (e.g. FIPS, CSPN) compliance analysis.
+
+ Uses ComplianceAsCode to generate profiles
+ https://complianceascode.readthedocs.io/en/latest/
+
+comment "compliance-as-code needs a toolchain w/ dynamic library"
+ depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS
+ depends on BR2_STATIC_LIBS
+
+if BR2_PACKAGE_COMPLIANCE_AS_CODE
+
+config BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY
+ bool "datastream only"
+ default y
+ help
+ Build only the datastreams (do not build the html tables,
+ guides, etc)
+
+config BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS
+ string "products"
+ help
+ Provide a space-separated list of products for which you want
+ to build security content. Leave empty to build content for
+ all supported products.
+
+endif
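Review bot: The help text for BR2_PACKAGE_COMPLIANCE_AS_CODE does not say where the generated content is installed or how it is consumed, and the PRODUCTS help does not say what a valid product name looks like, so a user has to read the .mk to use the package. Suggest adding to the main help `The generated SCAP content is installed in /etc/openscap for use with the oscap tool.` (the .mk copies the built .xml files there) and to the PRODUCTS help a pointer to the upstream product names (presumably the directory names under products/ in the ComplianceAsCode tree - confirm), noting that a misspelled product only surfaces as an unknown make target at build time. The `depends on` lines mirror openscap's and are repeated correctly in the comment stanza.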
diff --git a/package/compliance-as-code/compliance-as-code.hash b/package/compliance-as-code/compliance-as-code.hash
new file mode 100644
index 0000000000000000000000000000000000000000..223216295de39ac1f2dbf4e5146e669758c80d6a
--- /dev/null
+++ b/package/compliance-as-code/compliance-as-code.hash
@@ -0,0 +1,4 @@
+
+# Locally computed
+sha256 bb79e996035a1d985c49e5df8988a5d5f2310f5b3b5d49492f95a6845db00f43 compliance-as-code-0.1.77.tar.gz
+sha256 ade633d5db670a58ff5f735c3602caafc72657a516416969fff79ff8a0c10298 LICENSE
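Review bot: The hash file starts with an empty `+` line before the `# Locally computed` comment; drop it, Buildroot hash files begin directly with the comment. Since the archive is the GitHub auto-generated tarball for tag v0.1.77, a locally computed hash is the only option and the value is trusted on first fetch; if upstream publishes checksums or signatures for its release tarballs, pointing COMPLIANCE_AS_CODE_SITE at that tarball would let the hash be cross-checked against upstream, which is worth doing for a package that ships security policy content.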
diff --git a/package/compliance-as-code/compliance-as-code.mk b/package/compliance-as-code/compliance-as-code.mk
new file mode 100644
index 0000000000000000000000000000000000000000..7a961b3ab40d7166a52aac383b3fded929f19650
--- /dev/null
+++ b/package/compliance-as-code/compliance-as-code.mk
@@ -0,0 +1,41 @@
+################################################################################
+#
+# Compliance As Code
+#
+################################################################################
+
+COMPLIANCE_AS_CODE_VERSION = 0.1.77
+COMPLIANCE_AS_CODE_SITE = $(call github,ComplianceAsCode,content,v$(COMPLIANCE_AS_CODE_VERSION))
+COMPLIANCE_AS_CODE_LICENSE = BSD-3-Clause
+COMPLIANCE_AS_CODE_LICENSE_FILES = LICENSE
+
+COMPLIANCE_AS_CODE_DEPENDENCIES = \
+ host-python3 \
+ host-openscap \
+ openscap \
+ host-python-jinja2 \
+ host-python-pyyaml \
+ host-libxslt \
+ host-libxml2
+
+COMPLIANCE_AS_CODE_CONF_ENV = OPENSCAP_ROOT_DIR=$(HOST_DIR)
+COMPLIANCE_AS_CODE_SUPPORTS_IN_SOURCE_BUILD = NO
+
+ifeq ($(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY),y)
+COMPLIANCE_AS_CODE_MAKE_OPTS = -d
+endif
+
+COMPLIANCE_AS_CODE_MAKE_OPTS += \
+ $(foreach p,\
+ $(call qstrip,$(BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS)),\
+ $(if $(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY), \
+ generate-ssg-$(p)-ds.xml, $(p) \
+ )\
+ )
+
+define COMPLIANCE_AS_CODE_INSTALL_TARGET_CMDS
+ mkdir -p $(TARGET_DIR)/etc/openscap
+ cp -dpfr $(@D)/buildroot-build/*.xml $(TARGET_DIR)/etc/openscap/
+endef
+
+$(eval $(cmake-package))
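Review bot: The `-d` assigned to `COMPLIANCE_AS_CODE_MAKE_OPTS` when BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY is set is handed to `$(BR2_MAKE)` by the cmake-package infrastructure, where `-d` is GNU make's debug-output flag and not the `build_product -d` switch the commit message describes; it does not restrict what is built and floods the build log. The datastream-only behaviour actually comes from the `generate-ssg-$(p)-ds.xml` targets produced by the foreach, so with an empty PRODUCTS list (the default) the option has no effect and the default make target builds all content for every product. Drop the three lines `ifeq ($(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY),y)` / `COMPLIANCE_AS_CODE_MAKE_OPTS = -d` / `endif`, and either require a non-empty products list when datastream-only is selected or state in the Kconfig help that the option only applies to listed products. A comment above the foreach such as `# datastream-only builds are restricted to the per-product generate-ssg-<product>-ds.xml targets; without a product list the default target builds everything` would document the mechanism.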
--
2.51.0